Disk Encryption User Guide

OceanStor Dorado V3 Series V300R001

This document is applicable to OceanStor Dorado5000 V3, Dorado6000 V3 and Dorado18000 V3. This document introduces how to install and configure key management servers connected to the storage systems that use self-encrypting disks.
Configuring the Internal Key Management Service

After enabling and configuring the internal key management service, keys of the self-encrypting disk domain will be saved in the internal database of the storage system.

Prerequisites

A self-encrypting disk has been configured on the storage system. The AutoLock status of the self-encrypting disk is Disable.

To query the AutoLock status of the self-encrypting disk, you can log in to the CLI of the storage system and run the show disk general command.

admin:/>show disk general  
ID        Health Status  Running Status  Type     Capacity   Role       Disk Domain ID  Speed(RPM)  Health Mark  Bar Code              Item      AutoLock State
--------  -------------  --------------  -------  ---------  ---------  --------------  ----------  -----------  --------------------  --------  --------------
DAE000.0  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FB000131  02350LGX  OFF
DAE000.1  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FB000124  02350LGX  OFF
DAE000.2  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FB000238  02350LGX  OFF
DAE000.3  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FA000228  02350LGX  OFF
DAE000.4  Normal         Online          SSD-SED  371.965GB  Free Disk  --              --          --           2102350LGX10FA000227  02350LGX  OFF
DAE000.5  Normal         Online          SSD-SED  371.965GB  Free Disk  --              --          --           2102350LGX10FA000187  02350LGX  OFF
DAE100.0  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FA000159  02350LGX  OFF
DAE100.1  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FA000161  02350LGX  OFF
DAE100.2  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10G3000505  02350LGX  OFF
DAE100.3  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FA000182  02350LGX  OFF
DAE100.4  Normal         Online          SSD-SED  371.965GB  Free Disk  --              --          --           2102350LGX10G3000511  02350LGX  OFF

If AutoLock State is OFF, disk encryption is disabled.
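The prerequisite above is easy to miss on an enclosure with many disks. The following script, added here as an example and not part of the Huawei documentation, parses the fixed-width table printed by show disk general and reports every self-encrypting disk whose AutoLock State is not OFF. The sample output embedded in it is a constructed, abbreviated copy of the listing above with one disk deliberately set to ON so that the failure path is exercised.

```python
"""Prerequisite check for the self-encrypting disk setup described above.

Added example, not Huawei code: parses the fixed-width table printed by the
storage CLI's show disk general command and reports any self-encrypting disk
(Type ending in SED) whose AutoLock State is not OFF, which is the condition
this section requires before the internal key service is enabled.
"""
import re

# Constructed sample: an abbreviated copy of the output shown on this page,
# with DAE000.1 deliberately changed to ON to exercise the failure path.
SAMPLE_OUTPUT = """\
admin:/>show disk general
ID        Health Status  Running Status  Type     Capacity   Role       Disk Domain ID  Speed(RPM)  Health Mark  Bar Code              Item      AutoLock State
--------  -------------  --------------  -------  ---------  ---------  --------------  ----------  -----------  --------------------  --------  --------------
DAE000.0  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FB000131  02350LGX  OFF
DAE000.1  Normal         Online          SSD-SED  366.965GB  Free Disk  --              --          --           2102350LGX10FB000124  02350LGX  ON
DAE100.4  Normal         Online          SSD-SED  371.965GB  Free Disk  --              --          --           2102350LGX10G3000511  02350LGX  OFF
"""

# Columns in the CLI table are separated by at least two spaces, while values
# such as "Free Disk" or "Health Status" contain only a single space.
_SPLIT = re.compile(r"\s{2,}")


def parse_disk_table(text):
    """Return one dict per disk row, keyed by the header names."""
    header = None
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = _SPLIT.split(line)
        if header is None:
            # The header is the first line that starts with the ID column
            # and names the AutoLock column; everything before it is skipped.
            if fields[0] == "ID" and "AutoLock State" in fields:
                header = fields
            continue
        # Skip the dashed separator and anything that is not a full row.
        if len(fields) != len(header) or all(set(f) <= {"-"} for f in fields):
            continue
        rows.append(dict(zip(header, fields)))
    return rows


def autolock_violations(disks):
    """IDs of self-encrypting disks whose AutoLock State is anything but OFF."""
    return [
        d["ID"] for d in disks
        if d["Type"].upper().endswith("SED") and d["AutoLock State"].upper() != "OFF"
    ]


def prerequisite_met(text):
    """True when the output lists at least one disk and every SED reports OFF."""
    disks = parse_disk_table(text)
    return bool(disks) and not autolock_violations(disks)


if __name__ == "__main__":
    bad = autolock_violations(parse_disk_table(SAMPLE_OUTPUT))
    print("prerequisite met" if not bad else "AutoLock already ON: " + ", ".join(bad))
```

Paste the real CLI output into SAMPLE_OUTPUT (or read it from a file) and run the script before starting the procedure; any disk it names must be dealt with first, because the key service cannot be enabled while a disk is already locked.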

Procedure

  1. Log in to DeviceManager.
  2. Enable and configure the internal key service.

    1. Choose Settings > Storage Settings > Value-added Service Settings > Key Service.

      The Key Service dialog box is displayed.

    2. Select Enable the internal key management service.
    3. Optional: Configure a key backup policy.

      When a key changes, the storage system automatically backs up the key information to the backup server, so that the key can be recovered if it is damaged.

      Before using the key backup function, ensure that the backup server has been configured successfully and communicates properly with the storage system. Table 2-1 lists the SSH key exchange algorithms supported by the storage system. When deploying the backup server, use SFTP server tools that support these key exchange algorithms, such as xlight FTP.

      Table 2-1 SSH key exchange algorithms

      Item: KexAlgorithms

      Default Value:
      • ecdh-sha2-nistp256
      • ecdh-sha2-nistp384
      • ecdh-sha2-nistp521
      • diffie-hellman-group-exchange-sha256
      • diffie-hellman-group-exchange-sha1
      • diffie-hellman-group14-sha1
      NOTE:

      For details about how to use xlight FTP, see 2.5.1 Using the xlight FTP Tool to Deploy the FTP Backup Server.

      1. Click Enable after Key Backup to enable the key backup.
      2. Set parameters related to the key backup policy, as shown in Table 2-2.
        Table 2-2 Parameters Related to the Key Backup

        Parameter: Protocol
        Description: Protocol used by the storage system to back up key information to the backup server.
        Setting: SFTP or FTP.
        NOTE: FTP is supported for compatibility reasons. You are advised to use SFTP to ensure the security of data transmission.

        Parameter: Address of the backup server
        Description: IP address or domain name of the SFTP or FTP server to which key information is backed up.
        Setting: [Example] 192.168.20.3

        Parameter: Path for saving information on the backup server
        Description: Directory on the backup server in which key information is saved.
        Setting: [Example] innerkey_backup

        Parameter: Username
        Description: Username used to log in to the backup server.
        Setting: [Example] admin

        Parameter: Password
        Description: Password used to log in to the backup server.
        Setting: [Example] Admin@123

        Parameter: Port
        Description: Port for communication between the backup server and the storage system.
        Setting: [Value range] 1 to 65535. [Example] 20

      3. Click Test to test the connectivity between the backup server and the storage system.
      4. Click Save to save information about configurations of the internal key service.
        • If Key Backup is not enabled, the security alert dialog box is displayed. Select I have read and understand the consequences associated with performing this operation and click OK. The Execution Result dialog box is displayed, indicating that the operation succeeded.
        • If Key Backup is enabled, the Execution Result dialog box is displayed, indicating that the operation succeeded.
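Table 2-1 only matters if the SFTP backup server actually offers one of the listed algorithms, and two of them are SHA-1 based. The following script, added here as an example and not Huawei code, takes the server's offered key exchange list (from an sshd_config KexAlgorithms line, or from the "KEX algorithms:" line that ssh -vv prints for the peer server's KEXINIT proposal) and reports which algorithm a backup session would negotiate against the Table 2-1 defaults. It assumes the table's order is the storage system's preference order; the page does not state that, and the sample lines are constructed, not captured from a real server.

```python
"""Key exchange compatibility check for the key backup server (Table 2-1).

Added example, not Huawei code. The storage system is the SSH client when it
pushes key backups to the SFTP server, so the server must offer at least one
of the KexAlgorithms in Table 2-1. The assumption that Table 2-1 lists the
storage system's preference order is the author's of this example, not the page's.
"""

# Storage system defaults from Table 2-1, in the order the table gives them.
STORAGE_KEX = [
    "ecdh-sha2-nistp256",
    "ecdh-sha2-nistp384",
    "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
]


def parse_kex_list(line):
    """Extract comma-separated algorithm names from a config or debug line."""
    text = line.strip()
    if ":" in text:                                     # "debug2: KEX algorithms: a,b,c"
        text = text.rsplit(":", 1)[1]
    elif text.lower().startswith("kexalgorithms"):      # sshd_config directive
        text = text[len("kexalgorithms"):]
    return [a.strip() for a in text.split(",") if a.strip()]


def negotiate(client_prefs, server_offer):
    """SSH selects the first client-preferred algorithm the server also offers
    (RFC 4253, section 7.1). Returns None when there is no common algorithm."""
    offered = set(server_offer)
    for algo in client_prefs:
        if algo in offered:
            return algo
    return None


def is_sha1_kex(algo):
    return algo.endswith("sha1")


def assess_backup_server(server_line, client_prefs=STORAGE_KEX):
    """Summarise what a backup session with this server would negotiate."""
    offer = parse_kex_list(server_line)
    chosen = negotiate(client_prefs, offer)
    common = [a for a in client_prefs if a in offer]
    return {
        "offered": offer,
        "negotiated": chosen,
        "sha1_fallback": chosen is not None and is_sha1_kex(chosen),
        # Restricting the server to the SHA-2 members of the common set keeps
        # backups working without letting the session settle on a SHA-1 KEX.
        "recommended_server_kex": [a for a in common if not is_sha1_kex(a)],
    }


if __name__ == "__main__":
    # Constructed sample lines; not captured from a real server.
    for line in (
        "KexAlgorithms curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1",
        "debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org",
        "KexAlgorithms diffie-hellman-group14-sha1",
    ):
        print(assess_backup_server(line))
```

A result with negotiated set to None means the Test button in the Key Service dialog will fail for a reason that is not visible in DeviceManager; a result with sha1_fallback set to True means the backup works but the server should be narrowed to the recommended_server_kex list.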

  3. Create a self-encrypting disk domain and automatically generate encryption keys on the storage system.

    1. Choose Provisioning > Disk Domain.
    2. Click OK.

      The Create Disk Domain dialog box is displayed, as shown in Figure 2-1.

      Figure 2-1 Creating a Disk Domain

    3. Name and describe the disk domain.
      1. In Name, enter a name for the disk domain.
        NOTE:
        • Each disk domain has a unique name.
        • A disk domain name can contain only letters, digits, underscores (_), hyphens (-), periods (.), and Chinese characters.
        • A disk domain name contains 1 to 31 characters (one Chinese character occupies three characters in length).
      2. In Description, enter the usage and properties of the disk domain. The descriptive information helps identify the disk domain.
    4. Set Encryption Type to Self-encrypting disk domain.
    5. Select the owning controller enclosure of the disks that constitute a disk domain, and set the Hot Spare Policy for the disk domain.
      • If you select Default settings, the storage system creates a disk domain using all disks owned by all controller enclosures.
      • If you select Manually select, you must manually select the owning controller enclosure.
      NOTE:

      You can create multiple disk domains.

    6. Click OK.

      A message is displayed indicating that the operation succeeded.

    7. Click OK to finish creating the disk domain.

      After creating the disk domain, choose Provisioning > Disk Domain to check that the AutoLock status of disks in the current disk domain is Enable.

  4. Export the encryption key.

    1. Choose Settings > Storage Settings > Value-added Service Settings > Key Service.
    2. Click Export Internal Keys and manually export the key file using the browser.
    NOTE:

    Store the exported key file securely and do not modify it. If the key is damaged, this file can be used to recover it.

Follow-up Procedure

  • After creating the self-encrypting disk domain, you can create LUNs to allocate the storage space to application servers. For details, see Basic Storage Service Configuration Guide of the corresponding product model.
NOTE:

You can log in to Huawei's technical support website (http://support.huawei.com/enterprise/) and enter the product model + document name in the search box to search for, browse, and download the desired documents.

  • After updating the keys of a self-encrypting disk domain, export the new keys promptly.
Updated: 2018-11-01

Document ID: EDOC1000159246