Workflow for restoring data encryption keys

Restore a data encryption key from the primary or secondary backup copy when all the LDEVs belonging to an encrypted parity group are blocked or if an existing data encryption key becomes unavailable or cannot be used (for example, due to a system failure).

Restoration is performed in one batch for all backed-up data encryption license keys (including free keys, DEKs, and CEKs) whose key information has been lost or deleted: 516 keys for VSP G200 models, 1,028 keys for VSP G400, G600 models and VSP F400, F600 models, and 2,064 keys for VSP G800 and VSP F800 models.

The system automatically restores data encryption keys from the primary backup. You must have the Security Administrator (View & Modify) role to restore data encryption keys from a secondary backup.

Caution: When you restore the data encryption key, always restore the latest key. If a data encryption key is updated after a secondary backup is performed and the restored key is not the latest key, drives and disk adapters will be blocked and will not be able to read data.

To restore the data encryption license key, the volumes belonging to the parity group for which the key is set must be blocked. After the key is restored, the volumes belonging to the parity group for which the encryption key is set must be restored.

Procedure

  1. Block the LDEVs associated with the encrypted parity group.

     For details, see the Provisioning Guide for your storage system.

  2. Restore the data encryption key from a primary or secondary backup copy. Do one of the following:

     - To restore from a file, see Restoring keys from a file.

     - To restore from a key management server, see Restoring keys from a key management server.