Encryption with Self Encrypting Drive (SED)
An SED has a built-in encryption function, and data can be encrypted by controlling that function from the
controller. An SED uses encryption keys when encrypting and storing data. These encryption keys cannot
be taken out of the drive. Furthermore, because data on an SED cannot be decrypted without an authentication key,
information cannot be leaked from drives that have been replaced during maintenance, even if they are not
physically destroyed.
Once an SED authentication key is registered in an ETERNUS AF, no additional encryption configuration is
necessary each time a drive is added.
Data encryption by SED places no encryption processing load on the controller, and data access performance
equivalent to that of unencrypted access can be ensured.
Figure 34 Data Encryption with Self Encrypting Drives (SED)
[Figure: an ETERNUS AF with self-encrypting drives and non-self-encrypting drives. Callouts: setting encryption
when adding new drives is not required; access performance is the same as when non-encrypted drives are accessed.]
To access the drives, the controller performs authentication by using either the authentication key (common key)
that is stored in the controller or the authentication key that is retrieved from the key server. The
authentication key that is registered in the ETERNUS AF can be created automatically by using the
settings in ETERNUS Web GUI or ETERNUS CLI.
By linking with the key server, the authentication key of an SED can be managed from the key server. Creating
and storing an authentication key in a key server makes it possible to manage the authentication key more
securely.
By consolidating authentication keys for multiple ETERNUS AF storage systems in the key server, the
management cost of authentication keys can be reduced.
Key management server linkage can be used with an SED authentication key operation.
Only one unique SED authentication key is registered in each ETERNUS AF.
Caution
The firmware data encryption function cannot be used for volumes that are configured with SEDs.
Note
• The SED authentication key (common key) is registered at the time of shipping, regardless of whether
  an SED has been prepared. However, only models that can be installed with SEDs can use the encryption
  function with Self Encrypting Drive (SED).
• The common key is used to authenticate RAID groups when key management server linkage is not used.
2. Basic Functions
Data Encryption
Design Guide