Key Management Server Linkage; Table 25 Functional Comparison Between The Sed Authentication Key (Common Key) And Key Management Server - Fujitsu ETERNUS AF250 Design Manual


1. Function
Data Encryption
The encryption method for encrypted volumes cannot be changed. Encrypted volumes cannot be changed to unencrypted volumes.
To change the encryption method or cancel the encryption for a volume, back up the data in the encrypted volume, delete the encrypted volume, and restore the backed up data.
If a firmware encrypted pool (TPP or FTRP) or volume exists, the encryption method cannot be changed regardless of whether the volume is registered to a pool.
It is recommended that the copy source volume and the copy destination volume use the same encryption method for Remote Advanced Copy between encrypted volumes.
When copying encrypted volumes (using Advanced Copy or copy operations via server), transfer performance may not be as good as when copying unencrypted volumes.
SDPVs cannot be encrypted after they are created. To create an encrypted SDPV, set encryption when creating a volume.
TPVs cannot be encrypted individually. The encryption status of the TPVs depends on the encryption status of the TPP to which the TPVs belong.
FTVs cannot be encrypted individually. The encryption status of the FTVs depends on the encryption status of the FTRP to which the FTVs belong.
The firmware data encryption function cannot be used for volumes that are configured with SEDs.
The volumes in a RAID6-FR RAID group cannot be converted to encrypted volumes. When creating an encrypted volume in a RAID6-FR RAID group, specify the encryption setting when creating the volume.

Key Management Server Linkage

The security of the authentication keys that are used to authenticate encryption on Self Encrypting Drives (SEDs) can be enhanced by managing the authentication key in the key server.

Key life cycle management
A key is created and stored in the key server. A key can be obtained by accessing the key server from the ETERNUS AF when required. A key cannot be stored in the ETERNUS AF. Managing a key in an area that is different from where an SED is stored makes it possible to manage the key more securely.

Key management consolidation
When multiple ETERNUS AF storage systems are used, a different authentication key for each ETERNUS AF can be stored in the key server. The key management cost can be reduced by consolidating key management.

Key renewal
A key is automatically renewed before it expires by setting a key expiration date. Security against information leakage can be enhanced by regularly changing the key.
The key is automatically changed after the specified period of time. Key operation costs can be reduced by changing the key automatically. The key can also be changed manually by force.
The following table shows functions for SED authentication keys and key management server linkage.

Table 25 Functional Comparison between the SED Authentication Key (Common Key) and Key Management Server Linkage

| Function     | SED authentication key | Key Management Server Linkage |
|--------------|------------------------|-------------------------------|
| Key creation | In the storage system  | Key server                    |
| Key storage  | In the storage system  | Key server                    |

FUJITSU Storage ETERNUS AF250 S2, ETERNUS AF250 All-Flash Arrays Design Guide (Basic)
Copyright 2019 FUJITSU LIMITED
P3AG-1822-09ENZ0
