Disk Encryption User Guide

OceanStor Dorado V3 Series V300R001

This document is applicable to OceanStor Dorado5000 V3, Dorado6000 V3 and Dorado18000 V3. This document introduces how to install and configure key management servers connected to the storage systems that use self-encrypting disks.


OceanStor Dorado V3 series storage systems support the disk encryption function that provides secure storage services without impacting storage performance.

The disk encryption function has the following characteristics:

  • Data in all disks is encrypted transparently without affecting other features such as mirroring, snapshot, deduplication, and compression.
  • Automatic key life-cycle management is supported, and keys are exchanged over the standard KMIP protocol, so the storage system can work with open, third-party key management systems.

When you enable disk encryption, the storage system activates the AutoLock function on self-encrypting drives (SEDs) and uses the authentication keys (AKs) allocated by the key management server. SED access is protected by the AutoLock function, so only the storage system itself can access its SEDs. When the storage system accesses an SED, it acquires the AK for that drive from the key management server. If the AK matches the one held by the SED, the SED decrypts its data encryption key (DEK), which is then used to encrypt and decrypt data. If the AKs do not match, the SED stays locked and all read and write operations fail.
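The AK/DEK relationship described above, modelled as an added example (this is not Huawei's code or the SED firmware's logic): the KMS class, the drive class and the key-wrap scheme (PBKDF2-derived wrapping key, XOR wrap of the DEK, HMAC check value) are assumptions that stand in for the real SED internals. The point it shows is that the drive never stores the AK or the plaintext DEK, that a wrong AK leaves the DEK unrecoverable, and that a locked drive fails every read and write.

```python
import hashlib, hmac, os

class KeyManagementServer:
    """Stand-in for the KMIP key management server: one AK per SED (constructed model)."""
    def __init__(self):
        self._aks = {}
    def create_ak(self, sed_id):
        self._aks[sed_id] = os.urandom(32)
        return self._aks[sed_id]
    def get_ak(self, sed_id):
        return self._aks[sed_id]

def _derive(ak, salt):
    # Wrapping key derived from the AK; the drive keeps only the salt, never the AK itself
    return hashlib.pbkdf2_hmac("sha256", ak, salt, 10_000, dklen=64)

class SelfEncryptingDrive:
    """Holds the DEK only in wrapped form plus an AutoLock check value (assumed scheme)."""
    def __init__(self, sed_id, ak):
        self.sed_id, self.salt, self._dek, self._media = sed_id, os.urandom(16), None, {}
        dek, kek = os.urandom(32), _derive(ak, self.salt)
        self.wrapped_dek = bytes(a ^ b for a, b in zip(dek, kek[:32]))  # equal-length XOR wrap
        self.check = hmac.new(kek[32:], self.wrapped_dek, "sha256").digest()
    def unlock(self, ak):
        kek = _derive(ak, self.salt)
        tag = hmac.new(kek[32:], self.wrapped_dek, "sha256").digest()
        if not hmac.compare_digest(tag, self.check):
            self._dek = None            # AK mismatch: the drive stays (or becomes) locked
            return False
        self._dek = bytes(a ^ b for a, b in zip(self.wrapped_dek, kek[:32]))
        return True
    def _keystream(self, sector_no):
        if self._dek is None:
            raise PermissionError("SED locked: AK not accepted, all I/O fails")
        return hmac.new(self._dek, sector_no.to_bytes(8, "big"), "sha256").digest()
    def write(self, sector_no, data):
        # Data is at most 32 bytes per sector in this model (one HMAC block of keystream)
        self._media[sector_no] = bytes(a ^ b for a, b in zip(data, self._keystream(sector_no)))
    def read(self, sector_no):
        return bytes(a ^ b for a, b in zip(self._media[sector_no], self._keystream(sector_no)))

def storage_system_access(kms, sed):
    """The storage system fetches the SED's AK from the KMS and presents it to the drive."""
    return sed.unlock(kms.get_ak(sed.sed_id))
```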

The management of keys is an important factor in realizing the disk encryption feature. OceanStor Dorado V3 series storage systems support internal and external key management.


Internal key management is available only in V300R001C21 and later versions.

  • Internal key management is a method that uses system databases to store information about keys.
  • External key management is a method that uses third-party external key management servers to store information about keys.

    Table 1-1 shows the external third-party key management servers supported by the storage system.

Table 1-1 List of external third-party key management servers

  Reference link
    • Configuring and Managing the Key Management Server (keyAuthority)
    • Configuring and Managing the Key Management Server (KeySecure)


The key management server is a kind of server that has passed FIPS certification and provides key storage and management functions. The server can be connected to storage systems and provide interfaces and functions required by the KMIP protocol. Therefore, the storage system can invoke these interfaces to create, update, destroy, and query keys required by the disk encryption service.

Table 1-2 shows the comparison between internal and external key management.

Table 1-2 Comparison between internal and external key management

  Management mode          | Whether the third-party external key management server is used | Whether the management of multiple devices' keys is supported
  Internal key management  |                                                                 |
  External key management  |                                                                 |

You cannot use internal and external key management at the same time. When you switch from one method to the other, you must delete the original services and create new self-encrypting disk domains. Otherwise, the disk encryption feature cannot take effect.

Updated: 2018-11-01

Document ID: EDOC1000159246
