
HPE ProLiant Compute Gen12 Embedded Security QuickSpecs


    Experience unparalleled security benefits when you choose the HPE ProLiant Compute Gen12 servers for your infrastructure needs.


    These servers feature embedded security designed to protect your critical data and applications. With a focus on adaptability and scalability, they offer high performance while maintaining a strong security baseline. Backed by a comprehensive warranty, they provide peace of mind and a reliable foundation for a secure server infrastructure.

    Overview

    HPE ProLiant Compute Gen12 Embedded Security

    Make a confident choice and elevate your security posture with the unbeatable security advantages of HPE ProLiant Compute Gen12 servers.

    Physical Security Options


    HPE Integrated Lights-Out (HPE iLO 7)

    Enhance your server security with the advanced embedded security features of HPE iLO 7, allowing you to monitor ongoing management, service alerting, reporting, and remote management with confidence.


    Secure Enclave with FIPS 140-3 Level 3 support enhances Silicon Root of Trust using Advanced Key Management.


    Learn more in the iLO Security Implementation Guide: https://www.hpe.com/info/iLO

    Server Data Security

    The available Gen12 controller and drive security highlights are depicted below.

    Encryption and key management


    • Remote Key Management
      iLO manages the key exchange between the key manager and the other products. iLO uses a unique user account based on its MAC address to communicate with the key manager. For the initial creation of this account, iLO uses a deployment user account that pre-exists on the key manager with administrator privileges. For more information about deploying the user account, see the key manager documentation.

      The following key managers are supported:
      − ESKM/KMIP supported formats
      − Utimaco ESKM
      − Thales CipherTrust

    • Local Key Management
      The server securely stores local encryption keys in iLO's secure enclave, which is in process for FIPS 140-3 Level 3 validation. The encryption keys can be managed through the UEFI BIOS interface, the iLO GUI, and Redfish APIs.

    • Self-encrypting drives (SED)
      For storage devices that support the Opal Storage Specification, security is enhanced by making the storage device self-encrypting (SED). Self-encrypting drives encrypt stored data so that an unauthorized user cannot read it. The encryption keys are protected by a local master key (LMK) or through the use of a random master key (RMK).

      SED is the ideal choice for data-at-rest encryption. An SED is an HDD or SSD that contains an Advanced Encryption Standard (AES) hardware encryption engine, which encrypts data at line rate as it is written to the storage media and provides access control by locking the drive when power is lost. The media encryption key (MEK) encrypts all the user data on the drive. The MEK is itself stored encrypted on the drive, and the user cannot access it. The MEK is encrypted with a user password, also called a key encrypting key (KEK), which is used to unlock the drive. The KEK can be stored and managed by Host Key Management (HKM), Local Key Management (LKM), or Remote Key Management (RKM).

      SED is ideal for customers who need their data protected with encryption. SEDs provide data-at-rest protection, which means that when power is lost (for example, when the server is turned off), the drive is locked. If someone steals a drive from a server, they cannot read any of the data from that drive. SED performs at line rate, so it does not impact overall server performance, which is critical for customers in the financial services industry (FSI), healthcare, and U.S. government sectors.

    For more information, see the HPE Storage controllers and server: data encryption overview at the following website: https://www.hpe.com/info/SCEO.

    HPE Compute MR Controllers

    HPE Compute MR controllers support Self-Encrypting Drives (SED) that secure the drive data from unauthorized access or modification. Because the data on the drive is encrypted, it cannot be accessed without appropriate security authorization, even if an SED drive is removed from the storage system.

    The following key management types are supported:

    • Host Key Management (HKM): Manage SEDs by using third-party key management software such as SEDutil. SED monitoring is available in HPE MR Storage Administrator, the Storage Command Line Interface (StorCLI) tool, and the UEFI System Utilities.
    • Local Key Management (LKM): Enable SED drive security for local key management by using HPE MR Storage Administrator, the StorCLI tool, or the UEFI System Utilities. During setup, you provide a security key identifier and a security key. At startup, the security key stored in the controller unlocks the drive. When the drive is powered off, the security-enabled drive's data encryption key is locked.
    • Remote Key Management (RKM): The UEFI System Utilities work with the iLO key manager configuration to create the security key identifier and security key on the remote key manager server. When the drive is powered off, the security-enabled drive's data encryption key is locked. At startup, the security key is retrieved from the remote key manager server to unlock the drive.

    To view the controllers a server or compute module supports, see the QuickSpecs document at the following website: https://www.hpe.com/psnow/doc/a50004311enw.


    Authentication and Trust of Server Components - SPDM

    HPE ProLiant Compute Gen12 servers with iLO 7 use SPDM (Security Protocol and Data Model) to verify the integrity of components and to authenticate supported option cards. This extends the HPE Silicon Root of Trust to additional components and their firmware in the system. Examples of supported hardware include PCIe option cards such as storage controllers and network adapters, direct-attached NVMe drives, power supplies, storage backplanes, and riser cards.

