
Hitachi Unified Storage VM Block Module 73-03-5x

Encryption Key License User Guide

MK-92HM7051-06 October 2018

© 2012, 2018 Hitachi, Ltd. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including copying and recording, or stored in a database or retrieval system for commercial purposes without the express written permission of Hitachi, Ltd., or Hitachi Vantara Corporation (collectively “Hitachi”). Licensee may make copies of the Materials provided that any such copy is: (i) created as an essential step in utilization of the Software as licensed and is used in no other manner; or (ii) used for archival purposes. Licensee may not make any other copies of the Materials. “Materials” mean text, data, photographs, graphics, audio, video and documents.

Hitachi reserves the right to make changes to this Material at any time without notice and assumes no responsibility for its use. The Materials contain the most current information available at the time of publication.

Some of the features described in the Materials might not be currently available. Refer to the most recent product announcement for information about feature and product availability, or contact Hitachi Vantara Corporation at https://support.hitachivantara.com/en_us/contact-us.html.

Notice: Hitachi products and services can be ordered only under the terms and conditions of the applicable Hitachi agreements. The use of Hitachi products is governed by the terms of your agreements with Hitachi Vantara Corporation.

By using this software, you agree that you are responsible for:

1. Acquiring the relevant consents as may be required under local privacy laws or otherwise from authorized employees and other individuals; and

2. Verifying that your data continues to be held, retrieved, deleted, or otherwise processed in accordance with relevant laws.

Notice on Export Controls. The technical data and technology inherent in this Document may be subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Reader agrees to comply strictly with all such regulations and acknowledges that Reader has the responsibility to obtain licenses to export, re-export, or import the Document and any Compliant Products.

Hitachi is a registered trademark of Hitachi, Ltd., in the United States and other countries.

AIX, AS/400e, DB2, Domino, DS6000, DS8000, Enterprise Storage Server, eServer, FICON, FlashCopy, IBM, Lotus, MVS, OS/390, PowerPC, RS/6000, S/390, System z9, System z10, Tivoli, z/OS, z9, z10, z13, z/VM, and z/VSE are registered trademarks or trademarks of International Business Machines Corporation.

Active Directory, ActiveX, Bing, Excel, Hyper-V, Internet Explorer, the Internet Explorer logo, Microsoft, the Microsoft Corporate Logo, MS-DOS, Outlook, PowerPoint, SharePoint, Silverlight, SmartScreen, SQL Server, Visual Basic, Visual C++, Visual Studio, Windows, the Windows logo, Windows Azure, Windows PowerShell, Windows Server, the Windows start button, and Windows Vista are registered trademarks or trademarks of Microsoft Corporation. Microsoft product screen shots are reprinted with permission from Microsoft Corporation.

All other trademarks, service marks, and company names in this document or website are properties of their respective owners.


Preface

This document describes and provides instructions for performing operations on the Hitachi Unified Storage VM (HUS VM) storage system.

Please read this document carefully to understand how to use this product, and maintain a copy for your reference.

Intended audience

This document is intended for system administrators, Hitachi Vantara representatives, and authorized service providers who install, configure, and operate the Hitachi Unified Storage VM (HUS VM) storage system.

Readers of this document should be familiar with the following:
■ Data processing and RAID storage systems and their basic functions.
■ The HUS VM storage system and the HUS VM Block Module Hardware User Guide.
■ The Storage Navigator software and the Storage Navigator User Guide.

Product version

This document revision applies to HUS VM firmware 73-03-5x or later.

Release notes

Read the release notes before installing and using this product. They may contain requirements or restrictions that are not fully described in this document or updates or corrections to this document. Release notes are available on Hitachi Vantara Support Connect: https://knowledge.hitachivantara.com/Documents.

Document conventions

This document uses the following typographic conventions:


Convention Description

Bold
■ Indicates text in a window, including window titles, menus, menu options, buttons, fields, and labels. Example: Click OK.
■ Indicates emphasized words in list items.

Italic
■ Indicates a document title or emphasized words in text.
■ Indicates a variable, which is a placeholder for actual text provided by the user or for output by the system. Example: pairdisplay -g group
(For exceptions to this convention for variables, see the entry for angle brackets.)

Monospace
Indicates text that is displayed on screen or entered by the user. Example: pairdisplay -g oradb

< > angle brackets
Indicates variables in the following scenarios:
■ Variables are not clearly separated from the surrounding text or from other variables. Example: Status-<report-name><file-version>.csv
■ Variables in headings.

[ ] square brackets
Indicates optional values. Example: [ a | b ] indicates that you can choose a, b, or nothing.

{ } braces
Indicates required or expected values. Example: { a | b } indicates that you must choose either a or b.

| vertical bar
Indicates that you have a choice between two or more options or arguments. Examples:
[ a | b ] indicates that you can choose a, b, or nothing.
{ a | b } indicates that you must choose either a or b.

Conventions for storage capacity values

Physical storage capacity values (for example, disk drive capacity) are calculated based on the following values:

Physical capacity unit Value
1 kilobyte (KB) 1,000 (10^3) bytes
1 megabyte (MB) 1,000 KB or 1,000^2 bytes
1 gigabyte (GB) 1,000 MB or 1,000^3 bytes
1 terabyte (TB) 1,000 GB or 1,000^4 bytes
1 petabyte (PB) 1,000 TB or 1,000^5 bytes
1 exabyte (EB) 1,000 PB or 1,000^6 bytes

Logical capacity values (for example, logical device capacity, cache memory capacity) are calculated based on the following values:

Logical capacity unit Value
1 block 512 bytes
1 cylinder Mainframe: 870 KB; Open-systems: OPEN-V: 960 KB, Others: 720 KB
1 KB 1,024 (2^10) bytes
1 MB 1,024 KB or 1,024^2 bytes
1 GB 1,024 MB or 1,024^3 bytes
1 TB 1,024 GB or 1,024^4 bytes
1 PB 1,024 TB or 1,024^5 bytes
1 EB 1,024 PB or 1,024^6 bytes

Accessing product documentation

Product user documentation is available on Hitachi Vantara Support Connect: https://knowledge.hitachivantara.com/Documents. Check this site for the most current documentation, including important updates that may have been made after the release of the product.

Getting help

Hitachi Vantara Support Connect is the destination for technical support of products and solutions sold by Hitachi Vantara. To contact technical support, log on to Hitachi Vantara Support Connect for contact information: https://support.hitachivantara.com/en_us/contact-us.html.

Hitachi Vantara Community is a global online community for Hitachi Vantara customers, partners, independent software vendors, employees, and prospects. It is the destination to get answers, discover insights, and make connections. Join the conversation today! Go to community.hitachivantara.com, register, and complete your profile.

Comments

Please send us your comments on this document to [email protected]. Include the document title and number, including the revision level (for example, -07), and refer to specific sections and paragraphs whenever possible. All comments become the property of Hitachi Vantara Corporation.

Thank you!


1 Encryption License Key Overview

To guarantee the security of the data, use the Encryption License Key feature to encrypt the data stored in an LDEV. The Encryption License Key feature provides redundant backup and restore capabilities to ensure data availability.

□ Encryption License Key benefits

□ Encryption License Key support specifications

□ When are data encryption keys needed

□ Primary and secondary data encryption keys

□ KMIP key management server support

□ Data encryption workflow

□ Disable encrypted data workflow

□ Change data encryption key workflow

□ Audit logging of encryption events

□ Encryption states and protection

□ Interoperability with other software applications


Encryption License Key benefits

Encrypting data can prevent information loss or leaks if a disk drive is physically removed from the system. Failure, loss, or theft are the most common reasons for information loss.

The following lists the benefits of using the Encryption License Key feature:

• Hardware-based AES 256 encryption in XTS mode for open systems.
• You can apply encryption to some or all of the internal drives without throughput or latency impacts for data I/O and little to no disruption to existing applications and infrastructure.
• Simplified and integrated key management that does not require specialized key management infrastructure.

Encryption License Key support specifications

The following table lists the Encryption License Key feature’s support specifications.

Item Specification

Hardware specifications
• Encryption algorithm: Advanced Encryption Standard (AES) 256 bit.
• Encryption mode: XTS mode.

LDEVs that you can encrypt
• Volume type: Open.
• Emulation type: OPEN-V.
• Internal/external LDEVs: Internal LDEVs only.
• LDEV with existing data: Supported. Requires data migration.

Managing data encryption keys
• Creating data encryption keys: Use Storage Navigator to create the data encryption key.
• Deleting data encryption keys: Use Storage Navigator to delete data encryption keys. However, you cannot delete data encryption keys that are allocated to implemented drives.
• Scope of data encryption keys: 1,536 data encryption keys per storage system. You can create 1,536 Free keys or DEK keys. The total number of data encryption keys will be 1,545 when including CEK keys and KEK keys.
• Attribute of encryption keys: The following attributes will be set for the encryption keys:
  Free: The unused key before allocating the encryption key.
  DEK: The encryption key. The key for the encryption of the stored data.
  CEK: The certificate encryption key. The key for the encryption of the certificate and the key for the encryption of DEK per HDD.
  KEK: Key Encryption Key. The key for the encryption of the CEK.
• Backup/Restore functionality: Redundant (P-VOL and S-VOL) backup/restore copies.

When are data encryption keys needed

After you have completed the encryption environmental settings, you will need data encryption keys to work on the following operations:

• Increasing drives: A Free key is needed for each drive to allocate a DEK key.
• Replacing drives: A Free key is needed for each drive to change a DEK key.
• Replacing disk blades: 3 Free keys are needed for each disk blade to create 2 CEK keys and a key to register CEK keys.
• Updating CEK keys: 2 Free keys for each disk blade (8 Free keys per storage system) are needed to change CEK keys.

Primary and secondary data encryption keys

The Hitachi Unified Storage VM (HUS VM) storage system uses the Encryption License Key feature to set up the data encryption keys to encrypt and decrypt data.

You can use the Encryption License Key feature to back up data encryption keys. The Hitachi Unified Storage VM storage system automatically creates a primary backup of the data encryption key, and stores this backup on each MP package.

You can create a secondary backup data encryption key. The secondary backup is required to restore the key if the primary backup is unavailable.

Hitachi Data Systems recommends that you back up each key or group of keys immediately after you create them. You are responsible for storing the secondary backup securely. Schedule regular backups for all keys at the same time one time every week to ensure data availability.


In addition, it is recommended that you back up each key after you perform any of the following operations:

• Creating encryption keys.
• Increasing, decreasing, or replacing drives.
• Replacing disk blades.
• Updating CEK keys.
• Updating KEK keys.

For more information about backing up secondary data encryption keys, see Workflow for backing up encryption keys on page 4-4.

Caution: You must add storing secondary backup encryption keys securely as part of your corporate security policy. If the primary backup key becomes unavailable and no secondary backup key exists, the system cannot decrypt encrypted data.

KMIP key management server support

Using the Hitachi Unified Storage VM storage system, you can create backup and restore data encryption keys on a key management server that supports Key Management Interoperability Protocol (KMIP).

There are a limited number of keys you can back up on the key management server. Therefore, it is recommended that you delete unnecessary keys when possible.

For more information about backing up data encryption keys to a key management server, see Backing up keys to a key management server on page 4-5.

Data encryption workflow

The Encryption License Key feature provides data encryption at the parity-group level to protect the data on LDEVs. Use the following process to set up for and enable data encryption:

1. A secondary data encryption key is backed up.
2. Data encryption is enabled at the parity-group level.
3. The logical devices (LDEVs) in the parity group are formatted.

For more information about enabling data encryption, see Enabling data encryption at the parity-group level on page 4-7.

Data encryption on existing data workflow

Use the following process to encrypt existing data:

1. A new parity group is created. Your service representative creates parity groups using the SVP.
2. Data encryption is enabled on the parity group.
3. The LDEVs in the encrypted parity group are formatted.
4. The existing data is migrated to the new LDEVs in the encrypted parity group.

For more information about moving unencrypted data to an encrypted environment, see Workflow for moving unencrypted data to an encrypted environment on page 4-12.

Disable encrypted data workflow

Use the following process to disable encryption:

1. Data in the parity group is backed up.
2. Data encryption is disabled at the parity-group level.
3. The LDEVs in the parity group are formatted.
4. The LDEVs are unblocked.

For more information about disabling encryption, see Workflow for disabling data encryption at the parity-group level on page 4-9.

Change data encryption key workflow

You must migrate data to encrypt data with a different data encryption key on the Hitachi Unified Storage VM storage system.

For more information about migration practices with encryption, see Migration practices with encryption on page 1-5.

Use the following process to change encryption keys:

1. A new parity group is created.
2. Encryption is enabled with a new data encryption key.
3. The LDEVs in the encrypted parity group are formatted.
4. The source data is migrated to the new target LDEVs in the encrypted parity group.
5. The data is encrypted with the new data encryption key on the Hitachi Unified Storage VM storage system.

Note: When you exchange the drive, data encryption keys that are allocated to the drive will be deleted. New data encryption keys will be allocated when the new drive is implemented.

Migration practices with encryption

Migrate encrypted source data by encrypting the target LDEV. Migrate data on a per-LDEV basis. As a best practice, match encrypted areas with other encrypted areas. Do not mix encrypted and unencrypted areas.

Note: When migrating an encrypted LUSE LDEV, migrate all LDEVs within the LUSE volume so that you do not have encrypted and non-encrypted areas.

For more information about encrypting an LDEV, see Enabling Encryption on page 4-7.

Audit logging of encryption events

The Hitachi Unified Storage VM storage system Audit Log feature provides audit logging of events that happen in the system. The audit log records events related to data encryption and data encryption keys.

For more information about audit logging, audit log events, and the Audit Log feature, see the Hitachi Storage Navigator User Guide and the Hitachi Audit Log User Guide.

Encryption states and protection

Match the encryption states of the primary (P-VOL) and secondary (S-VOL), pool (pool-VOL), or journal. The encryption states must match to copy data or differential data and to protect the data. If the state of the P-VOL is “Encrypt”, then the state of all other LDEVs referenced by or associated with the P-VOL should also be “Encrypt”.

This practice also applies to migration situations.

For more information about migration and encryption, see Migration practices with encryption on page 1-5.

Interoperability with other software applications

Use the following table to determine the interoperability of software applications with data encryption.

Software application Interoperability notes

ShadowImage and TrueCopy
Encrypt the P-VOL and S-VOLs to ensure data security.

Thin Image
Match the encryption states of the P-VOL and pool-VOL. If the P-VOL is encrypted, encrypt all of the pool-VOLs. If the data pool contains a non-encrypted pool-VOL, the differential data of the P-VOL is not encrypted.

Universal Replicator
Match the encryption states of a P-VOL and S-VOL. If you encrypt the P-VOL only, the data copied to the S-VOL is not encrypted and is not protected. When you encrypt a P-VOL or S-VOL, use a journal to which only encrypted LDEVs are registered as journal volumes. If the encryption states of the P-VOL, S-VOL, and journal volumes do not match, the journal data in the P-VOL is not encrypted, and the security of the data cannot be guaranteed.

Volume Migration
When encrypting the source volume, encrypt the target volume as well. Otherwise, data in the target volume is not encrypted. In this case, the security of the data cannot be guaranteed. To move an encrypted LUSE volume, move all LDEVs within the LUSE volume. If you move only some volumes, the LUSE volume has encrypted areas and unencrypted areas. In this case, the security of the data cannot be guaranteed. When a LUSE volume is moved automatically, data is not copied between the encrypted and unencrypted areas.

LUN Expansion (LUSE)
Encrypt all LDEVs to ensure all areas are encrypted. For more information about LUSE LDEVs and migration practices, see Migration practices with encryption on page 1-5.

Dynamic Provisioning and Dynamic Tiering
When enabling encryption for data written to a data pool with a V-VOL, use a data pool that consists of encrypted volumes. Note: If encryption is set, encryption formatting for pool volumes and virtual volumes is also required.
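The matching rules from "Encryption states and protection" and the interoperability table above can be checked mechanically against an LDEV inventory. The following is an added example (not Hitachi's code and not part of the guide); the LDEV ids, the "Disable" label for an unencrypted LDEV, and the relationship records are constructed inputs that stand in for what an administrator would export from Storage Navigator.

```python
"""Audit encryption-state consistency across HUS VM volume relationships.

Rules encoded from the guide: for ShadowImage, TrueCopy, Thin Image,
Universal Replicator, Volume Migration and Dynamic Provisioning pools, every
LDEV that receives data from an encrypted P-VOL (S-VOL, pool-VOL, target)
must itself be "Encrypt"; Universal Replicator journal volumes must be
encrypted whenever the P-VOL or S-VOL is; a LUSE volume must not contain
both encrypted and unencrypted member LDEVs.
"""
from dataclasses import dataclass, field

ENCRYPT = "Encrypt"   # state Storage Navigator shows for an encrypted LDEV
DISABLE = "Disable"   # constructed label for an unencrypted LDEV (assumption)


@dataclass
class Relationship:
    kind: str                 # e.g. "TrueCopy", "Thin Image", "LUSE"
    primary: str              # P-VOL, migration source, or first LUSE member
    dependents: list[str]     # S-VOLs, pool-VOLs, migration targets, LUSE members
    journals: list[str] = field(default_factory=list)  # UR journal volumes only


@dataclass
class Finding:
    kind: str
    ldev: str
    message: str


def audit(states: dict[str, str], relationships: list[Relationship]) -> list[Finding]:
    """Return one Finding per LDEV whose encryption state breaks the rules."""
    findings: list[Finding] = []
    for rel in relationships:
        members = [rel.primary, *rel.dependents, *rel.journals]
        # An LDEV with no recorded state cannot be assumed to be encrypted.
        missing = [m for m in members if m not in states]
        for m in missing:
            findings.append(Finding(rel.kind, m, "no encryption state recorded"))
        if missing:
            continue
        if rel.kind == "LUSE":
            # Mixed states inside one LUSE volume leave unencrypted areas.
            if len({states[m] for m in members}) > 1:
                for m in members:
                    if states[m] != ENCRYPT:
                        findings.append(Finding(
                            rel.kind, m, "LUSE volume mixes encrypted and unencrypted areas"))
            continue
        p_state = states[rel.primary]
        for dep in rel.dependents:
            d_state = states[dep]
            if d_state == p_state:
                continue
            if p_state == ENCRYPT:
                msg = f"{rel.primary} is {ENCRYPT} but {dep} is {d_state}: copied data is not protected"
            else:
                msg = f"{rel.primary} is {p_state} but {dep} is {d_state}: encryption states do not match"
            findings.append(Finding(rel.kind, dep, msg))
        if rel.kind == "Universal Replicator":
            # Journal data is written for the pair, so the journal must be
            # encrypted as soon as either side of the pair is.
            pair_encrypted = p_state == ENCRYPT or any(
                states[d] == ENCRYPT for d in rel.dependents)
            for j in rel.journals:
                if pair_encrypted and states[j] != ENCRYPT:
                    findings.append(Finding(
                        rel.kind, j, "journal volume is not encrypted: journal data is not protected"))
    return findings


# Constructed sample inventory: LDEV id -> encryption state (not real data).
SAMPLE_STATES = {
    "00:10": ENCRYPT, "00:11": ENCRYPT,                    # ShadowImage pair, consistent
    "00:20": ENCRYPT, "00:21": DISABLE,                    # TrueCopy S-VOL left unencrypted
    "00:30": ENCRYPT, "00:31": ENCRYPT, "00:32": DISABLE,  # Thin Image pool with one plain pool-VOL
    "00:40": ENCRYPT, "00:41": ENCRYPT, "00:42": DISABLE,  # UR pair fine, journal unencrypted
    "00:50": ENCRYPT, "00:51": ENCRYPT, "00:52": DISABLE,  # LUSE with mixed members
    "00:60": DISABLE, "00:61": DISABLE,                    # unencrypted migration, consistent
}

SAMPLE_RELATIONSHIPS = [
    Relationship("ShadowImage", "00:10", ["00:11"]),
    Relationship("TrueCopy", "00:20", ["00:21"]),
    Relationship("Thin Image", "00:30", ["00:31", "00:32"]),
    Relationship("Universal Replicator", "00:40", ["00:41"], journals=["00:42"]),
    Relationship("LUSE", "00:50", ["00:51", "00:52"]),
    Relationship("Volume Migration", "00:60", ["00:61"]),
    Relationship("Volume Migration", "00:60", ["00:99"]),  # target missing from inventory
]


def run_demo() -> list[Finding]:
    return audit(SAMPLE_STATES, SAMPLE_RELATIONSHIPS)


if __name__ == "__main__":
    for f in run_demo():
        print(f"[{f.kind}] LDEV {f.ldev}: {f.message}")
```

Every finding names the LDEV that has to be encrypted (or formatted with encryption) before the relationship is considered protected.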


2 Encryption License Key Installation

This chapter discusses how to install the Encryption License Key feature.

□ Encryption License Key installation workflow

□ System requirements

□ Enabling the Encryption License Key feature

□ Disabling the Encryption License Key feature


Encryption License Key installation workflow

Use the following workflow to install the Encryption License Key feature:

1. Ensure your system meets the system requirements. For more information about the system requirements, see System requirements on page 2-2.

2. Ensure your product suite interoperates the way you want it to with the Encryption License Key feature.

3. Enable the Encryption License Key feature. For more information about enabling the Encryption License Key feature, see Enabling the Encryption License Key feature on page 2-2.

4. Assign the Security Administrator (View & Modify) role to the administrator who creates, backs up, and restores data encryption keys. For more information about assigning roles, see the Hitachi Storage Navigator User Guide.

System requirements

The following table lists the system requirements for using the Encryption License Key feature.

Item Requirement

Hitachi Unified Storage VM
• Microcode 73-03-0x and later.

Hitachi Storage Navigator
• Encryption License Key software license.
• Virtual LVI/LUN Manager software.
• Security Administrator (View & Modify) role to enable or disable data encryption and to back up or restore keys.

SVP (Web server)
To connect to the key management server by specifying the host name instead of the IP address, you need the DNS server settings. For SVP configuration, give your service representative the IP address of the DNS server.

Host platforms
All open-systems platforms are supported.

Data volumes
Volumes for open systems (OPEN-V emulation type) are supported. Supported volumes: Internal.

Disk blade
A disk blade that enables data encryption.

Enabling the Encryption License Key feature

Enable the Encryption License Key feature in Storage Navigator.

1. Log onto Storage Navigator.
2. Type the software license key.

If the Encryption License Key software license expires or is missing, you cannot delete the encryption key.

Disabling the Encryption License Key feature

You can disable the Encryption License Key feature in Storage Navigator.

Caution: If you delete the software license key before performing Steps 1 and 2, you will need to type the software license key again and then perform Steps 1 and 2.

1. Disable data encryption at the parity-group level. For more information about disabling data encryption, see Workflow for disabling data encryption at the parity-group level on page 4-9.

2. Initialize the encryption environmental settings. For more information about initializing the encryption environmental settings, see Initializing the encryption environmental settings on page 4-19.

3. Delete the software license key.


3 Key Management Server Connections

You can use an optional key management server with Hitachi Unified Storage VM storage systems. This chapter provides information on how to set up the key management server.

□ Key management server requirements

□ Edit encryption environmental settings workflow


Key management server requirements

If you are using a key management server, it must meet the following requirements:

• Protocol: Key Management Interoperability Protocol 1.0 (KMIP 1.0)
• Software: SafeNet KeySecure k460 6.1.0 or Thales keyAuthority 4.0.2
• Certificates:
  ◦ Root certificate of the key management server (X.509)
  ◦ Client certificate in PKCS#12 format

Root and client certificates

Root and client certificates are required to connect to KMIP servers and to ensure that the network access is good. You upload the certificates to the SVP.

To access the key management server, the client certificate must be current and not have expired.

For more information about the client certificate password in PKCS#12 format:

• Contact the key management server administrator.
• See Client certificate password on page 3-2.

To get copies of the root and client certificates, contact the key management server administrator.

For more information about uploading the client certificates, see Converting the client certificate to the PKCS#12 format on page 3-4.

Root certificate on the key management server

If you use SafeNet KeySecure or Thales keyAuthority on the key management server, create and put the root certificate on the server.

For more information about SafeNet KeySecure, see the SafeNet KeySecure k460 documentation. For more information about Thales keyAuthority, see the Thales keyAuthority documentation.

The root certificate of the key management server must be in X.509 format.

Client certificate password

The password is a string of characters from zero to 128 characters in length. Valid characters are:

• Numbers (0 to 9)
• Upper case (A-Z)
• Lower case (a-z)
• Symbols: ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~


For more information about converting the client certificate to PKCS#12 format, see Converting the client certificate to the PKCS#12 format on page 3-4.

For more information about client certificates, see Root and client certificates on page 3-2.

Preparing the client certificate workflow

Use the following process to prepare the client certificate, which includes setting the client certificate expiration date and password:

1. Download and install openssl.exe from http://www.openssl.org/ to the C:\openssl folder.

2. Create the key file. You can create the following types of key files:
  ◦ Private key file. For more information about creating a private key file, see Creating a private SSL key file on page 3-3.
  ◦ Public key file. For more information about creating a public key file, see Creating a public SSL key file on page 3-4.

3. Convert the client certificate to PKCS#12 format. For more information about converting the client certificate, see Converting the client certificate to the PKCS#12 format on page 3-4.

4. Upload the root and client certificates to the SVP. For more information about uploading the root and client certificate, see Converting the client certificate to the PKCS#12 format on page 3-4.

Private key file creation workflow

(Windows Vista) Prepare private and public SSL key files to use with the Encryption License Key feature.

1. If the read-only attribute is set, release it from the c:\key folder.

2. Create the private key file. For more information about creating a private key file, see Creating a private SSL key file on page 3-3.

3. Create the public key file. For more information about creating public key files, see Creating a public SSL key file on page 3-4.

Creating a private SSL key file

Create a private SSL key file to use with the Encryption License Key feature. A private key file has the extension (.key).

1. Open a command prompt.

2. Move the current directory to the folder where you have saved the key file (for example, c:\key).

3. From a command prompt, run the following command:

c:\key > c:\openssl\bin\openssl genrsa -out server.key 1024

Creating a public SSL key file

Create a public SSL key file to use with the Encryption License Key feature. A public key file has the extension (.csr).

1. Open a command prompt.

2. Move the current directory to the folder where you have saved the key file (for example, c:\key).

3. From a command prompt, run the following command (the openssl binary is in the same c:\openssl\bin folder used in the previous procedure):

c:\key > c:\openssl\bin\openssl req -sha256 -new -key server.key -config c:\openssl\bin\openssl.cfg -out server.csr

4. Complete the following information:
  ◦ Country Name (two-letter code)
  ◦ State or Province Name
  ◦ Locality Name
  ◦ Organization Name
  ◦ Organization Unit Name
  ◦ Common Name
  ◦ Email Address
  ◦ (Optional) Challenge password
  ◦ (Optional) Common name: To obtain a signed and trusted certificate, ensure that the server name is the same as the host name of the storage device.

5. Send the public key to the Certificate Authority (CA) of the key management server, and request that the CA issue a signed certificate. Use the signed certificate as the client certificate. For more information, see the SafeNet KeySecure or Thales keyAuthority documentation.

Converting the client certificate to the PKCS#12 format

Convert the client certificate to the PKCS#12 format, which includes uploading the client certificate in the PKCS#12 format to the 200 Storage Virtualization System (SVP).

1. From an open command prompt, change the current directory to the folder where you want to save the client certificate in the PKCS#12 format.

2. Move the private SSL key file (.key) and the client certificate to the folder in the current directory, and run the command. The following is an example for an output folder of c:\key, a private key file (client.key), and a client certificate file (client.crt):

C:\key>c:\openssl\bin\openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

3. Upload the client certificate in the PKCS#12 format to the SVP and type the client certificate password. For more information about uploading the client certificate, see Converting the client certificate to the PKCS#12 format on page 3-4.

Uploading the root and client certificate

As part of configuring the connection settings to the key management server, you will need to upload the root certificate and the client certificate.

1. On the menu bar, click Settings > Environmental Setting > View Key Management Server Properties.

2. In the View Key Management Server Properties window, click Setup Key Management Server. If you have not set the connection to the key management server, a message is displayed. Click OK.

3. In the Setup Key Management Server window, upload the certificates.

Edit encryption environmental settings workflowTo use a key management server, you must configure the connection andnetwork settings. You can also set the encryption settings such as disablingthe local key generations and storing key encryption key to DKC.

For more information about the appropriate connection settings, contact thekey management server administrator. For more information about thenetwork settings, contact your network administrator.

Caution: Encryption keys backed up on the key management server aremanaged with the client certificate. If the client certificate is lost, and the SVPis replaced due to a failure, you cannot restore the encryption keys that werebacked up before the replacement.When the connection settings are backed up to the key management server,the system does not back up the client certificate. Make sure that you backup a copy of the connection settings to the key management server and savea copy of the client certificate separately. Refer to your corporate securitypolicy for procedures related to backups.To protect the key encryption key at the key management server, the keymanagement server must be configured using two clustered servers. For thisreason, select Enable for Secondary Server.

Key Management Server Connections 3-5Hitachi Unified Storage VM Block Module Encryption License Key User Guide

Note: To restore the connection to the key management server after replacing the SVP, restore the connection settings to the key management server that you have backed up.
Before replacing the SVP, if the Edit Encryption Environmental Settings window is set as #2 through #5 of the table in Choosing settings in the Edit Encryption Environmental Settings window on page 3-8, first restore the connection settings to the key management server that you have backed up. Then configure the client certificate and the root certificate of the key management server that you have stored.
If you have not backed up the connection settings, configure them again. If you have not stored the client certificate, create a new client certificate, and then configure the client certificate and the root certificate of the key management server.
When the window is set as #4 or #5 of the table in Choosing settings in the Edit Encryption Environmental Settings window on page 3-8, if you have replaced the SVP and created a new client certificate, update the key encryption key after configuring the connection settings to the key management server. Because the old key encryption key cannot be deleted from the key management server, deleting it fails, but the key encryption key can still be updated successfully.

1. Ensure the client and root certificates are uploaded to the key management server. If the certificates are not uploaded:

¢ Contact the key management server administrator.
¢ See Converting the client certificate to the PKCS#12 format on page 3-4 and Uploading the root and client certificate on page 3-5.

2. Configure the connection settings to the key management server.
For more information about configuring these settings, see Uploading the root and client certificate on page 3-5.

3. Back up the connection settings to the key management server.
For more information about the tasks related to backing up the connection settings, see your corporate security policy.

4. Confirm that you can connect to the key management server.

5. Check with the key management server administrator, then save a backup copy of the client certificate.

6. Save a copy of the configuration files.
For more information on how to save a configuration file, see the Storage Systems Settings section of the Hitachi Storage Navigator User Guide.

Configuring the connection settings to the key management server

Configure the connection settings to the key management server to set up the key management server and to back up the data encryption keys to the key management server.

To connect to the key management server by host name instead of IP address, send the IP address of the DNS server to your service representative and request that the service representative configure the SVP.


If the key management server is unavailable after you complete this task, the settings may be incorrect. Contact the server or network administrator.

1. In the Administration tree, select Encryption Keys.
2. In the top window, select the Encryption Keys tab.
3. In the Settings menu, select Security > Encryption Key > Edit Encryption Environmental Settings.
4. In the Edit Encryption Environmental Settings window, select Enable or Disable on the Key Management Server.
5. If you connect to the Key Management Server, specify the primary server and the secondary server.

¢ If the key management server is already in use, click Check to test the connection. Otherwise, click Finish. Error messages appear if the server configuration test fails.

6. If the key management server is already in use, select Check to test the connection. Error messages appear if the server configuration test fails.

7. Create an encryption key:

¢ To generate an encryption key on the key management server, select Generate Encryption Keys on Key Management Server. To store the encryption key on the key management server, select Disable Local Key Generation, then I Agree.

Caution: If you have selected Protect the Key Encryption Key on the Key Management Server in Generate Encryption Keys on Key Management Server, the storage system will try to back up the encryption key to the key management server once the storage system is turned on. Therefore, it is recommended that you confirm that the SVP is connected to the key management server properly before turning the storage system on.

¢ To generate an encryption key on the key management server without creating an encryption key in the storage system, select Disable Local Key Generation. Confirm the Warning that displays and select I Agree.

Caution: When you select the Disable local key generation and I Agree check boxes in Generate Encryption Keys on Key Management Server and finish the settings, you cannot undo this action.

8. To back up data encryption keys to the key management server, click Next. Otherwise, click Finish.

9. In the Confirm window, complete the following and then click Apply:

¢ Confirm the settings.
¢ For Task Name, type a name or description for this task.
¢ Select Go to tasks window for status to open the Tasks window.

The connection to the key management server is set up.


For more information, see Choosing settings in the Edit Encryption Environmental Settings window on page 3-8 and Backing up keys to a key management server on page 4-5.

Choosing settings in the Edit Encryption Environmental Settings window

To manage encryption keys properly, refer to the following flow chart and table and choose settings for the Edit Encryption Environmental Settings window accordingly.

Settings in the Edit Encryption Environmental Settings window

(Primary Server and Secondary Server are the Server Settings columns.)

 #  | Key Mgnt Server | Primary Server | Secondary Server     | Generate Encryption Keys on Key Mgnt Server | Protect the Key Encryption Key at the Key Mgnt Server | Disable local key generation
----|-----------------|----------------|----------------------|---------------------------------------------|-------------------------------------------------------|-----------------------------
 #1 | Select Disable  | Do not set     | Do not set           | Clear                                       | Clear                                                 | Clear
 #2 | Select Enable   | Set            | Select Enable to use | Clear                                       | Clear                                                 | Clear
 #3 | Select Enable   | Set            | Select Enable to use | Select                                      | Clear                                                 | Clear
 #4 | Select Enable   | Set            | Select Enable*       | Select                                      | Select                                                | Clear
 #5 | Select Enable   | Set            | Select Enable*       | Select                                      | Select                                                | Select

* To protect the key encryption key at the key management server, select Enable for Secondary Server because the key management server must be configured using two clustered servers.
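The five rows and the footnote can be expressed as a checker that tells you which row a set of choices corresponds to, or why it corresponds to none. The following Python is an added example written for readers of this guide; it is not Hitachi code and Storage Navigator exposes no such interface, so the field names are this example's own. A combination outside rows #1 through #5 is reported as a problem because the table lists only those combinations, and the footnote rule (protecting the key encryption key at the key management server requires Secondary Server to be Enable) is enforced explicitly.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class EncryptionEnvSettings:
    """One combination of choices in the Edit Encryption Environmental Settings window.

    Field names are this example's own (assumed), not Storage Navigator identifiers.
    """
    key_mgmt_server: str                # "Enable" or "Disable"
    primary_server_set: bool            # Primary Server connection settings entered
    secondary_server: str               # "Enable", "Disable", or "" when not set
    generate_keys_on_server: bool       # Generate Encryption Keys on Key Mgnt Server
    protect_kek_on_server: bool         # Protect the Key Encryption Key at the Key Mgnt Server
    disable_local_key_generation: bool  # Disable local key generation


def classify(s: EncryptionEnvSettings) -> Tuple[Optional[int], List[str]]:
    """Map a combination to its table row (#1-#5), or explain why it matches none."""
    problems: List[str] = []

    if s.key_mgmt_server == "Disable":
        # Row #1: no server settings and all three key options cleared.
        if s.primary_server_set or s.secondary_server:
            problems.append("Primary/Secondary Server must not be set when Key Management Server is Disable")
        if s.generate_keys_on_server or s.protect_kek_on_server or s.disable_local_key_generation:
            problems.append("key options must be cleared when Key Management Server is Disable")
        return (None if problems else 1), problems

    if s.key_mgmt_server != "Enable":
        return None, ["Key Management Server must be Enable or Disable, got %r" % s.key_mgmt_server]

    # Rows #2-#5 all require the primary server to be set.
    if not s.primary_server_set:
        problems.append("Primary Server must be set when Key Management Server is Enable")

    # The options nest: each row selects one more option than the row above it.
    if s.protect_kek_on_server and not s.generate_keys_on_server:
        problems.append("Protect the Key Encryption Key requires Generate Encryption Keys on Key Mgnt Server")
    if s.disable_local_key_generation and not s.protect_kek_on_server:
        problems.append("Disable local key generation requires Protect the Key Encryption Key (rows #4 and #5)")

    # Footnote: protecting the KEK at the server needs two clustered servers.
    if s.protect_kek_on_server and s.secondary_server != "Enable":
        problems.append("Secondary Server must be Enable to protect the key encryption key at the server")

    if problems:
        return None, problems
    if s.disable_local_key_generation:
        return 5, []
    if s.protect_kek_on_server:
        return 4, []
    if s.generate_keys_on_server:
        return 3, []
    return 2, []


if __name__ == "__main__":
    # Constructed sample: the fully protected configuration (row #5).
    row, issues = classify(EncryptionEnvSettings("Enable", True, "Enable", True, True, True))
    print(row, issues)
```

Run the checker against the choices you intend to make before opening the wizard; the row number it returns is the one to read back against the Note and Caution earlier in this section, which refer to the rows by number.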


4 Managing data encryption keys

This chapter provides information on how to manage data encryption keys. Managing the keys includes ensuring availability of keys and accessibility to the encrypted or decrypted data. Manage data encryption keys using the Encryption License Key feature in the Hitachi Unified Storage VM storage system.

You must have the Security Administrator (View & Modify) role to manage data encryption keys.

□ Workflow for creating data encryption keys

□ Enabling Encryption

□ Encryption formatting at the parity-group level

□ Unblocking LDEVs at the parity-group level

□ Workflow for moving unencrypted data to an encrypted environment

□ Workflow for restoring data encryption keys

□ Workflow for changing data encryption keys

□ Workflow for deleting data encryption keys

□ Viewing encryption keys backed up on the key management server

□ Exporting encryption key table information

□ Rekeying certificate encryption keys

□ Rekeying key encryption keys


□ Retrying Key Encryption Key Acquisition

□ Initializing the encryption environmental settings


Workflow for creating data encryption keys

Create a data encryption key to use with the Encryption License Key feature.

Use the following process to create a data encryption key:

1. Create the data encryption key or group of keys.
For more information about creating keys, see Creating data encryption keys on page 4-3.

2. Back up a secondary data encryption key.
Schedule regular backups of all of your data encryption keys at the same time, once every week, to ensure data availability.
For more information about backing up secondary keys, see Workflow for backing up encryption keys on page 4-4.

Creating data encryption keys

If you need to change a data encryption key, create a new data encryption key. 1,524 Free keys or DEK keys are created when you configure encryption environmental settings on the Edit Encryption Environmental Settings window for the first time. After that, you can create 1,536 Free keys or DEK keys. You can create up to 1,536 encryption keys per storage system.

Encryption keys are commonly created in the storage system. However, when the key management server is in use and Generate Encryption Keys on Key Management Server is checked in the Edit Encryption Environmental Settings window, encryption keys will be created on the key management server and used in the storage system.

After creating data encryption keys, it is recommended that you back up each key.

1. In the Administration tree, select Encryption Keys.
2. In the top window, select the Encryption Keys tab.
3. From the Settings menu, select Security > Encryption Keys > Key Generation.
4. In the Key Generation window, specify the number of encryption keys you want to create. The encryption keys with the attribute of Free will be set. The key IDs will be automatically assigned.
5. To back up data encryption keys to the key management server, click Next. Otherwise, click Finish.
6. In the Confirm window, complete the following and then click Apply:

¢ Confirm the settings.
¢ For Task Name, type the task name.
¢ (Optional) Select Go to tasks window for status to open the Tasks window.

The new data encryption key is created.


Related topics

• Backing up keys to a key management server on page 4-5
• Encryption Keys window on page A-3
• Create Keys wizard on page A-9

Workflow for backing up encryption keys

The Hitachi Unified Storage VM storage system automatically creates a primary backup of the encryption key. Create a secondary data encryption key immediately after creating a key, and also regularly to ensure data availability.

Caution: Securely store the secondary backup data encryption key. If the primary backup encryption key becomes unavailable and the secondary backup encryption key does not exist, the system cannot decrypt encrypted data.

You must have the Security Administrator (View & Modify) role to back up secondary encryption keys.

In addition, it is recommended that you back up each key after you perform any of the following operations:

• Creating encryption keys.
• Increasing, decreasing, or replacing drives.
• Replacing disk blades.
• Updating CEK.
• Updating KEK.

Encryption keys you created are backed up in a batch.

Use the following process to back up the encryption key:

1. Confirm that Storage Navigator is not processing other tasks. You cannot back up the keys while Storage Navigator is processing other tasks. In addition, you cannot back up data encryption keys without creating encryption keys.

2. Use one of the following methods to create a secondary backup of an encryption key:

¢ Back up the encryption key as a file on the Storage Navigator computer.
For more information about backing up encryption keys as files, see Backing up keys as a file on page 4-5.

¢ Back up the encryption keys to a key management server.
For more information about backing up keys on key management servers, see Backing up keys to a key management server on page 4-5.


Backing up keys as a file

Back up encryption keys as a file on the Storage Navigator computer. Back up the file and the password, since the file and password are not automatically backed up.

1. In the Administration tree, click Encryption Keys.
2. In the Encryption Keys window, click the Encryption Keys tab.
3. Complete one of the following:

¢ Click Settings > Security > Encryption Keys > Backup Keys to File.
¢ Click Backup Keys > To File.

4. In the Backup Keys to File window, complete the following and then click Finish:

¢ For Password, type 6 to 255 characters as the key restoration password.
For the password, you can use all alphanumeric characters and the following 32 symbols: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
The minimum number of characters is displayed if it is set in the Edit Password Policy window.
¢ For Re-enter Password, retype the password.

5. Click Finish. The Confirm window opens.
6. In the Confirm window, complete the following and then click Apply:

¢ Confirm the settings.
¢ For Task Name, type a task name.
¢ (Optional) Select Go to tasks window for status to open the Tasks window.

7. In the message that appears, click OK.
8. Select the location to which to save the backup file, and then type the backup file name using the extension .ekf.
9. Click Save.

The data encryption key is backed up as a file on the Storage Navigator computer.

For more information, see Encryption Keys window on page A-3 and Backup Keys to File wizard on page A-13.
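Because the backup file is only as recoverable as the password typed in step 4, it is worth checking a candidate password and file name against the stated rules before running the wizard. The following Python is an added example, not part of this guide or of Storage Navigator: it applies the password rules from the procedure (6 to 255 characters; alphanumeric characters plus the 32 listed symbols, which are exactly the ASCII punctuation set) and the .ekf extension required in step 8. Two assumptions are made: "alphanumeric" means ASCII letters and digits, and the minimum configured in the Edit Password Policy window (passed in as the policy_min_length parameter) can only raise the minimum of 6, never lower it.

```python
import string

# The 32 symbols listed in the procedure; they coincide with Python's string.punctuation.
ALLOWED_SYMBOLS = frozenset('!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~')
# Assumption: "alphanumeric" in the guide means ASCII letters and digits.
ALLOWED_CHARS = frozenset(string.ascii_letters + string.digits) | ALLOWED_SYMBOLS
GUIDE_MIN_LENGTH = 6
GUIDE_MAX_LENGTH = 255
BACKUP_EXTENSION = ".ekf"


def check_backup_password(password: str, policy_min_length: int = GUIDE_MIN_LENGTH) -> list:
    """Return the rules a key restoration password breaks; an empty list means it is acceptable.

    policy_min_length is the minimum set in the Edit Password Policy window. It is assumed
    (the guide does not say) that the policy can only raise the built-in minimum of 6.
    """
    problems = []
    effective_min = max(GUIDE_MIN_LENGTH, policy_min_length)
    if len(password) < effective_min:
        problems.append("shorter than the minimum of %d characters" % effective_min)
    if len(password) > GUIDE_MAX_LENGTH:
        problems.append("longer than the maximum of %d characters" % GUIDE_MAX_LENGTH)
    disallowed = sorted(set(password) - ALLOWED_CHARS)
    if disallowed:
        problems.append("contains characters outside the allowed set: %r" % "".join(disallowed))
    return problems


def backup_file_name_ok(name: str) -> bool:
    """True when the backup file name has a stem and ends with the required .ekf extension."""
    return name.lower().endswith(BACKUP_EXTENSION) and len(name) > len(BACKUP_EXTENSION)


if __name__ == "__main__":
    # Constructed samples, not real passwords.
    for candidate in ("Kw#7pQ2!", "short", "pass word1"):
        print(repr(candidate), check_backup_password(candidate) or "OK")
    print(backup_file_name_ok("dek-backup-2018-10.ekf"))
```

The check reports every broken rule rather than stopping at the first, so a password that is both too short and contains a space produces two messages; that mirrors how a practitioner would want to correct the input in one pass.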

Backing up keys to a key management server

Back up encryption keys to a key management server. The data encryption keys that you back up to a key management server are managed with the client certificate.

There are a limited number of keys you can back up on the key management server. Therefore, it is recommended that you delete unnecessary keys when possible.


When you back up to a key management server, the server uses another data encryption key to encrypt the original keys. Both keys reside on the server.

1. In the Administration tree, click Encryption Keys.
2. In the Encryption Keys window, click the Encryption Keys tab.
3. Complete one of the following:

¢ Click Settings > Security > Encryption Keys > Backup Keys to Server.
¢ Click Backup Keys > To Server.

4. (Optional) In the Backup Keys to Server window, for Description, type a description.
5. Click Finish. The Confirm window opens.
6. In the Confirm window, complete the following and then click Apply:

¢ Confirm the settings.
¢ For Task Name, type the task name.
¢ (Optional) Select Go to tasks window for status to open the Tasks window.

A secondary backup data encryption key is saved.

For more information, see Encryption Keys window on page A-3 and Backup Keys to Server wizard on page A-16.

Viewing backup data encryption keys

View a list of the data encryption keys that you have backed up on the key management server. They are shown in a list in the View Backup Keys on Server window.

1. In the Administration tree, click Encryption Keys.
2. In the top window, on the right side of the window, click View Backup Keys on Server.
The View Backup Keys on Server window opens.

Editing the password policy

You can set the minimum number of characters required for passwords.

1. From the Settings menu, select Security > Encryption Key > Edit Password Policy.

2. In the Edit Password Policy window, set the minimum number of characters.

3. Click Finish.
4. In the Confirm window, complete the following and then click Apply:

¢ Confirm the settings.
¢ For Task Name, type the task name.
¢ (Optional) Select Go to tasks window for status to open the Tasks window.

For more information, see Edit Password Policy wizard on page A-11.

Enabling Encryption

Encryption can be enabled only when the volumes in a parity group are blocked, or a parity group has no volume. Encryption cannot be enabled if a parity group has an unblocked volume.

In addition, as shown in the flowchart below, the procedure is different if you enable encryption of virtual volumes. For details about operations of pools and virtual volumes, see the Provisioning Guide for your storage system.

Workflow for enabling data encryption on parity groups

The Encryption License Key feature provides data encryption at the parity-group level to protect data on LDEVs.

Use the following process to set up for data encryption and enable data encryption on parity groups:

1. Back up the data encryption key.
For more information about backing up encryption keys, see Workflow for backing up encryption keys on page 4-4.

2. Block the LDEVs at the parity-group level. Do one of the following:

¢ Block the LDEV using a file on the Storage Navigator computer.
For more information about blocking LDEVs using a file, see Blocking LDEVs using a file on page 4-13.

¢ Block the LDEV on the key management server.
For more information about blocking LDEVs on the key management server, see Blocking LDEVs on the key management server on page 4-13.

3. Enable data encryption on the parity group.
For more information about enabling data encryption on parity groups, see Enabling data encryption at the parity group-level on page 4-7.

4. Format the LDEVs at the parity-group level.
For more information about formatting LDEVs in the parity group, see Encryption formatting at the parity-group level on page 4-11.

Enabling data encryption at the parity group-level

Enable data encryption at the parity-group level. The Security Administrator (View & Modify) role is required to enable encryption. If you want to format the volumes at the same time, the Storage Administrator (Provisioning) role is also required.

1. In the Storage Systems tree, click Parity Groups.
In the tree that is shown, Internal or External is displayed.
2. To select an internal LDEV, select Internal. Otherwise, click the Parity Groups tab.
3. In the Parity Groups table, select a specific parity group on which you want to enable encryption and then click Actions > Parity Group > Edit Encryption.

Note: If you do not select a specific parity group, data encryption is enabled on all of the parity groups in the list.

4. In the Edit Encryption window of the Edit Encryption wizard, complete the following and then click Add:

¢ For Available Groups, select the parity group for which you want to enable data encryption.
¢ For Encryption, select Enable to enable data encryption at the parity-group level.
¢ For Format Type, select the format type.
Values: Quick Format, Normal Format, or No Format
Default: Quick Format

The parity group you selected from the Available Parity Groups table is added to the Selected Parity Groups list.

5. Click Finish.
6. In the Confirm window, complete the following and then click Apply:

¢ Confirm the settings.
¢ For Task Name, type the task name.
¢ (Optional) Select Go to tasks window for status to open the Tasks window.

7. In the message that appears, click OK.

Data encryption is enabled on the parity group.

Enabling data encryption (for virtual volumes)

To use virtual volumes, enable data encryption first, and then format the virtual volumes.

1. Locate the pool to which the parity group whose encryption you want to enable belongs.
Confirm that the virtual volumes exist.

2. Block the virtual volumes.
Block the virtual volumes in the pool you located in step 1.

3. Enable data encryption for the parity group.
Perform the procedure described in Enabling data encryption at the parity group-level on page 4-7.

4. Format the virtual volumes.
Format the virtual volumes belonging to the pool you located in step 1.


Disabling encryption

Encryption can be disabled only when the volumes in a parity group are blocked, or the parity group has no volume. Encryption cannot be disabled if a parity group has an unblocked volume.

In addition, as shown in the flowchart below, the procedure is different if you disable encryption of virtual volumes. For details about operations of pools and virtual volumes, see the Provisioning Guide for your storage system.

Workflow for disabling data encryption at the parity-group level

Disable encryption, or decrypt data, at the parity-group level.

1. Back up the secondary data encryption key.
For more information about backing up a secondary key, see Workflow for backing up encryption keys on page 4-4.

2. Block the LDEV at the parity-group level.
For more information about blocking LDEVs, see Blocking LDEVs at the parity-group level on page 4-11.

3. Disable data encryption at the parity-group level.
For more information about disabling data encryption, see Workflow for disabling data encryption at the parity-group level on page 4-9.

4. Format the LDEVs in the parity group for encryption.
For more information about formatting LDEVs, see Encryption formatting at the parity-group level on page 4-11.

5. Unblock the LDEVs.
For more information about unblocking LDEVs, see Unblocking LDEVs at the parity-group level on page 4-11.


Disabling data encryption at the parity-group level

Disable data encryption at the parity-group level to perform (normal) formatting options on encrypted data, such as writing to or overwriting an LDEV. You must have the Security Administrator (View & Modify) role to disable encryption. If you want to format the volumes at the same time, the Storage Administrator (Provisioning) role is also required.

1. In the Storage Systems tree, click Parity Groups.
In the tree, Internal or External is displayed.

2. To select an internal LDEV, select Internal. Otherwise, select the Parity Groups tab.

3. On the Encryption Keys tab, select the name of the parity group for which you want to disable encryption and then complete one of the following:

¢ Click Actions > Parity Group > Edit Encryption.
¢ Click More Actions > Edit Encryption.

4. In the Edit Encryption window, complete the following and then click Add:

¢ For Available Parity Groups, choose the parity group on which you want to disable data encryption.
¢ For Encryption, select Disable.
¢ For Format Type, choose the format type.
The parity group you selected from the Available Parity Groups list is added to the Selected Parity Groups list.

Note: If an LDEV is listed in the Selected Parity Groups list, format the LDEVs.
For more information about formatting LDEVs, see Encryption formatting at the parity-group level on page 4-11.
The format type in the Selected Parity Groups list changes to No Format regardless of the format type setting.

5. In the Edit Encryption window, click Finish.
6. In the Confirm window, complete the following and then click Apply:

¢ Confirm the settings.
¢ For Task Name, type the task name.
¢ (Optional) Select Go to tasks window for status to open the Tasks window.

7. In the confirmation message that appears asking whether to apply the setting to the storage system, click OK.
Encryption is disabled for the parity group.

Disabling data encryption (for virtual volumes)

To use virtual volumes, disable data encryption first, and then format the virtual volumes.


1. Locate the pool to which the parity group whose encryption you want to disable belongs.
Confirm that the virtual volumes exist.

2. Block the virtual volumes.
Block the virtual volumes in the pool you located in step 1.

3. Disable data encryption for the parity group.
Perform the procedure described in Workflow for disabling data encryption at the parity-group level on page 4-9.

4. Format the virtual volumes.
Format the virtual volumes belonging to the pool you located in step 1.

Blocking LDEVs at the parity-group level

Block the LDEVs at the parity-group level so that you can disable data encryption and format LDEVs. Blocked LDEVs in the parity group have a status of “Blocked.”

Note: You cannot write to a blocked LDEV.

1. From the Storage Navigator main window, click Explorer > Storage System > volume (resource).

2. On the LDEVs tab, complete one of the following and then click Block LDEVs:

¢ For Parity Group, select the parity group to which the LDEV is associated.
¢ For Logical Device, select the LDEV you want to block.

3. In the confirmation message that appears, click Apply.

The LDEV is blocked.

Encryption formatting at the parity-group level

The LDEV formatting operation writes zero data to the entire area of all drives in the parity group, or overwrites an LDEV. This process is also referred to as encryption formatting.

Unblocking LDEVs at the parity-group level

Unblock LDEVs at the parity-group level to protect the data after you format an LDEV at the parity-group level. Unblocked LDEVs in the parity group have a status of “Unblocked”.

1. From the Storage Navigator main window, click Explorer > Storage System > volume (resource).

2. On the LDEVs tab, complete the following and then click Unblock LDEVs:


¢ For Parity Group, select the parity group to which the LDEV is associated.
¢ For Logical Device, select the LDEV you want to unblock.

3. In the confirmation message that appears, click Apply.

The LDEV is unblocked.

Workflow for moving unencrypted data to an encrypted environment

Migrate existing data to new LDEVs in an encrypted parity group.

If you are migrating existing unencrypted data to an environment with encryption, the process includes the following additional steps:

1. Move the unencrypted data from the Hitachi Unified Storage VM storage system to another storage system.
For more information about moving unencrypted data, call the Support Center.

2. Create a new parity group. Your service representative creates parity groups using the SVP.

3. Enable data encryption on the parity group.
For more information about enabling data encryption on parity groups, see Enabling data encryption at the parity group-level on page 4-7.

4. Format the LDEVs in the encrypted parity group.
For more information about formatting LDEVs, see Encryption formatting at the parity-group level on page 4-11.

5. Migrate the existing data to the new LDEVs in the encrypted parity group.
For more information about migration practices with encryption, see Migration practices with encryption on page 1-5.
For more information about data migration services, call the Support Center.

Workflow for restoring data encryption keys

Restore a data encryption key from the primary or secondary backup copy when all the LDEVs belonging to an encrypted parity group are blocked, or if an existing data encryption key becomes unavailable or you cannot use it (for example, after a system failure).

The system automatically restores data encryption keys from the primary backup. You must have the Security Administrator (View & Modify) role to restore the data encryption key from a secondary backup data encryption key.

Caution: When you restore the data encryption key, always restore the latest key. If a data encryption key is updated after a secondary backup is performed, and the restored key is not the latest key, drives and disk blades will be blocked and will not be able to read data.


Use the following process to restore a data encryption key:

1. Block the LDEVs associated with the encrypted parity group. Do one of the following:

¢ Block the LDEV using a file on the Storage Navigator computer.
For more information about blocking LDEVs using a file, see Blocking LDEVs using a file on page 4-13.

¢ Block the LDEV on the key management server.
For more information about blocking LDEVs on the key management server, see Blocking LDEVs on the key management server on page 4-13.

2. Restore a data encryption key from a primary or secondary backup copy. Do one of the following:

¢ Restore the data encryption keys from a file backed up on the Storage Navigator computer.
For more information about restoring keys from a file, see Restoring keys from a file on page 4-14.

¢ Restore data encryption keys from the key management server.
For more information about restoring keys from the key management server, see Restoring keys from a key management server on page 4-14.

Blocking LDEVs using a file

Block LDEVs at the parity-group level from a file on the Storage Navigator computer.

1. From the Storage Navigator main window, click Explorer > Storage System > volume (resource).

2. On the LDEVs tab, complete one of the following and then click Block LDEVs:

¢ For Parity Group, select the parity group to which the LDEV is associated.
¢ For Logical Device, select the LDEV you want to block.

3. In the confirmation message that appears, click Apply.

The LDEV is blocked.

Blocking LDEVs on the key management server

Block LDEVs at the parity-group level from the key management server.

1. From the Storage Navigator main window, click Explorer > Storage System > volume (resource).

2. On the LDEVs tab, complete one of the following and then click Block LDEVs:

¢ For Parity Group, select the parity group associated with the LDEV you want to block.


¢ For Logical Device, select the LDEV you want to block.

3. In the confirmation message that appears, click Apply.

The LDEV is blocked.

Restoring keys from a file

Restore the data encryption keys from a file backed up on the Storage Navigator computer.

1. In the Administration tree, click Encryption Keys.
2. In the top window, click the Encryption Keys tab.
3. Complete one of the following:

¢ Click Settings > Security > Encryption Keys > Restore Keys from File.
¢ Click Restore Keys > From File.

4. In the Restore Keys from File window, click Browse and then click OK.
5. In the Open dialog box, select the backup file and click Open.
6. In the Restore Keys from File window, complete the following items and then click Finish:

¢ File Name shows the name of the selected file (view-only).
¢ For Password, type the password for the data encryption key that you typed when you backed up the selected data encryption key.

7. In the Confirm window, complete the following and then click Apply:

¢ Confirm the settings.
¢ For Task Name, type the task name.
¢ (Optional) Select Go to tasks window for status to open the Tasks window.

The data encryption key is restored.

Restoring keys from a key management server

Restore a data encryption key from the key management server. You can restore up to 1,544 data encryption keys at a time.

The client certificate is required to restore backed up data encryption keys from a key management server.

Caution: If you do not have the client certificate, and the system administrator replaces the SVP due to a failure, you cannot restore the backed up data encryption keys.

1. In the Administration tree, click Encryption Keys.2. Select the data encryption key using one of the two following methods:

4-14 Managing data encryption keysHitachi Unified Storage VM Block Module Encryption License Key User Guide

   • Selecting the data encryption key from the Encryption Keys window on page 4-15
   • Selecting the data encryption key from the Restore Keys from Server window on page 4-15
3. In the Confirm window, complete the following and then click Apply:
   • Confirm the settings.
   • For Task Name, type a task name.
   • (Optional) Select Go to tasks window for status to open the Tasks window.

The backup data encryption key is restored.

Selecting the data encryption key from the Encryption Keys window

1. Select the data encryption key you want to restore.
2. Complete one of the following to open the Confirm window:
   • Click Settings > Security > Encryption Keys > Restore Keys from Server.
   • Click Restore Keys > From Server.

Selecting the data encryption key from the Restore Keys from Server window

1. Complete one of the following to open the Restore Keys from Server window:
   • Click Settings > Security > Encryption Keys > Restore Keys from Server.
   • Click Restore Keys > From Server.
2. Select the data encryption key you want to restore.
3. Click Finish.

Workflow for changing data encryption keys

Encrypt data with a different data encryption key.

Use the following process to change the data encryption key:

1. Create a new parity group.
2. Enable encryption with the new data encryption key.
   For more information about enabling data encryption at the parity-group level, see Enabling data encryption at the parity-group level on page 4-7.
3. Format the LDEVs in the encrypted parity group.
   For more information about formatting LDEVs in encrypted parity groups, see Encryption formatting at the parity-group level on page 4-11.
4. Migrate the existing data to the new LDEVs in the encrypted parity group.


   For more information about data migration services, call the Support Center. For more information about migration practices with encryption, see Migration practices with encryption on page 1-5.
5. Encrypt the data with the new data encryption key on the Hitachi Unified Storage VM storage system.

Workflow for deleting data encryption keys

Delete a data encryption key from a file on the Storage Navigator computer or from a key management server.

Use the following process to delete a data encryption key:

1. Back up the secondary data encryption key.
   For more information about backing up secondary data encryption keys, see Workflow for backing up encryption keys on page 4-4.
2. Ensure the key is not allocated to the parity group.
   For more information about checking the key allocation, see Creating data encryption keys on page 4-3.
3. Delete the data encryption key using one of the following methods:
   • Delete the key from a file on the Storage Navigator computer. For more information about deleting keys from the Storage Navigator computer, see Deleting data encryption keys on page 4-16.
   • Delete the backup key from the key management server. For more information about deleting backup keys from a key management server, see Deleting backup data encryption keys from the server on page 4-17.

Deleting data encryption keys

Delete data encryption keys from a file on the Storage Navigator computer.

Only encryption keys with the Free attribute can be deleted. Encryption keys with the other attributes cannot be deleted.

1. In the Administration tree, click Encryption Keys.
2. In the top window, click the Encryption Keys tab.
3. From the Encryption Keys table, select the key ID for the data encryption key you want to delete and then complete one of the following:
   • Click Settings > Security > Encryption Keys > Delete Keys.
   • Click More Actions > Delete Keys.
4. To back up encryption keys to the key management server, click Next. To back up encryption keys to the server, see Backing up keys to a key management server on page 4-5.


5. In the Delete Keys window, click Finish.
6. In the Confirm window, complete the following and then click Apply:
   • Confirm the settings.
   • For Task Name, type a task name.
   • (Optional) Select Go to tasks window for status to open the Tasks window.
   The data encryption key is deleted from the file on the Storage Navigator computer.
7. In the message that appears asking whether to apply the setting to the storage system, click OK.

Deleting backup data encryption keys from the server

Delete a backup data encryption key from the key management server.

Caution: Before deleting a primary or secondary backup data encryption key from the key management server, ensure that you have backed up another data encryption key.

1. View the backup data encryption keys on the key management server.
2. In the View Backup Keys on Server window, select the key ID for the backup data encryption key you want to delete and then complete one of the following:
   • Click Settings > Security > Encryption Keys > Delete Keys.
   • Click Delete Backup Keys on Server.
3. In the Delete Backup Keys on Server window, complete the following and then click Apply:
   • Confirm the settings.
   • For Task Name, type the task name.
   • (Optional) Select Go to tasks window for status to open the Tasks window.
4. In the message that appears asking whether to apply the setting to the storage system, click OK.

The system deletes the backup data encryption key.

Viewing encryption keys backed up on the key management server

You can view encryption keys that are backed up on the key management server.

1. Click Encryption Keys in the Administration tree.
2. In the Encryption Keys window, select the Encryption Keys tab on the right side of the window.


3. Click Settings > Security > Encryption Keys > View Backup Keys on Server or click View Backup Keys on Server to display the View Backup Keys on Server window.

Related topics

• Encryption Keys window on page A-3
• View Backup Keys on Server window on page A-24

Exporting encryption key table information

You can output encryption key table information.

1. In the Administration tree, click Encryption Keys.
2. In the top window, click the Encryption Keys tab.
3. From the Encryption Keys table, select the key ID for the data encryption key information you want to output and then complete one of the following:
   • Click Settings > Security > Encryption Keys > Export.
   • Click More Actions > Export.

Rekeying certificate encryption keys

If you change certificate encryption keys, use this procedure to rekey certificate encryption keys.

After rekeying certificate encryption keys, it is recommended that you back up each key.

1. Select Encryption Keys in the Administration tree.
2. In the Encryption Keys window, select the Encryption Keys tab.
3. Select Settings > Security > Encryption Keys > Rekey Certificate Encryption Keys or select Rekey Certificate Encryption Keys in the bottom right-hand corner of the window.
4. Confirm the settings and enter the task name in the Task Name field.
5. Click Apply in the Confirm window to save the settings to the system.
   If you selected the Go to tasks window for status check box, the Task window will appear.

Rekeying key encryption keys

If you create key encryption keys on the key management server, use this procedure to rekey key encryption keys.

Also, after rekeying key encryption keys, it is recommended that you back up each key.


Use the following procedure to rekey key encryption keys.

1. Select Encryption Keys in the Administration tree.
2. In the Encryption Keys window, select the Encryption Keys tab.
3. Select Settings > Security > Encryption Keys > Rekey Key Encryption Keys or select Rekey Key Encryption Keys in the bottom right-hand corner of the window.
4. Confirm the settings and enter the task name in the Task Name field.
5. Click Apply in the Confirm window to save the settings to the system.
   If you selected the Go to tasks window for status check box, the Task window will appear.

Retrying Key Encryption Key Acquisition

If the storage system fails to acquire the key encryption keys from the key management server when it starts, retry key encryption key acquisition.

1. Select Encryption Keys in the Administration tree.
2. In the Encryption Keys window, select the Encryption Keys tab.
3. Select Settings > Security > Encryption Keys > Retry Key Encryption Key Acquisition or select Retry Key Encryption Key Acquisition in the bottom right-hand corner of the window.
4. Confirm the settings and enter the task name in the Task Name field.
5. Click Apply in the Confirm window to save the settings to the system.
   If you selected the Go to tasks window for status check box, the Task window will appear.

Initializing the encryption environmental settings

Disable data encryption at the parity-group level before initializing the encryption environmental settings.

To initialize the encryption environmental settings:

1. Select Encryption Keys in the Administration tree.
2. In the top window, select the Encryption Keys tab.
3. Select Settings > Security > Encryption Keys > Edit Encryption Environmental Settings or select Edit Encryption Environmental Settings.
4. In the Edit Encryption Environmental Settings window, select Initialize Encryption Environmental Settings.
5. Select Finish to display the Confirm window.
6. Confirm the settings and enter the task name in the Task Name field. Select Apply in the Confirm window.
   If you selected the Go to tasks window for status check box, the Task window will appear.


Related topics

• Edit Encryption Environmental Settings wizard on page A-5


5 Troubleshooting

Common problems using Encryption License Key include connection problems, license problems, and administrator permission problems. Managing or changing encryption settings is not possible if you cannot connect to, write to, or run the storage system.

□ Encryption events in the audit log

□ Problems and solutions

□ Contacting the customer support


Encryption events in the audit log

The Hitachi Unified Storage VM storage system audit log records events related to the Encryption License Key feature, including data encryption and Encryption License Key processes. You can export an audit log that contains encryption events in near real-time to an external syslog server.

For more information about the audit log and how to export log events, see the Hitachi Storage Navigator User Guide and the Hitachi Audit Log User Guide.

Encryption License Key processes that the audit log records

The audit log records all of the tasks that you do using the Encryption License Key feature. The tasks are recorded as audit log notations.

The following table lists the audit log notations and their meaning.

Log notation: Meaning

Backup Keys: The system created a backup of a data encryption key.

Backup Keys to File: The system created a backup of a data encryption key to a file.

Backup Keys to Serv: The system created a backup of a data encryption key to a key management server.

Create Keys: The system created one or more data encryption keys.

Delete Keys: The system deleted one or more data encryption keys.

Delete Keys on Serv: The system deleted one or more data encryption keys on a key management server.

Edit Encryption: The system enabled or disabled encryption at the parity group level.

Restore Keys: The system restored one or more data encryption keys.

Restore Keys fr File: The system restored one or more data encryption keys from a file.

Restore Keys fr Serv: The system restored one or more data encryption keys from a key management server.

Setup Key Mng Serv: The system set up a key management server.

Problems and solutions

For troubleshooting information about the Hitachi Unified Storage VM storage system, see the Hitachi Virtual Storage Platform User and Reference Guide.

For troubleshooting information about Storage Navigator, see the Hitachi Storage Navigator User Guide and Hitachi Storage Navigator Messages.

The following table lists common problems and solutions for encryption features.


Problem: Action

Cannot use the Encryption License Key feature to back up or restore a key.
   Make sure that:
   • The Encryption License Key software license is valid and installed.
   • You have the Security Administrator (View & Modify) role.
   • If you back up and restore data encryption keys with a key management server, the connection to the key management server is available.
   • If you back up and restore data encryption keys with a key management server, the number of keys which you can back up on the key management server is not exceeded.

Cannot create or delete data encryption keys.
   Make sure that:
   • The Encryption License Key software license is valid and installed.
   • You have the Security Administrator (View & Modify) role.

Cannot enable encryption for a parity group.
   Make sure that:
   • The Encryption License Key software license is valid and installed.
   • All LDEVs in the parity group are in the blocked status.

Cannot disable encryption for a parity group.
   Make sure that all LDEVs in the parity group are in the blocked status.

Cannot restore a data encryption key.
   Make sure that:
   • The Encryption License Key software license is valid and installed.
   • You have the Security Administrator (View & Modify) role.
   • If you back up and restore data encryption keys with a key management server, the connection to the key management server is available.
   • The latest key is restored (the key will not be updated after a secondary backup is performed).

Server configuration test failed.
   Check the following key management server connection settings:
   • Host name
   • Port number
   • Client certificate file
   • Root certificate file



   If the communication failure is due to the length of time to connect to the server, try changing these settings:
   • Timeout
   • Retry interval
   • Number of retries

The Edit Encryption wizard operation failed, but the status of encryption (enable or disable) has changed.
   The change of the status succeeded, but the format of the volume failed. Confirm the message, remove the error, and format the volumes again.

Failed to initialize the encryption environmental settings.
   Complete the following tasks:
   1. Check if the disk blade (DKB) for encryption is blocked.
   2. If it is blocked, open the Encryption Keys window, and check the attributes.
   3. If KEK, CEK, or KEK and CEK are listed under the Attribute column, create Free keys up to the maximum number for each attribute.
   4. Contact customer support to ask for the restoration of the blocked disk blade (DKB).

Contacting the customer support

When contacting the customer support, provide as much information about the problem as possible, including:

• The circumstances surrounding the error or failure.
• The content of any error message(s) displayed on the host system(s).
• The content of any error message(s) displayed on Storage Navigator.
• The Storage Navigator configuration information (use the FD Dump Tool).
• The service information messages (SIMs), including reference codes and severity levels, that Storage Navigator displays.

The Hitachi Vantara customer support staff is available 24 hours a day, seven days a week. If you need technical support, log on to Hitachi Vantara Support Connect for contact information: https://support.hds.com/en_us/contact-us.html


A Encryption License Key GUI Reference

This chapter includes descriptions of encryption-related Storage Navigator windows and dialog boxes for the Encryption License Key feature.

For more information about other Storage Navigator windows and dialog boxes, see the Hitachi Storage Navigator User Guide.

□ Encryption Keys window

□ Edit Encryption Environmental Settings wizard

□ Create Keys wizard

□ Edit Password Policy wizard

□ Backup Keys to File wizard

□ Backup Keys to Server wizard

□ Restore Keys from file wizard

□ Restore Keys from Server wizard

□ Delete Keys wizard

□ Delete Backup Keys on Server window

□ View Backup Keys on Server window

□ Edit Encryption wizard

□ Rekey Certificate Encryption Keys window


□ Rekey Key Encryption Key window

□ Retry Key Encryption Key Acquisition window


Encryption Keys window

Use the Encryption Keys window to create data encryption keys. Clicking Encryption Keys in the Administration tree opens this window.

• Summary on page A-3
• Encryption Keys tab on page A-4

Summary

Use the Summary to view details about the number of data encryption keys and to open the View Backup Keys on Server window.

Item: Description

Number of Encryption Keys: Shows the number of data encryption keys:
   • Data Encryption Key: Number of data encryption keys.
   • Certificate Encryption Key: Number of certificate encryption keys.



   • Free: Number of keys that are not encrypted (number of keys that can be created).

Edit Encryption Environmental Settings: Shows the Edit Encryption Environmental Settings window.

View Backup Keys on Server: Shows the View Backup Keys on Server window.

Encryption Keys tab

Use the Encryption Keys tab to view a list of the data encryption key details and to select an unused data encryption key to create.

The Encryption Keys tab displays only the created encryption keys, in descending order of the Last Update Date. It also displays Perform the Edit Environmental Settings in the center of the window when the initial settings have not been performed, and displays Perform the Retry Key Encryption Key Acquisition in the center of the window when the Key Encryption Key Acquisition operation has failed.

Item: Description

Key ID: IDs of data encryption keys. A hyphen (-) is displayed when the encryption key is CEK or KEK.

Created: The date and time the data encryption key was created or was last updated.

Attribute: Displays the attribute (CEK, DEK, KEK or Free) of the encryption key. When the KEK for the key management server is displayed, it is shown in the format "KEK (UUID)" with its UUID.

Assigned to: The resource to which the encryption key is assigned. When the attribute is KEK, a hyphen (-) is displayed.

Generated on: The path in which the encryption key is created.

Number of Backups: The number of times that a backup of a data encryption key is created. When the attribute is KEK, a hyphen (-) is displayed.

Create Keys: Click to open the Create Keys window.

Backup Keys: Select To File to open the Backup Keys to File window. Select To Server to open the Backup Keys to Server window.

Restore Keys: Select From File to open the Restore Keys from File window. Select From Server to open the Restore Keys from Server window.



More Actions: Selecting Rekey Certificate Encryption Keys displays the Rekey Certificate Encryption Keys window. Selecting Rekey Key Encryption Keys displays the Rekey Key Encryption Keys window. Select Delete Keys from the list to delete a selected data encryption key. Selecting Retry Key Encryption Key Acquisition displays the Retry Key Encryption Key Acquisition window. Select Export from the list to open the window for outputting table information.

Related topics

• Creating data encryption keys on page 4-3
• Backing up keys as a file on page 4-5
• Backing up keys to a key management server on page 4-5
• Restoring keys from a file on page 4-14
• Restoring keys from a key management server on page 4-14
• Deleting data encryption keys on page 4-16
• Deleting backup data encryption keys from the server on page 4-17
• Viewing backup data encryption keys on page 4-6

Edit Encryption Environmental Settings wizard

Use the Edit Encryption Environmental Settings wizard to edit the encryption environmental settings.

The Edit Encryption Environmental Settings wizard includes the following windows:

• Edit Encryption Environmental Settings window
• Confirm window

Edit Encryption Environmental Settings window

Items displayed in the Edit Encryption Environmental Settings window can be changed under the following conditions:

• When the key management server is not in use.
• When local key generation is disabled.
• When the key encryption key for the key management server is stored on the DKC.


Item: Description

Key Management Server: Select whether to use the key management server. By default, no option is selected:
   • Enable: Key management server is used.
   • Disable: Key management server is not used.

Server Setting: When you use the key management server, the following items display:
   • Primary server
   • Secondary server
   • Server Configuration test

Primary Server: Specify the primary server information.
   • Host Name: Enter the host name of the key management server.
   • Identifier: Enter the host identifier.
   • IPv4: Enter the host IPv4 address.
   • IPv6: Enter the host IPv6 address.



   • Port number: Enter the port number of the key management server. Values: 1 to 65535. Default: 5696.
   • Timeout (sec.): Enter the time until the connection attempt to the key management server times out. Values: 1 to 120. Default: 60.
   • Retry Interval (sec.): Enter the interval to retry the connection to the key management server. Values: 1 to 60. Default: 1.
   • Number of Retries: Enter the number of times to retry the connection to the key management server. Values: 1 to 50. Default: 3.
   • Client Certificate File Name: Select the client certificate file for connecting to the key management server. Click Browse and select the file.
   • Browse: Select the client certificate file. The form of the client certificate is PKCS#12. For information about the client certificate file, contact the server or network administrator. The file name appears in the Client Certificate File Name field.
   • Password: Enter the password for the client certificate. Character limits: 0 to 128. Valid characters: numbers (0 to 9), upper case (A-Z), lower case (a-z), and the symbols ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~
   • Root Certificate File Name: Select the root certificate file for connecting to the key management server. Click Browse and select the file.
   • Browse: Select the root certificate file. The form of the client certificate is X.509. If you do not know about the root certificate file, contact the server administrator or the network administrator. The name of the selected file appears in the Root Certificate File Name field.

Secondary Server: When the secondary server is set to Enable, the same items can be set as for the primary server. Caution: When Disable is selected for Secondary Server, the Protect the Key Encryption Key at the Key Management Server and Disable local key generation check boxes cannot be selected.

Server Configuration Test: Select Check to start a server connection test for the key management server based on the specified settings.

Check: Starts a server connection test for the key management server based on the specified settings.



Result: Shows the result of the server connection test for the key management server.

Generate Encryption Keys on Key Management Server: Check this box when encryption keys are to be created on a key management server.

Protect the Key Encryption Key at the Key Management Server: Check this box when key encryption keys are to be saved on key management servers. If Warning is displayed, confirm the content of the warning, and select I Agree. Caution: When Disable is selected for Secondary Server, this check box cannot be selected.

Disable local key generation: Check this box when encryption keys are to be created on key management servers and encryption keys cannot be created on the storage system. If Warning is displayed, confirm the content of the warning, and select I Agree. Caution: Once you finish this setting, you cannot restore the previous setting, so it is recommended that you confirm there are no problems before selecting I Agree. Caution: When Disable is selected for Secondary Server, this check box cannot be selected.

Initialize Encryption Environmental Settings: Select to initialize the encryption environmental settings.

Confirm window in the Edit Encryption Environmental Settings wizard

Item: Description

Primary Server: Displays the primary server information.
   • Key Management Server: Shows whether the key management server is used.
      ◦ Enable: key management server is used.
      ◦ Disable: key management server is not used.
      ◦ Not Set: Initialize the encryption environmental settings.
   • Host Name: The host name of the key management server.
   • Port number: The port number of the key management server.



   • Timeout (sec.): The time until the connection attempt to the key management server times out.
   • Retry Interval (sec.): The interval to retry the connection to the key management server.
   • Number of Retries: The number of times to retry the connection to the key management server.
   • Client Certificate File Name: The client certificate file for connecting to the key management server.
   • Password: The password for the client certificate is displayed as ****** (six asterisks).
   • Root Certificate File Name: The root certificate file for connecting to the key management server.

Secondary Server: When the secondary server exists, the same items are shown as for the primary server.

Generate Encryption Keys on Key Management Server: Displays whether encryption keys are created on a key management server or not.
   • Yes: Encryption keys are created on a key management server.
   • No: Encryption keys are not created on a key management server.

Protect the Key Encryption Key at the Key Management Server: Displays whether key encryption keys are saved on key management servers or not.
   • Yes: Encryption keys are saved on key management servers.
   • No: Encryption keys are not saved on key management servers.

Disable local key generation: Displays whether encryption keys are created on key management servers and encryption keys cannot be created on the storage system.
   • Yes: Encryption keys are created on key management servers and encryption keys cannot be created on the storage system.
   • No: Encryption keys are not created on key management servers. Encryption keys are created on storage systems.

Create Keys wizard

Use the Create Keys wizard to create keys and to back up keys to the key management server.

This wizard includes the following windows:

• Create Keys window
• Confirm window


Create Keys window

Use the Create Keys window to create a data encryption key. This window includes the Selected Keys table.

Item: Description

Number of Encryption Keys: Specifies the number of encryption keys (1-1,536). 1,536 is the maximum number of encryption keys. This window shows the value obtained by subtracting the number of created DEK and Free keys from 1,536.

Confirm window in the Create Keys wizard

The following is the Confirm window in the Create Keys wizard.


Item: Description

Number of Encryption Keys: Displays the number of encryption keys.

Related topics

• Workflow for creating data encryption keys on page 4-3
• Creating data encryption keys on page 4-3

Edit Password Policy wizard

Use the Edit Password Policy wizard to edit the password policy for backup keys.

This wizard includes the following windows:

• Edit Password Policy window
• Confirm window

Edit Password Policy window

Item: Description

Numeric Characters (0-9): The minimum number of numeric characters that should be used for this password.



   Values: 0 to 255. Default: 0.

Uppercase Characters (A-Z): The minimum number of alphabetical upper case characters that should be used for this password. Values: 0 to 255. Default: 0.

Lowercase Characters (a-z): The minimum number of alphabetical lower case characters that should be used for this password. Values: 0 to 255. Default: 0.

Symbols: The minimum number of symbols that should be used for this password. Values: 0 to 255. Default: 0.

Total: The minimum number of characters for this password. Values: 6 to 255. Default: 6.

Confirm window in the Edit Password Policy wizard

Use the Confirm window in the Edit Password Policy wizard to confirm the changes to the password policy.


Item: Description

Numeric Characters (0-9): Displays the minimum number of numeric characters that should be used for this password.

Uppercase Characters (A-Z): Displays the minimum number of alphabetical upper case characters that should be used for this password.

Lowercase Characters (a-z): Displays the minimum number of alphabetical lower case characters that should be used for this password.

Symbols: Displays the minimum number of symbols that should be used for this password.

Total: Displays the minimum number of characters for this password.

Backup Keys to File wizard

Use the Backup Keys to File wizard to create backup data encryption keys as files on Storage Navigator.

This wizard includes the following windows:

• Backup Keys to File window
• Confirm window

Backup Keys to File window

When the password policy has been edited in the Edit Password Policy window, you will see the following figure.


When the password policy has not been edited in the Edit Password Policy window, you will see the following figure.


Item: Description

Password: The password for the backup data encryption key. Character limits: 6 to 255. Valid characters:
   • Numbers (0 to 9)
   • Upper case (A-Z)
   • Lower case (a-z)
   • Symbols: ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

Re-enter Password: Type the password again for confirmation.
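The following Python is an added example, not Hitachi code: it models the per-class minimums of the Edit Password Policy window and the character set and length limits of the Backup Keys to File password, and reports why a candidate backup-key password would be rejected. The policy values and candidate passwords are constructed for illustration.

```python
"""Backup-key password policy check, modelled on the Edit Password Policy
window and the Backup Keys to File window (added example, not Hitachi code).

The policy values and sample passwords used below are constructed.
"""
import string
from dataclasses import dataclass

# Character classes the Backup Keys to File window lists as valid.
DIGITS = set(string.digits)
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
SYMBOLS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")
ALLOWED = DIGITS | UPPER | LOWER | SYMBOLS

# Length limits stated for the backup-key password (6 to 255 characters).
MIN_TOTAL, MAX_TOTAL = 6, 255


@dataclass(frozen=True)
class PasswordPolicy:
    """Per-class minimums from the Edit Password Policy window; defaults as on the page."""
    numeric: int = 0
    uppercase: int = 0
    lowercase: int = 0
    symbols: int = 0
    total: int = MIN_TOTAL

    def __post_init__(self) -> None:
        # The window accepts 0 to 255 for each class and 6 to 255 for Total.
        for name in ("numeric", "uppercase", "lowercase", "symbols"):
            if not 0 <= getattr(self, name) <= 255:
                raise ValueError(f"{name} must be 0 to 255")
        if not MIN_TOTAL <= self.total <= MAX_TOTAL:
            raise ValueError(f"total must be {MIN_TOTAL} to {MAX_TOTAL}")


def class_counts(password: str) -> dict:
    """Count how many characters of each class the password contains."""
    return {
        "numeric": sum(c in DIGITS for c in password),
        "uppercase": sum(c in UPPER for c in password),
        "lowercase": sum(c in LOWER for c in password),
        "symbols": sum(c in SYMBOLS for c in password),
    }


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    # Any character outside the four listed classes is rejected outright.
    invalid = sorted({c for c in password if c not in ALLOWED})
    if invalid:
        problems.append("invalid characters: " + "".join(invalid))
    n = len(password)
    if n < policy.total:
        problems.append(f"length {n} is below the minimum total of {policy.total}")
    elif n > MAX_TOTAL:
        problems.append(f"length {n} exceeds the maximum of {MAX_TOTAL}")
    counts = class_counts(password)
    for name in ("numeric", "uppercase", "lowercase", "symbols"):
        need = getattr(policy, name)
        if counts[name] < need:
            problems.append(f"{name}: {counts[name]} found, {need} required")
    return problems


def passwords_match(password: str, reentered: str) -> bool:
    """The Re-enter Password field must repeat the password exactly."""
    return password == reentered


if __name__ == "__main__":
    # Constructed policy: two digits, one of each other class, at least 10 characters.
    policy = PasswordPolicy(numeric=2, uppercase=1, lowercase=1, symbols=1, total=10)
    for candidate in ("Passw0rd", "Backup-Key#2018", "Pässwörd01!"):
        print(candidate, "->", check_password(candidate, policy) or "OK")
```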


Confirm window in the Backup Keys to File wizard

When you click Apply in the Confirm window, a confirmation message willappear. After you click OK, a window for saving the file for encryption keyswill appear. Enter the backup file name with the extension of “.ekf” and savethe file.

Backup Keys to Server wizardUse the Backup Keys to Server wizard to backup data encryption keys onthe key management server.

This wizard includes the following windows:

• Backup Keys to Server window
• Confirm window


Backup Keys to Server window

Item Description

Description Optionally, enter a description for the backup data encryption key. Character limit: up to 256 characters.


Confirm window in the Backup Keys to Server wizard

Item Description

Description Shows the description for the backup data encryption key.

Restore Keys from File wizard

Use the Restore Keys from File wizard to restore data encryption keys from a backup file (.ekf) saved on the Storage Navigator computer.

This wizard includes the following windows:

• Restore Keys from File window
• Confirm window


Restore Keys from File window

Item Description

File Name File name of the selected backup file.

Browse Select the backup file (.ekf). The name of the selected file is shown for File Name.

Password The password that you entered when you created the backup data encryption key file.


Confirm window in the Restore Keys from File wizard

Item Description

Item Item of the data encryption key to restore.

Value Value of the data encryption key to restore.

Restore Keys from Server wizard

Use the Restore Keys from Server wizard to restore data encryption keys from the key management server.

This wizard includes the following windows:

• Restore Keys from Server window
• Confirm window


Restore Keys from Server window

Item Description

UUID Shows the UUID of the data encryption key that you backed up on the key management server.

Backup Date Shows the time when you backed up the data encryption key on the key management server.

Description Shows the description you typed when you backed up the data encryption key on the key management server.


Confirm window in the Restore Keys from Server wizard

Item Description

UUID Shows the UUID of the data encryption key you backed up on the key management server.

Backup Date Shows the time when you backed up the data encryption key on the key management server.

Description Shows the description you typed when you backed up the data encryption key on the key management server.

Delete Keys wizard

Use the Delete Keys wizard to delete data encryption keys and backup data encryption keys in Storage Navigator.

This wizard includes the following windows:

• Delete Keys window
• Confirm window


Delete Keys window

Item Description

Key ID Identifiers of the data encryption keys to delete.

Confirm window in the Delete Keys wizard


Item Description

Key ID Identifiers of the data encryption keys that will be deleted.

Delete Backup Keys on Server window

Use the Delete Backup Keys on Server window to confirm the deletion of a backup key in Storage Navigator.

This window includes the Selected Backup Keys table.

Item Description

UUID Shows the UUID of the data encryption key you backed up on the key management server.

Backup Date Shows the time when you backed up the data encryption key on the key management server.

Description Shows the description you typed when you backed up the data encryption key on the key management server.

View Backup Keys on Server window

Use the View Backup Keys on Server window to view a list of the backup data encryption keys on the key management server.

This window includes the Backup Keys table.


Backup Keys table

The Backup Keys table is shown on the View Backup Keys on Server window. This table lists the backup data encryption keys.

Item Description

UUID Shows the UUID of the backup data encryption key on the key management server.

Backup Date Shows the time when you backed up the data encryption key on the key management server.

Description Shows the description you typed when you backed up the data encryption key on the key management server.

Delete Backup Keys on Server button Opens the Delete Backup Keys on Server window.

Backup Keys to Server button Opens the Backup Keys to Server window.

Restore Keys from Server button Opens the Restore Keys from Server window.


Edit Encryption wizard

Use the Edit Encryption wizard to do the following:

• Enable data encryption on a parity group.
• Edit or associate the data encryption key to the LDEV.
• Edit the format type for the parity group.

This wizard includes the following windows:

• Edit Encryption window
• Confirm window

Edit Encryption window

The Edit Encryption window includes the following items:

• Available Parity Groups table. For more information about this table, see Available Parity Groups table on page A-26.

• Selected Parity Groups table. For more information about this table, see Selected Parity Groups table on page A-28.

Available Parity Groups table

Use the Available Parity Groups table on the Edit Encryption window to view a list of the available parity groups.


Item Description

Parity Group ID Shows the parity group IDs.

RAID Level Shows the RAID level of the parity group. For an interleaved parity group, the interleave number appears after the RAID level. Example: 1(2D+2D)*2

Capacity Shows the total capacity of the parity group, with its unit.

Drive Type/RPM Shows the hard disk drive type and RPM (rotations per minute) of the drives in the parity group.

Encryption Shows the encryption setting for the parity group:
• Enable: data encryption will be enabled for the selected parity group.
• Disable: data encryption will be disabled for the selected parity group.

Format Type Shows the format type of the parity group. In this table the format type shows No Format regardless of the format type you selected from the Format Type list.

Add Moves the selected parity group from the Available Parity Groups table to the Selected Parity Groups table.


Selected Parity Groups table

Use the Selected Parity Groups table to review the parity groups that will be changed and, if necessary, remove a parity group from the list.

Item Description

Parity Group ID Shows the parity group IDs.

RAID Level Shows the RAID level of the parity group. For an interleaved parity group, the interleave number appears after the RAID level. Example: 1(2D+2D)*2

Capacity Shows the total capacity of the parity group, with its unit.

Drive Type/RPM Shows the hard disk drive type and RPM (rotations per minute) of the drives in the parity group.

Encryption Shows the encryption setting for the parity group:
• Enable: data encryption will be enabled for the selected parity group.
• Disable: data encryption will be disabled for the selected parity group.

Format Type Shows the format type of the parity group. In this table the format type shows No Format regardless of the format type you selected from the Format Type list.

Remove Removes the selected parity groups from the Selected Parity Groups table.

Confirm window in the Edit Encryption wizard

Use the Confirm window to confirm the changes to the data encryption key and to view a list of the selected parity groups related to the data encryption key.


Selected Parity Groups table

Use the Selected Parity Groups table to view a list of the selected parity groups related to the data encryption key.

Item Description

Parity Group ID Shows the parity group identifier.

RAID Level Shows the RAID level of the parity group. For an interleaved parity group, the interleave number appears after the RAID level. Example: 1(2D+2D)*2

Capacity Shows the total capacity of the parity group.

Drive Type/RPM Shows the hard disk drive type and RPM (rotations per minute) of the drives in the parity group.

Encryption Shows the encryption setting that will be applied to the parity group:
• Enable: encryption enabled
• Disable: no encryption

Format Type Shows the format type of the parity group.

Rekey Certificate Encryption Keys window

Use the Rekey Certificate Encryption Keys window to rekey (change) the certificate encryption keys.


Item Description

Task Name You can enter up to 32 ASCII characters (letters, numerals, and symbols) in Task Name. Task names are case-sensitive.

Rekey Key Encryption Key window

Use the Rekey Key Encryption Key window to rekey (change) the key encryption keys.

Item Description

Task Name You can enter up to 32 ASCII characters (letters, numerals, and symbols) in Task Name. Task names are case-sensitive.

Retry Key Encryption Key Acquisition window

If the key encryption keys are acquired from the external key management server when the storage system starts and the acquisition fails for some reason, use this window to retry the key encryption key acquisition.


Glossary

This glossary defines the special terms used in this document.

A

AES
Advanced Encryption Standard

C

CU
control unit

E

ECB
Electronic Code Book

emulation type
Indicates the type of LDEV. Open-system emulation types include OPEN-V and OPEN-3.

Encryption Administrator
User role in Storage Navigator with permission to perform Encryption License Key operations. Compare with Storage Administrator.

encryption key
The data encryption key is used to encrypt and decrypt data on the Hitachi Unified Storage VM storage system.



external volume
A volume whose data is stored on drives that are physically outside of the RAID storage system. Universal Volume Manager is used to manage external storage. Compare with internal volume.

I

internal volume
A volume whose data is stored on drives that are physically within the RAID storage system. Compare with external volume.

L

logical device (LDEV)
An individual logical device (on multiple drives in a RAID configuration) in the storage system. An LDEV may or may not contain any data and may or may not be defined to any hosts. Each LDEV has a unique identifier, or address, within the storage system composed of the LDKC number, CU number, and LDEV number. An LDEV formatted for use by mainframe hosts is called a logical volume image (LVI). An LDEV formatted for use by open-system hosts is called a logical unit (LU).

logical unit (LU)
An LDEV that is configured for use by open-systems hosts (for example, OPEN-V).

logical volume image (LVI)
An LDEV that is configured for use by mainframe hosts (for example, 3390-3).

P

parity group
A redundant array of independent drives (RAID) that have the same capacity and are treated as one group for data storage and recovery. A parity group contains both user data and parity information, which allows the user data to be accessed in the event that one or more of the drives within the parity group are not available. The RAID level of a parity group determines the number of data drives and parity drives and how the data is “striped” across the drives.



primary volume (P-VOL)
The volume in a copy pair that contains the original data to be replicated. The data on the P-VOL is duplicated synchronously or asynchronously on the secondary volume(s) (S-VOL). The following Hitachi products use the term P-VOL: Copy-on-Write Snapshot, ShadowImage, ShadowImage for Mainframe, TrueCopy, Universal Replicator, Universal Replicator for Mainframe, and High Availability Manager. See also secondary volume.

P-VOL
See primary volume.

S

service information message (SIM)
Message generated by the RAID storage system when an error or service requirement is detected. SIMs are reported to hosts and displayed on Storage Navigator.

secondary volume (S-VOL)
The volume in a copy pair that is the copy of the original data on the primary volume. The following Hitachi products use the term “secondary volume”: ShadowImage, ShadowImage for Mainframe, TrueCopy, Universal Replicator, Universal Replicator for Mainframe, and High Availability Manager. See also primary volume.

source volume (S-VOL)
In the previous version of the Storage Navigator GUI, this is the volume containing the original data that is duplicated on the target volume (T-VOL). The following Hitachi products use the term source volume: ShadowImage for Mainframe, Dataset Replication, Compatible FlashCopy® V2. In the latest version of the GUI, “source volume” and “S-VOL” are replaced with “primary volume”.

Storage Administrator
User role in Storage Navigator with permission to perform data encryption operations. Compare with Encryption Administrator.

S-VOL
See secondary volume or source volume (S-VOL).



T

target volume (T-VOL)
In the previous version of the Storage Navigator GUI, this is the copy of the original data on the source volume (S-VOL). The following Hitachi products use the term target volume: ShadowImage for Mainframe, Dataset Replication, and Compatible FlashCopy® V2. In the latest version of the GUI, “target volume” and “T-VOL” are replaced with “secondary volume”. See also source volume (S-VOL).

T-VOL
See target volume (T-VOL).

U

USP V/VM
Hitachi Universal Storage Platform V/VM

V

HUS VM
Hitachi Unified Storage VM

X

XRC
Extended Remote Copy

XTS
XEX-based Tweaked CodeBook mode (TCB) with CipherText Stealing (CTS)

Z

zero data
The number 0 (zero). A zero-formatting operation is a formatting operation that writes the number 0 (zero) to the entire disk area.



Index

A

AES-256 1-2
audit logging 1-6, 5-2

B

blocking volumes 4-11, 4-13

D

data encryption operations
    audit logging of 1-6
    disabling encryption 1-5, 4-9
    enabling encryption 1-4, 4-7, 4-11
    encrypting existing data 1-4, 1-5, 4-15
    troubleshooting 5-2

decrypting data 4-9
disabling encryption 4-9

E

emulation types 1-2
enabling data encryption workflow 4-7
encryption key operations
    audit logging of 1-6, 5-2
    backing up the key 1-3, 4-4
    restoring the key 4-12
    troubleshooting 5-2

encryption setting status A-27, A-28, A-29
external volumes 2-2

L

license key 2-2

P

primary backup key 1-3, 4-4

R

requirements 2-2
    host platforms 2-2
    license key 2-2
    microcode 2-2
    password for encryption key A-15
    Storage Navigator 2-2
    volume types 2-2

T

technical support 5-4
troubleshooting 5-2

U

unblocking volumes 4-11

V

volume types 1-2
volumes
    blocking 4-11, 4-13
    unblocking 4-11


X

XTS mode 1-2


Hitachi Vantara

Corporate Headquarters

2845 Lafayette Street

Santa Clara, CA 95050-2639 USA

HitachiVantara.com | community.HitachiVantara.com

Contact Information

USA: 1-800-446-0744

Global: 1-858-547-4526

HitachiVantara.com/contact