Disk Encryption User Guide

OceanStor Dorado V3 Series V300R002

This document is applicable to OceanStor Dorado3000 V3, Dorado5000 V3, Dorado6000 V3 and Dorado18000 V3. This document introduces how to install and configure key management servers connected to the storage systems that use self-encrypting disks.

Overview

OceanStor Dorado V3 series storage systems support disk encryption, which provides secure storage services without impacting storage performance.

The disk encryption function has the following characteristics:

  • Data on all disks is encrypted transparently without affecting other features such as mirroring, snapshot, deduplication, and compression.
  • Automatic key life cycle management and the Key Management Interoperability Protocol (KMIP) are supported, ensuring the openness of key management systems.

When you enable disk encryption, the storage system activates the AutoLock function on self-encrypting drives (SEDs) and uses the authentication keys (AKs) allocated by the key management server. AutoLock protects access to the SEDs so that only the storage system itself can access them. When the storage system accesses an SED, it acquires an AK from the key management server. If this AK matches the SED's AK, the SED decrypts the data encryption key (DEK), which is used for data encryption and decryption. If the AKs do not match, all read and write operations fail.
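The AK/DEK relationship described above can be modeled in a few lines. This is an added example, not Huawei's or any drive vendor's implementation: the class names (`KeyServer`, `ModelSED`), the SHAKE-based toy keystream and the HMAC check are assumptions chosen so the sketch runs with only the Python standard library, and real SEDs use hardware AES.

```python
import hashlib, hmac, secrets

class LockedError(Exception):
    """Raised when I/O is attempted while the model drive is locked."""

def _stream(key: bytes, n: int) -> bytes:
    return hashlib.shake_256(key).digest(n)        # toy keystream, not AES

def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _stream(key, len(data))))

class KeyServer:
    """Hypothetical stand-in for the key management server."""
    def __init__(self):
        self._keys = {}
    def create(self, key_id):
        self._keys[key_id] = secrets.token_bytes(32)
        return self._keys[key_id]
    def query(self, key_id):
        return self._keys[key_id]                  # KeyError once destroyed
    def destroy(self, key_id):
        del self._keys[key_id]

class ModelSED:
    """Model drive: the DEK is stored only wrapped under a key derived from the AK."""
    def __init__(self, ak):
        self._salt = secrets.token_bytes(16)
        enc, mac = self._derive(ak)
        self._wrapped_dek = _xor(secrets.token_bytes(32), enc)
        self._tag = hmac.new(mac, self._wrapped_dek, "sha256").digest()
        self._dek = None                           # locked after power-on (AutoLock)
        self._blocks = {}
    def _derive(self, ak):
        okm = _stream(self._salt + ak, 64)
        return okm[:32], okm[32:]                  # wrapping key, MAC key
    def unlock(self, ak):
        enc, mac = self._derive(ak)
        tag = hmac.new(mac, self._wrapped_dek, "sha256").digest()
        if not hmac.compare_digest(tag, self._tag):
            return False                           # AK mismatch: drive stays locked
        self._dek = _xor(self._wrapped_dek, enc)   # AK matches: DEK is unwrapped
        return True
    def power_cycle(self):
        self._dek = None                           # plaintext DEK is lost at power-off
    def _io(self, lba, data):
        if self._dek is None:
            raise LockedError("SED is locked")
        return _xor(data, self._dek + lba.to_bytes(8, "big"))
    def write(self, lba, data):
        self._blocks[lba] = self._io(lba, data)
    def read(self, lba):
        return self._io(lba, self._blocks.get(lba, b""))
```

In this model, destroying the AK on the key server leaves the wrapped DEK on the drive unrecoverable, which is why the availability and backup of the key management server matter as much as the drives themselves.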

Key management is critical for disk encryption. OceanStor Dorado V3 series storage systems support internal and external key management.

  • Internal key management stores keys in the storage system's database.
  • External key management stores keys on third-party external key management servers.

    Table 1-1 shows the external third-party key management servers supported by the storage system.

Table 1-1 External third-party key management servers

| Device | Vendor | Reference Link |
|---|---|---|
| KeySecure K250 | Gemalto (NOTE: It was formerly named SafeNet.) | Configuring and Managing the Key Management Server (KeySecure) |
| KeySecure K460 | Gemalto | For the connectivity between the storage system and these key management servers as well as the relevant configurations, refer to the user guide of the key management servers, or consult the technical support engineers of the product vendor. |
| KeySecure 150v for VMware | Gemalto | |
| Vormetric DSM v6100 | Thales | |

NOTE:

The key management server has passed FIPS certification and provides key storage and management functions. The server can be connected to storage systems to provide interfaces and functions required by the KMIP protocol. The storage systems can invoke these interfaces to create, update, destroy, and query keys required by the disk encryption service.

Table 1-2 shows the comparison between internal and external key management.

Table 1-2 Comparison between internal and external key management

| Management Mode | Whether the Third-Party External Key Management Server Is Used | Cost | Whether the Management of Multiple Devices' Keys Is Supported |
|---|---|---|---|
| Internal key management | No | Low | No |
| External key management | Yes | High | Yes |

You cannot use internal and external key management at the same time. When you change from one method to the other, you must delete original services and re-create self-encrypting disk domains. Otherwise, disk encryption cannot take effect.

Updated: 2019-07-17

Document ID: EDOC1100049141
