Encryption With Self Encrypting Drive (Sed); Figure 39 Data Encryption With Self Encrypting Drives (Sed) - Fujitsu ETERNUS DX500 S4/DX600 S4 Design Manual

2. Basic Functions
Data Encryption

Encryption with Self Encrypting Drive (SED)

An SED has a built-in encryption function and data can be encrypted by controlling the encryption function of an
SED from the controller. An SED uses encryption keys when encrypting and storing data. Encryption keys cannot
be taken out of the drive. Furthermore, because SEDs cannot be decrypted without an authentication key, infor-
mation cannot be leaked from drives which have been replaced during maintenance, even if they are not physi-
cally destroyed.
Once an SED authentication key is registered to an ETERNUS DX, additional configuration on encryption is not
necessary each time a drive is added.
Data encryption by SED has no load on the controller for encryption process, and the equivalent data access per-
formance to unencrypted process can be ensured.

Figure 39 Data Encryption with Self Encrypting Drives (SED)

Access performance is the
same as when non-encrypted
drives are accessed.
ETERNUS DX
The controller performs authentication by using the authentication key that is stored in the controller or by us-
ing the authentication key that is retrieved from the key server to access the drives. For the authentication key
that can be registered in the ETERNUS DX, this key can be automatically created by using the settings in ETER-
NUS Web GUI or ETERNUS CLI.
By linking with the key server, the authentication key of an SED can be managed from the key server. Creating
and storing an authentication key in a key server makes it possible to manage the authentication key more se-
curely.
By consolidating authentication keys for multiple ETERNUS DX storage systems in the key server, the manage-
ment cost of authentication keys can be reduced.
Key management server linkage can be used with an SED authentication key operation.
Only one unique SED authentication key can be registered in each ETERNUS DX.
The firmware data conversion encryption function cannot be used for volumes that are configured with
•
SEDs.
Register the SED authentication key (common key) before installing SEDs in the ETERNUS DX.
•
If an SED is installed without registering the SED authentication key, data leakage from the SED is possible
when it is physically removed.
Only one key can be registered in each ETERNUS DX. This common key is used for all of the SEDs that are
•
installed. Once the key is registered, the key cannot be changed or deleted. The common key is used to
authenticate RAID groups when key management server linkage is not used.
FUJITSU Storage ETERNUS DX500 S4/DX600 S4, ETERNUS DX500 S3/DX600 S3 Hybrid Storage Systems Design Guide (Basic)
Setting encryption when
adding new drives is not
required.
Self-encrypting drives
Non-self-encrypting drives
67
Copyright 2019 FUJITSU LIMITED
P3AM-7722-25ENZ0