If the key encryption key (KEK) was created on the key management server (KMS) and you want to migrate the KMS to another server, use the following procedure.
CAUTION:
Do not power off the storage system during this procedure. If either (or both) of the following encryption environmental settings is enabled and the storage system is powered off during this procedure, the KEK and the encryption keys that were backed up to the KMS cannot be obtained when the storage system is powered back on, and therefore the encrypted data cannot be decrypted.
- Protect the key encryption key at the KMS
- Delete internal encryption keys at PS OFF
CAUTION:
If SIM code 661000 or 661001 (Acquisition of encryption key from KMS failed) is reported, perform the following before you migrate the KMS:
- Restore the connection with the KMS used before migration.
- In the Edit Encryption Environmental Settings window, click Check in Server Configuration Test, and then confirm that the connection test ends successfully.
- Contact customer support to have the storage system restarted.
- You must have the Security Administrator (View & Modify) role.