HP 3PAR Peer Motion Software; Data Encryption - HP 3PAR StoreServ 7200 2-node Manual

HP 3PAR StoreServ Storage Concepts Guide (OS 3.1.2 MU2) (QR482-96384, June 2013)

HP 3PAR Peer Motion Software

HP 3PAR Peer Motion Software controls the migration of a host and its data from a source system
to a destination system with as little disruption to the host as possible. With peer motion, you can
copy the virtual volumes and system configuration information to a new system with no changes
to host configurations, no loss of access by a host to its data in an online migration, and only a
minimal outage during a minimally disruptive migration.

Data Encryption

Beginning with HP 3PAR OS 3.1.2 MU2, HP 3PAR encrypted storage systems provide data
encryption by using self-encrypting drives (SEDs) with a local key manager (LKM).
Data encryption prevents data exposure that might result from the loss of physical control of disk
drives when disk drives are:
• Decommissioned at their end of life.
• Returned for warranty or repair.
• Lost or stolen.
The HP 3PAR StoreServ Data Encryption solution uses SED technology to encrypt all data on the
physical drives and prevent unauthorized access to data-at-rest (DAR). When encryption is enabled,
the SED will lock when power is removed, and it will not be unlocked until the matching key from
the HP 3PAR StoreServ system is used to unlock it.
SEDs contain special firmware and an application-specific integrated circuit (ASIC) that provides
encryption. Each SED has a number of bands that control access to different areas of the drive.
Each band has an internal encryption key that is not exposed outside of the drive itself. This
encryption key is always used to encrypt and decrypt all data stored on that band. All data
encryption is handled at the physical disk layer. System features, such as thin provisioning and
dynamic optimization, work independently of encryption.
Each band has a single authentication key that controls access to data on the band. In the HP
3PAR StoreServ data-encryption implementation, the entire disk is in one band. Access to data is
controlled by setting the authentication key, which locks and unlocks the drive.
The LKM, which is part of the HP 3PAR OS that runs on each node in a cluster, maintains the
authentication key. You must back up and protect the keystore file; HP does not have access to
the key.
All drives in the same array will have the same authentication key. The disks become locked
whenever they lose power, which guarantees that any disk removed from an HP 3PAR Storage
system will not be accessible except in its original array. When the drive is unlocked, all I/O to
the drive behaves exactly as it would on a non-SED, and encryption and decryption happen at full
interface speed, without data delays.
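
The locking behaviour described above, as a small Python model added here for illustration; it is not HP code and does not use any HP 3PAR interface. The class and function names, the hash-based key check, the keystream cipher and the sample keys are all assumptions or constructed values, chosen only to show that the band's encryption key stays inside the drive while the single authentication key held by the LKM decides whether the drive unlocks after a power loss.

```python
import hashlib, hmac, os

class DriveLocked(Exception):
    pass

class SimulatedSED:
    """Toy single-band SED; the cipher and key check are stand-ins, not drive firmware."""
    def __init__(self, auth_key: bytes):
        self._band_key = os.urandom(32)   # internal encryption key, never returned
        self._salt = os.urandom(16)
        self._auth = self._kdf(auth_key)  # assumption: drive keeps a salted hash
        self._locked = False
        self._media = {}                  # LBA -> ciphertext as stored on the media

    def _kdf(self, key: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", key, self._salt, 10_000)

    def _xor(self, lba: int, data: bytes) -> bytes:
        # Keystream XOR stands in for the drive's hardware cipher.
        stream = hashlib.shake_256(self._band_key + lba.to_bytes(8, "big")).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, stream))

    def power_cycle(self) -> None:
        self._locked = True               # the drive locks whenever it loses power

    def unlock(self, auth_key: bytes) -> bool:
        ok = hmac.compare_digest(self._kdf(auth_key), self._auth)
        if ok:
            self._locked = False
        return ok

    def change_auth_key(self, old: bytes, new: bytes) -> bool:
        # Assumption: rekeying replaces only the authentication key, not the band key.
        if self._locked or not hmac.compare_digest(self._kdf(old), self._auth):
            return False
        self._auth = self._kdf(new)
        return True

    def write(self, lba: int, data: bytes) -> None:
        if self._locked:
            raise DriveLocked(lba)
        self._media[lba] = self._xor(lba, data)

    def read(self, lba: int) -> bytes:
        if self._locked:
            raise DriveLocked(lba)
        return self._xor(lba, self._media[lba])

def boot_array(drives, keystore_key: bytes) -> int:
    """Model of the LKM presenting the array's one authentication key at boot."""
    return sum(1 for d in drives if d.unlock(keystore_key))
```

In this model a drive that has lost power and is booted with a different array's key stays locked, and changing the authentication key leaves the stored ciphertext unchanged.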
There is a minimal delay for booting (since each drive must be unlocked before the system becomes
operational) and for data encryption management functions (since each disk must be updated
whenever keys are changed on the system). Each of these operations takes up to 3 seconds per
disk, but happens in several threads. On a system with 160 disks, for example, enabling encryption