Encryption keys are commonly created in the storage system. However, when you use a key management server and enable the Generate Encryption Keys on Key Management Server option (Edit Encryption Environmental Settings window), encryption keys are created on a key management server and used in the storage system.
When encryption keys are created in the storage system, you must manually back up the encryption keys to a file or to a key management server. When you back up encryption keys manually to a file, you must specify the key restoration password. If desired, you can specify additional requirements for the key restoration password (for example, increasing the minimum number of characters, specifying the minimum number of uppercase letters, and so on).
When encryption keys are created on a key management server, the keys are automatically backed up when they are created. In addition, you can optionally schedule regular backups to the key management server, and you can change the regular backup schedule as needed.
a performance-friendly AES-256-XTS encryption capability on the back-end I/O director. This capability protects data at rest on internal storage media (including disk drives and flash drives) attached to those directors. While many levels of encryption are available to the enterprise, protecting data at rest by using the array-level encryption of the storage system provides the following advantages: it causes minimal to no performance impact within your operations, remains transparent to existing host servers and switches, shreds storage media by deleting the encryption key, simplifies key management to reduce the risk of the loss of encryption keys and data, and supports logging of encryption and key management events. In addition, many regulations encourage or require encryption of personally identifiable information (PII) and other sensitive data. Array-level encryption handles this type of data as well.