Key Management Server Linkage - Fujitsu ETERNUS DX100 S4 Design Manual

Hybrid storage systems

2. Basic Functions
Data Encryption
The encryption method for encrypted volumes cannot be changed. Encrypted volumes cannot be changed to unencrypted volumes.
To change the encryption method or cancel the encryption for a volume, back up the data in the encrypted volume, delete the encrypted volume, and restore the backed up data.
If a firmware encrypted pool (TPP or FTRP) or volume exists, the encryption method cannot be changed regardless of whether the volume is registered to a pool.
It is recommended that the copy source volume and the copy destination volume use the same encryption method for Remote Advanced Copy between encrypted volumes.
When copying encrypted volumes (using Advanced Copy or copy operations via server), transfer performance may not be as good as when copying unencrypted volumes.
SDPVs cannot be encrypted after they are created. To create an encrypted SDPV, set encryption when creating a volume.
TPVs cannot be encrypted individually. The encryption status of the TPVs depends on the encryption status of the TPP to which the TPVs belong.
FTVs cannot be encrypted individually. The encryption status of the FTVs depends on the encryption status of the FTRP to which the FTVs belong.
The firmware data encryption function cannot be used for volumes that are configured with SEDs.
The volumes in a RAID6-FR RAID group cannot be converted to encrypted volumes.
When creating an encrypted volume in a RAID6-FR RAID group, specify the encryption setting when creating the volume.

Key Management Server Linkage

Security for the authentication keys that are used to authenticate encryption on Self Encrypting
Drives (SEDs) can be enhanced by managing the authentication key in the key server.
Key life cycle management
A key is created and stored in the key server. A key can be obtained by accessing the key server
from the ETERNUS DX when required. A key cannot be stored in the ETERNUS DX. Managing a
key in an area that is different from where an SED is stored makes it possible to manage the key
more securely.
Key management consolidation
When multiple ETERNUS DX storage systems are used, a different authentication key for each
ETERNUS DX can be stored in the key server.
The key management cost can be reduced by consolidating key management.
Key renewal
A key is automatically renewed before it expires by setting a key expiration date. Security against
information leakage can be enhanced by regularly changing the key.
The key is automatically changed after the specified period of time. Key operation costs can be
reduced by changing the key automatically. A forced key change can also be performed
manually.
Fujitsu Storage ETERNUS DX100 S4/DX200 S4, ETERNUS DX100 S3/DX200 S3 Hybrid Storage Systems Design Guide (Basic)
Copyright 2023 Fujitsu Limited
P3AM-7642-32ENZ0

This manual is also suitable for: ETERNUS DX200 S4, ETERNUS DX100 S3, ETERNUS DX200 S3
