Disk Encryption User Guide

OceanStor Dorado V3 Series V300R002

This document is applicable to OceanStor Dorado3000 V3, Dorado5000 V3, Dorado6000 V3 and Dorado18000 V3. This document introduces how to install and configure key management servers connected to the storage systems that use self-encrypting disks.

How Can I Recover Encryption Key Files of Disks?

Question

How can I recover encryption key files of disks?

Answer

Some operations must be performed in developer and minisystem modes on the CLI. Therefore, it is recommended that you contact Huawei technical support engineers to recover encryption key files of disks.

  1. Export the latest encryption key files of disks on the storage system.

    1. Log in to DeviceManager.
    2. Choose Settings > Storage Settings > Value-added Service Settings > Key Service.
    3. Click Export Internal Keys to export the key files manually through the browser.

  2. Obtain the encryption key files that were exported locally on the storage system and those that were backed up on the backup server.

    NOTE:

    If Key Backup is not selected on the storage system, you can only obtain locally exported encryption key files.

    • Obtain the local encryption key files on the storage system.
      1. Log in to the CLI and enter the minisystem mode.
      2. Run the ls command to view the path where encryption key files are saved (/OSM/coffer_data/omm/kmm).
      3. Run the mv command to move the encryption key files to /OSM/export_import.
        NOTE:

        This directory varies with the product models.

        admin:/>change user_mode current_mode user_mode=developer 
        developer:/>minisystem 
        Command is executable now. 
         
        developer:/>minisystem 
        -----------------System Information----------------- 
        |  Product Version     |   VXXXRXXXC10             | 
        |  System  Version     |   3.20.06.300             | 
        |  Patch   Version     |                           | 
        |  Release Time        |   2017-08-31_00:42:58     | 
        ---------------------------------------------------- 
        Storage: minisystem> ls /OSM/coffer_data/omm/kmm 
        23879060714312975121_KMM_IKMS_KEY_20170901150217_1.dat 
        Storage: minisystem> mv /OSM/coffer_data/omm/kmm/23879060714312975121_KMM_IKMS_KEY_20170901150217_1.dat /OSM/export_import 
        Storage: minisystem> 
      4. Log in to the FTP server as the user admin to obtain the encryption key files.
    • Obtain the encryption keys on the backup server.

      Use the user name and password configured in Configuring the Internal Key Management Service to log in to the backup server and obtain the encryption key files from the set path.

  3. After analysis, select encryption key files that can be used for key recovery.
  4. Log in to the CLI and enter the developer mode. Run the import kms key command to import the encryption key files and recover keys.

    developer:/>import kms key ip=10.10.10.1 user=admin password=****** path=InnerKey.dat protocol=FTP 
    WARNING: You are about to import a key file of the internal key management service, which will overwrite the original key data. If the operation is inappropriate, it may cause the internal key management service to lose some key. 
    Suggestion:  
    1. Confirm that the key file to be imported is up-to-date, and back up the key of the internal key management service of the current system before the import. 
    2. During the key import, creating, updating, and deleting the disk domain of self-encrypting disks are all forbidden. 
    Have you read warning message carefully?(y/n)y 
      
    Are you sure you really want to perform the operation?(y/n)y 
    Password:************** 
    Command executed successfully.

    When keys are being recovered, do not perform any operation on self-encrypting disk domains.
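
For step 3 and the import warning's advice to confirm that the key file is up-to-date, it helps to inventory the collected copies on the workstation before choosing one. The following Python is an added example, not Huawei tooling and not part of the original guide; it assumes the file name layout of the sample name shown above (the 14-digit field read as a timestamp), uses hypothetical `local` and `backup` directory names, and does nothing with file contents beyond hashing them.

```python
import hashlib, re, tempfile
from datetime import datetime
from pathlib import Path

# Assumed layout (from the page's one sample name): <id>_KMM_IKMS_KEY_<YYYYMMDDhhmmss>_<n>.dat
NAME_RE = re.compile(r"^(\d+)_KMM_IKMS_KEY_(\d{14})_(\d+)\.dat$")

def parse_name(name):
    """Return (timestamp, seq), or None if the name does not fit the layout."""
    m = NAME_RE.match(name)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(2), "%Y%m%d%H%M%S"), int(m.group(3))
    except ValueError:  # e.g. month 13: digits that are not a real timestamp
        return None

def inventory(dirs):
    """Hash every well-named, non-empty key file; newest first."""
    rows = []
    for d in dirs:
        for p in sorted(Path(d).glob("*.dat")):
            parsed = parse_name(p.name)
            if parsed is None or p.stat().st_size == 0:
                continue  # stray or truncated file: never a candidate
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            rows.append({"path": p, "ts": parsed[0], "seq": parsed[1], "sha256": digest})
    return sorted(rows, key=lambda r: (r["ts"], r["seq"]), reverse=True)

def mismatched_copies(rows):
    """Names found in more than one source whose contents differ."""
    seen = {}
    for r in rows:
        seen.setdefault(r["path"].name, set()).add(r["sha256"])
    return sorted(n for n, digests in seen.items() if len(digests) > 1)

def demo_dirs(root):  # constructed sample data: a local export and a backup-server copy
    samples = (("local", "20170901150217", b"old"), ("backup", "20170901150217", b"old"),
               ("backup", "20170905101500", b"new"))
    for sub, ts, data in samples:
        Path(root, sub).mkdir(exist_ok=True)
        Path(root, sub, f"23879060714312975121_KMM_IKMS_KEY_{ts}_1.dat").write_bytes(data)
    return [Path(root, "local"), Path(root, "backup")]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        rows = inventory(demo_dirs(tmp))
        for r in rows:
            print(r["ts"].isoformat(), r["sha256"][:16], r["path"])
        print("copies that differ:", mismatched_copies(rows) or "none")
```

A name reported by `mismatched_copies` means the local and backup copies of the same file are not byte-identical, which should be resolved before any import.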

Updated: 2019-07-17

Document ID: EDOC1100049141