Overview
OceanStor Dorado V6 series storage systems support disk encryption, which provides secure storage services without impacting storage performance.
The disk encryption function has the following characteristics:
- Data in all disks is encrypted transparently without affecting other features such as mirroring, snapshot, deduplication, and compression.
- Automatic key lifecycle management and the Key Management Interoperability Protocol (KMIP) are supported, ensuring the openness of key management systems.
If you enable Data Encryption when creating a storage pool, disk encryption is enabled. The storage system activates the AutoLock function on self-encrypting drives (SEDs) and uses the authentication keys (AKs) allocated by the key management server. SED access is protected by the AutoLock function, and only the storage system itself can access its SEDs. When the storage system accesses an SED, it acquires an AK from the key management server. If the hash of that AK matches the hash stored on the SED, the SED decrypts its data encryption key (DEK), which is used to encrypt and decrypt data. If the hashes differ, all read and write operations fail.
If you do not enable Data Encryption when creating a storage pool, disk encryption is disabled and the AutoLock function of SEDs is deactivated. In this case, the SEDs use the default AKs and access to the SEDs is not restricted. The SEDs can be read and written normally. Data written to the SEDs is encrypted using DEKs, regardless of whether Disk Encryption is enabled.
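The two cases above, as an added illustrative model (not Huawei's code or the SED firmware): the drive's DEK is always what encrypts user data, the AK hash check only gates whether the drive can unwrap the DEK, and a drive whose AutoLock is off simply uses a default AK and comes up unlocked. The default AK value, the hash-based wrap and the XOR "cipher" are constructed stand-ins for illustration.

```python
import hashlib, hmac, secrets

def _kdf(key: bytes, label: bytes) -> bytes:
    """Toy keystream: SHA-256(key || label). Illustrative only, not a real cipher."""
    return hashlib.sha256(key + label).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))  # truncates: toy blocks <= 32 bytes

class SelfEncryptingDrive:
    """Constructed SED model: user data is always DEK-encrypted; the AK only
    decides whether the drive can unwrap that DEK."""
    DEFAULT_AK = b"factory-default-ak"  # assumption: stand-in for the vendor default AK

    def __init__(self):
        dek = secrets.token_bytes(32)  # generated inside the drive, never exported
        self._wrapped_dek = _xor(dek, _kdf(self.DEFAULT_AK, b"wrap"))
        self._ak_hash = hashlib.sha256(self.DEFAULT_AK).digest()
        self._dek = dek  # AutoLock off: drive comes up unlocked
        self._blocks = {}

    def set_ak(self, new_ak: bytes):
        """Rewrap the DEK under a new AK (AutoLock on); pass DEFAULT_AK to turn it off."""
        if self._dek is None:
            raise PermissionError("drive locked")
        self._wrapped_dek = _xor(self._dek, _kdf(new_ak, b"wrap"))
        self._ak_hash = hashlib.sha256(new_ak).digest()

    def lock(self):
        self._dek = None  # e.g. power cycle: the plaintext DEK is discarded

    def authenticate(self, ak: bytes) -> bool:
        """Compare AK hashes in constant time; only a match unwraps the DEK."""
        if not hmac.compare_digest(hashlib.sha256(ak).digest(), self._ak_hash):
            self._dek = None
            return False
        self._dek = _xor(self._wrapped_dek, _kdf(ak, b"wrap"))
        return True

    def _key_for(self, lba: int) -> bytes:
        if self._dek is None:
            raise PermissionError("drive locked: all read and write operations fail")
        return _kdf(self._dek, lba.to_bytes(8, "big"))

    def write(self, lba: int, data: bytes):
        self._blocks[lba] = _xor(data, self._key_for(lba))

    def read(self, lba: int) -> bytes:
        return _xor(self._blocks[lba], self._key_for(lba))
```

Note that a wrong AK leaves the ciphertext on the platters untouched; the drive only refuses to serve I/O because it never recovers the DEK.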
Key management is critical for disk encryption. OceanStor Dorado V6 series storage systems support internal key management.
You cannot use internal and external key management at the same time. When you change from one method to the other, you must delete the original services and re-create the self-encrypting storage pools. Otherwise, disk encryption cannot take effect.