Overview of the encryption features for VSP F series and VSP G series

The encryption features of the VSP F series and VSP G series provide hardware-based data-at-rest encryption for your
sensitive data.

About the data-at-rest encryption features

The VSP G series and VSP F series storage systems provide data at-rest encryption that protects your sensitive data
against breaches associated with storage media (for example, loss or theft). These features, known as Encryption
License Key and FMD Encryption License Key (VSP F1500 and VSP G1500 only), include hardware-based encryption
implementations as well as integrated key management functionality that can also leverage third-party key management
solutions via the OASIS Key Management Interoperability Protocol (KMIP).

The data-at-rest encryption features provide the following benefits:

• Hardware-based Advanced Encryption Standard (AES) encryption, using 256-bit keys in the XTS mode of
operation, is provided for open and mainframe systems.
• Encryption can be applied to some or all supported internal drives (HDD, SSD, FMD).
• Each encrypted internal drive is protected with a unique data encryption key.
• Encryption has negligible effects on I/O throughput or latency.
• Encryption requires little to no disruption of existing applications and infrastructure.
• Cryptographic erasure (media sanitization) of data is performed when an internal encrypted drive is removed from
the storage system.

Encryption License Key

In Encryption License Key, the encryption back-end director (EBED) encrypts data by using the data encryption key
allocated for each drive and then writes the data to the drive. When encrypted data is read, the EBED decrypts the data.
To use Encryption License Key, the software license key and EBEDs are required.
FMD Encryption License Key

In FMD Encryption License Key, the FMD-HDE drives generate and retain the media encryption keys and encrypt and
decrypt the data. The media encryption keys used by the FMD-HDE drives are encrypted internally, and they cannot be
viewed or output. After successful certification using a certification key, data can be written to and read from these
drives. To use FMD Encryption License Key, the software license key and FMD-HDE drives* are required.

*For information about availability of the FMD-HDE drives, contact your local sales representative.

The FMD Encryption License Key feature enables you to encrypt the data in accelerated compression-enabled parity
groups. The following table shows the combinations of encryption and accelerated compression that are supported.

https://knowledge.hitachivantara.com/Documents/Management_Software/SVOS/8.2/Volume_Security/Data-at-Rest_Encryptio…
Updated: Thu, 26 May 2022 07:15:09 GMT
Powered by
1
 FMD Encryption License
Drive type Accelerated compression Encryption License Key
Key

Supported but not

Enabled Not supported
recommended
FMD DC2

Disabled Supported Not supported

Enabled Not supported Supported

FMD-HDE
Disabled Not supported Supported

Encryption component description

The Encryption feature consists of three major components:

• Software licenses for Encryption License Key and FMD Encryption License Key
• Data at-rest encryption
• Key management

• Software licenses

If you are using BED-based or controller-based encryption, the Encryption License Key software license must be
installed and valid (not expired). If you are using the FMD-HDE drives, the FMD Encryption License Key software
license is required. Note that an expired license can limit the operations that can be performed on an already
configured storage system. The Encryption software licenses are provided by Hitachi.

• Data at-rest encryption (DARE) provided by Encryption License Key

For Encryption License Key, the data at-rest encryption (DARE) functionality is implemented using cryptographic
hardware (chips), included as part of the encrypting back-end directors (EBEDs) for the VSP G1x00, VSP F1500,
VSP G/F700, and VSP G/F900 models. For the VSP G/F350 and VSP G/F370 models, the cryptographic hardware
is located on the encryption controller boards. The EBEDs or encryption controllers must be installed and
configured before DARE can be used. These hardware components encrypt and decrypt data as it is being written
to or read from the physical drives.

Enabling and disabling DARE is controlled at the parity group level (that is, all drives in a parity group are either
encrypting or non-encrypting). While it is possible to have both encrypting and non-encrypting parity groups
configured on an EBED, it is recommended to encrypt all parity groups on an EBED. It is also important to note that

https://knowledge.hitachivantara.com/Documents/Management_Software/SVOS/8.2/Volume_Security/Data-at-Rest_Encryptio…
Updated: Thu, 26 May 2022 07:15:09 GMT
Powered by
2
 different spare drives are used for encrypting and non-encrypting parity groups.

• Data at-rest encryption (DARE) provided by FMD Encryption License Key

The FMD-based DARE functionality is implemented using cryptographic hardware (chips) that reside on the FMD-
HDE drives themselves. The FMD-HDE drives encrypt and decrypt data as it is being written to or read from the
drives, and the drives must be installed and configured before DARE can be used.

