Issue 1:
Description
Occasionally, when enabling data-at-rest encryption with an External Key Manager for the first time, the system may incorrectly register the encryption configuration using the Local Key Manager (LKM) instead of the selected External Key Manager (EKM). As a result, encryption keys are not sent to the Utimaco ESKM, and no KMIP objects are created.
HPE has acknowledged this behavior and is currently working on a permanent fix.
Official Statement from HPE on the issue
“Occasionally, when enabling data at rest encryption with an external key manager for the first time on a HPE Alletra Storage MP B10000 running 10.5.50, the system may register data at rest encryption using the local key manager. To resolve, check the external key manager settings using the GUI or CLI and re-enable data at rest encryption with the external key manager specified. To verify success, check for a created KMIP object in the Utimaco ESKM GUI.”
Steps to Reproduce the Issue
After completing the integration, no keys or KMIP objects appear in the Utimaco ESKM.
Using the Alletra CLI, run the following command to check the encryption configuration:
showencryption -d
If the output indicates that the keystore is set to LKM, the issue is present.
Troubleshooting Steps
As part of the integration process, a backup file is created. This backup can be used to re-enable encryption with the correct key manager configuration.
- Restore or reference the integration backup file created during setup.
- Re-enable data-at-rest encryption, explicitly selecting the External Key Manager (EKM).
- Verify the configuration again using the CLI:
  showencryption -d
- Confirm successful operation by logging into the Utimaco ESKM GUI and verifying that KMIP objects are created and keys are received from the Alletra system.
- The system correctly uses the External Key Manager and successfully exchanges keys with Utimaco ESKM.
Keystore updated as EKM