Support specifications for Encryption License Key

Encryption License Key User Guide

Version: 9.8.7
Part Number: MK-98RD9017-17

The following table lists the support specifications for Encryption License Key.

Item: Specification

Hardware specifications
Encryption algorithm: Advanced Encryption Standard (AES) 256-bit
Encryption mode: XTS mode
Encryption module standard:
  • VSP 5000 series: Compliant with FIPS 140-2 Level 2
  • VSP E990, VSP E1090: Compliant with FIPS 140-2 Level 2
  • VSP E590, VSP E790: Compliant with FIPS 140-2 Level 1

LDEVs that you can encrypt
Volume type: Open, mainframe, multiplatform
Emulation type: All emulation types
Internal/external LDEVs: Internal LDEVs only
LDEV with existing data: Requires data migration

Managing encryption keys
Creating and deleting encryption keys: You can use Device Manager - Storage Navigator (HDvM - SN) to create and delete encryption keys. If your storage system does not have an SVP, you can use the REST API (see Using the REST API to perform encryption operations).

Note: Encryption keys that are allocated to implemented drives cannot be deleted. If you want to delete the encryption key allocated to an implemented drive and allocate a new encryption key, you must first disable encryption for the parity group to which the drive belongs.

Unit of encryption/decryption: Encryption is applied to the parity group.

Data encryption keys (DEKs) are used per drive.

Number of encryption keys:
  • VSP 5000 series: Up to 4,096 encryption keys can be created per storage system, including 2,304 DEKs, 48 certificate encryption keys (CEKs), and 1 key encryption key (KEK).
  • VSP E990: Up to 4,096 encryption keys can be created per storage system, including 96 DEKs, 16 CEKs, and 1 KEK.
  • VSP E1090: Up to 4,096 encryption keys can be created per storage system, including 1,056 DEKs, 16 CEKs, and 1 KEK.
  • VSP E590, VSP E790: Up to 4,096 encryption keys can be created per storage system, including 552 DEKs, 12 CEKs, and 1 KEK.
The encryption keys are set in the following units:
  • DEK: 1 key for each drive
  • CEK: 2 keys for each EBEM, 4 keys for each ECTL
When the encryption environmental settings are initialized, the following numbers of encryption keys are created:
  • VSP 5000 series: 4,072
  • VSP E1090:
    • 4,096 when no EBEMs are installed
    • 4,096 when 4 NVMe EBEMs are installed
    • 4,096 when 8 NVMe EBEMs are installed
    • 4,092 when 4 SAS EBEMs are installed
    • 4,088 when 8 SAS EBEMs are installed
  • VSP E990:
    • 4,096 when no EBEMs are installed
    • 4,096 when 4 NVMe EBEMs are installed
    • 4,096 when 8 NVMe EBEMs are installed
  • VSP E590, VSP E790:
    • 4,096 when no EBEMs are installed
    • 4,094 when 2 EBEMs are installed
Attribute of encryption keys: Keys used for Encryption License Key are created with the Free attribute, and then another attribute is assigned according to the usage. The attributes for the encryption keys are:
  • Free: Unused data encryption key that has not yet been allocated.
  • DEK: Data encryption key. The key for the encryption of the stored data.
  • CEK: Certificate encryption key. The key used to encrypt the certificate, and to encrypt the DEK of each drive when the DEK is registered on an EBEM or ECTL.
  • KEK: Key encryption key. The key used to encrypt keys in the storage system that have an attribute other than KEK.

    All keys except the KEK are referred to as encryption keys.

If you reconfigure the encryption environmental settings, encryption keys and CEKs are not updated, and unused keys are not created. The encryption keys created when the encryption environmental settings were configured for the first time are used.

Backup/restore functionality: Redundant (primary and secondary) backup/restore copies