Support specifications for Encryption License Key and FMD Encryption License Key

The following table lists the support specifications for Encryption License Key.

Item

Specification

Hardware specifications

Encryption algorithm

Advanced Encryption Standard (AES) 256-bit

Encryption mode

XTS mode

Encryption module standard

Encryption License Key:

  • VSP G/F350, VSP G/F370: Compliant with FIPS 140-2 Level 1
  • VSP G/F700, VSP G/F900: Compliant with FIPS 140-2 Level 2*

*To use encryption modules compliant with FIPS 140-2 Level 2, contact customer support.

FMD Encryption License Key (VSP F1500 and VSP G1500 only): FIPS 140-2 Level 2 (certification pending)

LDEVs that you can encrypt

Volume type

Open, mainframe, multiplatform

Emulation type

All emulation types

Internal/external LDEVs

Internal LDEVs only

LDEV with existing data

Requires data migration

Managing encryption keys

Creating encryption keys

Use Device Manager - Storage Navigator (HDvM - SN) to create encryption keys.

Deleting encryption keys

Use Device Manager - Storage Navigator to delete encryption keys.

Note: You cannot delete encryption keys that are allocated to implemented drives. You can delete the encryption key allocated to a drive and allocate a new encryption key only when encryption is disabled for the parity group.

Unit of encryption/decryption

Encryption is applied to the parity group.

Data encryption keys (DEKs) are used per drive.

Number of encryption keys

  • VSP G/F350, VSP G/F370: Up to 1,024 Free keys or DEKs can be created per storage system. In addition, you can create 4 certificate encryption keys (CEKs) and one key encryption key (KEK), so the total maximum number of encryption keys, including DEKs, CEKs, and KEKs, is 1,029.
  • VSP G/F700: Up to 4,096 Free keys or DEKs can be created per storage system. In addition, you can create 8 CEKs and one KEK, so the total maximum number of encryption keys, including DEKs, CEKs, and KEKs, is 4,105.
  • VSP G/F900: Up to 4,096 Free keys or DEKs can be created per storage system. In addition, you can create 16 CEKs and one KEK, so the total maximum number of encryption keys, including DEKs, CEKs, and KEKs, is 4,113.
  • VSP G1x00, VSP F1500: Up to 4,096 encryption keys can be created per storage system. In addition, you can create up to 32 CEKs, 2,304 DEKs, and 1,728 PINs.

    For Encryption License Key, the encryption keys are set in the following units:

    • DEK: One key for each (non-FMD-HDE) drive
    • CEK: Four keys for each EBED

    For FMD Encryption License Key, the encryption keys are set in the following units:

    • PIN: Three keys for each FMD-HDE drive

Attribute of encryption keys

Keys used for Encryption License Key are created with the Free attribute, and then another attribute is assigned according to the usage. The attributes for the encryption keys are:

  • Free: Unused data encryption key that has not yet been allocated.
  • DEK: Data encryption key. The key for the encryption of the stored data.
  • CEK: Certificate encryption key. The key for the encryption of the certificate and the key for the encryption of DEK per drive.
  • PIN: Certificate encryption key for FMD-HDE. The key is used to certify FMD-HDE for FMD Encryption License Key.
  • KEK: Key encryption key. The key for encrypting keys in a storage system that have an attribute other than KEK, for Encryption License Key.

    All keys except KEK are referred to as encryption keys.

Backup/restore functionality

Redundant (primary and secondary) backup/restore copies