Disk Encryption User Guide

OceanStor V5 Series V500R007

This document is applicable to OceanStor 5110 V5, 5110F V5, 5300 V5, 5300F V5, 5500 V5, 5500F V5, 5600 V5, 5600F V5, 5800 V5, 5800F V5, 6800 V5, 6800F V5, 18500 V5, 18500F V5, 18800 V5, and 18800F V5. It describes how to install and configure the key management servers that are connected to storage systems using self-encrypting disks.


The OceanStor V5 storage systems support disk encryption, which provides secure storage services without impacting storage performance.

The disk encryption function has the following characteristics:

  • Storage performance is not affected. Encryption and decryption run inside the drive at the full speed of the disk interface, so protecting the data adds no latency to the I/O path.
  • Data on all disks is encrypted transparently, without affecting other features such as mirroring, snapshots, deduplication, and compression.
  • Automatic key life cycle management and the Key Management Interoperability Protocol (KMIP) are supported, so the storage system can work with open, standards-based key management systems rather than a proprietary one.

When you enable disk encryption, the storage system activates the AutoLock function on its self-encrypting drives (SEDs) and locks them with authentication keys (AKs) allocated by the key management server. Once AutoLock is active, only a storage system that holds the correct AK can access the SEDs; a drive removed from the system is unreadable elsewhere. Each time the storage system accesses an SED, it obtains the AK from the key management server and presents it to the drive. If the AK matches the one the SED was locked with, the SED decrypts its data encryption key (DEK) and uses it to encrypt and decrypt data; if the AKs do not match, the SED stays locked and every read and write operation fails.
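The AK/DEK chain described above, as an added illustration that is not Huawei's firmware or any SED vendor's code: a toy model of an AutoLock-style self-encrypting drive. A real SED uses hardware AES and vendor-specific key wrapping; here a SHA-256 counter keystream (an assumption, labelled in the code) stands in for the cipher so the dependency AK -> wrapped DEK -> data can be exercised offline. The model also shows the key life cycle behaviour the page lists: rotating the AK only rewraps the DEK, and data on the media is not re-encrypted.

```python
import hashlib
import hmac
import os

# Added illustration, not Huawei firmware or any vendor's SED code: a toy model of an
# AutoLock-style self-encrypting drive. A real SED uses hardware AES; here a SHA-256
# counter keystream stands in for the cipher so the chain AK -> wrapped DEK -> data
# can be exercised offline.

def _keystream(key: bytes, length: int, label: bytes) -> bytes:
    """Deterministic keystream (toy cipher, not for production use)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(label + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))

class LockedError(Exception):
    """The drive refused an I/O because no valid AK has been presented."""

class SelfEncryptingDrive:
    def __init__(self, ak: bytes):
        self._dek = os.urandom(32)      # generated inside the drive, never exported
        self._media = {}                # LBA -> ciphertext (constructed in-memory platter)
        self._session_dek = None        # DEK available for I/O only while unlocked
        self._set_ak(ak)

    def _set_ak(self, ak: bytes) -> None:
        # AutoLock state: a check value derived from the AK, and the DEK wrapped under
        # a key derived from the AK. The AK itself is not stored on the drive.
        self._ak_check = hmac.new(ak, b"ak-check", hashlib.sha256).digest()
        self._wrapped_dek = _xor(self._dek, _keystream(ak, 32, b"wrap"))

    def unlock(self, ak: bytes) -> bool:
        """Present an AK; on match the DEK is unwrapped, on mismatch the drive stays locked."""
        candidate = hmac.new(ak, b"ak-check", hashlib.sha256).digest()
        if not hmac.compare_digest(self._ak_check, candidate):
            self._session_dek = None
            return False
        self._session_dek = _xor(self._wrapped_dek, _keystream(ak, 32, b"wrap"))
        return True

    def lock(self) -> None:
        self._session_dek = None

    def write(self, lba: int, data: bytes) -> None:
        if self._session_dek is None:
            raise LockedError("write rejected: drive is locked")
        self._media[lba] = _xor(data, _keystream(self._session_dek, len(data), lba.to_bytes(8, "big")))

    def read(self, lba: int) -> bytes:
        if self._session_dek is None:
            raise LockedError("read rejected: drive is locked")
        ct = self._media[lba]
        return _xor(ct, _keystream(self._session_dek, len(ct), lba.to_bytes(8, "big")))

    def media_bytes(self, lba: int) -> bytes:
        """What a raw read of the platter (bypassing the controller) would return."""
        return self._media[lba]

    def rotate_ak(self, old_ak: bytes, new_ak: bytes) -> bool:
        """Key life cycle: a new AK only rewraps the DEK; stored data is not re-encrypted."""
        if not self.unlock(old_ak):
            return False
        self._set_ak(new_ak)
        return True

def demo() -> dict:
    """Constructed scenario: the KMS hands out AKs, the storage system presents them."""
    ak_from_kms = os.urandom(32)
    drive = SelfEncryptingDrive(ak_from_kms)
    r = {"wrong_ak_unlocks": drive.unlock(os.urandom(32))}
    try:
        drive.read(0)
        r["locked_read_fails"] = False
    except LockedError:
        r["locked_read_fails"] = True
    drive.unlock(ak_from_kms)
    drive.write(0, b"user data")
    r["plaintext_on_media"] = drive.media_bytes(0) == b"user data"
    r["roundtrip"] = drive.read(0)
    new_ak = os.urandom(32)
    r["rotate"] = drive.rotate_ak(ak_from_kms, new_ak)
    drive.lock()
    r["old_ak_after_rotate"] = drive.unlock(ak_from_kms)
    drive.unlock(new_ak)
    r["roundtrip_after_rotate"] = drive.read(0)
    return r
```

Running demo() shows the properties that matter operationally: a wrong AK never unlocks, a locked drive rejects every read and write, the bytes on the media are never plaintext, and after an AK rotation the old AK is useless while the data remains readable with the new one. It also shows why the key management server is on the critical path: if it cannot supply the AK at boot, the drives stay locked and the storage system cannot serve any data.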

Key management is critical for disk encryption. The OceanStor V5 storage systems support internal and external key management.

  • Internal key management stores keys in the storage system's database.
  • External key management stores keys on third-party external key management servers.
Table 1-1 shows the third-party external key management servers supported by the storage system.

Table 1-1 External third-party key management servers

Key Management Server    Reference Link
keyAuthority             Configuring and Managing the Key Management Server (keyAuthority)
KeySecure                Configuring and Managing the Key Management Server (KeySecure)

The key management server has passed FIPS certification and provides key storage and management functions. When connected to storage systems, it exposes the interfaces and functions defined by KMIP, and the storage systems invoke these interfaces to create, update, destroy, and query the keys required by the disk encryption service.
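What a KMIP "create" and "query" call look like on the wire, as an added example that is not the storage system's code nor keyAuthority's or KeySecure's: a minimal encoder and decoder for KMIP's TTLV (tag, type, length, value) format that builds the Create request a client sends to obtain a new 256-bit AES key and the Get request that fetches it by the Unique Identifier the server returned. Tag, type and enumeration values are the ones in the KMIP 1.x specification; the protocol version 1.2, the key length and the identifier "key-0001" are illustrative choices.

```python
import struct

# Added example, not code from the storage system or from keyAuthority/KeySecure:
# a minimal KMIP TTLV encoder/decoder. Tag, type and enumeration values are taken
# from the KMIP 1.x specification; protocol version and sample values are assumptions.

STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING, BYTE_STRING = 0x01, 0x02, 0x05, 0x07, 0x08
TAG = {  # 3-byte tags
    "Attribute": 0x420008, "AttributeName": 0x42000A, "AttributeValue": 0x42000B,
    "BatchCount": 0x42000D, "BatchItem": 0x42000F, "CryptographicAlgorithm": 0x420028,
    "CryptographicLength": 0x42002A, "CryptographicUsageMask": 0x42002C,
    "ObjectType": 0x420057, "Operation": 0x42005C, "ProtocolVersion": 0x420069,
    "ProtocolVersionMajor": 0x42006A, "ProtocolVersionMinor": 0x42006B,
    "RequestHeader": 0x420077, "RequestMessage": 0x420078, "RequestPayload": 0x420079,
    "TemplateAttribute": 0x420091, "UniqueIdentifier": 0x420094,
}
OP_CREATE, OP_GET, OP_DESTROY = 1, 10, 20        # Operation enumeration
OBJ_SYMMETRIC_KEY, ALG_AES = 2, 3                # ObjectType / CryptographicAlgorithm
USAGE_ENCRYPT, USAGE_DECRYPT = 0x04, 0x08        # CryptographicUsageMask bits

def ttlv(tag: int, item_type: int, value) -> bytes:
    """Encode one item: 3-byte tag, 1-byte type, 4-byte length, value padded to 8 bytes."""
    if item_type == STRUCTURE:
        body = b"".join(value)
    elif item_type == INTEGER:
        body = struct.pack(">i", value)
    elif item_type == ENUMERATION:
        body = struct.pack(">I", value)
    elif item_type == TEXT_STRING:
        body = value.encode("utf-8")
    else:
        body = bytes(value)
    header = tag.to_bytes(3, "big") + bytes([item_type]) + struct.pack(">I", len(body))
    return header + body + b"\x00" * ((-len(body)) % 8)

def parse(buf: bytes, offset: int = 0):
    """Decode one item at offset; returns ((tag, type, value), offset_of_next_item)."""
    tag = int.from_bytes(buf[offset:offset + 3], "big")
    item_type = buf[offset + 3]
    length = struct.unpack(">I", buf[offset + 4:offset + 8])[0]
    raw = buf[offset + 8:offset + 8 + length]
    if item_type == STRUCTURE:
        value, pos = [], 0
        while pos < length:
            item, pos = parse(raw, pos)
            value.append(item)
    elif item_type == INTEGER:
        value = struct.unpack(">i", raw)[0]
    elif item_type == ENUMERATION:
        value = struct.unpack(">I", raw)[0]
    elif item_type == TEXT_STRING:
        value = raw.decode("utf-8")
    else:
        value = raw
    return (tag, item_type, value), offset + 8 + length + ((-length) % 8)

def attribute(name: str, value_type: int, value) -> bytes:
    return ttlv(TAG["Attribute"], STRUCTURE, [
        ttlv(TAG["AttributeName"], TEXT_STRING, name),
        ttlv(TAG["AttributeValue"], value_type, value)])

def request(operation: int, payload: list) -> bytes:
    """Wrap a single batch item in a KMIP 1.2 Request Message (version is an assumption)."""
    header = ttlv(TAG["RequestHeader"], STRUCTURE, [
        ttlv(TAG["ProtocolVersion"], STRUCTURE, [
            ttlv(TAG["ProtocolVersionMajor"], INTEGER, 1),
            ttlv(TAG["ProtocolVersionMinor"], INTEGER, 2)]),
        ttlv(TAG["BatchCount"], INTEGER, 1)])
    item = ttlv(TAG["BatchItem"], STRUCTURE, [
        ttlv(TAG["Operation"], ENUMERATION, operation),
        ttlv(TAG["RequestPayload"], STRUCTURE, payload)])
    return ttlv(TAG["RequestMessage"], STRUCTURE, [header, item])

def create_aes_key_request(bits: int = 256) -> bytes:
    """Create: ask the server to generate an AES key usable for encrypt and decrypt."""
    return request(OP_CREATE, [
        ttlv(TAG["ObjectType"], ENUMERATION, OBJ_SYMMETRIC_KEY),
        ttlv(TAG["TemplateAttribute"], STRUCTURE, [
            attribute("Cryptographic Algorithm", ENUMERATION, ALG_AES),
            attribute("Cryptographic Length", INTEGER, bits),
            attribute("Cryptographic Usage Mask", INTEGER, USAGE_ENCRYPT | USAGE_DECRYPT)])])

def get_key_request(unique_identifier: str) -> bytes:
    """Get: fetch a key by the Unique Identifier the server returned from Create."""
    return request(OP_GET, [ttlv(TAG["UniqueIdentifier"], TEXT_STRING, unique_identifier)])

def operation_of(msg: bytes) -> int:
    """Parse a request message and return the Operation of its first batch item."""
    (tag, _, items), end = parse(msg)
    if tag != TAG["RequestMessage"] or end != len(msg):
        raise ValueError("not a well-formed KMIP request message")
    for t, _, children in items:
        if t == TAG["BatchItem"]:
            for ct, _, cv in children:
                if ct == TAG["Operation"]:
                    return cv
    raise ValueError("no Operation found")
```

A real client sends these bytes over a TLS session in which the server authenticates the storage system by its client certificate, and it must also decode the server's Response Message (result status, Unique Identifier, key material) using the same TTLV rules; only the request side is shown here. The parser checks that the declared length and padding account for the whole buffer, which is the check that catches truncated or malformed messages before any field is trusted.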

Table 1-2 shows the comparison between internal and external key management.

Table 1-2 Comparison between internal and external key management

Management Mode            Uses a Third-Party External      Can Manage the Keys of
                           Key Management Server            Multiple Devices
Internal key management    No                               No
External key management    Yes                              Yes


Internal and external key management cannot be used at the same time. To switch from one to the other, you must delete the existing services and re-create the self-encrypting disk domains; otherwise disk encryption does not take effect. Because deleting the services removes the data stored in those disk domains, migrate or back up that data before switching.

Updated: 2019-07-11

Document ID: EDOC1000181504