    This feature uses open DMTF standards to enable a zero-trust configuration between the server management software and the supported server options.

    The policy on how the server reacts when a component cannot be authenticated is configurable via iLO 7 settings.

    One Button Secure Erase

    If you want to decommission a server or prepare it for a different use, you can use the One-button secure erase feature to securely erase user data from the server.


    One-button secure erase follows NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization. Its appendix recommends minimum sanitization levels for media, ensuring that even a determined malicious party cannot re-create the data that had been stored on the media. For more information about the specification, see Section 2.5 of the Guidelines for Media Sanitization.


    One-button secure erase implements the NIST SP 800-88 Revision 1 Sanitization Recommendations and returns the server and support components to the default state. This feature automates many of the tasks you follow in the Statement of Volatility document for a server.


    One-button secure erase for DevIDs and System IAK


    iLO LDevID, System LDevID, and System LAK certificates are removed during the One-button secure erase process. IDevIDs and IAKs are read-only from the factory in Gen12 and thus are not removed.


    When you use the One-button secure erase process, Hewlett Packard Enterprise recommends performing a manual iLO backup to minimize the impact of losing the iLO LDevID, System LDevID, and LAK certificates. iLO includes all the certificates in its backup service and you can restore the certificates from the backup file.


    For more information, see the One-button secure erase FAQ.

    Service and Support

    Industry Security Compliance

    • FIPS 140-3
      − iLO: FIPS 140-3 Level 1 and Level 3
      − SED: FIPS 140-3 Level 1
    • Secure Digital 4.0
    • TPM 2.0 support
      Notes: Since Gen11, the TPM is integrated by default. Placement of the TPM and the routing of electrical signals to the TPM are optimized for protection against physical attacks. Customers can view the current Trusted Platform Module (TPM) configuration and update the settings with the UEFI System Utilities. By default, the TPM 2.0 device is enabled. Operations such as disabling the TPM or clearing its contents can be performed in the UEFI System Utilities.
    • NIST
      − NIST SP 800-53: This publication provides a comprehensive set of security controls for federal information systems and organizations and covers a wide range of security areas, including access control, audit and accountability, risk assessment, and system and information integrity.
      − NIST SP 800-171: This standard outlines the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. HPE ProLiant Compute servers comply with the security controls specified in NIST SP 800-171 to ensure the protection of CUI when used in government environments.
      − NIST SP 800-88: This publication provides guidelines for media sanitization, ensuring that sensitive data is securely erased from storage media before disposal or reuse. HPE ProLiant Compute servers adhere to the media sanitization guidelines outlined in NIST SP 800-88 to prevent data breaches during the decommissioning process.
      − NIST SP 800-147B: This publication provides guidelines for protecting the BIOS in server systems against attacks. This includes protection against software attacks that could modify the contents of the BIOS storage part, as well as ensuring that flash update operations are performed securely and that images are authenticated before being committed to the BIOS storage part.
      − NIST SP 800-193: This publication provides guidelines for protecting the numerous firmware images and critical data in a compute system from unauthorized modification and attack. Similar to NIST SP 800-147B, which focused on the BIOS, this specification extends the protections to other firmware in the system, including the baseboard management controller (BMC) firmware, option card firmware (for example, network and storage controllers), drive firmware, and other firmware. In addition, the specification provides guidelines to protect critical data, such as security settings, against attacks that could compromise the security posture of the system.
    • Advanced Encryption Standard (AES)
    • LMS
    • RSA and ECDSA
    • TLS 1.3
    • OpenSSL 3.x
    • CNSA 1.0
    • Common Criteria EAL4+
    • Tamper-free updates: components are digitally signed and verified. Validate that you are using genuine HPE products here: https://www.hpe.com/us/en/validate.html

    Embedded Security


    HPE Server UEFI

    Unified Extensible Firmware Interface (UEFI) is an industry standard that provides better manageability and more secure configuration than the legacy ROM when interacting with your server at boot time. HPE ProLiant Compute Gen12 servers have a UEFI Class 3 implementation to support UEFI Mode. This means that HPE ProLiant Compute Gen12 servers only support UEFI Boot Mode and do NOT support Legacy Boot Mode.


    UEFI enables numerous capabilities specific to HPE ProLiant servers, such as:

    • UEFI Secure Boot and Secure Start, which enable enhanced security as part of the ProLiant Silicon Root of Trust
    • Embedded UEFI Shell
    • Server Configuration Lock

    Notes: The UEFI System Utilities tool is analogous to the HPE ROM-Based Setup Utility (RBSU) of legacy BIOS. For more information, please visit https://www.hpe.com/servers/uefi. Server Configuration Lock protects a server against tampering with, or compromise of, the server composition. You can enable this feature while a server is in transit, or use it all the time to monitor for configuration changes. Please visit: https://support.hpe.com/hpesc/public/docDisplay?docId=a00117189en_us&page=GUID-1AD22221-A36A-48A8-8E0D-445164A9A2E4.html

    HPE Compute Ops Management

    Unlock unparalleled security advantages across your fleet of iLO enabled servers with HPE Compute Ops Management. HPE is revolutionizing compute management by providing an intuitive cloud operating experience on the HPE GreenLake platform, ensuring streamlined and highly secure operations from the edge to the cloud. Benefit from automated key lifecycle tasks, including onboarding, updating, managing, and monitoring HPE servers, to achieve enhanced security and efficiency. Manage single locations or multiple distributed sites with ease, while leveraging batch policy controls and automated updates to keep tens to thousands of servers secure. Elevate your security posture and gain peace of mind with the comprehensive security features offered by HPE Compute Ops Management.


