•
When copying encrypted volumes (using Advanced Copy or copy operations via server OS), transfer
performance may not be as good as when copying unencrypted volumes.
•
SDPVs cannot be encrypted after they are created. To create an encrypted SDPV, set encryption when
creating a volume.
•
TPVs cannot be encrypted individually. The encryption status of the TPVs depends on the encryption
status of the TPP to which the TPVs belong.
•
FTVs cannot be encrypted individually. The encryption status of the FTVs depends on the encryption
status of the FTRP to which the FTVs belong.
•
The firmware data encryption function cannot be used for volumes that are configured with SEDs.
•
The volumes in a RAID6-FR RAID group cannot be converted to encrypted volumes.
When creating an encrypted volume in a RAID6-FR RAID group, specify the encryption setting when
creating the volume.
Key Management Server Linkage
Security for authentication keys that are used for authenticating encryption from Self Encrypting Drives (SEDs)
can be enhanced by managing the authentication key in the key server.
•
Key life cycle management
A key is created and stored in the key server. A key can be obtained by accessing the key server from the
ETERNUS AF when required. A key cannot be stored in the ETERNUS AF. Managing a key in an area that is
different from where an SED is stored makes it possible to manage the key more securely.
•
Key management consolidation
When multiple ETERNUS AF storage systems are used, a different authentication key for each ETERNUS AF can
be stored in the key server.
The key management cost can be reduced by consolidating key management.
•
Key renewal
A key is automatically renewed before it expires by setting a key expiration date. Security against information
leakage can be enhanced by regularly renewing the key.
The key is automatically renewed after the specified period of time. Key operation costs can be reduced by
renewing the key automatically. In addition, the key can be forcibly renewed manually.
In the ETERNUS AF, a "key group" is used as the unit for using the key in the key server. Key groups consist of
RAID groups that use an authentication key stored on the key server.
To use an authentication key in the key server, a key group needs to be created. Multiple RAID groups can be
registered in a key group. Note that only one key group can be created in each ETERNUS AF. One authentication
key can be specified for each key group. The authentication key for a key group can be changed.
Setting a period of time for the validity of the authentication key in the key server by using the ETERNUS AF
enables the key to be automatically updated by obtaining a new key from the key server before the validity of
the key expires. Access from the host (server) can be maintained even if the SED authentication key is changed
during operation.
The following table shows functions for SED authentication keys and key management server linkage.
Table 31
Functional Comparison between the SED Authentication Key (Common Key) and Key Management
Server Linkage
Function
SED authentication key
Key Management Server Linkage
Key creation
In the ETERNUS AF
Key server
Key storage
In the ETERNUS AF
Key server
Key renewal (auto/manual)
No
Yes
Key compromise (*1)
No
Yes
2. Basic Functions
Data Encryption
72
Design Guide
Содержание ETERNUS AF S3 Series
Страница 204: ......