Setup Encryption Mode

Overview

This function sets the encryption mode to encrypt volumes by using the CM.

There are two methods to encrypt a volume.

Encryption by firmware (CM)

To encrypt volumes by the CM, use this function to enable the encryption mode (*1). After the encryption mode is enabled, create volumes of which "Encryption by CM" is set to "On". Refer to the [Create Volume] function for details.

*1 : The encryption mode is enabled by selecting "Fujitsu Original Encryption", "AES-128", or "AES-256".
Encryption by drive (SED)

To encrypt volumes by the SED, create volumes in RAID groups or TPPs that are configured with SEDs. Refer to the [Create Volume] function for details. In this case, encrypted volumes can be created even when "Encryption Mode" is set to "Disable".

Note that Web GUI cannot be used to create volumes in FTRPs. To create volumes in FTRPs, use CLI or ETERNUS SF Storage Cruiser.

Use either "Encryption by CM" or "Encryption by SED" for each volume. Note that because "Encryption by CM" reduces the volume access performance, using "Encryption by SED" is recommended.

Caution

The ETERNUS DX60 S5 does not support this function.
Encryption related functions are only available after the encryption mode is enabled.
When disabling the encryption mode, reboot the storage system.
Once a volume has been encrypted, it cannot be changed back to a non-encrypted volume.
The encryption mode cannot be disabled for volumes or pools with the following conditions.
- Volumes that are already encrypted by CM
- Pools (or TPPs and FTRPs) that are already encrypted by CM
- Volumes that are being encrypted by CM
- Extreme Cache Pools that are already encrypted by CM
When using the encryption function in a Unified Storage environment, set the "Encryption Mode" as described below.
- For the ETERNUS DX100 S5
  
  Select "Fujitsu Original Encryption" for the encryption mode. If "AES-128" or "AES-256" is selected, the performance of the NAS function is reduced.
- For the other models
  
  Selecting "Fujitsu Original Encryption" for the encryption mode is recommended.

Note

The encryption mode can be changed even when volumes or pools (TPPs or FTRPs) in the storage system are already encrypted by the SED.
If the encryption mode is enabled with this function (*1), existing unencrypted volumes (or "Standard", "WSV", and "SDV" type volumes) can be encrypted. Refer to the [Encrypt Volume] function for details.
The encryption mode setting can be checked. Refer to the [System Settings] function for details.

*1 : The encryption mode is enabled by selecting "Fujitsu Original Encryption", "AES-128", or "AES-256".

User Privileges

Availability of Executions in the Default Role

Default role	Availability of executions
Monitor
Admin
StorageAdmin
AccountAdmin
SecurityAdmin
Maintainer

Refer to "User Roles and Policies" for details on the policies and roles.

Settings

In this screen, set the encryption mode.

Encryption Mode Setting

Item	Description	Setting values
Encryption Mode	Select the encryption mode to encrypt volumes by using the CM. This item is displayed when no encrypted volume and no encrypted pool (or TPP and FTRP) exist in the storage system. To enable encryption by the CM, select "Fujitsu Original Encryption", "AES-128", or "AES-256". Disable The encryption function by the CM is not used. When the encryption mode is changed to "Disable" from one of the following options, reboot the storage system. Fujitsu Original Encryption AES-128 AES-256 Fujitsu Original Encryption "Fujitsu Original Encryption" is an encryption method which uses a Fujitsu proprietary algorithm. Compared to the AES-128bit method, its practical security level is almost equal while it allows faster processing than the AES-128bit method. AES-128 "AES-128" is an encryption method that uses the AES 128bit method. "Advanced Encryption Standard (AES)" (standard encryption used for information processing by the US federal government) is a standardized encryption method. AES-256 "AES-256" is an encryption method that uses the AES 256bit method. Compared to the AES-128bit method, the encryption strength is higher (meaning that decrypting the encrypted data is difficult), but the Read/Write access performance for the volumes is reduced.	Disable (Default) Fujitsu Original Encryption AES-128 AES-256

Item

Description

Setting values

Encryption Mode

Select the encryption mode to encrypt volumes by using the CM.

This item is displayed when no encrypted volume and no encrypted pool (or TPP and FTRP) exist in the storage system. To enable encryption by the CM, select "Fujitsu Original Encryption", "AES-128", or "AES-256".

Disable
The encryption function by the CM is not used.
When the encryption mode is changed to "Disable" from one of the following options, reboot the storage system.
- Fujitsu Original Encryption
- AES-128
- AES-256
Fujitsu Original Encryption

"Fujitsu Original Encryption" is an encryption method which uses a Fujitsu proprietary algorithm.

Compared to the AES-128bit method, its practical security level is almost equal while it allows faster processing than the AES-128bit method.
AES-128

"AES-128" is an encryption method that uses the AES 128bit method.

"Advanced Encryption Standard (AES)" (standard encryption used for information processing by the US federal government) is a standardized encryption method.
AES-256

"AES-256" is an encryption method that uses the AES 256bit method.

Compared to the AES-128bit method, the encryption strength is higher (meaning that decrypting the encrypted data is difficult), but the Read/Write access performance for the volumes is reduced.

Disable (Default)

Fujitsu Original Encryption

AES-128

AES-256

Operating Procedures

In this screen, set the encryption mode.

Click [Setup Encryption Mode] in [Action].
Select the encryption mode and click the [Set] button.

→ A confirmation screen appears.
Click the [OK] button.

→ The encryption mode setting is performed.
Click the [Done] button to return to the [System Settings] screen.
Caution
- When disabling the encryption mode, reboot the storage system.