Hitachi VSP G1000 Encryption License Key User Guide
MK-92RD8009-02

© 2014 Hitachi, Ltd. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or stored in a database or retrieval system for any purpose without the express written permission of Hitachi, Ltd.

Hitachi, Ltd., reserves the right to make changes to this document at any time without notice and assumes no responsibility for its use. This document contains the most current information available at the time of publication. When new or revised information becomes available, this entire document will be updated and distributed to all registered users.

Some of the features described in this document might not be currently available. Refer to the most recent product announcement for information about feature and product availability, or contact Hitachi Data Systems Corporation at https://portal.hds.com.

Notice: Hitachi, Ltd., products and services can be ordered only under the terms and conditions of the applicable Hitachi Data Systems Corporation agreements. The use of Hitachi, Ltd., products is governed by the terms of your agreements with Hitachi Data Systems Corporation.

Notice on Export Controls: The technical data and technology inherent
Use the following process to change the encryption license key for encrypted data:

1. Create a new parity group.
2. Enable encryption with a new data encryption license key. For details, see Enabling data encryption at the parity group level on page 4-7.
3. Format the LDEVs in the encrypted parity group. For instructions, see the Hitachi Virtual Storage Platform G1000 Provisioning Guide for Open Systems.
4. Migrate the source data to the new target LDEVs in the encrypted parity group.

When a drive is replaced, the data encryption license keys that are allocated to that drive are deleted, and new data encryption license keys are allocated when the new drive is added.

Encryption License Key Installation

This chapter describes how to install the Encryption License Key feature.

• Workflow for Encryption License Key installation
• System requirements
• Enabling the Encryption License Key feature
• Disabling the Encryption License Key feature

Workflow for Encryption License Key installation

Use the following process to install the Encryption License Key feature:

1. Verify that your system meets the system requirements. For details, see System requirements on page 2-2.
2. Enable the
Create Keys window on page A-10

Workflow for backing up secondary data encryption license keys

The Hitachi Virtual Storage Platform G1000 automatically creates a primary backup of the data encryption license key. You can also back up a secondary data encryption license key. The backup operation backs up the existing DEK keys and CEK keys at the same time.

In addition, it is recommended that you back up each key after you perform any of the following operations:

• Creating encryption license keys
• Adding, removing, or replacing drives
• Adding, removing, or replacing disk adapters
• Updating CEK keys
• Updating KEK keys

Use the following process to back up a secondary data encryption license key:

1. Confirm that the Virtual Storage Platform G1000 is not processing other tasks. You cannot back up a key while the Virtual Storage Platform G1000 is processing other tasks.
2. Use one of the following methods to back up the secondary data encryption license key:
   ◦ Back up the secondary data encryption license key as a file on the HCS management server or HDvM - SN computer. For details, see Backing up keys as a file on page 4-4.
   ◦ Back up the secondary data encryption license key to a key management server. For details, see Backing up keys to a key management server on page 4-4.

Backing up k
If you want the Task window to open after you click Apply, select Go to tasks window for status. Click Apply.

The connection to the key management server is set up.

Related topics
• Edit Encryption Environmental Settings window on page A-4

Settings in the Edit Encryption Environmental Settings window

To manage encryption keys properly, refer to the following flow chart and table and choose settings for the Edit Encryption Environmental Settings window accordingly.

(Flow chart: the decisions are "Where do you store encryption keys?" (on the storage system, on the Storage Navigator computer, or on the key management server), "Where do you create encryption keys?" (on the storage system or on the key management server), "Where do you protect key encryption keys?" (on the storage system or on the key management server), and "Do you create encryption keys in the storage system?" (yes or no). Each path ends at one of settings 1 to 5 in the table below.)

Settings in the Edit Encryption Environmental Settings window:

Setting | Key Management Server | Generate Encryption Keys on Key Management Server | Protect the Key Encryption Key at the Key Management Server | Disable local key generation
1 | Select Disable | Do not check | Do not check | Do not check
2 | Select Enable | Do not check | Do not check | Do not check
3 | Select Enable | Check | Do not check | Do not check
4 | Select Enable | Check | Check | Do not check
5 | Select Enable | Check | Check | Check

Managing data encryption license keys

This chapter provides instructions for managing data encryption license keys using the Encryption License Key feature of the Hitachi Virtual Storage Platform G1000 storage system.

• Workflow for creating data encryption license keys
• Editing the password policy
• Workflow for enabling data encryption on parity groups
• Workflow for disabling data encryption at the parity group level
• Workflow for restoring data encryption license keys
• Workflow for deleting data encryption license keys
• Viewing encryption keys backed up on the key management server
• Exporting encryption license key table information
• Rekeying key encryption keys
• Rekeying certificate encryption keys
• Retrying Key Encryption Key Acquisition
• Initialize the connection settings to the key management server

Workflow for creating data encryption license ke
encryption keys

Free: Number of free keys (the number of keys that can be created). The number of key encryption keys is not included.
Edit Encryption Environmental Settings: Shows the Edit Encryption Environmental Settings window.
View Backup Keys on Server: Shows the View Backup Keys on Server window.

Encryption Keys tab

Use the Encryption Keys tab to view a list of the data encryption license key details and to select an unused data encryption license key to create. The Encryption Keys tab displays only the created encryption keys, in descending order of the Last Update Date. It also displays "Perform the Edit Environmental Settings" in the center of the window when the initial settings have not been performed, and displays "Perform the Retry Key Encryption Key Acquisition" in the center of the window when the Key Encryption Key Acquisition operation has failed.

Item: Description
Key ID: IDs of data encryption license keys. A hyphen is displayed when the encryption key is CEK or KEK.
Created: The date and time the data encryption license key was created or was last updated.
Attribute: Displays the attribute (CEK, DEK, KEK, or Free) of the encryption key. When KEK for the key management server is displayed, it is displayed in the format KEK (UUID), with the UUID.
Assigned to: The resource to which the encryption key is assigned is displayed. When the attribute is KEK, a hyphen is dis
Click Finish.
5. In the Confirm window, confirm the settings and enter your task name in Task Name. If you want the Task window to open after you click Apply, select Go to tasks window for status. Click Apply.

The backup data encryption license key is restored.

Related topics
• Restore Keys from Server window on page A-23

Workflow for deleting data encryption license keys

Delete a data encryption license key from a file on the HCS management server or HDvM - SN computer, or from a key management server. Use the following process to delete a data encryption license key:

1. Back up the secondary data encryption license key. For details, see Workflow for backing up secondary data encryption license keys on page 4-3.
2. Ensure the key is not allocated to the parity group. See the Encryption Keys window on page A-2 and check the key allocation.
3. Delete the data encryption license key using one of the following methods:
   ◦ Delete the data encryption license key from a file on the HCS management server or HDvM - SN computer. For details, see Deleting data encryption license keys on page 4-13.
   ◦ Delete the backup key from the key management server. For details, see Deleting backup data encryption license keys from the server on page 4-14.

Deleting data encryption license keys

Delete data encryption license
• Contacting the Hitachi Data Systems Support Center

Troubleshooting for Encryption License Key

For troubleshooting information for the Hitachi Virtual Storage Platform G1000, see the Hitachi Virtual Storage Platform G1000 Hardware Guide. For troubleshooting information for Hitachi Command Suite, see the Hitachi Command Suite Administrator Guide. For details about HCS error messages, see Hitachi Command Suite Messages. For troubleshooting information for Device Manager - Storage Navigator, see the Hitachi Virtual Storage Platform G1000 Mainframe System Administrator Guide. For details about HDvM - SN error messages, see Hitachi Command Suite Messages.

The following table provides general troubleshooting information for Encryption License Key. If you need technical assistance, see Contacting the Hitachi Data Systems Support Center on page 5-3.

Problem: Action
Cannot use the Encryption License Key feature to back up or restore a key: Verify the following:
• The Encryption License Key software license is valid and installed.
• You have the Security Administrator (View & Modify) role.
• If you back up and restore data encryption license keys with a key management server, the connection to the key management server is available.
• If you back up and restore data encryption license keys with a key management server, the number of keys which
File Name: The root certificate file for connecting to the key management server.
Secondary Server: When the secondary server exists, displays the same items as the primary server.
Generate Encryption Keys on Key Management Server: Displays whether encryption keys are created on a key management server or not.
• Yes: Encryption keys are created on a key management server.
• No: Encryption keys are not created on a key management server.
Protect the Key Encryption Key at the Key Management Server: Displays whether key encryption keys are saved on key management servers or not.
• Yes: Encryption keys are saved on key management servers.
• No: Encryption keys are not saved on key management servers.
Disable local key generation: Displays whether encryption keys are saved on key management servers and encryption keys cannot be created on the storage system.
• Yes: Encryption keys are created on key management servers and encryption keys cannot be created on the storage system.
• No: Encryption keys are not created on key management servers. Encryption keys are created on storage systems.

Create Keys wizard

Use the Create Keys wizard to create keys and to back up keys to the key management server. This wizard includes the following windows:
• Create Keys window
• Confirm window

Create Keys win
Policy (Backup Encryption Keys) wizard to confirm the changes to the password policy.

Edit Password Policy (Backup Encryption Keys)

(Screenshot: Edit Password Policy (Backup Encryption Keys), step 2 Confirm. Enter a name for the task (Task Name, max 32 characters), confirm the Password Policy settings (minimum numbers of Numeric Characters (0-9), Uppercase Characters (A-Z), Lowercase Characters (a-z), Symbols, and Total), and click Apply to add the task to the Tasks queue. Option: Go to tasks window for status.)

Item: Description
Numeric Characters (0-9): Displays the minimum number of numeric characters that should be used for this password.
Uppercase Characters (A-Z): Displays the minimum number of alphabetical uppercase characters that should be used for this password.
Lowercase Characters (a-z): Displays the minimum number of alphabetical lowercase characters that should be used for this password.
Symbols: Displays the minimum number of symbols that should be used for this password.
Total: Displays the minimum number of characters for this password.

Backup Keys to File wizard

Use the Backup Keys to File wizard to create backup data encryption licens
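The password policy above is enforced by the storage system's wizard, so an administrator scripting backup-key handling cannot see the rule until a password is rejected. The following Python is an added example (not code from the Hitachi guide) that models the five minimums of the Edit Password Policy (Backup Encryption Keys) window, plus the 6 to 255 character range shown on the Restore Keys from File window, so a candidate backup-file password can be checked up front. The class and function names are this example's own, and the symbol set is an assumption (the guide does not define which characters count as symbols); it also derives the effective minimum length, which is the larger of Total and the sum of the four class minimums.

```python
"""Check a backup-key password against an Edit Password Policy setting.

Added example, not code from the Hitachi guide. It models the five minimums
shown on the Edit Password Policy (Backup Encryption Keys) window (numeric,
uppercase, lowercase, symbols, total) so a password can be checked before it
is typed into the Backup Keys to File wizard.
"""
from __future__ import annotations

import string
from dataclasses import dataclass

# Assumption: the guide does not define the symbol set; ASCII punctuation is used here.
SYMBOL_SET = frozenset(string.punctuation)


@dataclass(frozen=True)
class PasswordPolicy:
    """Minimums as displayed on the policy window (field names are this example's own)."""
    numeric: int = 0      # minimum count of characters 0-9
    uppercase: int = 0    # minimum count of characters A-Z
    lowercase: int = 0    # minimum count of characters a-z
    symbols: int = 0      # minimum count of symbol characters
    total: int = 6        # minimum total length (lower bound of the 6-255 range)
    max_total: int = 255  # upper bound of the 6-255 range on the Restore Keys from File window


def count_classes(password: str) -> dict[str, int]:
    """Count how many characters of each policy class the password contains."""
    return {
        "numeric": sum(c in string.digits for c in password),
        "uppercase": sum(c in string.ascii_uppercase for c in password),
        "lowercase": sum(c in string.ascii_lowercase for c in password),
        "symbols": sum(c in SYMBOL_SET for c in password),
        "total": len(password),
    }


def effective_minimum_length(policy: PasswordPolicy) -> int:
    """A password that meets every class minimum is at least their sum long,
    so the real minimum length is the larger of Total and that sum."""
    class_sum = policy.numeric + policy.uppercase + policy.lowercase + policy.symbols
    return max(policy.total, class_sum)


def check_password(password: str, policy: PasswordPolicy) -> list[str]:
    """Return the list of violated requirements; an empty list means compliant."""
    counts = count_classes(password)
    problems: list[str] = []
    for name in ("numeric", "uppercase", "lowercase", "symbols", "total"):
        required = getattr(policy, name)
        if counts[name] < required:
            problems.append(f"{name}: need at least {required}, have {counts[name]}")
    if counts["total"] > policy.max_total:
        problems.append(
            f"total: at most {policy.max_total} characters allowed, have {counts['total']}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample policy and candidate passwords (not from the guide).
    policy = PasswordPolicy(numeric=2, uppercase=1, lowercase=1, symbols=1, total=8)
    print("effective minimum length:", effective_minimum_length(policy))
    for candidate in ("Abc12345", "Abc1234!", "Ab1!"):
        result = check_password(candidate, policy)
        print(candidate, "->", "OK" if not result else "; ".join(result))
```

Characters outside the four classes (spaces, non-ASCII letters) count toward Total only, which matches what the window displays: there is no minimum for them, so they can only help satisfy the length requirement.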
Key Management Server Connections

You can use an optional key management server with the Hitachi Virtual Storage Platform G1000. This chapter provides information on setting up the key management server.

• Key management server requirements
• Workflow for edit encryption environmental settings

Key management server requirements

The key management server must meet the following requirements:
• Protocol: Key Management Interoperability Protocol 1.0 (KMIP 1.0)
• Software: SafeNet KeySecure k460 6.4.1 or Thales keyAuthority 4.0.2
• Certificates:
  ◦ Root certificate of the key management server (X.509)
  ◦ Client certificate in PKCS#12 format

Root and client certificates

Root and client certificates are required to connect to KMIP servers and to ensure that the network access is good. You upload the certificates to the SVP. To access the key management server, the client certificate must be current and not expired.

For details about the client certificate password in PKCS#12 format:
• Contact the key management server administrator.
• See Client certificate password on page 3-2.

To get copies of the root and client certificates, contact the k
data encryption license keys to the key management server. For more information, see Settings in the Edit Encryption Environmental Settings window on page 3-6 and Backing up keys to a key management server on page 4-4.

To connect to the key management server by host name instead of IP address, send the IP address of the DNS server to your service representative and request that the service representative configure the SVP.

If the key management server is unavailable after you complete this task, the settings may be incorrect. Contact the server or network administrator.

Prerequisites
• Required role: Security Administrator (View & Modify)

1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Expand the target storage system, and then select Encryption Keys.
   In Device Manager - Storage Navigator (mainframe-only environment):
   a. Display the Device Manager - Storage Navigator main window.
   b. Select Administration in Explorer, and select Encryption Keys.
2. Select the Encryption Keys tab.
3. Click Edit Encryption Environmental Settings.
4. In the Edit Encryption Environmental Settings window, select Enable or Disable on the Key Management Server.
5. If you connect to the Key Management Server, specify the primary server and the secondary server.
6. If the key management server is already in use, select Check to test the connection. Error messages appear if the server c
keys from a file on the HCS management server or HDvM - SN computer. Only encryption keys with the Free attribute can be deleted; encryption keys with the other attributes cannot be deleted.

Prerequisites
• Required role: Security Administrator (View & Modify)

1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Expand the target storage system, and then select Encryption Keys.
   In Device Manager - Storage Navigator (mainframe-only environment):
   a. Display the Device Manager - Storage Navigator main window.
   b. Select Administration in Explorer, and select Encryption Keys.
2. On the Encryption Keys tab, select the key ID for the key you want to delete from the Encryption Keys table, and click More Actions > Delete Keys.
3. To back up encryption keys to the key management server, click Next. To back up encryption keys to the server, see Backing up keys to a key management server on page 4-4.
4. In the Delete Keys window, click Finish.
5. In the Confirm window, confirm the settings and enter your task name in Task Name. If you want the Task window to open after you click Apply, select Go to tasks window for status. Click Apply.
6. In the message that appears asking whether to apply the setting to the storage system, click OK.
on the HCS management server or HDvM - SN computer. For details, see Restoring keys from a file on page 4-11.
   ◦ Restore the data encryption license key from the key management server. For details, see Restoring keys from a key management server on page 4-12.

Restoring keys from a file

Restore the data encryption license keys from a file backed up on the computer.

Prerequisites
• Required role: Security Administrator (View & Modify)

1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Expand the target storage system, and then select Encryption Keys.
   In Device Manager - Storage Navigator (mainframe-only environment):
   a. Display the Device Manager - Storage Navigator main window.
   b. Select Administration in Explorer, and select Encryption Keys.
2. On the Encryption Keys tab, click Restore Keys > From File.
3. In the Restore Keys from File window, click Browse, and then click OK.
4. In the Open dialog box, select the backup file and click Open.
5. In the Restore Keys from File window, complete the following items, and then click Finish:
   ◦ File Name shows the name of the selected file (view only).
   ◦ For Password, type the password for the data encryption license key that you typed when you backed up the selected data encryption license key.
6. In the Confirm window, confirm the settings and enter your task name in Task Name. If you want th
problem.

Primary and secondary data encryption license keys

The Hitachi Virtual Storage Platform G1000 automatically creates a primary backup of each data encryption license key and stores this backup on each MP package. The Encryption License Key feature enables you to create secondary backups of the data encryption license keys for the Hitachi Virtual Storage Platform G1000. If the primary backup key is unavailable, the secondary backup is required to restore the key.

WARNING: If the primary backup key becomes unavailable and no secondary backup key exists, the system cannot decrypt the encrypted data. It is strongly recommended that you back up each key or group of keys immediately after you create them, and schedule regular weekly backups of all keys to ensure data availability. You are responsible for storing the secondary backup keys securely.

It is also recommended that you back up each key after you perform any of the following operations:
• Adding, removing, or replacing drives
• Adding, removing, or replacing disk adapters
• Updating CEK keys
• Updating KEK keys

Note: The creation and secure storage of secondary backup encryption license keys must be included as part of your corporate security policy.

For details about backing up secondary data encryption license keys, see Workflow for backing up secondary data encryption license keys on page 4-2.

KMIP key management server support

Using
the Encryption License Key feature, you can create, back up, and restore data encryption license keys on a key management server that supports Key Management Interoperability Protocol (KMIP). There are a limited number of keys you can back up on the key management server; therefore, it is recommended that you delete unnecessary keys when possible. For details about backing up data encryption license keys to a key management server, see Backing up keys to a key management server on page 4-4.

Audit logging of encryption events

The Audit Log feature of the Hitachi Virtual Storage Platform G1000 provides audit logging of events that happen in the system. The audit log records events related to data encryption and data encryption license keys. For details about audit logging and audit log events, see the Hitachi Command Suite Audit Log Reference Guide.

Interoperability requirements and considerations

The following table provides the interoperability requirements and considerations for Encryption License Key operations.

Functions: Interoperability requirements and considerations
ShadowImage, TrueCopy, Compatible FlashCopy V2, and Compatible XRC: Encrypt both the P-VOL and S-VOLs (S-VOL and T-VOLs for Compatible FlashCopy V2) of pairs to ensure data security.
Thin Image: Match the encryption states of the P-VOL and pool-VOL. I
the software license key for the Encryption License Key feature. For instructions, see the Hitachi Command Suite User Guide or the Hitachi Virtual Storage Platform G1000 Mainframe System Administrator Guide.

If the Encryption License Key software license expires or is missing, you cannot delete the encryption key.

2. Assign the Security Administrator (View & Modify) role to the user who will be enabling or disabling data encryption and backing up or restoring keys. For details about assigning roles, see the Hitachi Command Suite User Guide or the Hitachi Virtual Storage Platform G1000 Mainframe System Administrator Guide.

Disabling the Encryption License Key feature

Caution: You must perform steps 1 and 2 in the following procedure before you delete the software license key.

1. Disable data encryption at the parity group level. For instructions, see Disabling data encryption at the parity group level on page 4-9.
2. Initialize the connection settings to the key management server. For instructions, see Initialize the connection settings to the key management server on page 4-17.
3. Disable the software license key. For instructions, see the Hitachi Command Suite User Guide or the Hitachi Virtual Storage Platform G1000 Mainframe System Administrator Guide.
to File wizard  A-15
Backup Keys to File window  A-15
Backup Keys to File confirmation window  A-18
Backup Keys to Server wizard  A-18
Backup Keys to Server window  A-19
Backup Keys to Server confirmation window  A-20
Restore Keys from file wizard  A-20
Restore Keys from File window  A-21
Restore Keys confirmation window  A-22
Restore Keys from Server wizard  A-22
Restore Keys from Server window  A-23
Restore Keys from Server confirmation window  A-24
Delete Keys wizard  A-24
Delete Keys window  A-25
Delete Keys confirmation window  A-26
Delete Backup Keys on Server window  A-26
View Backup Keys on Server window  A-27
Edit Encryption wizard  A-29
Edit Encryption window  A-30
Edit Encryption confirmation window  A-34
Rekey Certificate Encryption Keys window  A-35
Rekey Key Encryption Key win
you can back up on the key management server is not exceeded.
• If you back up and restore data encryption license keys with a key management server, a time-out has not occurred due to the increase in the number of keys on the key management server.
• The latest key is restored; the key will not be updated after a secondary backup has been performed.
Cannot create or delete data encryption license keys: Make sure that:
• The Encryption License Key software license is valid and installed.
• You have the Security Administrator (View & Modify) role.
• If you have backed up and restored data encryption license keys with a key management server, the connection to the key management server is available.
Cannot enable encryption for a parity group: Make sure that:
• The Encryption License Key software license is valid and installed.
• All LDEVs in the parity group are in the blocked status.
Cannot disable encryption for a parity group: Make sure that all LDEVs in the parity group are in the blocked status.
Server configuration test failed: Check the following key management server connection settings:
• Host name
• Port number
• Client certificate file
• Root certificate file
If the communication failure is due to the length of time to connect to the server, try changing these settings:
• T
Item: Description
Encryption: Shows the encryption setting for the parity group.
• Enable: Encryption is enabled.
• Disable: Encryption is disabled.
Format Type: Shows the format types of the parity group. You do not need to format volumes when there are none selected in the parity group; therefore, the format type in the Selected Parity Groups list becomes a hyphen regardless of the status of the format type.
Remove: Removes parity groups from the Selected Parity Groups table.

Edit Encryption confirmation window

Use the Confirm window to confirm the changes to the data encryption license key and to view a list of the selected parity groups related to the data encryption license key.

(Screenshot: Edit Encryption confirmation window, showing a warning message and the Selected Parity Groups table; the screenshot text is not legible.)

Selected Parity Groups table

Use the Selected Parity Groups table to view a list of the selected parity groups related to the data encryption license key.

Item: Description
Parity Group ID: Shows parity gr
Disable.
   ◦ For Format Type, choose the format type.

The parity group you selected from the Available Parity Groups list is added to the Selected Parity Groups list.

Note: When you click Add, Format Type becomes inactive and you cannot select the format type. If you want to change the format type, delete all parity groups in the Selected Parity Groups list, and then select the format type again. You do not need to format volumes when there is no volume in the selected parity group; therefore, the format type in the Selected Parity Groups list becomes a hyphen regardless of the status of Format Type.

4. In the Edit Encryption window, click Finish.
5. In the Confirm window, confirm the settings and enter your task name in Task Name. If you want the Task window to open after you click Apply, select Go to tasks window for status. Click Apply.
6. In the confirmation message that appears asking whether to apply the setting to the storage system, click OK.

Encryption is disabled for the parity group.

Related topics
• Edit Encryption window on page A-30

Encryption formatting at the parity group level

The LDEV formatting operation writes zero data to the entire area of all drives in the parity group or overwrites an LDEV. This process is also referred to as encryption formatting.

Workflow for
Encryption License Key feature. For details, see Enabling the Encryption License Key feature on page 2-2.
3. Assign the Security Administrator (View & Modify) role to the administrator who creates, backs up, and restores data encryption license keys. For details, see Enabling the Encryption License Key feature on page 2-2.

System requirements

The following table lists the system requirements for the Encryption License Key feature.

Item: Requirement
Hitachi Virtual Storage Platform G1000: Microcode 80-01-2x and later
Hitachi Command Suite: Encryption License Key software license
Hitachi Device Manager - Storage Navigator: Security Administrator (View & Modify) role to enable or disable data encryption and to back up or restore keys; Storage Administrator (Provisioning) role to format volumes
SVP: Web server. To connect to the key management server by specifying the host name instead of IP address, you need the DNS server settings. For SVP configuration, give your service representative the IP address of the DNS server.
Host platforms: All open systems and mainframe host platforms are supported.
Data volumes: All volume types and emulations are supported (open systems, mainframe, and multiplatform).
Supported volumes: Internal
Disk adapter: A disk adapter that provides data encryption

Enabling the Encryption License Key feature

To enable the Encryption License Key feature:
1. Enable
(Screenshot: Edit Encryption Environmental Settings window, showing Key Management Server (Enable/Disable); the Primary Server and Secondary Server settings (Host Name as Identifier, IPv4, or IPv6; Port Number; Timeout (sec); Retry Interval (sec); Number of Retries; Client Certificate File Name; Root Certificate File Name); Server Configuration Test with Check and Result; Generate Encryption Keys on Key Management Server; and Protect the Key Encryption Key at the Key Management Server.)

Item: Description
Key Management Server: Select whether to use the key management server.
• Enable (default): The key management server is used.
• Disable: The key management server is not used.
Server Setting: When you use the key management server, the following items display:
• Primary server
• Secondary server
• Server Configuration test
Primary Server: Specify the primary server information.
• Host Name: Enter the host name of the key management server. Identifier: Enter the host identifier. IPv4: Enter the host IPv4 address. IPv6: Enter the host IPv6 address.
• Port number: Enter the port number of the key management server. Values: 1 to 65535. Default: 5696.
• Timeout (sec): Enter the time until the connection attempt to the key management server times out. Values: 1 to 999. Default: 60.
• Retry Interval (sec): Enter the interval to retry the co
Backup Keys to Server confirmation window

(Screenshot: Backup Keys to Server confirmation window. Enter a name for the task (max 32 characters), confirm the settings in the list, and click Apply to add the task to the Tasks queue. Option: Go to tasks window for status.)

Item: Description
Description: Shows the description for the backup data encryption license key.

Restore Keys from file wizard

Use the Restore Keys wizard to restore data encryption license keys from a file you backed up on the HCS management server or HDvM - SN computer. This wizard includes the following windows:
• Restore Keys from File window
• Confirm window

Restore Keys from File window

(Screenshot: Restore Keys from File, step 1. The wizard text explains that it replaces uncreated keys with the backup keys: enter the password for the file, select the Restore Keys file, and click Finish to confirm. Fields: File Name and Password (6 to 255 characters).)

Item: Description
File Name: File name of the selected backup file.
Browse: Select the backup file (.ekf). The name of the selected file is shown for File Name.
Password: The password that you typed when you created the backup data encryption license key.

Encr
LDKC number, CU number, and LDEV number. An LDEV formatted for use by mainframe hosts is called a logical volume image (LVI). An LDEV formatted for use by open-system hosts is called a logical unit (LU).
logical unit (LU): An LDEV that is configured for use by open-systems hosts, for example OPEN-V.
logical volume image (LVI): An LDEV that is configured for use by mainframe hosts, for example 3390-3.

P
parity group: A redundant array of independent drives (RAID) that have the same capacity and are treated as one group for data storage and recovery. A parity group contains both user data and parity information, which allows the user data to be accessed in the event that one or more of the drives within the parity group are not available. The RAID level of a parity group determines the number of data drives and parity drives and how the data is striped across the drives.
P-VOL: primary volume.

S
service information message (SIM): Message generated by the RAID storage system when an error or service requirement is detected. SIMs are reported to hosts and displayed on Device Manager - Storage Navigator.
Storage Administrator: User role in Hitachi Command Suite and Hitachi Device Manager - Storage Na
a encryption license keys  4-2
Creating data encryption license keys  4-2
Workflow for backing up secondary data encryption license keys  4-3
Backing up keys as a file  4-4
Backing up keys to a key management server  4-4
Opening the Backup Keys to Server window using the Encryption window  4-5
Opening the Backup Keys to Server window using the View Backup Keys on Server window  4-6
Editing the password policy  4-6
Workflow for enabling data encryption on parity groups  4-7
Enabling data encryption at the parity group level  4-7
Workflow for disabling data encryption at the parity group level  4-8
Disabling data encryption at the parity group level  4-9
Encryption formatting at the parity group level  4-10
Workflow for restoring data encryption license keys  4-10
Restoring keys from a file  4-11
Restoring keys from a key management server  4-12
Workflow for deleting data encryption license keys  4-12
Deleting data encryption license keys  4-13
Deleting backup data encryption license keys from the server  4-14
Viewing encryption keys backed up on the key managem
Related topics: Edit Password Policy Backup Encryption Keys window on page A-12.

Workflow for enabling data encryption on parity groups
The Encryption License Key feature provides data encryption at the parity group level to protect data on LDEVs. Use the following process to set up for data encryption and enable data encryption on parity groups:
1. Back up the secondary data encryption license key. For details, see Workflow for backing up secondary data encryption license keys on page 4-3.
2. Block the LDEVs at the parity group level. For details, see the Hitachi Virtual Storage Platform G1000 Provisioning Guide for Mainframe Systems or Hitachi Virtual Storage Platform G1000 Provisioning Guide for Open Systems.
3. Enable data encryption on the parity group. For details, see Enabling data encryption at the parity group level on page 4-7.
4. Format the LDEVs at the parity group level. For details, see Workflow for enabling data encryption on parity groups on page 4-7.

Enabling data encryption at the parity group level
Data encryption is enabled at the parity group level.
Prerequisites
• Required role: Security Administrator (View & Modify)
• Required role to format volumes: Storage Administrator (Provisioning)
1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Exp
acked up to the key management server, the system does not back up the client certificate. Make sure that you back up a copy of the connection settings to the key management server and save a copy of the client certificate separately. Refer to your corporate security policy for procedures related to backups.
1. Ensure the client and root certificates are uploaded to the key management server. If the certificates are not uploaded:
   o Contact the key management server administrator.
   o See Converting the client certificate to the PKCS#12 format on page 3-3 and Uploading the root and client certificate on page 3-3.
2. Configure the connection settings to the key management server. For details, see Configuring the connection settings to the key management server on page 3-5.
3. Confirm that you can connect to the key management server.
4. Check with the key management server administrator, then save a backup copy of the client certificate.
5. Back up the connection settings to the key management server. For instructions, see the Hitachi Command Suite User Guide or the Hitachi Virtual Storage Platform G1000 Mainframe System Administrator Guide.

Configuring the connection settings to the key management server
Configure the connection settings to the key management server to set up the key management server and to back up the
al terms used in this document. Click the letter links below to navigate.

A
AES: Advanced Encryption Standard.

C
CU: control unit.

E
ECB: Electronic Code Book.
emulation type: Indicates the type of LDEV, for example OPEN-V, 3390-9.
Encryption Administrator: User role in Hitachi Command Suite and Hitachi Device Manager - Storage Navigator with permission to perform Encryption License Key operations. Compare with Storage Administrator.
encryption key: The data encryption license key is used to encrypt and decrypt data on the Hitachi Virtual Storage Platform G1000.
external volume: A volume whose data is stored on drives that are physically outside of the RAID storage system. Universal Volume Manager is used to manage external storage. Compare with internal volume.

I
internal volume: A volume whose data is stored on drives that are physically within the RAID storage system. Compare with external volume.

L
logical device (LDEV): An individual logical device on multiple drives in a RAID configuration in the storage system. An LDEV may or may not contain any data and may or may not be defined to any hosts. Each LDEV has a unique identifier or address within the storage system composed of the
and the target storage system, and then select Parity Groups.
   In Device Manager - Storage Navigator (mainframe-only environment):
   a. Display the Device Manager - Storage Navigator main window.
   b. Select Storage Systems in Explorer and select Parity Groups.
In the Parity Groups table, select a specific parity group on which you want to enable encryption, and then click Edit Encryption. In the tree that is shown, Internal or External is displayed. To select an internal LDEV, select Internal. Otherwise, click the Parity Groups tab.
4. In the Parity Groups table, select a specific parity group on which you want to enable encryption, and then click Actions > Parity Group > Edit Encryption.
   Note: If you do not select a specific parity group, data encryption is enabled on all of the parity groups in the list.
In the Edit Encryption window, complete the following, and then click Add:
   o For Available Groups, select the parity group for which you want to enable data encryption.
   o For Encryption, select Enable to enable data encryption, or select Disable to disable data encryption at the parity group level.
   o For Format Type, select the format type. Values: Quick Format, Normal Format, or No Format. Default: Quick Format.
   The parity group you selected from the Available Parity Groups table is added to the Sel
arity group.
• If you click Enable, data encryption will be enabled.
• If you click Disable, data encryption will be disabled.
Format Type: Select the format type of the parity group. You do not need to format volumes when there are none selected in the parity group. Therefore, the format type in the Selected Parity Groups list becomes a hyphen regardless of the status of the format type.
Add: Use this button to move a selected parity group in the Available Parity Groups table to the Selected Parity Groups table.

Selected Parity Groups table
Use the Selected Parity Groups table to remove the parity group from the list.
[Screenshot: Selected Parity Groups table (Parity Group ID, RAID Level, Drive Type/RPM, Format Type, Capacity, Encryption; Remove button)]
Item: Description
Parity Group ID: Shows parity group IDs.
RAID Level: Shows the RAID level of the parity group. For an interleaved parity group, the interleaved number appears after the RAID level. Example: 1(2D+2D)*2.
Capacity: Shows the total capacity (unit) of the parity group.
Drive Type/RPM: Shows the drive types and RPM (rotations per minute) of the LDEV in the parity group.
[Screenshot: Encryption Keys window, continued]
• Summary on page A-2
• Encryption Keys tab on page A-3

Summary
Use the Summary to view details about the number of data encryption license keys and to open the View Backup Keys on Server window.
Item: Description
Number of Encryption Keys: Shows the number of data encryption license keys.
• Data Encryption Key: Number of data encryption keys.
• Certificate Encryption Key: Number of certificate
ate Keys wizard
• Edit Password Policy Backup Encryption Keys wizard
• Backup Keys to File wizard
• Backup Keys to Server wizard
• Restore Keys from file wizard
• Restore Keys from Server wizard
• Delete Keys wizard
• Delete Backup Keys on Server window
• View Backup Keys on Server window
• Edit Encryption wizard
• Rekey Certificate Encryption Keys window
• Rekey Key Encryption Key window
• Retry Key Encryption Key Acquisition window

Encryption Keys window
Use the Encryption Keys window to create data encryption license keys. Clicking Encryption Keys in the Administration tree opens this window.
[Screenshot: Encryption Keys window (Summary and Encryption Keys tab)]
[Screenshot: Delete Keys window, Selected Keys table (Key ID)]
Key ID: IDs of data encryption license keys.

Delete Keys confirmation window
[Screenshot: Delete Keys confirmation window, Selected Keys table (Key ID)]
Key ID: The identifiers for the data encryption license keys.

Delete Backup Keys on Server window
Use the Delete Backup Keys on Server window to confirm the deletion of a backup key. This window includes the Selected Backup Keys table.
[Screenshot: Delete Backup Keys on Server window (Confirm: "Selected backup keys will be deleted. Are you sure to continue?"; Task Name, max 32 characters; Selected Backup Keys table with UUID, Backup Date, Description; Go to tasks window for status; Back, Next, Apply)]
Item: Description
UUID: Shows the UUID of the data encryption license key you backed up on the key management server.
Backup Date: Shows the time when you backed up the data encryption license key on the k
be set as the items of the primary server.
Server Configuration Test: Select Check to start a server connection test for the key management server based on the specified settings.
Check: Start a server connection test for the key management server based on the specified settings.
Result: Shows the result of the server connection test for the key management server.
Generate Encryption Keys on Key Management Server: Checks when encryption keys are created on a key management server.
Protect the Key Encryption Key at the Key Management Server: Specifies when key encryption keys are saved on key management servers. If Warning is displayed, confirm the content of the warning and select I Agree.
Disable local key generation: Checks when encryption keys are saved on key management servers and encryption keys cannot be created on the storage system. If Warning is displayed, confirm the content of the warning and select I Agree.
Caution: If you finish the setting, you cannot restore the setting, so it is recommended that you confirm there are no problems before selecting I Agree.
Initialize Encryption Environmental Settings: Select to initialize the connection settings to the key management server.

Edit Encryption Environmental Settings confirmation window
[Screenshot: Edit Encryption Environmental Settings confirmation window]
d Parity Groups table. For details, see Selected Parity Groups table on page A-32.

Available Parity Groups table
Use the Available Parity Groups table on the Edit Encryption window to view a list of the available parity groups.
[Screenshot: Edit Encryption window: Available Parity Groups table (Parity Group ID, RAID Level, Capacity, Drive Type/RPM, Encryption), Add button, Encryption Enable/Disable, Format Type Quick Format]
Item: Description
Parity Group ID: Shows the parity group IDs.
RAID Level: Shows the RAID level of the parity group. For an interleaved parity group, the interleaved number appears after the RAID level. Example: 1(2D+2D)*2.
Capacity: Shows the total capacity (unit) of the parity group.
Drive Type/RPM: Shows the drive types and RPM (rotations per minute) of the LDEV in the parity group.
Encryption: Shows the encryption setting for the parity group. Enable: Encryption is enabled. Disable: Encryption is disabled.
Item: Description
Encryption: Select the encryption setting for the p
d and integrated key management that does not require specialized key management infrastructure.

Encryption License Key support specifications
The following table lists the support specifications for Encryption License Key.
Item: Specification
Hardware specifications
   Encryption algorithm: Advanced Encryption Standard (AES), 256-bit
   Encryption mode: XTS mode
LDEVs that you can encrypt
   Volume type: Open, mainframe, multiplatform
   Emulation type: All emulation types
   Internal/external LDEVs: Internal LDEVs only
   LDEV with existing data: Supported (requires data migration)
Managing data encryption license keys
   Creating data encryption license keys: Use the Hitachi storage management software to create data encryption license keys.
   Deleting data encryption license keys: Use the Hitachi storage management software to delete data encryption license keys. However, you cannot delete data encryption license keys that are allocated to implemented drives.
   Unit of encryption: Parity group. Data encryption/decryption keys are used per HDD.
   Scope of data encryption license keys: 4,096 data encryption license keys per storage system. You can create 4,096 Free keys or DEK keys. You can create 32 CEK keys and one KEK key. Therefore, the total n
dow  A-36
Retry Key Encryption Key Acquisition window  A-37
Glossary
Index

Preface
This document describes and provides instructions for installing and using the Encryption License Key feature of the Hitachi Virtual Storage Platform G1000 storage system. Please read this document carefully to understand how to use this product, and maintain a copy for reference purposes.
• Intended audience
• Product version
• Document revision level
• Changes in this revision
• Referenced documents
• Document conventions
• Accessing product documentation
• Getting help
• Comments

Intended audience
This document is intended for system administrators, Hitachi Data Systems representatives, and authorized service providers who install, configure, and operate the Hitachi Virtual Storage Platform G1000. Readers of this document should be familiar with the following:
• Data processing and RAID storage systems and their basic functions
• The Hitachi Virtual Storage Platform G1000 and the Hitachi Virtual Storage Platform G1000 Product Guide
• The Hitachi storage management software for the Hitachi Virtual Storage Platform G1000 (Hitachi Command Suite or Hitac
dow
Use the Create Keys window to create a data encryption license key. This window includes the Selected Keys table.
[Screenshot: Create Keys window (Number of Encryption Keys)]
Number of Encryption Keys: Specifies the number of encryption keys (1 to 4,096). 4,096 is the maximum number of encryption keys. This window shows the value obtained by subtracting the number of created DEK and Free keys from 4,096.

Create Keys confirmation window
The following is the Confirm window in the Create Keys wizard.
[Screenshot: Create Keys confirmation window]
Number of Encryption Keys: Displays the number of encryption keys.
Related topics
• Workflow for creating data encryption license keys on page 4-2
• Creating data encryption license keys on page 4-2

Edit Password Policy Backup Encryption Keys wizard
Use the Edit Password Policy Backup Encryption Keys wizard to edit the password policy for backup keys. This wizard includes the following windows:
• Edit Password Policy Backup Encryption Keys window
• Confirm window
Encryption License Key Overview
This chapter describes the Encryption License Key feature of the Hitachi Virtual Storage Platform G1000 storage system.
• Encryption License Key benefits
• Encryption License Key support specifications
• When are data encryption license keys needed
• Primary and secondary data encryption license keys
• KMIP key management server support
• Audit logging of encryption events
• Interoperability requirements and considerations
• Workflow for enabling data encryption
• Workflow for encrypting existing data
• Workflow for disabling encryption
• Workflow for changing the encryption license key

Encryption License Key benefits
To guarantee the security of data, use the Encryption License Key feature to encrypt the data stored on the Hitachi Virtual Storage Platform G1000. Encrypting data can prevent information loss and leaks, for example when a drive is physically removed from the storage system due to failure or theft. The Encryption License Key feature provides the following benefits:
• Hardware-based AES-256 encryption in XTS mode for open and mainframe systems
• You can apply encryption to some or all of the internal drives without throughput or latency impacts for data I/O, and with little to no disruption to existing applications and infrastructure
• Simplifie
e management software: Refers to all supported software products for the Hitachi Virtual Storage Platform G1000 unless otherwise noted:
• Hitachi Command Suite
• Hitachi Device Manager - Storage Navigator

This document uses the following typographic conventions.
Convention: Description
Bold: Indicates text on a window, such as menus, menu options, buttons, text boxes, and labels. Example: Click OK.
Italic: Indicates a variable, which is a placeholder for actual text provided by the user or system. Example: copy source-file target-file. Note: Angled brackets (< >) also indicate variables.
screen/code: Indicates text that is displayed on screen or typed by the user. Example: pairdisplay -g oradb
< > angled brackets: Indicates a variable, which is a placeholder for actual text provided by the user or system. Example: pairdisplay -g <group>. Note: Italic font also indicates variables.
[ ] square brackets: Indicates optional values. Example: [ a | b ] means that you can choose a, b, or nothing.
{ } braces: Indicates required values. Example: { a | b } means that you must choose either a or b.
| vertical bar: Indicates that you have a choice between two or more options or arguments. Example: [ a | b ] means that you can choose a, b, or nothing.
Underline: Indicates the default value. Example: [ a | b ]

This document uses the following icons to draw attention to information.
e Task window to open after you click Apply, select Go to tasks window for status. Click Apply. The backup data encryption license key is restored.
Related topics
• Restore Keys from File window on page A-21

Restoring keys from a key management server
Restore a data encryption license key from the key management server. You can restore up to 4,128 data encryption license keys at a time. The client certificate is required to restore backed-up data encryption license keys from a key management server.
Caution: If you do not have the client certificate and the system administrator replaces the SVP due to a failure, you cannot restore the backed-up data encryption license keys.
Prerequisites
• Required role: Security Administrator (View & Modify)
1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Expand the target storage system, and then select Encryption Keys.
   In Device Manager - Storage Navigator (mainframe-only environment):
   a. Display the Device Manager - Storage Navigator main window.
   b. Select Administration in Explorer and select Encryption Keys.
2. On the Encryption Keys tab, click Restore Keys > From Server.
3. In the Restore Keys from Server window, select the data encryption license key you want to restore.
4
e keys as files on the HCS management server or HDvM - SN computer. This wizard includes the following windows:
• Backup Keys to File window
• Confirm window

Backup Keys to File window
When the password policy is edited in the Edit Password Policy Backup Encryption Keys window, you will see the following figure.
[Screenshot: Backup Keys to File window with an edited password policy (Password: 10 to 255 characters with minimum numbers of numeric, upper-case, lower-case and symbol characters; Re-enter Password)]
When the password policy is not edited in the Edit Password Policy Backup Encryption Keys window, you will see the following figure.
[Screenshot: Backup Keys to File window with the default password policy (Password: 6 to 255 characters; Re-enter Password)]
Item: Description
Password: The password for the backup data encryption license key. Character limits: 6 to 255. Valid characters:
• Numbers (0 to 9)
• Upper case (A-Z)
• Lower case (a-z)
• Symbols: & < > ...
Re-enter Passw
eaning: Description
Provides helpful information, guidelines, or suggestions for performing tasks more effectively.
Calls attention to important and/or additional information.
Caution: Warns the user of adverse conditions and/or consequences (e.g., disruptive operations).
WARNING: Warns the user of severe conditions and/or consequences (e.g., destructive operations).

Accessing product documentation
The Hitachi Virtual Storage Platform G1000 user documentation is available on the Hitachi Data Systems Portal: https://portal.hds.com. Check this site for the most current documentation, including important updates that may have been made after the release of the product.

Getting help
The Hitachi Data Systems customer support staff is available 24 hours a day, seven days a week. If you need technical support, log on to the Hitachi Data Systems Portal for contact information: https://portal.hds.com.

Comments
Please send us your comments on this document: doc.comments@hds.com. Include the document title and number, including the revision level (for example, -05), and refer to specific sections and paragraphs whenever possible. All comments become the property of Hitachi Data Systems Corporation. Thank you!
ected Parity Groups list. When you click Add, Format Type becomes inactive and you cannot select the format type. If you want to change the format type, delete all parity groups in the Selected Parity Groups list and then select the format type again. You do not need to format volumes when there is no volume selected in the parity group. Therefore, the format type in the Selected Parity Groups list becomes a hyphen regardless of the status of the format type.
Click Finish.
In the Confirm window, confirm the settings and enter your task name in Task Name. If you want the Task window to open after you click Apply, select Go to tasks window for status. Click Apply.
In the message that appears, click OK. Data encryption is enabled on the parity group.
Related topics: Edit Encryption window on page A-30.

Workflow for disabling data encryption at the parity group level
Disable encryption or decrypt data at the parity group level.
1. Back up the secondary data encryption license key. For details, see Workflow for backing up secondary data encryption license keys on page 4-3.
2. Block the LDEVs at the parity group level. For details, see the Hitachi Virtual Storage Platform G1000 Provisioning Guide for Mainframe Systems or Hitachi Virtual Storage Platform G1000 Provisioning Guide for Open System
ed.
Related topics
• Encryption Keys window on page A-2
• Backup Keys to File window on page A-15

Backing up keys to a key management server
Back up data encryption license keys to a key management server. The data encryption license keys that you back up to a key management server are managed with the client certificate.
There is a limited number of keys you can back up on the key management server. Therefore, it is recommended that you delete unnecessary keys when possible.
When you back up to a key management server, the server uses another data encryption license key to encrypt the original keys. Both keys reside on the server.
Prerequisites
• Required role: Security Administrator (View & Modify)
1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Expand the target storage system, and then select Encryption Keys.
   In Device Manager - Storage Navigator (mainframe-only environment):
   a. Display the Device Manager - Storage Navigator main window.
   b. Select Administration in Explorer and select Encryption Keys.
2. On the Encryption Keys tab, click View Backup Keys on Server to open the Backup Keys to Server window.
3. Optional: In the Backup Keys to Server window, for Description, type a description, and then click Finish.
4. In the Confirm
ent server  4-14
Exporting encryption license key table information  4-15
Rekeying key encryption keys  4-15
Rekeying certificate encryption keys  4-16
Retrying Key Encryption Key Acquisition  4-17
Initialize the connection settings to the key management server  4-17
Troubleshooting  5-1
Troubleshooting for Encryption License Key  5-2
Contacting the Hitachi Data Systems Support Center  5-3
A Encryption License Key GUI Reference  A-1
Encryption Keys window  A-2
Edit Encryption Environmental Settings wizard  A-4
Edit Encryption Environmental Settings window  A-4
Edit Encryption Environmental Settings confirmation window  A-8
Create Keys wizard  A-10
Create Keys window  A-10
Create Keys confirmation window  A-10
Edit Password Policy Backup Encryption Keys wizard  A-11
Edit Password Policy Backup Encryption Keys window  A-12
Edit Password Policy Backup Encryption Keys confirmation window  A-13
Backup Keys
ey management server administrator. For details about uploading the client certificates, see Uploading the root and client certificate on page 3-3.

Root certificate on the key management server
If you use SafeNet KeySecure or Thales keyAuthority on the key management server, create and put the root certificate on the server. For details about SafeNet KeySecure, see the SafeNet KeySecure k460 documentation. For details about Thales keyAuthority, see the Thales keyAuthority documentation. The root certificate of the key management server must be in X.509 format.

Client certificate password
The password can be from 0 to 128 characters in length. The valid characters for the password are:
• Numbers (0 to 9)
• Upper-case letters (A-Z)
• Lower-case letters (a-z)
• The following symbols: & < > _ ...
For details about converting the client certificate to PKCS#12 format, see Converting the client certificate to the PKCS#12 format on page 3-3. For details about client certificates, see Root and client certificates.

Workflow for preparing the client certificate
Use the following process to prepare the client certificate, which includes setting the client certificate expiration date and password.
1. Download and install openssl.exe from http://www.openssl.org to the c:\openssl fo
key management server.
Description | Shows the description you typed when you backed up the data encryption license key on the key management server.

View Backup Keys on Server window
Use the View Backup Keys on Server window to view a list of the backup data encryption license keys on the server. This window includes the Backup Keys table.
[Screenshot: View Backup Keys on Server window, showing the Backup Keys table with UUID, Backup Date and Description columns and the Delete Backup Keys on Server, Backup Keys to Server and Restore Keys from Server buttons]

Backup Keys table
The Backup Keys table is shown on the View Backup Keys on Server window. This table lists the backup data encryption license keys.
Item | Description
UUID | Shows the UUID of the backup data encryption license key on the key management server.
Backup Date | Shows the time you backed up the data encryption license key on the key management server.
Description | Shows the description you typed when you backed up the data encryption license key on
eys as a file
Back up a secondary data encryption license key as a file on the computer. Back up the file and the password, since the file and password are not automatically backed up.
Prerequisites
• Required role: Security Administrator (View & Modify)
1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Expand the target storage system, and then select Encryption Keys.
   In Device Manager Storage Navigator (mainframe-only environment):
   a. Display the Device Manager Storage Navigator main window.
   b. Select Administration in Explorer, and select Encryption Keys.
2. Select the Encryption Keys tab.
3. In the Encryption Keys table, select the key ID for the data encryption license key you want to back up, and click Backup Keys > To File.
4. In the Backup Keys to File window, complete the following, and then click Finish:
   • For Password, type the key restoration password. Case sensitive: Yes.
   • For Re-enter Password, retype the password.
5. In the Confirm window, confirm the settings and enter your task name in Task Name. If you want the Task window to open after you click Apply, select Go to tasks window for status. Click Apply.
6. In the message that appears, click OK.
7. Select the location to which to save the backup file, and then type the backup file name using the extension .ekf.
8. Click Save.
The secondary backup encryption license key is sav
If the P-VOL is encrypted, encrypt all of the pool-VOLs. If the data pool contains a non-encrypted pool-VOL, the differential data of the P-VOL is not encrypted.
Universal Replicator | Match the encryption states of a P-VOL and S-VOL. If you encrypt the P-VOL only, the data copied on the S-VOL is not encrypted and therefore not protected. When you encrypt a P-VOL or S-VOL, use a journal to which only encrypted LDEVs are registered as journal volumes. If the encryption states of the P-VOL, S-VOL and journal volumes do not match, the journal data in the P-VOL is not encrypted and the security of the data cannot be guaranteed.
Dynamic Provisioning, Dynamic Tiering, Dynamic Provisioning for Mainframe and Dynamic Tiering for Mainframe | When enabling encryption for data written to a data pool with a V-VOL, use a data pool that consists of encrypted volumes.

Workflow for enabling data encryption
Use the following process to set up for and enable data encryption.
1. Create a secondary backup of the data encryption license key. For details, see Workflow for backing up secondary data encryption license keys on page 4-3.
2. Enable data encryption at the parity group level. For details, see Enabling data encryption at the parity group level on page 4-7.
3. Format the LDEVs in the encrypted parity group. The data to be stored on these new LDEVs will be encrypted. For instructions on formatting LDEVs, see the Hitachi Virtual Stora
ge Platform G1000 Provisioning Guide for Open Systems.

Workflow for encrypting existing data
To encrypt existing data, you must migrate the data to an encrypted parity group. Use the following process to encrypt existing data.
1. Create a new parity group.
2. Enable data encryption on the parity group. For details, see Enabling data encryption at the parity group level on page 4-7.
3. Format the LDEVs in the encrypted parity group. For instructions, see the Hitachi Virtual Storage Platform G1000 Provisioning Guide for Open Systems.
4. Migrate the existing data to the LDEVs in the encrypted parity group. For details about data migration, contact your Hitachi Data Systems account team.

Workflow for disabling encryption
Use the following process to disable encryption.
1. Back up the data in the parity group.
2. Disable data encryption at the parity group level. For details, see Workflow for disabling data encryption at the parity group level on page 4-8.
3. Format the LDEVs in the parity group. For instructions, see the Hitachi Virtual Storage Platform G1000 Provisioning Guide for Open Systems.

Workflow for changing the encryption license key
To change the encryption license key for existing encrypted data, you must migrate the data to an encrypted parity group that has a different encryption license key.
the target storage system, and then select Encryption Keys.
   In Device Manager Storage Navigator (mainframe-only environment):
   a. Display the Device Manager Storage Navigator main window.
   b. Select Administration in Explorer, and select Encryption Keys.
2. On the Encryption Keys tab, click View Backup Keys on Server.
3. Click Backup Keys to Server.

Editing the password policy
You can set the minimum number of characters required for passwords.
Prerequisites
• Required role: Security Administrator (View & Modify)
1. In Hitachi Command Suite:
   a. On the Administration tab, click Security, and then Password.
   b. In the Password window, click Edit Settings.
   c. In the Password Policy window, set the minimum number of characters.
   In Device Manager Storage Navigator (mainframe-only environment):
   a. Display the Device Manager Storage Navigator main window.
   b. From the Settings menu, select Security > Encryption Key > Edit Password Policy Backup Encryption Keys.
   c. In the Edit Password Policy Backup Encryption Keys window, set the minimum number of characters.
2. In Hitachi Command Suite, you can click OK. In Device Manager Storage Navigator, you can click Finish.
3. In the Confirm window, confirm the settings and enter your task name in Task Name. If you want the Task window to open after you click Apply, select Go to tasks window for status. Click Apply.
hi Device Manager Storage Navigator, and the software user manual (Hitachi Command Suite User Guide or Hitachi Virtual Storage Platform G1000 Mainframe System Administrator Guide)
• The use of data encryption in a storage environment

Product version
This document revision applies to Hitachi Virtual Storage Platform G1000 microcode 80-02-0x or later.

Document revision level
Revision | Description
MK-92RD8009-00, April 2014 | Initial release
MK-92RD8009-01, August 2014 | Supersedes and replaces MK-92RD8009-00
MK-92RD8009-02, October 2014 | Supersedes and replaces MK-92RD8009-01

Changes in this revision
• Revised navigation steps in procedures

Referenced documents
Hitachi Virtual Storage Platform G1000 documents:
• Hitachi Virtual Storage Platform G1000 Hardware Guide, MK-92RD8007
• Hitachi Virtual Storage Platform G1000 Mainframe System Administrator Guide, MK-92RD8016
• Hitachi Command Suite User Guide, MK-90HC172
• Hitachi Command Suite Audit Log Reference Guide, MK-92HC213
• Hitachi Virtual Storage Platform G1000 Provisioning Guide for Mainframe Systems, MK-92RD8013
• Hitachi Virtual Storage Platform G1000 Provisioning Guide for Open Systems, MK-92RD8014
• Hitachi Command Suite Messages, MK-90HC178

Document conventions
This document uses the following terminology conventions:
Convention | Description
Hitachi storag
imeout
• Retry interval
• Number of retries
Problem: The Edit Encryption wizard operation failed, but the status of encryption has changed.
Solution: The change of the status succeeded, but the format of the volume failed. Confirm the message, remove the error, and enable or disable format volumes again.
Problem: The storage system failed to get encryption keys backed up on the key management server, and all volumes are blocked when the storage system is turned on. The SIM code 661000 is returned.
Solution: Complete the following tasks:
• Restore the connection to the key management server.
• Retry key encryption key acquisition.
• Contact the Hitachi Data Systems Support Center to restore the disk adapter and blocked drives or blocked volumes.
Problem: Editing encryption environmental settings has failed with the error 00002-058578.
Solution: If it is the first time you are configuring encryption environmental settings in the Edit Encryption Environmental Settings window and it fails (error message 00002-058578), complete the following tasks:
1. Wait a few minutes, then click File > Refresh All to reread the configuration information.
2. Initialize the connection settings to the key management server.
3. Configure the encryption environmental settings again.
If it is not the first time you are configuring encryption environmental settings in the Edit Encryption Environmental Settings window and it fails (error message 00002-058578), complete the following tasks:
1. Wai
in this Document may be subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Reader agrees to comply strictly with all such regulations and acknowledges that Reader has the responsibility to obtain licenses to export, re-export, or import the Document and any Compliant Products.
Hitachi is a registered trademark of Hitachi, Ltd., in the United States and other countries. Hitachi Data Systems is a registered trademark and service mark of Hitachi, Ltd., in the United States and other countries.
Archivas, Essential NAS Platform, HiCommand, Hi-Track, ShadowImage, Tagmaserve, Tagmasoft, Tagmasolve, Tagmastore, TrueCopy, Universal Star Network, and Universal Storage Platform are registered trademarks of Hitachi Data Systems Corporation.
AIX, AS/400, DB2, Domino, DS6000, DS8000, Enterprise Storage Server, ESCON, FICON, FlashCopy, IBM, Lotus, MVS, OS/390, RS/6000, S/390, System z9, System z10, Tivoli, VM/ESA, z/OS, z9, z10, zSeries, z/VM, and z/VSE are registered trademarks or trademarks of International Business Machines Corporation.
All other trademarks, service marks, and company names in this document or website are properties of their respective owners.
Microsoft product screen shots are reprinted with permission from Microsoft Corporation.
folder.
2. Create the key file. You can create the following types of key files:
   • Private key file
   • Public key file
3. Convert the client certificate to PKCS#12 format. For details, see Converting the client certificate to the PKCS#12 format on page 3-3.
4. Upload the root and client certificates to the SVP. For details, see Uploading the root and client certificate on page 3-3.

Converting the client certificate to the PKCS#12 format
Convert the client certificate to the PKCS#12 format, which includes uploading the client certificate in the PKCS#12 format to the Storage Virtualization System (SVP).
1. From an open command prompt, change the current directory to the folder where you want to save the client certificate in the PKCS#12 format.
2. Move the private SSL key file (.key) and the client certificate to the folder in the current directory, and run the command. The following is an example for an output folder of c:\key, a private key file client.key, and a client certificate file client.crt:
   C:\key> c:\openssl\bin\openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
3. Type the client certificate password. For details about the client certificate password, see Client certificate password on page 3-2.

Uploading the root and client certificate
Before you configure the connection settings to the key management server, you must upload the root certificate and the client certificate.
Prere
Edit Password Policy Backup Encryption Keys window
[Screenshot: Edit Password Policy Backup Encryption Keys wizard, step 1 of 2 (Edit Password Policy Backup Encryption Keys, Confirm): "This wizard lets you edit the password policy for Backup Keys to File. Select each minimum number of characters and click Finish to confirm." Fields: Numeric Characters (0-9), Uppercase Characters (A-Z), Lowercase Characters (a-z), Symbols, Total]
Item | Description
Numeric Characters (0-9) | The minimum number of numeric characters that should be used for this password. Values: 0 to 255. Default: 0.
Uppercase Characters (A-Z) | The minimum number of alphabetical upper case characters that should be used for this password. Values: 0 to 255. Default: 0.
Lowercase Characters (a-z) | The minimum number of alphabetical lower case characters that should be used for this password. Values: 0 to 255. Default: 0.
Symbols | The minimum number of symbols that should be used for this password. Values: 0 to 255. Default: 0.
Total | The minimum number of characters for this password. Values: 6 to 255. Default: 6.

Edit Password Policy Backup Encryption Keys confirmation window
Use the Confirm window in the Edit Password
n 1-6
Workflow for changing the encryption license key 1-6
Encryption License Key Installation 2-1
Workflow for Encryption License Key installation 2-2
System requirements 2-2
Enabling the Encryption License Key feature 2-2
Disabling the Encryption License Key feature 2-3
Key Management Server Connections 3-1
Key management server requirements 3-2
Root and client certificates 3-2
Root certificate on the key management server 3-2
Client certificate password 3-2
Workflow for preparing the client certificate 3-3
Converting the client certificate to the PKCS#12 format 3-3
Uploading the root and client certificate 3-3
Workflow for edit encryption environmental settings 3-4
Configuring the connection settings to the key management server 3-5
Settings in the Edit Encryption Environmental Settings window 3-6
Managing data encryption license keys 4-1
Workflow for creating dat
encryption license key is deleted.
Related topics
• View Backup Keys on Server window on page A-27
• Delete Backup Keys on Server window on page A-26

Viewing encryption keys backed up on the key management server
You can view encryption keys that are backed up on the key management server.
Prerequisites
• Required role: Security Administrator (View & Modify)
1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Expand the target storage system, and then select Encryption Keys.
   In Device Manager Storage Navigator (mainframe-only environment):
   a. Display the Device Manager Storage Navigator main window.
   b. Select Administration in Explorer, and select Encryption Keys.
2. On the Encryption Keys tab, click View Backup Keys on Server to view the backup keys on the key management server.
Related topics
• Encryption Keys window on page A-2
• View Backup Keys on Server window on page A-27

Exporting encryption license key table information
You can output encryption license key table information.
Prerequisites
• Required role: Security Administrator (View & Modify)
1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Expand the target storage system, and then select Encryp
nnection to the key management server. Values: 1 to 60. Default: 1.
Number of Retries | Enter the number of times to retry the connection to the key management server. Values: 1 to 50. Default: 3.
Client Certificate File Name | Select the client certificate file for connecting to the key management server. Click Browse and select the file.
Browse | Select the client certificate file. The form of the client certificate is PKCS#12. For information about the client certificate file, contact the server or network administrator. The file name appears in the Client Certificate File Name field.
Password | Enter the password for the client certificate. Character limits: 0 to 128. Valid characters: Numbers (0 to 9), Upper case (A-Z), Lower case (a-z), Symbols: & < > [the remaining symbols are not legible in the source].
Root Certificate File Name | Select the root certificate file for connecting to the key management server. Click Browse and select the file.
Browse | Select the root certificate file. The form of the root certificate is X.509. If you do not know about the root certificate file, contact the server administrator or the network administrator. The name of the selected file appears in the Root Certificate File Name field.
Item | Description
Secondary Server | When the secondary server is set to Enable, the same items can
ntents
Preface vii
Intended audience viii
Product version viii
Document revision level viii
Changes in this revision viii
Referenced documents viii
Document conventions ix
Accessing product documentation x
Getting help x
Comments x
Encryption License Key Overview 1-1
Encryption License Key benefits 1-2
Encryption License Key support specifications 1-2
When are data encryption license keys needed 1-3
Primary and secondary data encryption license keys 1-4
KMIP key management server support 1-4
Audit logging of encryption events 1-5
Interoperability requirements and considerations 1-5
Workflow for enabling data encryption 1-5
Workflow for encrypting existing data 1-6
Workflow for disabling encryptio
on keys, you can use the Rekey Key Encryption Keys window to rekey key encryption keys.
[Screenshot: Rekey Key Encryption Key window, Confirm step: "Enter a name for the task. Click Apply to add the task in the Tasks queue for execution." Task Name (Max 32 Characters), Go to tasks window for status]
Task Name | You can enter up to 32 ASCII characters (letters, numerals, and symbols) in Task Name. Task names are case sensitive.

Retry Key Encryption Key Acquisition window
If the key encryption keys are acquired from the external key management server when the storage device starts, and for some reason they could not be acquired, retry the key encryption key acquisition.
[Screenshot: Retry Key Encryption Key Acquisition window, Confirm step: "Enter a name for the task. Click Apply to add the task in the Tasks queue for execution." Task Name (Max 32 Characters), Go to tasks window for status]
Task Name | You can enter up to 32 ASCII characters (letters, numerals, and symbols) in Task Name. Task names are case sensitive.

Glossary
This glossary defines the speci
onfiguration test fails.
7. Create an encryption key:
   • To generate an encryption key on the key management server, select Generate Encryption Keys on Key Management Server. To store the encryption key on the key management server, select Protect the Key Encryption Key on the Key Management Server, then I Agree.
   Caution: If you have selected Protect the Key Encryption Key on the Key Management Server in Generate Encryption Keys on Key Management Server, the storage system will try to get encryption keys backed up on the key management server once the storage system is turned on. Therefore, it is recommended that you confirm that the SVP is connected to the key management server properly before turning the storage system on.
   • To generate an encryption key on the key management server without creating an encryption key in the storage system, select Disable Local Key Generation. Confirm the Warning that displays, and select I Agree.
   Caution: When you select the Disable local key generation and I Agree check boxes in Generate Encryption Keys on Key Management Server and finish the settings, you cannot undo this action.
8. To back up data encryption license keys to the key management server, click Next. Otherwise, click Finish.
9. In the Confirm window, confirm the settings and enter your task name in Task Name.
ord | Type the password again for confirmation.

Backup Keys to File confirmation window
[Screenshot: Backup Keys to File wizard, Confirm step: "Enter a name for the task. Click Apply for immediate execution. Please input and save a file name after execution." Task Name (Max 32 Characters), Go to tasks window for status]
When you click Apply in the Confirm window, a confirmation message will appear. After you click OK, a window for saving the file for encryption keys will appear. Enter the backup file name with the extension of .ekf, and save the file.

Backup Keys to Server wizard
Use the Backup Keys to Server wizard to back up data encryption license keys on the key management server. This wizard includes the following windows:
• Backup Keys to Server window
• Confirm window

Backup Keys to Server window
[Screenshot: Backup Keys to Server window: "Add a description for the Backup Keys operation and click Finish to confirm." Description (Max 256 characters or blank)]
Description | Optionally enter a description for the backup data encryption license key. Character limits: 256.
oup identifier.
RAID Level | Shows the RAID level of the parity group. For an interleaved parity group, the interleaved number appears after the RAID level. Example: 1 2D 2D 2
Capacity | Shows the total capacity of the parity group.
Drive Type/RPM | Shows the drive types and RPM (rotation per minute) of the LDEV in the parity group.
Encryption | Encryption setting for the parity group:
   • Enable: encryption enabled
   • Disable: no encryption
Format Type | Shows the format types of the parity group. You do not need to format volumes when there is no volume in the selected parity group. Therefore, the format type in the Selected Parity Groups list becomes a hyphen regardless of the status of Format Type.

Rekey Certificate Encryption Keys window
If you change certificate encryption keys, you can use the Rekey Certificate Encryption Keys window to rekey certificate encryption keys.
[Screenshot: Rekey Certificate Encryption Keys window: "Enter a name for the task. Click Apply to add the task in the Tasks queue for execution." Task Name (Max 32 Characters), Go to tasks window for status]
Task Name | You can enter up to 32 ASCII characters (letters, numerals, and symbols) in Task Name. Task names are case sensitive.

Rekey Key Encryption Key window
If you change key encrypti
played.
Generated on | The path in which the encryption key is created.
Number of Backups | The number of times that a backup of a data encryption license key is created. When the attribute is KEK, a hyphen is displayed.
Create Keys | Click to open the Create Keys window.
Backup Keys | Select To File to open the Backup Keys to File window. Select To Server to open the Backup Keys to Server window.
Restore Keys | Select From File to open the Restore Keys from File window. Select From Server to open the Restore Keys from Server window.
More Actions | Select Rekey Key Encryption Keys to display the Rekey Key Encryption Keys window. Select Delete Keys from the list to delete a selected data encryption license key. Select Retry Key Encryption Key Acquisition to display the Retry Key Encryption Key Acquisition window. Select Export from the list to open the window for outputting table information.
Related topics
• Creating data encryption license keys on page 4-2
• Backing up keys as a file on page 4-4
• Backing up keys to a key management server on page 4-4
• Restoring keys from a file on page 4-11
• Restoring keys from a key management server on page 4-12
• Deleting data encryption license keys on page 4-13
• Deleting backup data encryption licen
ption Keys table.
3. Click More Actions > Rekey Key Encryption Keys.
4. In the Rekey Key Encryption Key window, confirm the settings and enter your task name in Task Name. If you want the Task window to open after you click Apply, select Go to tasks window for status. Click Apply.
Related topics
• Rekey Key Encryption Key window on page A-36

Rekeying certificate encryption keys
If you change certificate encryption keys, use the following procedure to rekey the keys. After rekeying certificate encryption license keys, it is recommended that you back up each key.
Prerequisites
• Required role: Security Administrator (View & Modify)
1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Expand the target storage system, and then select Encryption Keys.
   In Device Manager Storage Navigator (mainframe-only environment):
   a. Display the Device Manager Storage Navigator main window.
   b. Select Administration in Explorer, and select Encryption Keys.
2. On the Encryption Keys tab, select Rekey Certificate Encryption Keys.
3. In the Rekey Certificate Encryption Keys window, confirm the settings and enter your task name in Task Name. If you want the Task window to open after you click Apply, select Go to tasks window for status. Click Appl
quisites
• Required role: Security Administrator (View & Modify)
1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Expand the target storage system, and then select Encryption Keys.
   In Device Manager Storage Navigator (mainframe-only environment):
   a. Display the Device Manager Storage Navigator main window.
   b. Select Administration in Explorer, and select Encryption Keys.
2. Click Edit Encryption Environmental Settings. Upload the certificates in the Edit Encryption Environmental Settings window.

Workflow for edit encryption environmental settings
To use a key management server, you must configure the connection and network settings. You can also set the encryption settings, such as disabling the local key generation and storing the key encryption key to the DKC. For more information about the appropriate connection settings, contact the key management server administrator. For more information about the network settings, contact your network administrator.
Caution: Encryption keys backed up on the key management server are managed with the client certificate. If the client certificate is lost and the SVP is replaced due to a failure, you cannot restore the encryption keys that were backed up before the replacement.
When the connection settings are b
The data encryption license key is deleted.
Related topics
• Delete Keys window on page A-25

Deleting backup data encryption license keys from the server
Delete a backup data encryption license key from the key management server.
Caution: Before deleting a primary or secondary backup data encryption license key from the key management server, ensure that you have backed up another data encryption license key.
Prerequisites
• Required role: Security Administrator (View & Modify)
1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Expand the target storage system, and then select Encryption Keys.
   In Device Manager Storage Navigator (mainframe-only environment):
   a. Display the Device Manager Storage Navigator main window.
   b. Select Administration in Explorer, and select Encryption Keys.
2. On the Encryption Keys tab, click View Backup Keys on Server.
3. In the View Backup Keys on Server window, select the key ID for the backup data encryption license key you want to delete, and then click Delete Backup Keys on Server.
4. In the Delete Backup Keys on Server window, confirm the settings and enter your task name in Task Name. If you want the Task window to open after you click Apply, select Go to tasks window for status. Click Apply.
5. In the message that appears asking whether to apply the setting to the storage system, click OK.
The data e
restoring data encryption license keys
Restore a data encryption license key from the primary or secondary backup copy when all the LDEVs belonging to an encrypted parity group are blocked, or if an existing data encryption license key becomes unavailable or cannot be used (for example, due to a system failure). The system automatically restores data encryption license keys from the primary backup. You must have the Security Administrator (View & Modify) role to restore the data encryption license key from a secondary backup data encryption license key.
Caution: When you restore the data encryption license key, always restore the latest key. If a data encryption license key is updated after a secondary backup is performed and the restored key is not the latest key, drives and disk adapters will be blocked and will not be able to read data.
Use the following process to restore a data encryption license key.
1. Block the LDEVs associated to the encrypted parity group. For details, see the Hitachi Virtual Storage Platform G1000 Provisioning Guide for Open Systems or the Hitachi Virtual Storage Platform G1000 Provisioning Guide for Mainframe Systems.
2. Restore the data encryption license key from a primary or secondary backup copy. Do one of the following:
   • Restore the data encryption license key from a file backed up
s.
Disable data encryption at the parity group level. For details, see Disabling data encryption at the parity group level on page 4-9.
Format the LDEVs in the parity group for encryption. For details, see Encryption formatting at the parity group level on page 4-10.

Disabling data encryption at the parity group level
Disable data encryption at the parity group level to perform normal formatting options on encrypted data, such as writing to or overwriting an LDEV.
Prerequisites
• Required role: Security Administrator (View & Modify)
• Required role to format volumes: Storage Administrator (Provisioning)
1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Expand the target storage system, and then select Parity Groups.
   c. In the table that is shown, Internal or External are displayed.
   In Device Manager Storage Navigator (mainframe-only environment):
   a. Display the Device Manager Storage Navigator main window.
   b. Select Storage Systems in Explorer, and select Parity Groups.
   c. In the tree that is shown, Internal or External are displayed.
2. Select the name of the parity group for which you want to disable encryption, and then click Edit Encryption.
3. In the Edit Encryption window, complete the following, and then click Add:
   • For Available Parity Groups, choose the parity group on which you want to disable data encryption.
   • For Encryption, select
s checked in the Edit Encryption Environmental Settings window, the encryption keys are created on the key management server and used in the storage system.

After creating data encryption license keys, it is strongly recommended that you back up each key.

Prerequisites
• Required role: Security Administrator (View & Modify)

1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Expand the target storage system, and then select Encryption Keys.
   In Device Manager - Storage Navigator (mainframe-only environment):
   a. Display the Device Manager - Storage Navigator main window.
   b. Select Administration in Explorer, and select Encryption Keys.
2. Select the Encryption Keys tab.
3. Click Create Keys.
4. In the Create Keys window, specify the number of encryption keys you want to create. The keys are created with the Free attribute, and their key IDs are assigned automatically. To back up the data encryption license keys to the key management server, click Next. Otherwise, click Finish.
5. In the Confirm window, confirm the settings and enter your task name in Task Name. If you want the Task window to open after you click Apply, select Go to tasks window for status.
6. Click Apply. The new data encryption license key is created.

Related topics
scription

Item: Description
UUID: Shows the UUID of the data encryption license key that you backed up on the key management server.
Backup Date: Shows the time you backed up the data encryption license key on the key management server.
Description: Shows the description you typed when you backed up the data encryption license key on the key management server.

Restore Keys from Server confirmation window

[Screenshot: Restore Keys from Server confirmation window, showing the Task Name field (max 32 characters), the Selected Backup Keys table with UUID, Backup Date and Description columns, and the Go to tasks window for status check box.]

Item: Description
UUID: Shows the UUID of the data encryption license key you backed up on the key management server.
Backup Date: Shows the time when you backed up the data encryption license key on the key management server.
Description: Shows the description you typed when you backed up the data encryption license key on the key management server.

Delete Keys wizard

Use the Delete Keys wizard to delete keys and backup data encryption license keys. This wizard includes the following windows:
• Delete Keys window
• Confirm window

Delete Keys window

[Screenshot: Delete Keys window.]
se keys from the server on page 4-14
• Viewing encryption keys backed up on the key management server on page 4-14

Edit Encryption Environmental Settings wizard

Use the Edit Encryption Environmental Settings wizard to edit the encryption environmental settings. The Edit Encryption Environmental Settings wizard includes the following windows:
• Edit Encryption Environmental Settings window on page A-4
• Edit Encryption Environmental Settings confirmation window on page A-8

Edit Encryption Environmental Settings window

The items configured in the Edit Encryption Environmental Settings window can be changed under the following conditions:
• When the key management server is not in use
• When local key generation is disabled
• When the key encryption key for the key management server is stored on the DKC

[Screenshot: Edit Encryption Environmental Settings window, with the text "This wizard lets you edit the encryption environmental settings. Enter the information required and edit the encryption environment." It shows Key Management Server (Enable/Disable) and, under Server Settings, the Primary Server fields: Host Name (identifier, IPv4 or IPv6), Port Number, Timeout (sec), Retry Interval (sec), Number of Retries, and Client Certificate File]
[Screenshot: Edit Encryption Environmental Settings confirmation window, showing the Task Name field, the settings to be applied, and the Go to tasks window for status check box.]

Item: Description
Primary Server: Displays the primary server information.
Key Management Server: Shows whether the key management server is used. Enable: the key management server is used. Disable: the key management server is not used. Not Set: initialize the connection settings to the key management server.
Host Name: The host name of the key management server.
Port Number: The port number of the key management server.
Timeout (sec): The time until the connection attempt to the key management server times out.
Retry Interval (sec): The interval at which the connection to the key management server is retried.
Number of Retries: The number of times the connection to the key management server is retried.
Client Certificate File Name: The client certificate file used to connect to the key management server.
Password: The password for the client certificate, displayed as six asterisks.
Root Certificate
t a few minutes, then click File > Refresh All to reread the configuration information.
2. Configure the encryption environmental settings again.

Contacting the Hitachi Data Systems Support Center

When contacting the Hitachi Data Systems Support Center, provide as much information about the problem as possible, including:
• The circumstances surrounding the error or failure
• The content of any error messages displayed on the host systems
• The content of any error messages displayed on Device Manager - Storage Navigator
• The Device Manager - Storage Navigator configuration information (use the FD Dump Tool)
• The service information messages (SIMs), including reference codes and severity levels, displayed by Device Manager - Storage Navigator

The Hitachi Data Systems Support Center is available 24 hours a day, seven days a week. If you need technical support, log on to the Hitachi Data Systems Support Portal for contact information: https://portal.hds.com

Encryption License Key GUI Reference

This chapter provides descriptions of the Device Manager - Storage Navigator windows and dialog boxes for the Encryption License Key feature.
• Encryption Keys window
• Edit Encryption Environmental Settings wizard
• Cre
the key management server.
Delete Backup Keys on Server button: Opens the Delete Backup Keys on Server window.
Backup Keys to Server button: Opens the Backup Keys to Server window.
Restore Keys from Server button: Opens the Restore Keys from Server window.

Edit Encryption wizard

Use the Edit Encryption wizard to do the following:
• Enable data encryption on a parity group
• Edit or associate the data encryption license key to the LDEV
• Edit the format type for the parity group

This wizard includes the following windows:
• Edit Encryption window
• Confirm window

Edit Encryption window

[Screenshot: Edit Encryption window, with the text "This wizard lets you edit the encryption setting and format type. Select a parity group from the Available Parity Groups list and click Add." It shows the Available Parity Groups table (Parity Group ID, encryption setting and capacity columns), the Add button, the Selected Parity Groups table, and the Encryption and Format Type selections.]

The Edit Encryption window includes the following items:
• Available Parity Groups table. For details, see Available Parity Groups table on page A-30.
• Selecte
tion Keys.
   In Device Manager - Storage Navigator (mainframe-only environment):
   a. Display the Device Manager - Storage Navigator main window.
   b. Select Administration in Explorer, and select Encryption Keys.
2. On the Encryption Keys tab, select from the Encryption Keys table the key ID of the data encryption license key whose information you want to output.
3. Click More Actions > Export.
4. When the Ready to Download message appears, click OK.

Rekeying key encryption keys

If you create key encryption keys on the key management server, use the following procedure to rekey them. After rekeying key encryption keys, it is recommended that you back up each key.

Prerequisites
• Required role: Security Administrator (View & Modify)

1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Expand the target storage system, and then select Encryption Keys.
   In Device Manager - Storage Navigator (mainframe-only environment):
   a. Display the Device Manager - Storage Navigator main window.
   b. Select Administration in Explorer, and select Encryption Keys.
2. On the Encryption Keys tab, select the key ID of the data encryption license key whose information you want to output from the Encry
umber of data encryption license keys will be 4,129 when the CEK keys and KEK keys are included.

Attribute of encryption license keys: The following attributes are set for the encryption license keys:
• Free: An unused key, before it is allocated as an encryption license key.
• DEK: The data encryption key, used to encrypt the stored data.
• CEK: The certificate encryption key, used to encrypt the certificate, and the key used to encrypt the DEK of each HDD.
• KEK: The key encryption key, used to encrypt the CEK.

Backup/Restore functionality: Redundant primary and secondary backup/restore copies.

When are data encryption license keys needed?

After you have completed the encryption environmental settings, you need data encryption license keys to perform the following operations:
• Adding drives: A Free key is needed for each drive to allocate a DEK.
• Replacing drives: A Free key is needed for each drive to change its DEK.
• Adding or replacing disk adapters: Six Free keys are needed for each disk adapter: four to create the CEK keys and two to register the CEK keys.
• Updating CEK keys: Four Free keys per disk adapter (32 Free keys per storage system) are needed to change the CEK keys.

If a problem occurs during an operation, extra keys might be needed to recover from the
up level before initializing the connection settings to the key management server.

Prerequisites
• Required role: Security Administrator (View & Modify)

1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Expand the target storage system, and then select Encryption Keys.
   In Device Manager - Storage Navigator (mainframe-only environment):
   a. Display the Device Manager - Storage Navigator main window.
   b. Select Administration in Explorer, and select Encryption Keys.
2. On the Encryption Keys tab, select Edit Encryption Environmental Settings.
3. In the Edit Encryption Environmental Settings window, select Initialize Encryption Environmental Settings.
4. Select Finish to display the Confirm window.
5. In the Confirm window, confirm the settings and enter your task name in Task Name. If you want the Task window to open after you click Apply, select Go to tasks window for status.
6. Click Apply.

Related topics
• Edit Encryption Environmental Settings window on page A-4

Troubleshooting

This chapter provides troubleshooting information for Encryption License Key.
• Troubleshooting for Encryption License Key
•
vigator with permission to perform data encryption operations. Compare with Encryption Administrator.

S
S-VOL: secondary volume; source volume for Hitachi Compatible FlashCopy.

T
T-VOL: target volume.

U
USP V/VM: Hitachi Universal Storage Platform V/VM.

V
VSP G1000: Hitachi Virtual Storage Platform G1000.

X
XRC: Extended Remote Copy.
XTS: XEX-based Tweaked CodeBook mode (TCB) with CipherText Stealing (CTS).

Z
zero data: The number 0 (zero). A zero formatting operation is a formatting operation that writes the number 0 (zero) to the entire disk area.

Index

A
AES-256, 1-2
audit logging, 1-5

D
data encryption operations
   audit logging of, 1-5
   disabling encryption, 1-6, 4-8
   enabling encryption, 1-5, 4-7, 4-10
   encrypting existing data, 1-5, 1-6
   troubleshooting, 5-2
decrypting data, 4-8
disabling encryption, 4-8

E
emulation types, 1-2
enabling data encryption workflow, 4-7
encryption key operations
   audit logging of, 1-5
   backing up the key, 1-4, 4-3
   restoring the key, 4-10
   troubleshooting, 5-2
encr
window, confirm the settings and enter your task name in Task Name. If you want the Task window to open after you click Apply, select Go to tasks window for status.
Click Apply. The secondary backup encryption license key is saved.

Related topics
• Encryption Keys window on page A-2
• Backup Keys to Server window on page A-19

Opening the Backup Keys to Server window using the Encryption window

Prerequisites
• Required role: Security Administrator (View & Modify)

1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Expand the target storage system, and then select Encryption Keys.
   In Device Manager - Storage Navigator (mainframe-only environment):
   a. Display the Device Manager - Storage Navigator main window.
   b. Select Administration in Explorer, and select Encryption Keys.
2. On the Encryption Keys tab, select from the Encryption Keys table the key ID of the data encryption license key you want to back up, and click Backup Keys > To Server.

Opening the Backup Keys to Server window using the View Backup Keys on Server window

Prerequisites
• Required role: Security Administrator (View & Modify)

1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Expand t
y

Related topics
• Rekey Certificate Encryption Keys window on page A-35

Retrying key encryption key acquisition

If the key encryption keys are acquired from the key management server when the storage system starts, use the following procedure to retry the key encryption key acquisition.

Prerequisites
• Required role: Security Administrator (View & Modify)

1. In Hitachi Command Suite:
   a. On the Resources tab, click Storage Systems, and then expand All Storage Systems.
   b. Expand the target storage system, and then select Encryption Keys.
   In Device Manager - Storage Navigator (mainframe-only environment):
   a. Display the Device Manager - Storage Navigator main window.
   b. Select Administration in Explorer, and select Encryption Keys.
2. On the Encryption Keys tab, select More Actions > Retry Key Encryption Key Acquisition.
3. In the Retry Key Encryption Key Acquisition window, confirm the settings and enter your task name in Task Name. If you want the Task window to open after you click Apply, select Go to tasks window for status.
4. Click Apply.

After retrying the key encryption key acquisition, you must restore the disk adapter and the blocked drives or blocked volumes. Contact the Hitachi Data Systems Support Center to restore the disk adapter and the blocked drives or blocked volumes.

Related topics
• Retry Key Encryption Key Acquisition window on page A-37

Initializing the connection settings to the key management server

Disable data encryption at the parity gro
yption License Key GUI Reference

Restore Keys confirmation window

[Screenshot: Restore Keys from File wizard, step 2 (Confirm), with the text "Enter a name for the task. Confirm the settings and click Apply to add the task to the Tasks queue." It shows the Task Name field (max 32 characters), the Selected Backup Keys table with Item and Value columns (File Name and the selected backup file), and the Go to tasks window for status check box.]

Item: The item of the data encryption license key to restore.
Value: The value of the data encryption license key to restore.

Restore Keys from Server wizard

Use the Restore Keys from Server wizard to restore data encryption license keys from the key management server. This wizard includes the following windows:
• Restore Keys from Server window
• Confirm window

Restore Keys from Server window

[Screenshot: Restore Keys from Server wizard, step 1, with the text "This wizard lets you replace the uncreated keys with the backup keys. Select backup keys from the Available Backup Keys list. Click Finish to confirm." It shows the Available Backup Keys table with UUID, Backup Date and Description columns, and the Back and Next buttons.]

Item: De
yption setting status, A-32, A-34, A-35
external volumes, 2-2

L
license key, 2-2

P
primary backup key, 1-4, 4-3

R
requirements, 2-2
   host platforms, 2-2
   license key, 2-2
   microcode, 2-2
   password for encryption key, A-17
   Remote Web Console, 2-2
   Storage Navigator, 2-2
   volume types, 2-2

T
technical support, 5-3
troubleshooting, 5-2

V
volume types, 1-2

X
XTS mode, 1-2

Hitachi Data Systems
Corporate Headquarters: 750 Central Expressway, Santa Clara, California 95050-2627, U.S.A. Phone: 1-408-970-1000. www.hds.com, info@hds.com
Asia Pacific and Americas: 750 Central Expressway, Santa Clara, California 95050-2627, U.S.A. Phone: 1-408-970-1000. info@hds.com
Europe Headquarters: Sefton Park, Stoke Poges, Buckinghamshire SL2 4HD, United Kingdom. Phone: +44 (0)1753 618000. info.eu@hds.com
MK-92RD8009-02
ys

Create a data encryption license key to use with the Encryption License Key feature. Use the following process to create a data encryption license key:

1. Create the data encryption license key or group of keys. For details, see Creating data encryption license keys on page 4-2.
2. Back up the secondary data encryption license key. For details, see Workflow for backing up secondary data encryption license keys on page 4-3.
3. Schedule regular weekly backups of all of your data encryption license keys to ensure data availability.

Creating data encryption license keys

If you need to change a data encryption license key, create a new data encryption license key.

4,048 Free keys or DEK keys are created when you configure the encryption environmental settings on the Edit Encryption Environmental Settings window for the first time (the number depends on the configuration; 4,048 keys are created if the maximum number of disk adapters is installed). After that, you can create 4,096 Free keys or DEK keys. You can create up to 4,096 encryption keys per storage system.

When you configure the encryption environmental settings on the Edit Encryption Environmental Settings window again, Free keys are not created, and the DEK keys and CEK keys are not updated. The keys that were created previously are used.

Encryption keys are normally created in the storage system. However, when the key management server is in use and Generate Encryption Keys on Key Management Server i