Configuring the Internal Key Management Service
After the internal key management service is enabled and configured, keys of the self-encrypting storage pool will be saved in the internal database of the storage system.
Prerequisites
SEDs have been configured on the storage system, and the AutoLock state of every SED is OFF (disabled).
To query the AutoLock state of the SEDs, log in to the CLI of the storage system and run the show disk general command:
admin:/>show disk general
ID       Health Status Running Status Type    Capacity  Role      Disk Domain ID Speed(RPM) Health Mark Bar Code             Item     AutoLock State Key Expiration Time
-------- ------------- -------------- ------- --------- --------- -------------- ---------- ----------- -------------------- -------- -------------- -------------------
DAE000.0 Normal        Online         SSD-SED 366.965GB Free Disk --             --         --          2102350LGX10FB000131 02350LGX OFF            --
DAE000.1 Normal        Online         SSD-SED 366.965GB Free Disk --             --         --          2102350LGX10FB000124 02350LGX OFF            --
DAE000.2 Normal        Online         SSD-SED 366.965GB Free Disk --             --         --          2102350LGX10FB000238 02350LGX OFF            --
DAE000.3 Normal        Online         SSD-SED 366.965GB Free Disk --             --         --          2102350LGX10FA000228 02350LGX OFF            --
DAE000.4 Normal        Online         SSD-SED 371.965GB Free Disk --             --         --          2102350LGX10FA000227 02350LGX OFF            --
DAE000.5 Normal        Online         SSD-SED 371.965GB Free Disk --             --         --          2102350LGX10FA000187 02350LGX OFF            --
DAE100.0 Normal        Online         SSD-SED 366.965GB Free Disk --             --         --          2102350LGX10FA000159 02350LGX OFF            --
DAE100.1 Normal        Online         SSD-SED 366.965GB Free Disk --             --         --          2102350LGX10FA000161 02350LGX OFF            --
DAE100.2 Normal        Online         SSD-SED 366.965GB Free Disk --             --         --          2102350LGX10G3000505 02350LGX OFF            --
DAE100.3 Normal        Online         SSD-SED 366.965GB Free Disk --             --         --          2102350LGX10FA000182 02350LGX OFF            --
DAE100.4 Normal        Online         SSD-SED 371.965GB Free Disk --             --         --          2102350LGX10G3000511 02350LGX OFF            --
If AutoLock State is OFF, disk encryption is not yet enabled on that disk. Check every SED in the list, not only the first rows: a single disk with another AutoLock state does not meet the prerequisite.
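The prerequisite check above is easy to get wrong by eye on a large enclosure, so here is an added example (not part of the Huawei documentation) that parses saved output of show disk general and lists every SED whose AutoLock State is not OFF. The column boundaries are taken from the dashed separator line rather than by splitting on whitespace, because cells such as "Free Disk" contain spaces. The sample output is constructed from the table on this page and laid out with the CLI's fixed-width format; the second sample, with one disk reporting ON and an expiry time, is hypothetical and exists only to show the check firing. Nothing in the block connects to a storage system; feed it text captured from the CLI.

```python
"""Added example (not from the Huawei documentation): check the AutoLock
state of every SED in saved 'show disk general' output before enabling
the internal key service.

Column boundaries are recovered from the dashed separator line instead of
splitting on whitespace, because cells such as 'Free Disk' contain spaces.
The sample output is constructed from the table on this page and rendered
in the CLI's fixed-width layout; nothing here connects to a storage system.
"""
import re

_COLUMNS = ["ID", "Health Status", "Running Status", "Type", "Capacity", "Role",
            "Disk Domain ID", "Speed(RPM)", "Health Mark", "Bar Code", "Item",
            "AutoLock State", "Key Expiration Time"]
_WIDTHS = [8, 13, 14, 7, 9, 9, 14, 10, 11, 20, 8, 14, 19]


def _render(rows):
    """Lay rows out the way the storage CLI prints them (constructed sample)."""
    def line(cells):
        return " ".join(c.ljust(w) for c, w in zip(cells, _WIDTHS)).rstrip()
    sep = " ".join("-" * w for w in _WIDTHS)
    return "\n".join(["admin:/>show disk general", line(_COLUMNS), sep]
                     + [line(r) for r in rows])


def _disk(disk_id, capacity, barcode, autolock="OFF", expiry="--"):
    return [disk_id, "Normal", "Online", "SSD-SED", capacity, "Free Disk",
            "--", "--", "--", barcode, "02350LGX", autolock, expiry]


# Every SED unlocked: the state the prerequisite on this page requires.
SAMPLE_ALL_OFF = _render([
    _disk("DAE000.0", "366.965GB", "2102350LGX10FB000131"),
    _disk("DAE000.1", "366.965GB", "2102350LGX10FB000124"),
    _disk("DAE100.4", "371.965GB", "2102350LGX10G3000511"),
])

# One SED already locked (hypothetical state and expiry for the demo).
SAMPLE_ONE_ON = _render([
    _disk("DAE000.0", "366.965GB", "2102350LGX10FB000131"),
    _disk("DAE000.1", "366.965GB", "2102350LGX10FB000124",
          autolock="ON", expiry="2030-01-01 00:00:00"),
])


def parse_disk_table(output):
    """Parse fixed-width CLI output into a list of {column: value} dicts."""
    lines = output.splitlines()
    sep_idx = next((i for i, l in enumerate(lines)
                    if l.strip() and set(l.strip()) <= {"-", " "}), None)
    if sep_idx is None or sep_idx == 0:
        raise ValueError("no header/separator pair: not 'show disk general' output")
    header = lines[sep_idx - 1]
    # Column i spans from the start of its dash run to the start of the next.
    starts = [m.start() for m in re.finditer(r"-+", lines[sep_idx])]
    spans = list(zip(starts, starts[1:] + [None]))
    names = [header[a:b].strip() for a, b in spans]
    return [{n: row[a:b].strip() for n, (a, b) in zip(names, spans)}
            for row in lines[sep_idx + 1:] if row.strip()]


def autolock_violations(output):
    """(ID, AutoLock State) for every SED whose AutoLock State is not OFF."""
    return [(d["ID"], d["AutoLock State"]) for d in parse_disk_table(output)
            if d["Type"].endswith("SED") and d["AutoLock State"] != "OFF"]


def ready_for_internal_key_service(output):
    """True only when every SED reports AutoLock State OFF."""
    return not autolock_violations(output)


if __name__ == "__main__":
    print(SAMPLE_ONE_ON)
    for disk_id, state in autolock_violations(SAMPLE_ONE_ON):
        print(f"{disk_id}: AutoLock State is {state}; clear it before creating the pool")
```

Paste real CLI output into parse_disk_table() in place of the constructed samples; because the spans come from the separator line, the parser does not depend on the exact column widths of a particular firmware release.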
Procedure
- Log in to DeviceManager and create a storage pool.
Figure 2-1 Creating a storage pool
Use either of the following methods to go to the Create Storage Pool page:
- When you log in to the storage system for the first time, you can create a storage pool in Custom mode in the initial configuration wizard. For details, see "Initially Configuring a Storage Device" in the initialization guide specific to your product model.
- On the menu bar, choose System > Storage Pools and then click Create.
- Enable and configure the internal key service.
- Select Advanced. Enable Data Encryption and click key service configuration. Disk encryption is enabled for all SEDs in the storage pool.
Figure 2-2 Configuring the key service
Alternatively, you can choose Settings > Key Service from the menu bar.
- In the function pane on the right, click Modify. Then select Enable the internal key service.
- Configure a key backup policy.
When a key changes, the storage system automatically backs up the key's information on the backup server. If all keys and backup keys on the storage system are damaged or lost, you can obtain the latest backup keys from the backup server and import them to the storage system for restoration.
The keys uploaded to the backup server are encrypted and signed to prevent disclosure and tampering.
Before using the key backup function, ensure that the backup server has been successfully configured and communicates properly with the storage system. Table 2-1 lists the SSH key exchange algorithms supported by the storage system. When deploying the backup server, use SFTP server tools that support these key exchange algorithms, such as xlight FTP.
Table 2-1 SSH key exchange algorithms
- Item: KexAlgorithms
- Default Value: ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, diffie-hellman-group14-sha1
NOTE: The two *-sha1 entries depend on SHA-1 and are no longer offered by default by current OpenSSH releases. When you configure the backup server, make sure it offers at least one of the ECDH algorithms or diffie-hellman-group-exchange-sha256; the storage system lists those first, so they are the ones selected whenever the server supports them.
For details about how to use xlight FTP, see Using the xlight FTP Tool to Deploy the FTP Backup Server.
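Whether the backup server and the storage system can agree on a key exchange is decided by the SSH_MSG_KEXINIT exchange, and it is worth checking before the Test button reports a vague failure. The following is an added example, not part of the Huawei documentation or of any Huawei tool: it decodes a KEXINIT payload as defined in RFC 4253 section 7.1, applies the RFC negotiation rule (the first algorithm in the client's list that the server also supports wins) with the storage system's Table 2-1 list as the client side, and reports which algorithm would be chosen. The two server KEXINIT payloads are constructed for the demo; probe() is an optional live check against a real server and is not used by the offline part.

```python
"""Added example (not from the Huawei documentation): check whether an SFTP
backup server offers a key exchange algorithm the storage system can use
(Table 2-1 on this page), by decoding SSH_MSG_KEXINIT (RFC 4253 sect. 7.1).

The sample server payloads are constructed for the demo. probe() does a
live version exchange and reads the server's first packet; it needs a
reachable host and is not exercised offline.
"""
import socket
import struct

# Order as in Table 2-1; the storage system is the SSH client here.
STORAGE_KEX = [
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
]
SSH_MSG_KEXINIT = 20
_NAME_LISTS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
               "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]


def _name_list(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, host_key=("ssh-ed25519",), enc=("aes256-ctr",),
                  mac=("hmac-sha2-256",), cookie=b"\x00" * 16):
    """Build a KEXINIT payload; used here only to construct sample servers."""
    lists = [kex, host_key, enc, enc, mac, mac, ("none",), ("none",), (), ()]
    return (bytes([SSH_MSG_KEXINIT]) + cookie
            + b"".join(_name_list(names) for names in lists)
            + b"\x00" + b"\x00\x00\x00\x00")  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, fields = 1 + 16, {}  # skip message id and 16-byte cookie
    for name in _NAME_LISTS:
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + length].decode("ascii")
        fields[name] = raw.split(",") if raw else []
        pos += 4 + length
    return fields


def negotiate(client_kex, server_kex):
    """RFC 4253 7.1: first client algorithm the server also lists, else None."""
    offered = set(server_kex)
    return next((a for a in client_kex if a in offered), None)


def probe(host, port=22, timeout=5.0):
    """Live check: exchange version strings and return the server's kex list."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        banner = f.readline()
        while banner and not banner.startswith(b"SSH-"):  # pre-banner lines allowed
            banner = f.readline()
        if not banner:
            raise ConnectionError("no SSH identification string received")
        s.sendall(b"SSH-2.0-kexcheck\r\n")
        packet_len, pad_len = struct.unpack(">IB", f.read(5))
        body = f.read(packet_len - 1)  # payload followed by random padding
        return parse_kexinit(body[:packet_len - 1 - pad_len])["kex"]


# Constructed samples: a server that still offers a NIST curve, and one that
# offers only curve25519 / sntrup761, which the storage system does not list.
SERVER_COMPATIBLE = build_kexinit(["curve25519-sha256", "ecdh-sha2-nistp256",
                                   "diffie-hellman-group16-sha512"])
SERVER_INCOMPATIBLE = build_kexinit(["sntrup761x25519-sha512@openssh.com",
                                     "curve25519-sha256"])


def check_server(payload):
    """Table 2-1 algorithm that would be negotiated with this server, or None."""
    return negotiate(STORAGE_KEX, parse_kexinit(payload)["kex"])


if __name__ == "__main__":
    for label, p in [("compatible", SERVER_COMPATIBLE), ("incompatible", SERVER_INCOMPATIBLE)]:
        print(label, "->", check_server(p) or "no common kex; key backup would fail")
```

Against a real candidate server, run negotiate(STORAGE_KEX, probe(host, port)); a None result means the storage system will not be able to open the SFTP session at all, and the fix is to add one of the ECDH algorithms or diffie-hellman-group-exchange-sha256 to the server's KexAlgorithms rather than to re-enable a SHA-1 exchange.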
- Enable Automatic Key Backup.
- Set the parameters listed in Table 2-2.
Table 2-2 Key backup parameters
- Protocol: Protocol used by the storage system to back up keys to the backup server. You can choose SFTP or FTP.
NOTE: The storage systems support FTP only for compatibility. FTP sends the login credentials in cleartext, so use SFTP to protect the transfer.
- Backup Server Address: IP address or domain name of the SFTP or FTP server used to back up keys. [Example] 192.168.20.3
- Port: Port for communication between the backup server and the storage system. Use the port the backup server actually listens on (SFTP servers normally use 22 and FTP servers 21). [Value range] 1 to 65535. [Example] 20
- Backup Server Storage Path: Path on the backup server in which the keys are saved. [Example] innerkey_backup
- Username: User name used to log in to the backup server. [Example] admin
- Password: Password used to log in to the backup server. [Example] Admin@123
Figure 2-3 Key backup parameters
Alternatively, you can choose Settings > Key Service from the menu bar and click Modify.
- Click Test to test the connectivity between the backup server and the storage system.
- Click Save to save the configurations of the internal key service.
- If Key Backup is not enabled, a security alert dialog box is displayed, because without a backup server the key file you export later in this procedure is the only copy available for recovery. Select I have read and understand the consequences associated with performing this operation and click OK. The Execution Result dialog box is displayed, indicating that the operation succeeded.
- If Key Backup is enabled, the Execution Result dialog box is displayed, indicating that the operation succeeded.
- Set other parameters of the storage pool. After the self-encrypting storage pool is created, the storage system automatically generates encryption keys. Table 2-3 describes the parameters.
Table 2-3 Storage pool parameters
- Name: Name of the storage pool. [Value range] The name must be unique; it can contain only letters, digits, periods (.), underscores (_), and hyphens (-); it must contain 1 to 31 characters.
- Description: Description of the storage pool.
- Controller Enclosure: Controller enclosure to which the storage pool belongs.
- Storage Pool Capacity: Available storage pool capacity of the selected controller enclosure. The displayed information includes Capacity per Disk, Type, Total Disks, and Available Disks. You can specify the number of disks in Required Disks for creating the storage pool. NOTE: You can click Select to manually select disks.
- RAID Policy: RAID policy of the storage pool. Dynamic RAID is used.
  Dynamic RAID reconstruction uses the erasure coding (EC) algorithm, which dynamically adjusts the number of chunks in a chunk group under all-SSD configurations to ensure system reliability and capacity. If a chunk is faulty and no chunk is available from disks outside the disk domain, the system dynamically reconstructs the original N+M chunks to (N-1)+M chunks. When a new SSD is inserted, the system migrates data from the (N-1)+M chunks to the newly constructed N+M chunks for efficient disk usage.
  The RAID levels are defined as follows:
  - RAID 5: Parity data is distributed on different chunks. In each chunk group, the parity data occupies the space of one chunk. RAID 5 tolerates the failure of only one chunk. If two or more chunks fail, data in the chunk group cannot be recovered.
  - RAID 6: Parity data is distributed on different chunks. In each chunk group, the parity data occupies the space of two chunks. RAID 6 tolerates simultaneous failures of two chunks. If three or more chunks fail, data in the chunk group cannot be recovered.
  - RAID-TP: Parity data is distributed on different chunks. In each chunk group, the parity data occupies the space of three chunks. RAID-TP tolerates simultaneous failures of three chunks. If four or more chunks fail, data in the chunk group cannot be recovered.
- Hot Spare Policy: Hot spare policy of the storage pool. [Value range] None, Low (1 disk), High (2 disks), Custom (3 disks), Custom (4 disks), Custom (5 disks), Custom (6 disks), Custom (7 disks), and Custom (8 disks)
  NOTE:
  - Hot spare capacity is provided by all member disks in each storage pool because the storage system uses RAID 2.0+ virtualization technology. For ease of understanding, the hot spare capacity is expressed in the number of hot spare disks on DeviceManager.
  - Even if the hot spare space is used up, the system can use the free space of the storage pool to reconstruct data, ensuring storage system reliability.
- Capacity Alarm Threshold (%): When the percentage of the storage pool's allocated capacity to its total capacity reaches this threshold, the system generates a capacity alarm. A proper capacity alarm threshold helps you monitor the capacity usage of a storage pool. [Value range] 1 to 95
- Capacity Used Up Alarm Threshold (%): When the percentage of the storage pool's allocated capacity to its total capacity reaches this threshold, the system generates an alarm indicating that the capacity is being used up. The severity of this alarm is higher than that of the capacity alarm. [Value range] 2 to 99
  NOTE: The value of Capacity Used Up Alarm Threshold (%) must be greater than that of Capacity Alarm Threshold (%).
- Protection Data Auto Deletion: Indicates whether to automatically delete the earliest scheduled HyperCDP objects when the percentage of the protection capacity to the storage pool's total capacity reaches Protection Capacity Upper Limit (%). The automatic deletion stops when the percentage falls below Protection Capacity Lower Limit (%).
- Protection Capacity Lower Limit (%): Lower limit for the percentage of the protection capacity to the storage pool's total capacity, at which the system stops deleting the earliest scheduled HyperCDP objects. [Value range] 1 to 95
  NOTE: This parameter is available only when Protection Data Auto Deletion is enabled.
- Protection Capacity Upper Limit (%): Maximum allowable percentage of the protection capacity to the storage pool's total capacity. After this threshold is reached, the system automatically deletes the earliest scheduled HyperCDP objects. [Value range] 2 to 99
  NOTE:
  - This parameter is available only when Protection Data Auto Deletion is enabled.
  - The value of Protection Capacity Upper Limit (%) must be greater than that of Protection Capacity Lower Limit (%).
Parameters including Description, Data Encryption, RAID Policy, Capacity Alarm Threshold (%), Capacity Used Up Alarm Threshold (%), and Protection Data Auto Deletion are hidden. You can click Advanced to display them.
Figure 2-4 Creating a storage pool
Click OK and confirm your operation as prompted.
- Export the encryption key.
- Choose Settings > Key Service. In the function pane, click Export Internal Keys.
- Export the key file using the browser.
Save the exported key file in a safe, access-controlled location and do not modify it: if the keys on the storage system are damaged, this file is used for recovery, and a modified or partial file cannot be used. Keep it separate from the storage system itself so that a single failure does not destroy both the keys and their only copy.
Follow-up Procedure
- After creating the self-encrypting storage pool, you can create LUNs to allocate the storage space to application servers. For details, see Basic Storage Service Configuration Guide of the corresponding product model.
You can log in to Huawei's technical support website (https://support.huawei.com/enterprise/) and enter the product model + document name in the search box to search for, browse, and download the desired documents.
- Whenever the keys of a self-encrypting storage pool are updated, export the keys again promptly so that your saved copy matches the keys currently in use.