As with Encryption License Key, FMD-based DARE is implemented at the parity group level. The FMD-HDE parity
groups can be configured on regular (nonencrypting) BEDs or EBEDs. When the FMD-HDE drives are configured
on an EBED, encryption and decryption are performed by the FMD-HDE drives. The spare drives for FMD-HDE
parity groups must be FMD-HDE drives.

• Key management

Data security provided by encryption is only as good as the generation, protection, and management of the keys
used in the encryption process. Further, encryption keys must be available when they are needed while being
protected from possible compromise (for example, unauthorized access or destruction). To address these issues
and meet a wide range of requirements associated with key management, the Encryption feature includes multiple
options associated with key management.

It is important to understand what keys the storage systems use and the roles these keys play in the DARE solution.
There is a hierarchy of keys that include:
◦ Data encryption keys (DEKs): Each encrypted internal drive is protected with a unique DEK that is used with
the AES-based encryption. AES-XTS uses a pair of keys, so each key used as a DEK is actually a pair of
256-bit keys.
◦ Certificate encryption keys (CEKs): Each EBED requires a key for the encryption of the certificate (registration
of the EBED) and a key to encrypt the DEKs stored on the EBED.
◦ Key encryption keys (KEKs): A single key, the KEK, is used to encrypt the CEKs that are stored in the system.

Managing these keys in a secure manner is a critical aspect of the Encryption License Key feature. This key
management functionality controls the full key lifecycle, including the generation, distribution, storage, backup/
recovery, rekeying, and destruction of keys. In addition, the design of this key management functionality includes
protections against key corruption (for example, integrity checks on keys) as well as key backups (both primary and
secondary).

After the key generation source (storage system or key management server) has been established in the initial
encryption setup, the initial set of keys is generated. The number of generated keys depends on the storage system
model. Any keys that are not assigned will be designated as free keys and will be available for use.

When encryption is enabled for a parity group, DEKs are automatically assigned to the drives in the parity group.
Similarly, when encryption is disabled, DEKs are automatically replaced (old DEKs are destroyed, and keys from
the free keys are assigned as new DEKs). You can combine this functionality with migrating data between parity
groups to accomplish rekeying of the DEKs.

https://knowledge.hitachivantara.com/Documents/Management_Software/SVOS/8.2/Volume_Security/Data-at-Rest_Encryptio…
Updated: Thu, 26 May 2022 07:15:09 GMT
Powered by
3
 The key management can be configured in a stand-alone mode (integrated key management), or key management
can be configured to use third-party key management (external key management). When external key management
is leveraged, some or all the following functionality can be used:
◦ Initial and/or subsequent generation of keys used as CEKs and DEKs
◦ Generation and protection of KEKs
◦ Manual and automated backup of keys to a key management server (KMS)
◦ Restoration of keys from a key backup on a KMS

All communications with a KMS are performed using the OASIS Key Management Interoperability Protocol (KMIP)
version 1.0 over a mutually authenticated Transport Layer Security (TLS) version 1.2 connection. The TLS
authentication is performed using X.509 digital certificates for both the storage system and two cluster members of
the KMS.

In addition to using the KMS for certain transactions (for example, generation of keys, key backups, and key
recoveries), the storage systems can be configured to be dependent on the availability of the KMS. This
dependency is achieved by protecting the KEK on the KMS, which means that the storage system must retrieve the
KEK from the KMS as part of its boot-up sequence. If the KEK cannot be retrieved from the KMS, the storage
system will not fully boot. This configuration is reversible (that is, you can change back to integrated key
management) unless you configure the storage system in a special mode called KMIP-lock mode. When you
configure the storage system in KMIP-lock mode, local key generation is prevented and the configuration cannot be
changed back to allow local key generation.

Under a typical configuration, the storage systems store an encrypted copy of the CEKs and DEKs in shared
memory. A primary backup (encrypted) of these keys is also made on the flash memory of every EBED installed in
the storage system. When the storage system boots, the keys in shared memory are used unless they are missing
or corrupted, at which point one of the primary backups is used. This is the default behavior even when a KMS is
used to protect the KEK.

It is also possible to generate secondary backups of the keys either to a key file or on a KMS. Generating
secondary backups of the keys on a KMS is the only way to ensure that CEKs and DEKs are stored on a KMS.
These secondary key backups can be used to recover keys when the keys are not available in the storage system
(for example, when the storage system has been configured to purge all CEKs and DEKs at shutdown). If
secondary key backups will be used, it is important that they contain the current CEKs and DEKS, and this is
simplified with a KMS because secondary key backups are automatically performed after certain key operations (for
example, generating keys) and/or by leveraging regular (automated) key backups. Note that automatic key backups
have been optimized such that they are only performed when the CEKs and DEKs have changed.

