9.2 Modifying the maxCrypto Configuration

To modify the maxCrypto configuration, use the General tab on the Set maxCrypto Configuration window.

If you are logged in as the Crypto Officer, you can:

  • Enable/Disable maxCrypto

  • Enable/Disable new plaintext volumes

  • Lock/Unlock firmware upgrade

  • Change the maxCrypto master encryption key

If you are logged in as the maxCrypto User, you can only Lock/Unlock firmware upgrade.

To modify the maxCrypto configuration:

  1. In the Enterprise View, select a system, then select a controller on that system.
  2. On the ribbon, in the Controller group, click Security Settings.

    When the Set maxCrypto Configuration window opens, click the General tab.

  3. Adjust the maxCrypto settings, as needed:
    • In the maxCrypto field, select Enabled or Disabled to enable/disable the maxCrypto system.

    • In the Key Management Mode drop-down, select Local to configure local key management mode, where encryption keys are generated locally using the master key. Select Remote to configure remote key management mode, where encryption keys are generated and stored on a remote key server. Remote key management mode takes effect only after a reboot. Changing from Local to Remote, or from Remote to Local, requires a master key.
      Note: For Remote key management mode, you need to configure the KMS server using Preboot.
      Note: While the key management mode is being changed, all other operations in this dialog are disabled.
    • In the Allow New Plaintext Volumes field, select Enabled to allow plaintext volumes and encrypted volumes in your storage space. Select Disabled to allow encrypted volumes only in your storage space.

    • In the Firmware Locked for Update field, select Unlocked to allow firmware upgrades. Select Locked to block firmware upgrades.

    • To change the master encryption key, click Change Master Key, then enter the new key in the Set/Change Master Key field.

      The Master Key is a 10-32 character string that may contain any printable ASCII characters.

      CAUTION: Be sure to record the master key and store it in a safe place. Once set, the Master Key cannot be displayed or recovered, only reset. Failure to provide the Master Key may result in encrypted data being irretrievable.
    • In the Local Key Cache field, select Enabled to store the keys in a local cache, which allows access to encrypted logical device(s) when the remote key server is offline. Select Disabled to remove the local keys from the cache. When Local Key Cache is enabled:
      • The Attempts Remaining Before Clearing Local Key Cache field is also enabled. Use it to specify the number of attempts to access the key manager before the local key cache store is deleted.
      • The Retry Interval In Minutes field is also enabled. Use it to specify the time in minutes between attempts to reach the key manager and validate the key cache.
  4. Click OK.
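
An added example, not part of the vendor documentation: a Python helper that generates a random master key within the 10-32 character printable-ASCII limit given in step 3 and checks a candidate key before it is entered in the Set/Change Master Key field. The function names are hypothetical, and the code assumes "printable ASCII" means code points 0x20-0x7E; the generator leaves out the space character.

```python
import math
import secrets
import string

# Limits stated in step 3: a 10-32 character string of printable ASCII.
MIN_LEN, MAX_LEN = 10, 32
# Assumption: "printable ASCII" is 0x20-0x7E (space through tilde).
PRINTABLE = {chr(c) for c in range(0x20, 0x7F)}
# The generator skips the space character so that a recorded key cannot
# silently lose a leading or trailing blank. 94 symbols remain.
GEN_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def check_master_key(key: str) -> list:
    """Return format problems and transcription hazards; empty list means OK."""
    problems = []
    if not MIN_LEN <= len(key) <= MAX_LEN:
        problems.append(f"length {len(key)} is outside {MIN_LEN}-{MAX_LEN}")
    bad = sorted({c for c in key if c not in PRINTABLE})
    if bad:
        codes = ", ".join(f"U+{ord(c):04X}" for c in bad)
        problems.append(f"characters outside printable ASCII: {codes}")
    if key != key.strip():
        problems.append("leading or trailing whitespace is easy to lose when recorded")
    return problems


def generate_master_key(length: int = MAX_LEN) -> str:
    """Draw each character from the OS CSPRNG via the secrets module."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be {MIN_LEN}-{MAX_LEN}")
    return "".join(secrets.choice(GEN_ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(GEN_ALPHABET)) -> float:
    """Entropy of a uniformly random key of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    key = generate_master_key()
    assert check_master_key(key) == []
    print(f"{len(key)} characters, about {entropy_bits(len(key)):.0f} bits")
    print(key)  # record it now: once set, it cannot be displayed or recovered
```

Because the master key cannot be displayed or recovered once set, record the generated value in your key escrow process before clicking OK.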