
To add data in flight encryption, License requirements, Configuring the client – HP StoreOnce Backup User Manual

Page 197: Configuring the storeonce backup system


to expand the three subnets for the additional couplet. Remember that VLANs require one IP address
per node and physical data LANs require two IP addresses per node.

# net add ipaddr subnet1 172.168.7.29,172.168.7.30,172.168.7.31,172.168.7.32

# net add ipaddr subnet_vlan1 10.168.8.29,10.168.8.30

# net add ipaddr subnet2 192.168.6.15,192.168.6.16

To add Data in Flight Encryption

IP packets have no built-in security measures: anyone with access to the network can view
packet content and, because there is no verification, there is no indication whether
a packet has been viewed or its content modified. IPsec is an OSI layer 3 protocol that provides
encryption and mutual verification at the IP address level. The IPsec protocol is supported for data
subnet encryption on all StoreOnce models running StoreOnce software version 3.11.0 or later.

Data in Flight Encryption uses the IPsec protocol to support data encryption at subnet level. It
requires you to pair the IP addresses of the media server and the subnet that you have configured
on the StoreOnce Backup system and to create a rule that ensures the pair communicate uniquely
with each other based on a password that you configure within the rule. Configuration on the
StoreOnce Backup system is via a single StoreOnce CLI command, net add encryption; it
cannot be configured as part of the wizard. This is only one half of the configuration: you must
also configure IPsec on the media server that forms the other part of the pair.

License requirements

If you wish to use the IPsec feature, you must first install the Security Pack license.

Configuring the client

The IPsec pair and rule must be configured on both the client media server and the StoreOnce
Backup appliance. See the HP StoreOnce Backup system Linux and UNIX Configuration guide for
information about configuring Linux media servers. Configuration of Windows media servers is
via Windows local security policy. (This will be described in more detail in the next edition of this
guide.) For full details of which operating systems are supported, go to http://www.hp.com/ebs.

Configuring the StoreOnce Backup system

IMPORTANT: If you subsequently change the network configuration, you must re-apply the IPsec
encryption.

The syntax for the StoreOnce CLI command is:

net add encryption myconfig mysubnet ipAddr clientip passPhrase mypassword

In the following example, we have created a copy of the configuration called config_with_ipsec
that adds encryption to subnet_2. The IP address is the client’s IP address and the passphrase
must match the passphrase that has been configured on the client.

# net add encryption config_with_ipsec subnet_2 ipaddr 172.18.198.101 passphrase katedave

Command Successful

NOTE: You still need to validate and activate the configuration to make encryption active on the
subnet.

The subnet configuration now shows the client IP address in the Encryption Links field.

----------------------
Network: subnet2
----------------------
IP Addresses: 172.168.6.11,172.168.6.12,172.168.6.13,172.168.6.14
Net Mask: 255.255.255.0
Domain Name: nearline.local
Gateway: 172.168.6.1
Default Network: yes
Net Usage: mgmt
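
Because encryption only becomes active after validation and activation, and must be re-applied after any network change, it is worth checking a saved copy of the subnet listing for the expected Encryption Links entries. The following is an added example, not code from the HP manual; the sample listing is constructed, and the "Encryption Links: <ip>[,<ip>...]" line format is an assumption, since the page names the field but does not show it.

```python
# Added example: audit a saved subnet listing for expected IPsec client links.
# SAMPLE is constructed; the "Encryption Links" line format is an assumption.
SAMPLE = """\
----------------------
Network: subnet1
----------------------
IP Addresses: 172.168.7.29,172.168.7.30
Net Mask: 255.255.255.0
----------------------
Network: subnet_2
----------------------
IP Addresses: 172.168.6.11,172.168.6.12
Net Mask: 255.255.255.0
Encryption Links: 172.18.198.101
"""

def parse_subnets(text):
    """Return {network name: {field: value}} parsed from the listing."""
    subnets, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or set(line) == {"-"}:   # skip blanks and separator rules
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Network":                 # a new subnet block starts here
            current = subnets.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return subnets

def missing_links(text, expected):
    """expected maps subnet name -> set of client IPs that must be linked.
    Returns {subnet: sorted list of client IPs with no encryption link}."""
    subnets = parse_subnets(text)
    gaps = {}
    for name, clients in expected.items():
        raw = subnets.get(name, {}).get("Encryption Links", "")
        present = {ip.strip() for ip in raw.split(",") if ip.strip()}
        absent = sorted(set(clients) - present)
        if absent:                           # unknown subnets count as missing
            gaps[name] = absent
    return gaps

if __name__ == "__main__":
    want = {"subnet1": {"172.18.198.101"}, "subnet_2": {"172.18.198.101"}}
    for name, ips in missing_links(SAMPLE, want).items():
        print(f"{name}: no encryption link for {', '.join(ips)}")
```

Run it against the listing captured after each activation or network change; an empty result means every expected client appears in the field.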