Support specifications for Encryption License Key and FMD Encryption

License Key
The following table lists the support specifications for Encryption License Key.

https://knowledge.hitachivantara.com/Documents/Management_Software/SVOS/8.2/Volume_Security/Data-at-Rest_Encryptio…
Updated: Thu, 26 May 2022 07:15:09 GMT
Powered by
4
Item Specification

Advanced Encryption Standard

Encryption algorithm
(AES) 256-bit

Encryption mode XTS mode

Encryption License Key:

• VSP G350, VSP G370, VSP

F350, VSP F370: Compliant to
FIPS 140-2 Level 1
• VSP G700, VSP G900, VSP
Hardware specifications F700, VSP F900: Compliant to
FIPS 140-2 Level 2*
• VSP G1000, VSP G1500, and
VSP F1500: Compliant to FIPS
Encryption module standard 140-2 Level 1 and Level 2*

*To use encryption modules

compliant to FIPS 140-2 Level 2,
contact customer support.

FMD Encryption License Key (VSP

F1500 and VSP G1500 only): FIPS
140-2 Level 2 (certification pending)

Volume type Open, mainframe, multiplatform

Emulation type All emulation types

LDEVs that you can encrypt
Internal/external LDEVs Internal LDEVs only

LDEV with existing data Requires data migration

Use Device Manager - Storage

Managing encryption keys Creating encryption keys
Navigator (HDvM - SN) to create

https://knowledge.hitachivantara.com/Documents/Management_Software/SVOS/8.2/Volume_Security/Data-at-Rest_Encryptio…
Updated: Thu, 26 May 2022 07:15:09 GMT
Powered by
5
Item Specification

encryption keys.

Use Device Manager - Storage

Navigator to delete encryption keys.

Note: You cannot delete encryption

keys that are allocated to
Deleting encryption keys
implemented drives. You can delete
the encryption key allocated to a
drive and allocate a new encryption
key only when encryption is disabled
for the parity group.

Encryption is applied to the parity

group.
Unit of encryption/decryption
Data encryption keys (DEKs) are
used per drive.

• VSP G350, VSP G370, VSP

F350, VSP F370: Up to 1,024
Free keys or DEKs can be
created per storage system. In
addition, you can create 4
certificate encryption keys
(CEKs) and one key encryption
key (KEK), so the total
maximum number of encryption
keys, including DEKs, CEKs,
and KEKs, is 1,029.
Number of encryption keys
• VSP G700, VSP F700: Up to
4,096 Free keys or DEKs can
be created per storage system.
In addition, you can create 8
CEKs and one KEK, so the total
maximum number of encryption
keys, including DEKs, CEKs,
and KEKs, is 4,105.
• VSP G900, VSP F900: Up to
4,096 Free keys or DEKs can

https://knowledge.hitachivantara.com/Documents/Management_Software/SVOS/8.2/Volume_Security/Data-at-Rest_Encryptio…
Updated: Thu, 26 May 2022 07:15:09 GMT
Powered by
6
Item Specification

be created per storage system.

In addition, you can create 16
CEKs and one KEK, so the total
maximum number of encryption
keys, including DEKs, CEKs,
and KEKs, is 4,113.
• VSP G1x00, VSP F1500: Up to
4,096 encryption keys can be
created per storage system. In
addition, you can create up to
32 CEKs, 2,304 DEKs, and
1,728 PINs.

For Encryption License Key, the

encryption keys are set in the
following units:
◦ DEK: One key for each
drive or FMD DC2
◦ CEK: Four keys for each
EBED

For FMD Encryption License

Key, the encryption keys are set
in the following units:
◦ PIN: Three keys for each
FMD-HDE drive

Keys used for Encryption License

Key are created with the Free
attribute, and then another attribute
is assigned according to the usage.
The attributes for the encryption
keys are:
Attribute of encryption keys
• Free Unused data encryption
key that has not yet been
allocated.
• DEK Data encryption key. The
key for the encryption of the
stored data.

https://knowledge.hitachivantara.com/Documents/Management_Software/SVOS/8.2/Volume_Security/Data-at-Rest_Encryptio…
Updated: Thu, 26 May 2022 07:15:09 GMT
Powered by
7
 Item Specification

• CEK Certificate encryption key.

The key for the encryption of
the certificate and the key for
the encryption of DEK per drive.
• PIN Certificate encryption key
for FMD-HDE. The key is used
to certify FMD-HDE for FMD
Encryption License Key.
• KEK Key encryption key. The
key for encrypting a key in a
storage system with an attribute
other than KEK for Encryption
License Key.

