Restoring encryption keys

When all of the LDEVs in an encrypted parity group are blocked, or if an existing data encryption key becomes unavailable or cannot be used (for example, due to a system failure), the encryption keys can be restored from the primary or secondary backup copy.

When key information is lost or deleted, restoration is performed in a batch for the backed-up encryption keys. The maximum number of backed-up encryption keys for each model is as follows:

  • VSP G/F350, VSP G/F370: 1,028 keys
  • VSP G/F700: 4,104 keys
  • VSP G/F900: 4,112 keys
  • VSP G1x00, VSP F1500: 4,096 keys

The storage system automatically restores encryption keys from the primary backup. Users restore encryption keys from the secondary backup using Device Manager - Storage Navigator. If you need to restore an encryption key that is not the latest key from a secondary backup copy, you must have the Security Administrator (View & Modify) and Support Personnel (View & Modify) roles.

Caution: When you restore the encryption key, always restore the latest key. If the backed up encryption key (secondary backup) is not the latest key, it cannot be restored.

To restore the encryption key, the volumes belonging to the parity group for which encryption is set must be blocked. In addition, after the restoration of the key, the volumes belonging to the parity group for which encryption is set must be restored.