Administrator Guide 15

OceanStor 5300 V3, 5500 V3, 5600 V3, 5800 V3, and 6800 V3 Storage System V300R003

Routine maintenance activities are the most common activities for the storage device, including powering on or off the storage device, managing users, modifying basic parameters of the storage device, and managing hardware components. This document applies to the system administrators who are responsible for carrying out routine maintenance activities, monitoring the storage device, and rectifying common device faults.
Disk Encryption Service Overview


Huawei OceanStor 5300 V3/5500 V3/5600 V3/5800 V3/6800 V3 storage systems support a disk encryption function that provides secure storage services without impacting storage performance.

OceanStor 5300 V3/5500 V3/5600 V3/5800 V3/6800 V3 storage systems implement disk encryption services using encrypted disks and independent key servers (keyAuthority) that comply with the FIPS 140-2 Level 3 security standard, and support two key servers in active-standby mode. Multiple encryption storage systems can share one key server to manage keys. Each key server can provide services for 500 encryption storage devices and 1 MB symmetric keys. The storage array controller does not cache or store data encryption keys in a static state. Acting as a key management agent for third-party key management servers and self-encrypting disks (SEDs), it only provides secure key transfer channels, ensuring the security of keys and data.

Disk encryption services have the following characteristics:
  • Storage performance is not affected. The encryption/decryption rate reaches the line speed of the disk interface, so protecting data adds no extra latency.
  • Data on all disks is encrypted transparently without affecting other features such as mirroring, snapshot, deduplication, and compression.
  • Automatic key life cycle management and the KMIP protocol are supported, ensuring the openness of key management systems.
Figure 3-9 shows how to configure disk encryption services.
Figure 3-9  Process of configuring disk encryption services

NOTE:
  • For details about how to configure key servers (keyAuthority), see the Thales e-Security keyAuthority User Guide shipped with the key servers.
  • To ensure key server reliability and security, configure a key backup server for your key servers. For details, see chapter System backup in the Thales e-Security keyAuthority User Guide shipped with the key servers.
If the storage system requires disk encryption services, connect the key servers and key backup server to the storage network, as shown in Figure 3-10.
Figure 3-10  System networking diagram of disk encryption services

NOTE:
  • Key servers do not support communications over IPv6.
  • In a clustered key server environment, if a key server or link is faulty, you cannot create or delete encrypted disk domains, expand disk domains, replace faulty encrypted disks, destroy data, or update keys in the storage array. Meanwhile, the key servers do not allow you to create or delete keys.
  • In a clustered key server environment, if links are intermittently disconnected and the intermittent frequency is lower than 30s, you may not be able to create or delete encrypted disk domains, expand disk domains, replace faulty encrypted disks, destroy data, or update keys.
  • When replacing a faulty key server, back up licenses in all environments because it will take a long time to obtain a license.
Updated: 2019-04-17

Document ID: EDOC1000084191