All keys except KEK is referred

to as encryption keys.

Redundant (primary and secondary)

Backup/restore functionality
backup/restore copies

When encryption keys are used

After the encryption environment is set up, Free keys are used to perform the following operations. In addition, if a
problem occurs during an operation, extra Free keys might be needed to recover from the problem.

• Adding drives

To allocate data encryption keys or FMD-HDE certification keys, Encryption License Key uses one Free key, and
FMD Encryption License Key uses three Free keys. During this operation, media encryption keys are generated in
the FMD-HDE drives.

• Replacing drives

To change data encryption keys or FMD-HDE certification keys, Encryption License Key uses one Free key and
FMD Encryption License Key uses three Free keys for each drive. During this operation, media encryption keys are
generated in the FMD-HDE drives.

• Decrypting parity groups

To change data encryption keys or FMD-HDE certification keys, Encryption License Key uses one Free key, and

https://knowledge.hitachivantara.com/Documents/Management_Software/SVOS/8.2/Volume_Security/Data-at-Rest_Encryptio…
Updated: Thu, 26 May 2022 07:15:09 GMT
Powered by
8
 FMD Encryption License Key uses three Free keys for each drive in the parity group. During this operation, media
encryption keys are generated in the FMD-HDE drives.

• Adding or replacing encrypting back-end directors (EBEDs)

VSP G1x00, VSP F1500: To replace an EBED, 4 Free keys are used as CEKs, and 2 Free keys are used to
register them.

VSP F700, VSP F900, VSP G700, VSP G900: To replace an EBED, 2 Free keys are used as CEKs, and 1 Free key
is used to register them.

• Replacing BEDs with EBEDs

When the first BED is replaced with an EBED, one data encryption key (DEK) is assigned to all drives except for the
FMD-HDE drives in the storage system. The number of Free keys to be used for each replacement from BED to
EBED is as follows:
◦ Number of Free keys used as CEK: 4
◦ Number of Free keys used as KEKs for registering certification keys: 2

• Replacing controllers

VSP G350, VSP G370, VSP F350, VSP F370: 2 Free keys are used as CEKs, and 1 Free key is used to register
them.

VSP G700, VSP G900; VSP F700, VSP F900: No Free keys are used as CEKs, and no Free keys are used to
register them.

• Updating CEKs

VSP G1x00, VSP F1500: 4 Free keys for each EBED (32 Free keys per storage system) are needed to change
CEKs. This is the value when the maximum number of EBEDs are installed.

VSP G350, VSP G370, VSP F350, VSP F370: 2 Free keys for each controller (4 Free keys per storage system) are
needed to change CEKs.

VSP G700, VSP F700: 2 Free keys for each EBED (8 Free keys per storage system) are needed to change CEKs.

VSP G900, VSP F900: 2 Free keys for each EBED (16 Free keys per storage system) are needed to change CEKs.

• Updating PINs (VSP F1500 and VSP G1500)

Three Free keys for each FMD-HDE drive (1,728 Free keys per storage system) are needed to change PINs. This
is the value when the maximum number of FMD-HDE drives are installed.

Audit logging of encryption events

https://knowledge.hitachivantara.com/Documents/Management_Software/SVOS/8.2/Volume_Security/Data-at-Rest_Encryptio…
Updated: Thu, 26 May 2022 07:15:09 GMT
Powered by
9
The Audit Log feature provides logging of events that occur in the storage system, including events related to encryption
and data encryption keys. When the KMIP key manager is configured, the interactions between the storage system and
the KMIP key manager are also recorded in the audit log. You can use the audit log to check and troubleshoot key
generation and backup.

For details about audit logging and audit log events, see the Hitachi Audit Log User Guide.

Primary and secondary backups of encryption keys

The storage system automatically creates and stores a primary backup of each encryption key. In addition, you can
create secondary backups of the encryption keys. If a primary backup key is unavailable, the secondary backup is
required to restore the key.
ImportantThe creation and secure storage of backup keys must be included as part of your corporate security policy. It is
strongly recommended that you back up each encryption key or group of keys immediately after you create them and
that you schedule regular backups of all encryption keys to ensure data availability. You are responsible for storing the
secondary backup keys securely.
CautionIf a primary backup key becomes unavailable and no secondary backup key exists, the system cannot decrypt
the encrypted data.

Automatic encryption key backup (key management server only)

When a key management server is used, encryption keys are automatically backed up after they are created. This
operation is called an automatic backup.

