The Encryption License Key feature supports periodic encryption key backup operations to the key management server. These operations are called regular backup operations. To use this function, you must designate a specific user as the regular backup user and then enable the Encryption Key Regular Backup option on the Edit Encryption Environmental Settings window. Regular backup operations are performed automatically even when the designated regular backup user is not logged in.
- If the key management server is used but you do not enable the regular backup option, the encryption keys are backed up automatically after they are created.
- If the key management server is not used, you must perform manual backups, especially immediately after you create encryption keys.
How regular backups are queued and performed
At the specified time for a regular backup, the regular backup operation is queued as a task. You can verify queued tasks in the Tasks window. If other tasks are already in the queue, the regular backup does not start until those tasks are complete. Because of this, the time that the regular backup begins might be different from the time you specified. In addition, if the key management server has the latest backup, the regular backup task is skipped because it is not necessary to back up the same encryption keys again.
At the specified time for a regular backup, if the previous regular backup has not yet been performed because another queued task is still in progress, a second regular backup task is not added to the task queue, and only the first regular backup is performed. For example, if you specify 00:00 and 02:00 for regular backups, and a task started before 00:00 completes at 03:00, the 02:00 regular backup is not queued, and only the regular backup for 00:00 is performed at 03:00.
- When the SVP stops, regular backup operations are not performed. After the SVP is restarted, regular backups are again queued as tasks.
- During a regular backup, your service representative cannot perform SVP operations or maintenance of the storage system. If a regular backup will occur during planned maintenance, you can revise the regular backup schedule or cancel the regular backup task temporarily.
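The queueing rules described above, modeled as a small simulation (an added example, not vendor code), so you can see which scheduled slots actually produce a backup and when it starts. The function names, the `key_changes` input, the five-minute backup duration, and the choice to evaluate the "server already has the latest backup" check when the task reaches the front of the queue are all assumptions made for illustration.

```python
def to_min(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)


def to_hhmm(minutes):
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def simulate(schedule, busy_until, key_changes=(), backup_minutes=5):
    """Model one day of regular backups; return (ran, not_queued, skipped).

    schedule    -- configured regular backup times, "HH:MM"
    busy_until  -- time at which tasks already in the queue complete
    key_changes -- constructed input: times at which encryption keys change
    ran         -- list of (scheduled time, actual start time)
    """
    free_at = to_min(busy_until)
    changes = sorted(to_min(t) for t in key_changes)
    ran, not_queued, skipped = [], [], []
    pending_start = None   # start time of the most recently queued backup
    last_backup = None     # None: assume the server lacks the latest keys
    for slot in sorted(to_min(t) for t in schedule):
        # An earlier regular backup is still waiting: no second task is added.
        if pending_start is not None and slot < pending_start:
            not_queued.append(to_hhmm(slot))
            continue
        start = max(slot, free_at)   # wait for tasks ahead in the queue
        pending_start = start
        # Assumption: the server is current if no key changed since last backup.
        current = last_backup is not None and not any(
            last_backup < c <= start for c in changes)
        if current:
            skipped.append(to_hhmm(slot))
            continue
        ran.append((to_hhmm(slot), to_hhmm(start)))
        last_backup = start
        free_at = start + backup_minutes
    return ran, not_queued, skipped


if __name__ == "__main__":
    # The document's example: backups at 00:00 and 02:00, queue busy until 03:00.
    print(simulate(["00:00", "02:00"], busy_until="03:00"))
    # Idle queue, keys change at 03:00 (constructed): the 02:00 slot is skipped.
    print(simulate(["00:00", "02:00", "04:00"], "00:00", key_changes=["03:00"]))
```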
Verifying regular backups
You should verify, on a regular basis, that regular backups are being performed successfully. You can verify the regular backup task results in the Tasks window. To view details about a regular backup task, you must have the System Administrator (System Resource Management) role, or you must be logged in as the designated regular backup user. You can also verify the regular backup task results in the audit log. The audit log records the regular backup user name for the regular backup tasks.
If a regular backup task is skipped (for example, because the key management server already has the latest backup), the skipped task is not output to the Tasks window or to the audit log. If a necessary regular backup task is not performed, the task is regarded as failed. You can check the details of the failed task in the audit log.
Discontinuing regular backups
If you want to discontinue regular backups, you can disable the Enable Encryption Key Regular Backup to Key Management Server option in the Edit Encryption Environmental Settings window.
Managing the number of backed up encryption keys
A regular backup deletes the old encryption key. Because of this, the number of encryption keys to be backed up regularly is always one. In the same way as manually backed up keys, the status of a regular backup encryption key can be viewed, and the key itself can be restored or deleted.
When you manually back up encryption keys, the old keys are not deleted. The number of keys that can be backed up on a key management server is limited. Make sure to delete unnecessary keys from the key management server whenever possible.