Workflow for operations related to data encryption

REST API Reference Guide for Virtual Storage Platform 5000, Virtual Storage Platform E Series, and Virtual Storage Platform G/F Series

Version
93-07-0x
90-09-0x
88-08-10
Part Number
MK-98RD9014-17
The workflow for using the REST API to perform operations to encrypt and use data stored in a volume of a storage system is as follows.

Specifying encryption environment settings

Specify settings for an environment used to encrypt data stored in a volume.

The following figure shows the workflow.

Installing software
Install the license key for the Encryption License Key software.
Installing the encryption disk board (DKB)
Install the encryption DKB.
Changing the encryption environment settings
Enable the encryption environment settings.
Backing up an encryption key
When you enable the encryption environment settings and create an encryption key, you need to back up the encryption key.

Encrypting new data

The following describes how to create a volume, and then encrypt data to be newly written to the volume.

Creating a parity group

Create a parity group for which data encryption is enabled (specify true for the attribute isEncryptionEnabled).

Creating a volume
Create a volume by specifying the parity group for which data encryption is enabled.
When using a DP volume
Creating a pool
Create a pool by specifying volumes whose data is encrypted.
Creating a volume
Create a DP volume by specifying a pool consisting only of volumes whose data is encrypted.
Setting the LU path

Specify the LU path from the host to the volume.

Encrypting existing data

The following describes how to encrypt the existing data stored in a volume.

Creating a parity group
Create a parity group for which data encryption is enabled (specify true for the attribute isEncryptionEnabled).
Creating a volume
Create a volume by specifying the parity group for which data encryption is enabled.
When using a DP volume
Creating a pool
Create a pool by specifying volumes whose data is encrypted.
Creating a volume
Create a DP volume by specifying a pool consisting only of volumes whose data is encrypted.
Creating a pair to be used for Volume Migration
Create a pair by specifying the volume whose data is to be encrypted as the source volume (P-VOL). For the target volume (S-VOL), specify a volume created from a parity group for which data encryption is enabled.
Performing migration
Perform migration to copy the data of the source volume (P-VOL) that is to be encrypted to the target volume (S-VOL).

Encrypting existing data without changing the drive configuration

The following describes how to encrypt the data in a volume in a parity group for which data encryption is disabled, without changing the drive configuration.

Creating a pair to be used for Volume Migration
Create a pair for backing up the data to be encrypted, by specifying a volume in one parity group as the source volume (P-VOL). For the target volume (S-VOL), specify a volume in another parity group as the backup destination.
Performing migration
Back up (migrate) the data of the source volume (P-VOL) to the target volume (S-VOL).
Deleting a parity group
Verify that the data has been migrated, and then delete the parity group.
Creating a parity group
Create a parity group for which data encryption is enabled (specify true for the attribute isEncryptionEnabled).
Creating a volume
Create a volume by specifying the parity group for which data encryption is enabled.
When using a DP volume
Creating a pool
Create a pool by specifying volumes whose data is encrypted.
Creating a volume
Create a DP volume by specifying a pool consisting only of volumes whose data is encrypted.
Creating a pair to be used for Volume Migration
Create a pair by specifying the migrated volume as the source volume (P-VOL) to be encrypted. For the target volume (S-VOL), specify a volume created from a parity group for which data encryption is enabled.
Performing migration
Restore (migrate) the data of the source volume (P-VOL) to be encrypted to the target volume (S-VOL).
Note:
Use the following method to check whether the data in a volume is encrypted.
  • To check a basic volume:

    Get information about the volume by running the API request for getting information about a specific volume.

    If ENCD is output for the attributes attribute, this indicates that the data in the volume is encrypted.

  • To check a DP volume:

    Get information about a list of volumes that make up a pool, by running the API request for getting volume information with the pool number specified for the query parameter poolId.

    If ENCD is output for the attributes attribute of each pool volume that makes up the pool, this indicates that the data in the DP volume is encrypted.
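
The check described in the note above can be scripted against the parsed JSON of the two responses. The following is an added example, not code from this guide: the sample responses are constructed, and every field name other than attributes (the ldevId key, the data list wrapper, the CVS and POOL values) is an assumption about the response layout.

```python
"""Check the ENCD attribute on a basic volume and on the volumes of a pool."""

ENCRYPTED_FLAG = "ENCD"


def volume_is_encrypted(volume):
    """Return True only if the volume's attributes list contains ENCD."""
    attrs = volume.get("attributes")
    # Fail closed: a missing or malformed attributes field proves nothing.
    return isinstance(attrs, list) and ENCRYPTED_FLAG in attrs


def dp_volume_is_encrypted(pool_volumes):
    """Return True only if every pool volume reports ENCD."""
    # all() of an empty list is True, so an empty or failed query must be
    # rejected explicitly instead of being read as "encrypted".
    if not pool_volumes:
        return False
    return all(volume_is_encrypted(v) for v in pool_volumes)


def unencrypted_pool_volumes(pool_volumes):
    """List the IDs (assumed key: ldevId) of pool volumes lacking ENCD."""
    return [v.get("ldevId") for v in pool_volumes if not volume_is_encrypted(v)]


# Constructed sample: response for one specific basic volume.
BASIC_VOLUME = {"ldevId": 100, "attributes": ["CVS", "ENCD"]}

# Constructed samples: volume lists returned for a query with poolId specified.
POOL_ALL_ENCRYPTED = {"data": [
    {"ldevId": 200, "attributes": ["CVS", "POOL", "ENCD"]},
    {"ldevId": 201, "attributes": ["CVS", "POOL", "ENCD"]},
]}
POOL_MIXED = {"data": [
    {"ldevId": 300, "attributes": ["CVS", "POOL", "ENCD"]},
    {"ldevId": 301, "attributes": ["CVS", "POOL"]},  # unencrypted pool volume
]}

if __name__ == "__main__":
    print("basic volume encrypted:", volume_is_encrypted(BASIC_VOLUME))
    for name, resp in (("pool A", POOL_ALL_ENCRYPTED), ("pool B", POOL_MIXED)):
        vols = resp["data"]
        print(name, "encrypted:", dp_volume_is_encrypted(vols),
              "missing ENCD:", unencrypted_pool_volumes(vols))
```

A pool that contains even one volume without ENCD is reported as unencrypted, which matches the requirement that a DP volume be created from a pool consisting only of volumes whose data is encrypted.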