When a key management server is not used, an automatic backup is not performed, and you must manually back up the
encryption keys.

Regular encryption key backups

If desired, you can configure regularly scheduled encryption key backups to the key management server. These
operations are called regular backup operations. You can enable the Encryption Key Regular Backup option and specify
the time(s) for the regular backup operations on the Edit Encryption Environmental Settings window. Regular backup
operations are performed automatically even when the designated regular backup user is not logged in.
ImportantPerforming regular backups is a supplemental function available only when the key management server is
used and the Encryption Key Regular Backup option is enabled.

• If the key management server is used but you do not enable the regular backup option, the encryption keys are
backed up automatically after they are created.
• If the key management server is not used, you must perform manual backups, especially immediately after you
create encryption keys.

How regular backups are queued and performed

At the specified time for a regular backup, the regular backup operation is queued as a task. You can verify queued
tasks in the Tasks window. If other tasks are already in the queue, the regular backup will not start until after the other

https://knowledge.hitachivantara.com/Documents/Management_Software/SVOS/8.2/Volume_Security/Data-at-Rest_Encryptio…
Updated: Thu, 26 May 2022 07:15:09 GMT
Powered by
10
tasks already in the queue are complete. Because of this, the time that the regular backup begins might be different from
the time you specified. In addition, if the key management server has the latest backup, the regular backup task is
skipped because it is not necessary to back up the same encryption keys again.

At the specified time for a regular backup, if the previous regular backup has not yet been performed because another
queued task is still in progress, a second regular backup task is not added to the task queue, and only the first regular
backup is performed. For example, if you specify 00:00 and 02:00 for regular backups, and a task started before 00:00
completes at 03:00, the 02:00 regular backup is not queued, and only the regular backup for 00:00 is performed at
03:00.
Note

• When the SVP stops, regular backup operations are not performed. After the SVP is restarted, regular backups will
resume queueing as a task.
• During a regular backup, your service representative cannot perform SVP operations or maintenance of the storage
system. If a regular backup will occur during planned maintenance, you can revise the regular backup schedule or
cancel the regular backup task temporarily.

Verifying regular backups

You should verify, on a regular basis, that regular backups are being performed successfully. You can verify the regular
backup task results in the Tasks window. To view details about a regular backup task, you must have the System
Administrator (System Resource Management) role, or you must be logged in as the designated regular backup user.
You can also verify the regular backup task results in the audit log. The audit log records the regular backup user name
for the regular backup tasks.
Note

• If a regular backup task is skipped (for example, because the key management server already has the latest
backup), the skipped task is not output to the Tasks window or to the audit log.
• If a necessary regular backup task is not performed, the task is regarded as failed. You can check the details of the
failed task in the audit log.

Discontinuing regular backups

If you want to discontinue regular backups, you can disable the Enable Encryption Key Regular Backup to Key
Management Server option in the Edit Encryption Environmental Settings window.
Managing the number of backed up encryption keys

A regular backup deletes the old encryption key. Because of this, the number of encryption keys to be backed up
regularly is always one. In the same way as manually backed up keys, the status of a regular backup encryption key can
be viewed, and the key itself can be restored or deleted.
NoteWhen you manually back up encryption keys, the old keys are not deleted. The number of keys that can be backed
up on a key management server is limited. Make sure to delete unnecessary keys from the key management server
whenever possible.

Workflow for implementing data encryption

Use the following workflow to implement data encryption on your storage system:

https://knowledge.hitachivantara.com/Documents/Management_Software/SVOS/8.2/Volume_Security/Data-at-Rest_Encryptio…
Updated: Thu, 26 May 2022 07:15:09 GMT
Powered by
11
1. If you will use a key management server, configure the key management server first. Several configuration tasks
must be performed on the key management server before you can perform the initial configuration of the
Encryption License Key and FMD Encryption License Key software.

For details, see Key management server connections.

2. Install the Encryption License Key and/or FMD Encryption License Key software.

For instructions, see Installing the Encryption License Key and FMD Encryption License Key software.
3. Configure the encryption environmental settings on the storage system.

For instructions, see Configuring the encryption environmental settings.

4. Create and back up the encryption keys.

For details, see Creating and backing up encryption keys.

5. Enable encryption on the desired parity groups.

For instructions, see Enabling encryption on a parity group that does not contain pool volumes.

https://knowledge.hitachivantara.com/Documents/Management_Software/SVOS/8.2/Volume_Security/Data-at-Rest_Encryptio…
Updated: Thu, 26 May 2022 07:15:09 GMT
Powered by
12