
V-283027

CAT II (Medium)

The HPE Alletra Storage ArcusOS device must implement cryptographic mechanisms to prevent unauthorized disclosure and modification of all information at rest on all system components.

Rule ID

SV-283027r1193771_rule

STIG

HPE Alletra Storage ArcusOS Web Server Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001199

Discussion

Data at rest is inactive data which is stored physically in any digital form (e.g., databases, data warehouses, spreadsheets, archives, tapes, off-site backups, mobile devices, etc.). Data at rest includes, but is not limited to, archived data, data that is not accessed or changed frequently, files stored on hard drives, USB thumb drives, files stored on backup tape and disks, and files stored off-site or on a storage area network. While data at rest can reside in many places, data at rest for a web server is data on the hosting system storage devices. Data stored as a backup on tape or stored off-site is no longer under the protection measures covered by the web server. There are several pieces of data that the web server uses during operation. The web server must use an accepted encryption method, such as SHA1, to protect the confidentiality and integrity of the information.

Check Content

Verify HPE Alletra Storage MP is configured to provide backend drive encryption with the following command:

cli% controlencryption status -d
Licensed Enabled BackupSaved State  SeqNum Keystore FIPS non-SEDs FailedDisks nodeNonSED
yes      yes      yes          normal      0 ---      yes        12           0          0

If the output does not show Licensed, Enabled, BackupSaved, and FIPS as "yes", this is a finding.

If the state is not "normal", this is a finding.

If Keystore is not "EKM", this is a finding.
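
The finding conditions above can be evaluated mechanically over captured command output. The following Python is an added example, not part of the STIG or of HPE tooling; it assumes the output has been saved as text with whitespace-separated, non-empty fields, and the function names are hypothetical.

```python
# Added example: evaluate captured "controlencryption status -d" output
# against the finding conditions listed under Check Content.
REQUIRED_YES = ("Licensed", "Enabled", "BackupSaved", "FIPS")

# Output exactly as shown on this page (Keystore column reads "---").
PAGE_SAMPLE = """\
Licensed Enabled BackupSaved State  SeqNum Keystore FIPS non-SEDs FailedDisks nodeNonSED
yes      yes      yes          normal      0 ---      yes        12           0          0
"""
# Constructed sample: same row with the Keystore value set to EKM.
COMPLIANT_SAMPLE = PAGE_SAMPLE.replace("---", "EKM")


def parse_status(output):
    """Map header columns to values; assumes whitespace-separated fields."""
    rows = [ln.split() for ln in output.splitlines() if ln.strip()]
    for i, row in enumerate(rows):
        if row[0] == "Licensed":  # header row; skips any echoed prompt line
            if i + 1 >= len(rows) or len(rows[i + 1]) != len(row):
                raise ValueError("value row missing or column count mismatch")
            return dict(zip(row, rows[i + 1]))
    raise ValueError("status header not found")


def findings(output):
    """Return the reasons the output is a finding; empty list means none."""
    try:
        status = parse_status(output)
    except ValueError as exc:
        return [f"unparseable output: {exc}"]  # fail closed, never pass
    expected = {col: "yes" for col in REQUIRED_YES}
    expected.update(State="normal", Keystore="EKM")
    return [
        f'{col} is "{status.get(col)}", expected "{want}"'
        for col, want in expected.items()
        if status.get(col) != want
    ]


if __name__ == "__main__":
    for name, text in (("page", PAGE_SAMPLE), ("constructed", COMPLIANT_SAMPLE)):
        print(name, findings(text) or "no finding")
```

Run against the sample output shown above, the check reports the Keystore column, which reads "---" rather than "EKM".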

Fix Text

Enable data at rest encryption.

If "cli% showlicense" does not show "SED Encryption" under "License features currently enabled:", then import a SED Encryption license with the "cli% setlicense" command.

Create a CSR for the EKM:
cli% createcert ekm-client -f -csr -CN ekm_username

Sign the CSR with a CA and import the entire certificate chain with:
cli% importcert ekm-client -f stdin
Paste the ekm-client certificate chain.

Import the EKM Server Certificates:
cli% createcert ekm-server -f stdin
Paste the ekm-server certificate chain.

Set the connection to the EKM with the following command:
cli% controlencryption setekm -setserver <EKM_IP> -port 5696 -ekmuser ekm_username -kmipprotocols (supported protocols by the ekm) -passwordnoprompt <ekm_user_password>

Enable encryption with the following command:
cli% controlencryption enable -ekm /common/encryptionBackup

Enter passwords and save the encryption backup file off of the array for disaster recovery.