Restoring encryption keys

Encryption License Key User Guide

Version: 9.8.7
Audience: anonymous
Part Number: MK-98RD9017-17

When all of the LDEVs in an encrypted parity group are blocked, or if an existing data encryption key becomes unavailable or cannot be used (for example, due to a system failure), the encryption keys can be restored from the primary or secondary backup copy.

The storage system automatically restores encryption keys from the primary backup. Users can restore encryption keys from the secondary backup by using Device Manager - Storage Navigator. If you need to restore an encryption key that is not the latest key from a secondary backup copy, you must have the Security Administrator (View & Modify) and Support Personnel (View & Modify) roles.

When key information is lost, restoration is performed in a batch for the backed-up encryption keys (including free keys, DEKs, or CEKs). The following encryption keys are not restored:

  • Encryption keys that were deleted during operations such as maintenance for drives or back-end modules (also called disk boards or DKBs), decrypting parity groups, or rekeying CEKs.
  • Free keys that were explicitly deleted by manual operations.

CAUTION:
When you restore the encryption key, always restore the latest key. If the backed-up encryption key (secondary backup) is not the latest key, it cannot be restored.

Before you restore the encryption key, the volumes belonging to the parity group for which encryption is set must be blocked. After the key has been restored, the volumes belonging to that parity group must also be restored.