    For more information, visit the HPE Compute Ops Management Security Best Practices:

    https://www.hpe.com/psnow/doc/a50004263enw

    Secure Supply Chain Services

    HPE supply chain security innovation: Enhancing trust and resilience from edge to cloud: https://www.hpe.com/psnow/doc/a00134892enw?jumpid=in_pdfviewer-psnow


    At HPE, we have designed a high-performing and trusted supply chain ecosystem with our partners, suppliers, customers, and employees to provide a foundational line of defense against cybersecurity risk from cybercriminals. HPE is committed to providing a highly secure supply chain as an important step toward reducing cybersecurity risks for our customers as they modernize their hybrid cloud environments from edge to cloud.


    For Hardened Servers from HPE Global Factory Network, consider one of these specialized services:


    • HPE Trusted Supply Chain (P36394-B21) is an optional security upgrade intended for agencies and regulated industries with enhanced security and compliance needs. Applying this option to a DL3XX Gen12 CTO server ensures that it has a country of origin of the USA and is built in a secured facility by vetted HPE personnel assigned to the manufacturing processes. Many checkpoints and inspections for malicious microcode and counterfeit parts are performed throughout the server build, and additional safeguards are put in place against cyber-exploits throughout the server lifecycle. The HPE ProLiant Compute Gen12 Embedded Security is re-branded as an HPE ProLiant DL3XX Gen12 to denote the HPE Trusted Supply Chain security enhancements. Trusted Supply Chain enabled servers are Trade Agreements Act (TAA) compliant and have a country of origin of the USA. https://buy.hpe.com/us/en/options/enterprise-security-protection/security-modules/security-chips-modules/hpe-trusted-supply-chain-for-hpe-proliant/p/p36394-b21
      Notes: HPE offers multiple Trade Agreements Act (TAA) compliant configurations to meet the needs of US Federal Government customers. These products are either manufactured or substantially transformed in a designated country. TAA compliance is only provided when HPE options are included as part of factory-integrated (CTO) orders.

    Notes: For more details on overall Compute Security, please see the Compute Security Reference Guide:

    https://support.hpe.com/hpesc/public/docDisplay?docId=a00018320en_us

    Consulting Services

    No matter where you are in your journey to hybrid cloud, experts can help you map out your next steps. From determining what workloads should live where, to handling governance and compliance, to managing costs, our experts can help you optimize your operations.

    https://www.hpe.com/services/consulting


    HPE Managed Services

    HPE runs your IT operations, providing services that monitor, operate, and optimize your infrastructure and applications, delivered consistently and globally to give you unified control and let you focus on innovation.

    HPE Managed Services | HPE


    Operational services

    Optimize your entire IT environment and drive innovation. Manage day-to-day IT operational tasks while freeing up valuable time and resources. Meet service-level targets and business objectives with features designed to drive better business outcomes.

    https://www.hpe.com/services/operational


    HPE Lifecycle Services

    HPE Lifecycle Services provide a variety of options to help maintain your HPE systems and solutions at all stages of the product lifecycle. A few popular examples include:

    • Lifecycle Install and Startup Services: Various levels for physical installation and power-on, remote access setup, installation and startup, and enhanced installation services with the operating system.
    • HPE Firmware Update Analysis Service: Recommendations for firmware revision levels for selected HPE products, taking into account the relevant revision dependencies within your IT environment.
    • HPE Firmware Update Implementation Service: Implementation of firmware updates for selected HPE server, storage, and solution products, taking into account the relevant revision dependencies within your IT environment.
    • Implementation assistance services: Highly trained technical service specialists to assist you with a variety of activities, ranging from design, implementation, and platform deployment to consolidation, migration, project management, and onsite technical forums.
    • HPE Service Credits: Access to prepaid services for the flexibility to choose from a variety of specialized service activities, including assessments, performance maintenance reviews, firmware management, professional services, and operational best practices.

    Notes: To review the list of Lifecycle Services available for your product, go to:

    https://www.hpe.com/services/lifecycle


    For a list of the most frequently purchased services using service credits, see the HPE Service Credits Menu.

    Summary of Changes

    Date         Version History   Action    Description of Change
    03-Nov-2025                    Changed   Document was modified to comply with HPE rebranding strategy.
    05-May-2025                    Changed   Overview and Standard Features sections were updated.
    24-Feb-2025                    New       New QuickSpecs