The present invention relates to a computer system equipped with a storage apparatus and a method for controlling the computer system. Particularly, the invention relates to a computer system equipped with an encryption key management function at the time of hot swap of a storage medium in which data is encrypted and stored.
In order to prevent data leakage through, for example, theft of a storage medium connected to a storage apparatus, the storage apparatus is configured to encrypt data received with a write request from a host computer and store the encrypted data in storage media; when it receives a read request for that data from the host computer, the storage apparatus reads the encrypted data from the storage media, decodes (decrypts) it, and sends it to the host computer.
This type of storage apparatus encrypts and decodes the stored data using an encryption key that is set per storage medium. For the case where a failure occurs in a storage medium such as an HDD and the failed HDD is to be hot-swapped, a storage apparatus has been proposed that uses a collection copy function and assigns an encryption key to a spare disk by transferring the encryption key of the failed HDD to the spare disk (WO2010/137177).
A method has also been proposed that always encrypts all storage media contained in a storage apparatus, so that encrypted and unencrypted storage media are not allowed to coexist (EMC Symmetrix Data at Rest Encryption, EMC Corporation white paper, November 2010).
In such a storage apparatus, management of key information is important in order to prevent data loss caused by the inability to decode the encrypted data once the encryption key is lost, and to prevent information leakage caused by loss or leakage of the encryption key. PTL 1 (WO2010/137177) discloses a method for protecting the encrypted data at the time of an HDD failure, but gives no consideration to management of the encryption key. As for NPL 1 (the EMC white paper), all installed storage media are encrypted, so in an IT system that adopts host-computer-based encryption the data is encrypted twice, which degrades I/O performance; furthermore, NPL 1 gives no consideration to an encryption key management method.
Where a storage medium has to be hot-swapped, data leakage or data loss cannot be prevented unless the encryption key is managed adequately. For example, if the encryption key for a failed storage medium leaks, data might leak from that failed medium after it is removed from the storage apparatus. Also, if a spare storage medium cannot be encrypted at the time of hot swap because of a shortage of encryption keys, the confidentiality of data on the spare drive may be degraded, or the hot swap itself may not be performed; in that case multiple failures may accumulate in the storage media and cause data loss.
Therefore, it is an object of this invention to provide a computer system and computer system control method capable of reliably preventing data leakage and data loss even under the circumstance where a storage medium has to be removed from the system, for example, where a failure has occurred in an encrypted storage medium.
In order to achieve the above-described object, a first invention is a computer system for dividing data from a host computer into a plurality of divided data and generating parity based on the plurality of divided data, assigning key information to each of a plurality of storage media, and encrypting, distributing, and storing the parity and the plurality of divided data in the plurality of storage media; the computer system includes: a first circuit constituting an interface with the host computer; a second circuit constituting an interface with the plurality of storage media; and a controller for restoring the parity or the divided data, which are stored in a specific storage medium belonging to the plurality of storage media, to a spare storage medium; wherein the controller: determines the specific storage medium from among the plurality of storage media; stores the parity or the divided data, which are stored in the specific storage medium, in the spare storage medium based on the plurality of storage media other than the specific storage medium; and controls timing to cancel the key information assigned to the specific storage medium based on timing to finish storing the parity or the divided data in the spare storage medium and cancels the key information in accordance with the controlled timing.
The present invention provides a function that controls the timing at which key information for a storage medium removed from the system is cancelled, so that this timing can be optimized: cancelling the key information too early may cause data loss if, for example, multiple storage media fail, while cancelling it too late may allow data to leak from the storage medium removed from the system.
Furthermore, a second invention is a computer system for dividing data from a host computer into a plurality of divided data and generating parity based on the plurality of divided data, assigning key information to each of a plurality of storage media, and encrypting, distributing, and storing the parity and the plurality of divided data in the plurality of storage media; the computer system includes: a first circuit constituting an interface with the host computer; a second circuit constituting an interface with the plurality of storage media; and a controller for restoring the parity or the divided data, which are stored in a specific storage medium belonging to the plurality of storage media, to a spare storage medium; wherein the controller: determines the specific storage medium from among the plurality of storage media; assigns key information to the spare storage medium; encrypts and stores the parity or the divided data, which are stored in the specific storage medium, in the spare storage medium based on the plurality of storage media other than the specific storage medium; cancels the key information assigned to the specific storage medium when removing the specific storage medium from a storage area of the plurality of storage media; migrates the parity and/or the divided data, which are restored in the spare storage medium, to another storage medium to which the key information is assigned; and cancels the key information assigned to the spare storage medium if the migration of the parity or the divided data is completed.
Furthermore, a third invention is a method for controlling a computer system for dividing data from a host computer into a plurality of divided data and generating parity based on the plurality of divided data, assigning key information to each of a plurality of storage media and encrypting, distributing, and storing the parity and the plurality of divided data in the plurality of storage media, wherein when restoring the parity or the divided data, which are stored in a specific storage medium belonging to the plurality of storage media, to a spare storage medium, the computer system: determines the specific storage medium from among the plurality of storage media; stores the parity or the divided data, which are stored in the specific storage medium, in the spare storage medium based on the plurality of storage media other than the specific storage medium; and controls timing to cancel the key information assigned to the specific storage medium based on timing to finish storing the parity or the divided data in the spare storage medium and cancels the key information in accordance with the controlled timing.
According to the present invention, it is possible to provide a computer system and computer system control method capable of reliably preventing data leakage and data loss even under the circumstance where a storage medium has to be removed from the system, for example, where a failure has occurred in an encrypted storage medium.
Next, embodiments of the present invention will be explained, starting with the first embodiment. The first embodiment relates to a computer system in which storage media are encrypted by the controller of the storage apparatus. The computer system enables encryption on a parity group; if a failure occurs in an HDD constituting the parity group, the computer system performs a hot swap. Then, when the failed HDD is removed from the system and a new HDD is added, the computer system shreds the encryption key assigned to the removed HDD, thereby automatically crypto-shredding the data stored on that HDD.
Subsequently, the computer system restores the data or parity of the failed HDD by collection copying from the other HDDs constituting the same parity group, copies the restored data back from the spare disk to the newly installed HDD, and then also shreds the encryption key assigned to the spare disk, thereby automatically crypto-shredding the data stored on the spare disk.
Furthermore, the storage apparatus requests a security administrator to generate an encryption key for the spare disk in preparation for the next hot swap.
The storage apparatus 20000 includes a host computer I/F unit (FEPK: FrontEnd PacKage) 21000, a media I/F unit (BEPK: BackEnd PacKage) 22000, a control unit (MPPK: Micro Processor PacKage) 23000, and a shared memory unit (CMPK: Cache Memory PacKage) 24000 as shown in
The FEPK 21000 has a plurality of host computer I/Fs 21100, is connected via the first network 50000 to the host computer 40000 and also connected to the internal network 25000, and serves as an intermediary upon reception and delivery of read/write processing target data between the host computer 40000 and volumes.
The BEPK 22000 has a plurality of media I/Fs 22100, is connected via a cable to physical storage devices (for example, HDDs and semiconductor memories such as flash memories) 22200 and also connected to the internal network 25000, and serves as an intermediary upon reception and delivery of read/write processing target data between the internal network side and the physical storage devices 22200.
The CMPK 24000 has a control information memory (MEMORY FOR CONTROL) 24100 and a data cache memory (CACHE MEMORY) 24200. The control information memory 24100 stores information necessary for processing, such as control information and configuration information, and the data cache memory 24200 temporarily stores (caches) data to be written to, or read from, the physical storage devices 22200. Both memories may be volatile memories such as DRAM (Dynamic Random Access Memory).
The MPPK 23000 is configured so that a plurality of Micro Processors (MP) 23100 and a Local Memory (LM) 23200 are connected via a bus 23300; and the LM 23200 stores part of the control information stored in the control information memory 24100. The MP 23100 sets a logical storage area 22210 (hereinafter referred to as the parity group) constituted from a group of a plurality of physical storage devices of the same type, cuts out part of the parity group 22210 as a volume 22220, and provides it to the host computer 40000.
The HDD management function 23220 refers to a parity group management table 23230 and an HDD management table 23240; if an encryption key is assigned to an HDD at the time of its removal, the HDD management function 23220 requests the key management function 23210 to shred that encryption key and also requests it to assign a new encryption key to the HDD to be newly installed in the storage apparatus.
A storage control function 23270 monitors HDD installation slots; and if an HDD is installed in, or removed from, the storage apparatus, the storage control function 23270 reports it to the HDD management function 23220.
Each of the key management function 23210, the HDD management function 23220, and the storage control function 23270 is achieved by programs. Incidentally, these functions may be achieved by dedicated integrated circuits.
The management computer 30000 is equipped with a management I/F 31000, a memory 32000, a disk 33000, and a processor 34000 as shown in
Next, an encryption key management method for the storage apparatus according to the first embodiment will be explained. Firstly, the outline of the encryption key management method is as follows. When an administrator of the storage apparatus intends to remove a specific HDD, in which a failure occurred, and if an encryption key is assigned to the relevant HDD, the storage apparatus shreds the relevant encryption key and executes processing for crypto-shredding data stored in the relevant HDD. Then, when copy-back of data is performed from a spare disk to an HDD newly installed in the storage apparatus and if an encryption key is assigned to the relevant spare disk, the data stored in the relevant spare disk is crypto-shredded by shredding the relevant encryption key after the completion of the copy-back. The encryption key control method will be explained in detail based on flowcharts shown in
Referring to
The HDD management function 23220 analyzes the HDD removal request, refers to the installation location ID column of the HDD management table 23240, and identifies the HDD whose installation location ID matches the one included in the user's HDD removal request (F10010). Next, the HDD management function 23220 checks whether a failure has occurred in the relevant HDD and the HDD has been deactivated (F10020).
If it is determined in step F10020 that the relevant HDD is in normal operation (F10020: Yes), that is, if the operation status column 23247 of the HDD management table 23240 stores information indicating that the relevant HDD is in normal operation (the letter string “Normal” in
On the other hand, if the relevant HDD is not in normal operation in step F10020, that is, if the operation status column 23247 of the HDD management table 23240 stores information indicating that the relevant HDD is not in normal operation (the letter string “Deactivated by Failure,” or “Unoperated,” or “Deactivated” in
Next, the HDD management function 23220 refers to the HDD management table 23240 and judges whether or not an encryption key is assigned to the relevant HDD (F10030). This judgment can be made depending on whether the ID of an encryption key is set to the ID of the removal target HDD in the HDD management table 23240. If it is determined in step F10030 that the encryption key is assigned to the relevant HDD (F10030: Yes), the HDD management function 23220 requests the key management function 23210 to shred the relevant key and the key management function 23210 executes processing for shredding the relevant encryption key (F10040). The processing for shredding the encryption key for the removal target HDD will be explained later. If no encryption key is assigned to the relevant HDD, the HDD management function 23220 does not execute step F10040 and proceeds to the next step F10060. Incidentally, the encryption key of the relevant HDD may be shredded before the removal permission notice for the failed HDD.
If the user removes the HDD with the installation location ID for which the removal permission was granted in step F10024, and the HDD management function 23220 obtains a removal confirmation notice from the user via the GUI provided by the encryption management function 32100 of the management computer 30000 (F10060), the HDD management function 23220 obtains the key ID of the removal target HDD from the key ID column 23249 of the HDD management table 23240 (in a case where an encryption key is set to the HDD) and stores information indicating that replacement processing on the relevant hot swap source HDD is being executed (the letter string “True” in
Next, as shown in a flowchart in
Subsequently, the HDD management function 23220 asks the user, via the GUI provided by the encryption management function 32100, whether copy-back from the spare disk, in which the data and parity of the removed HDD have been restored, to the new HDD is required, and then checks whether the user requested the copy-back (F11020).
If the HDD management function 23220 determines in step F11020 not to perform copy-back from the spare disk to the new HDD (F11020: No), it recognizes the relevant new HDD as a new spare disk (F11030), stores information indicating that the relevant new HDD is a spare disk (“Spare” in
If it is determined in step F11020 that copy-back from the spare disk, in which the data of the removed HDD is restored, to the new HDD is to be executed (F11020: Yes), the HDD management function 23220 refers to the hot swap management table 23270 and obtains the hot swap destination HDD ID stored in the hot swap destination HDD ID column 23273 corresponding to the ID of the removed HDD (where the letter string “True” is set in
Then, the HDD management function 23220 refers to the key ID column 23249 of an HDD whose HDD ID in the HDD ID column 23241 of the HDD management table 23240 matches the hot swap destination HDD ID; and judges whether or not an encryption key is assigned to the spare disk (F11040).
If it is determined in step F11040 that an encryption key is assigned to the spare disk (F11040: Yes), that is, if a key ID is stored in the key ID column 23249 of the HDD management table 23240, the HDD management function 23220 executes processing for assigning an encryption key to the new HDD (F11050) and then executes copy-back from the spare disk to the new HDD (F11060).
If it is determined in step F11040 that no encryption key is assigned to the spare disk (F11040: No), that is, if no key ID is stored in the key ID column 23249 of the HDD management table 23240, the HDD management function 23220 does not perform step F11050 and executes copy-back from the spare disk to the new HDD (F11060). Incidentally, if encryption is set to a parity group, an encryption key should normally be assigned to a spare disk for the HDD belonging to the relevant parity group.
If the copy-back is normally completed, the HDD management function 23220 judges again whether or not an encryption key is assigned to the relevant spare disk (F11070). If no encryption key is assigned to the relevant spare disk (F11070: No), the HDD management function 23220 updates the HDD ID column 23233 of the parity group management table 23230 to the ID of the new HDD and then stores information indicating that the relevant spare disk is unused (the letter string “Unoperated” in
If it is determined in step F11070 that an encryption key is assigned to the relevant spare disk (F11070: Yes), the HDD management function 23220 identifies the key ID of the key assigned to the relevant spare disk from the key ID column 23249 of the HDD management table 23240, designates the key ID to the key management function 23210, and requests shredding of the relevant encryption key. When the copy-back is completed, the key management function 23210: recognizes that the attribute of the (spare) disk has changed; starts step F11080 for the case where an encryption key is assigned to the (spare) disk; cancels the encryption key with the key ID, for which it has received the shredding request, from the key management table 23250; and then proceeds to step F11090.
If it is necessary to generate an encryption key for the spare disk, the HDD management function 23220 requests the key management function 23210 to generate the spare disk encryption key via the GUI provided by the encryption management function 32100 of the management computer 30000 as will be explained with reference to a flowchart described later.
The removal of an HDD is requested mainly when the HDD is deactivated by a failure and the relevant HDD is to be hot-swapped; however, an HDD is sometimes removed from the storage apparatus in a case of HDD maintenance. Even in a case where the removal of an HDD, in which no failure has occurred, needs to be supported for the purpose of, for example, the HDD maintenance, the processing in steps F10020 and F10022 is executed and then I/O to the HDD is stopped.
If the HDD management function 23220 determines in step F10024 that an encryption key is assigned to the HDD for which the removal permission was granted (F10030), it starts the flowchart in
During Loop 1 indicated as steps F10042 through F10045, the HDD management function 23220 waits to proceed to F10046 until the collection copying is completed. Specifically speaking, the HDD management function 23220 sets a collection copy completion flag to False and starts Loop 1 (F10042), refers to the operation status column 23247 of the spare disk in the HDD management table 23240, and confirms the completion of collection copying (F10043). If it is determined in step F10043 that the collection copying is not completed, that is, if the operation status column 23247 of the spare disk in the HDD management table 23240 stores information indicating that the collection copying is being executed (the letter string “In Preparation” in
If it is determined in step F10043 that the collection copying is completed, that is, the operation status column 23247 of the spare disk in the HDD management table 23240 stores information indicating that normal operation is being performed (“Normal” in
After exiting Loop 1 and confirming that the collection copy completion flag is True, the HDD management function 23220 cancels the key ID from the key ID column 23249 of the HDD, for which the removal permission was granted, in the HDD management table 23240, releases the assignment of the encryption key to the relevant HDD, and requests the key management function 23210 to cancel the encryption key with the relevant key ID (F10046). The key management function 23210 cancels the key with that key ID from the key management table 23250 (F10047) and then terminates the flowchart (F10049).
The most secure approach is to shred the encryption key immediately and thereby crypto-shred the removed HDD, so that no information can leak from it. However, if problems such as multiple HDD failures occur before the rebuild (collection copying) of the parity group completes, so that data must be restored from the removed HDD, and the encryption key has already been shredded, the data may still be readable from the removal target HDD but can no longer be decoded, which may lead to data loss. Therefore, after permission is granted to remove the failed HDD, the encryption key assigned to that HDD is retained until the collection copying completes, as shown in the flowchart in
On the other hand, the storage apparatus 20000 can also automatically shred the encryption key of the removed HDD regardless of the progress of the collection copying; even in this case, however, the encryption key of the relevant HDD is not shredded for a certain period of time after the removal target HDD is decided or removed, and is shredded only after that period. If a customer engineer (CE) mistakenly removes an HDD that should not be removed and the encryption key of that HDD were shredded immediately, the data stored on the relevant HDD would be lost.
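The removal flow above (removal permission, Loop 1 retaining the failed HDD's key until collection copying completes, then F10046/F10047) and the installation flow (F11020 through F11080: reserved key to the new HDD, copy-back, shredding of the spare disk's key), as an added simulation that is not part of the patent. Class and method names, the "Assigned" key status and the stand-in for the security administrator's key generation are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Status strings used by the description's management tables.
NORMAL, FAILED, IN_PREP, UNOPERATED = "Normal", "Deactivated by Failure", "In Preparation", "Unoperated"
RESERVED_KEY, ASSIGNED_KEY = "Reserved Key", "Assigned"  # "Assigned" is an assumed label


@dataclass
class Hdd:
    hdd_id: str
    slot: str                     # installation location ID
    status: str                   # operation status column
    key_id: Optional[str] = None  # key ID column; None = no key assigned
    spare: bool = False


class KeyManagement:
    """Key management function: key ID -> status in the key management table."""

    def __init__(self, assigned: list, reserved: list) -> None:
        self.table = {k: ASSIGNED_KEY for k in assigned}
        self.table.update({k: RESERVED_KEY for k in reserved})

    def assign_reserved_key(self) -> str:
        key_id = next(k for k, s in self.table.items() if s == RESERVED_KEY)
        self.table[key_id] = ASSIGNED_KEY
        return key_id

    def shred(self, key_id: str) -> None:
        del self.table[key_id]  # deleting the key crypto-shreds the medium's data

    def generate_spare_key(self) -> str:
        """Stands in for asking the security administrator for a new spare key (assumed)."""
        key_id = f"K-gen{len(self.table)}"
        self.table[key_id] = RESERVED_KEY
        return key_id


class HddManagement:
    """HDD management function: HDD table plus hot swap source -> destination map."""

    def __init__(self, keys: KeyManagement, hdds: list) -> None:
        self.keys, self.hdds = keys, {h.hdd_id: h for h in hdds}
        self.hot_swap, self.removal_permitted = {}, set()

    def fail(self, hdd_id: str) -> str:
        """Failure detected: deactivate the HDD and start collection copy to a spare."""
        self.hdds[hdd_id].status = FAILED
        spare = next(h for h in self.hdds.values() if h.spare and h.status == UNOPERATED)
        if spare.key_id is None:  # encrypted parity group: the spare needs a key too
            spare.key_id = self.keys.assign_reserved_key()
        spare.status = IN_PREP
        self.hot_swap[hdd_id] = spare.hdd_id
        return spare.hdd_id

    def request_removal(self, slot: str) -> bool:
        """F10020: only a deactivated HDD may be removed; its key is not shredded yet,
        Loop 1 (F10042-F10045) defers that until the spare reports normal operation."""
        hdd = next(h for h in self.hdds.values() if h.slot == slot)
        if hdd.status == NORMAL:
            return False
        self.removal_permitted.add(hdd.hdd_id)
        self._shred_if_rebuilt(hdd)
        return True

    def collection_copy_completed(self, spare_id: str) -> None:
        """F10043: the spare leaves "In Preparation", so Loop 1 can exit."""
        self.hdds[spare_id].status = NORMAL
        for src, dst in self.hot_swap.items():
            if dst == spare_id and src in self.removal_permitted:
                self._shred_if_rebuilt(self.hdds[src])

    def _shred_if_rebuilt(self, hdd: Hdd) -> None:
        dst = self.hot_swap.get(hdd.hdd_id)
        if dst is None:
            return  # no collection copy in progress for this HDD
        if hdd.key_id is not None and self.hdds[dst].status == NORMAL:  # F10046/F10047
            self.keys.shred(hdd.key_id)
            hdd.key_id = None

    def install_new_hdd(self, removed_id: str, new_id: str, copy_back: bool) -> Hdd:
        """F11020-F11080: the new HDD becomes a spare, or receives the spare's data."""
        old = self.hdds.pop(removed_id)
        new = self.hdds[new_id] = Hdd(new_id, old.slot, NORMAL)
        spare = self.hdds[self.hot_swap.pop(removed_id)]
        if not copy_back:  # F11030: keep the new HDD as a spare
            new.spare, new.status = True, UNOPERATED
            return new
        if spare.key_id is not None:  # F11040 -> F11050
            new.key_id = self.keys.assign_reserved_key()
        # F11060: copy-back of data and parity from the spare to the new HDD happens here
        if spare.key_id is not None:  # F11070 -> F11080: shred the spare's key
            self.keys.shred(spare.key_id)
            spare.key_id = None
            self.keys.generate_spare_key()  # prepare a key for the next hot swap
        spare.status = UNOPERATED
        return new
```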
The HDD management function 23220 requests the key management function 23210 to assign an encryption key to the new HDD (F11052). The key management function 23210 selects the key ID(s) of the encryption key(s) whose status column 23255 in the encryption key management table 23250 stores information indicating that the relevant encryption key is not assigned to any HDD, that is, is unused (the letter string “Reserved Key” in
Incidentally, assignment of the encryption key to the new HDD is not limited to the case where the necessity of the copy-back is determined; and the assignment of the encryption key to the new HDD may be immediately executed, for example, when a failed HDD is detected.
If the HDD management function 23220 is notified by the storage control function 23270 that an HDD has been removed, or an HDD is to be removed, it starts the flowchart (F12000). The HDD management function 23220 obtains the HDD ID of the removed HDD from the HDD ID column 23241 of the HDD management table 23240 and compares it with the HDD ID of the HDD for which the removal was permitted in step F10024 in
On the other hand, if the HDD management function 23220 determines in step F12010 that the HDD ID of the relevant HDD is not identical to the ID of the HDD whose removal was permitted (F12010: No), the HDD management function 23220 refers to the key ID column 23249 of the HDD management table 23240 and checks whether or not an encryption key is assigned to the relevant HDD (F12020).
If the HDD management function 23220 determines in step F12020 that no encryption key is assigned to the relevant HDD, that is, no key ID is stored in the key ID column 23249 of the HDD management table 23240 (F12020: No), it terminates the flowchart (F12070).
If the HDD management function 23220 determines in step F12020 that an encryption key is assigned to the relevant HDD (F12020: Yes), that is, a key ID is stored in the key ID column 23249 of the HDD management table 23240, it proceeds to step F12030.
During Loop 2 from step F12030 to step F12050, the HDD management function 23220 judges whether or not the relevant HDD is reinstalled in the storage apparatus 20000 within a certain period of time after the removal of the HDD for the purpose of, for example, maintenance (F12040). If the removed HDD is returned to the storage apparatus 20000 within the certain period of time, the HDD management function 23220 compares the HDD ID of the installed HDD with the HDD ID of the removed HDD. If the HDD ID of the HDD returned to the storage apparatus is identical to the HDD ID of the removed HDD (F12040: Yes), the HDD management function 23220 terminates the flowchart (F12070).
If the HDD ID of the HDD returned to the storage apparatus is not identical to the HDD ID of the removed HDD in step F12040, the HDD management function 23220 terminates Loop 2 after the certain period of time has elapsed since the removal of the HDD. The HDD management function 23220 identifies the key ID of the key assigned to the relevant new HDD from the key ID column 23249 of the HDD management table 23240, designates the key ID to the key management function 23210, and requests shredding of the encryption key of the removed HDD (F12050).
When the key management function 23210 cancels the encryption key with the key ID, for which the shredding request was made, from the key management table 23250 (F12060) and the HDD management function 23220 confirms the cancellation of the encryption key, the key management function 23210 terminates the flowchart (F12070). When this happens, the HDD management function 23220 reports the shredding of the encryption key assigned to the removed HDD to the user and warns the user about such shredding via, for example, an LED placed on the back face of the storage apparatus 20000. A countdown to the shredding of the encryption key may be reported to the user. A user input means for enabling emergency stop of the shredding of the encryption key may be provided.
If the time width set by Loop 2 is too long, security is impaired; if it is too short, the workability of, for example, maintenance is impaired. Since security and workability trade off against each other, an appropriate time width is decided in advance. The administrator of the storage apparatus 20000 may change the time width.
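Loop 2 of the flow above (F12010 through F12060: an unpermitted removal of an encrypted HDD starts a grace period, a reinstall of the same HDD within it cancels the shred, and the key is shredded once the period elapses), as an added simulation that is not part of the patent. The monitor class, the injected clock values, the countdown report and the emergency-stop input are assumptions modelled on the description.

```python
from dataclasses import dataclass


@dataclass
class PendingShred:
    hdd_id: str
    key_id: str
    removed_at: float


class RemovalMonitor:
    """Tracks HDDs removed without permission and shreds their keys after a grace period."""

    def __init__(self, grace_seconds: float, permitted: set, key_of: dict) -> None:
        self.grace = grace_seconds            # Loop 2 time width; settable by the administrator
        self.permitted = permitted            # HDD IDs whose removal was permitted (F10024)
        self.key_of = key_of                  # HDD ID -> key ID, None when no key is assigned
        self.pending = {}                     # HDD ID -> PendingShred
        self.shredded = []                    # key IDs cancelled from the key table

    def on_removed(self, hdd_id: str, now: float) -> bool:
        """F12010/F12020: only an unpermitted removal of an encrypted HDD enters Loop 2."""
        if hdd_id in self.permitted or self.key_of.get(hdd_id) is None:
            return False
        self.pending[hdd_id] = PendingShred(hdd_id, self.key_of[hdd_id], now)
        return True

    def on_installed(self, hdd_id: str, now: float) -> bool:
        """F12040: the same HDD returning within the grace period cancels the shred."""
        p = self.pending.get(hdd_id)
        if p is None or now - p.removed_at >= self.grace:
            return False
        del self.pending[hdd_id]
        return True

    def emergency_stop(self, hdd_id: str) -> bool:
        """User input that aborts a pending shred; the key stays in the table."""
        return self.pending.pop(hdd_id, None) is not None

    def countdown(self, hdd_id: str, now: float) -> float:
        """Seconds left before the key is shredded, for reporting to the user."""
        p = self.pending[hdd_id]
        return max(0.0, p.removed_at + self.grace - now)

    def tick(self, now: float) -> list:
        """F12050/F12060: shred the key of every HDD whose grace period has elapsed."""
        done = []
        for hdd_id, p in list(self.pending.items()):
            if now - p.removed_at < self.grace:
                continue
            self.key_of[hdd_id] = None        # assignment released in the HDD table
            self.shredded.append(p.key_id)    # key cancelled from the key table
            done.append(p.key_id)
            del self.pending[hdd_id]
        return done
```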
A second embodiment relates to a storage apparatus that imports and uses an encryption key generated by an external key management server for encryption and decoding of stored data. In particular, the second embodiment relates to a computer system in which, in preparation for a failed HDD having to be hot-swapped, the storage apparatus 20000 imports an encryption key for a spare disk from the external key management server in advance and reserves that key so that it is not used for any other purpose; this guards against a shortage of encryption keys when a communication failure with the external key management server makes it impossible to import encryption keys. The second embodiment will be explained below based on
After the encryption management function 32100 of the management computer 30000 receives a request from the user via the GUI to set the encryption setting of a parity group to on, it starts the processing of the flowchart (F20000). When the encryption management function 32100 obtains the number of HDD IDs (represented as x) stored in the HDD ID column 23233 of the parity group, for which the encryption setting request was made, in the parity group management table 23230 from the key management function 23210 (F20020) and obtains the number of HDDs (represented as y), regarding which the information indicating a spare disk (the letter string “Spare” in
If the encryption management function 32100 determines that it has failed to obtain the x+y encryption keys from the key management server (F20050: No), it notifies the user via the GUI that encryption cannot be set to on for the relevant parity group (F20060) and then terminates the flowchart (F20100).
If the encryption management function 32100 determines in step F20050 that it has successfully obtained the x+y encryption keys, it sends the relevant encryption keys to the key management function 23210 (F20070); the key management function 23210 stores the received encryption keys in the encryption key management table 23250 and stores information indicating that the relevant encryption key has not been assigned to any HDD yet (the letter string “Reserved Key” in
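The encryption-setting-on flow above (F20020 through F20100) together with the key assignment of F21030 through F21060, as an added simulation that is not part of the patent: x keys for the parity group's HDDs and y keys for the spare disks are imported in one request, encryption stays off if the import fails, and the y surplus keys remain reserved for spare disks. The key server stub, the table layouts and the "Assigned Key" status are assumptions.

```python
from typing import Optional

RESERVED_KEY = "Reserved Key"   # status of an imported key not yet assigned to any HDD
ASSIGNED_KEY = "Assigned Key"   # assumed label for a key assigned to an HDD


class KeyServer:
    """Stand-in for external key management server 80000 (constructed for this example)."""

    def __init__(self, available: int, reachable: bool = True) -> None:
        self.available, self.reachable, self.issued = available, reachable, 0

    def fetch(self, n: int) -> Optional[list]:
        """Return n new key IDs, or None on a communication failure or key shortage."""
        if not self.reachable or n > self.available:
            return None
        ids = [f"SRV-{self.issued + i}" for i in range(n)]
        self.issued, self.available = self.issued + n, self.available - n
        return ids


def count_spares(hdd_table: dict) -> int:
    """Number of HDDs whose status column holds "Spare"."""
    return sum(1 for h in hdd_table.values() if h["status"] == "Spare")


def enable_encryption(pg_id: str, parity_groups: dict, hdd_table: dict,
                      key_table: dict, server: KeyServer) -> bool:
    """Set the parity group's encryption on only if x + y keys could be imported."""
    pg = parity_groups[pg_id]
    x = len(pg["hdd_ids"])                 # F20020: HDDs in the parity group
    y = count_spares(hdd_table)            # spare disks that may take over on hot swap
    keys = server.fetch(x + y)
    if keys is None:                       # F20050: No -> F20060, encryption stays off
        return False
    for k in keys:                         # F20070: stored as "Reserved Key"
        key_table[k] = RESERVED_KEY
    # F21030-F21060: one reserved key per HDD of the parity group; the remaining
    # y keys stay reserved for spare disks and are not used for any other purpose.
    reserved = [k for k, s in key_table.items() if s == RESERVED_KEY]
    for hdd_id, k in zip(pg["hdd_ids"], reserved):
        key_table[k] = ASSIGNED_KEY
        hdd_table[hdd_id]["key_id"] = k
    pg["encryption"] = "ON"
    return True
```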
The HDD management function 23220 obtains the encryption key generation location (see the encryption key generation policy table 23260 in
If the HDD management function 23220 determines that the encryption key generation location is inside the storage apparatus (F21020: Inside Storage Apparatus), it proceeds to step F21060 and the steps after it. If the HDD management function 23220 determines that the encryption key generation location is the key management server (F21020: Key Management Server), it identifies the HDDs constituting the parity group, for which the encryption-setting-on request was made by the user's input, from the HDD ID column 23233 of the parity group management table 23230 (F21030) and requests as many encryption keys as the number of HDDs constituting the parity group from the key management function 23210 (F21040).
Incidentally, if the encryption key generation location is inside the storage apparatus, the key management function 23210 does not access the external key management server 80000, which is the only difference from the above-described flow; and the execution of steps from F21030 to F21060 by the HDD management function 23220 is the same as the flow in the case where the encryption key generation location is the key management server 80000. The same applies to a flowchart in
The key management function 23210 identifies as many key IDs of keys, regarding which the information indicating that the relevant key has not been assigned to any HDD (the letter string “Reserved Key” in
The HDD management function 23220 assigns the key IDs received from the key management function 23210 to the HDDs constituting the parity group for which the encryption-setting-on request was made, that is, the HDD management function 23220 stores the key IDs in the key ID column 23249 (the HDD management table 23240) of the relevant HDDs (F21060) and then terminates the flowchart (F21070).
The encryption management function 32100 starts the flowchart based on a login by the user (F22000). The encryption management function 32100 obtains information indicating whether a parity group whose encryption setting is on exists or not, from the HDD management function 23220 of the storage apparatus 20000 (F22010). When this happens, the HDD management function 23220 refers to the encryption setting column 23237 of the parity group management table 23230 and checks whether the information indicating that the encryption setting is on (the letter string “ON” in
If it is determined in step F22010 that no parity group whose encryption setting is on exists, the encryption management function 32100 terminates the flowchart (F22080). If it is determined in step F22010 that a parity group whose encryption setting is on exists, the key management function 23210 obtains the encryption key generation location (F22020). When doing so, the key management function 23210 refers to the encryption key generation location column 23261 of the key generation policy table 23260 and returns the information indicating the encryption key generation location to the encryption management function 32100.
If the encryption key generation location is inside the storage apparatus in step F22020, the encryption management function 32100 terminates the flowchart (F22080). If the encryption key generation location is the key management server in step F22020, the encryption management function 32100 obtains the number of unused spare disks from the HDD management function 23220 (F22030). When this happens, the HDD management function 23220 calculates the number of HDDs, regarding which the information indicating that the relevant HDD is a spare disk (the letter string “Spare” in
Next, the encryption management function 32100 obtains the number of unassigned keys from the key management function 23210 (F22040). When this happens, the key management function 23210 calculates the number of keys, regarding which the information indicating that the relevant key has not been assigned to any HDD yet (the letter string “Reserved Key” in
The encryption management function 32100 compares the number of unused spare disks obtained from the HDD management function 23220 with the number of unassigned keys obtained from the key management function 23210 (F22050). If the number of unused spare disks is less than the number of unassigned keys in step F22050, the encryption management function 32100 terminates the flowchart (F22080).
If the number of unused spare disks is more than the number of unassigned keys in step F22050, the encryption management function 32100 requests the key management server 80000 via the GUI to import as many encryption keys as the number obtained by subtracting the number of unassigned keys from the number of unused spare disks (F22060). When the user executes the encryption key import and sends the imported encryption keys to the key management function 23210 (F22070) and the key management function 23210 stores the relevant encryption keys in the key management table 23250, the encryption management function 32100 terminates the flowchart (F22080).
In a third embodiment, the user sets, as encryption key management policies for the keys used to encrypt and decode stored data, the encryption key generation location, whether prior generation of an encryption key for a spare disk is required or not, and whether automatic cancellation of an encryption key is permitted or not; the key management function 23210 then generates and/or cancels the relevant key in accordance with the relevant policy.
The key management function 23210 analyzes a request for the encryption key and obtains the requested number of encryption keys (F30010). Next, the key management function 23210 refers to the “whether prior generation of encryption key for spare disk is required or not” column 23264 in the key generation policy table 23260 and judges whether prior generation of encryption keys for spare disks is required or not (F30020).
If it is found in step F30020 that the “whether prior generation of encryption key for spare disk is required or not” column 23264 of the key generation policy table 23260 stores information indicating that the prior generation of the spare disk encryption key is not required (the letter string “Not Required” in
If it is found in step F30020 that the “whether prior generation of encryption key for spare disk is required or not” column 23264 of the key generation policy table 23260 stores information indicating that the prior generation of the spare disk encryption key is required (the letter string “Required” in
When this happens, the HDD management function 23220 calculates the number of HDDs (the number of unused spare disks), regarding which the information indicating that the relevant HDD is a spare disk (the letter string “Spare” in
The key management function 23210 compares the number of encryption keys (the number of unused and unassigned encryption keys) obtained by subtracting the number of encryption keys requested by the HDD management function 23220 from the number of encryption keys, regarding which the information indicating that the relevant key has not been assigned to any HDD yet (the letter string “Reserved Key” in
If it is found in step F30040 that the number of unused spare disks is less than the number of unused and unassigned keys (F30040: No), the key management function 23210 proceeds to step F30080. If it is found in step F30040 that the number of unused spare disks is more than the number of unused and unassigned keys (F30040: Yes), the key management function 23210 refers to the encryption key generation location column 23261 and the “whether internal generation of encryption key is possible or not at the time of key shortage” column 23262 of the key generation policy table 23260 and identifies the encryption key generation location (F30050) in order to generate as many encryption keys as the number calculated by subtracting the number of unused and unassigned keys from the number of unused spare disks.
If it is found in step F30050 that the encryption key generation location is the encryption key management server 80000 and the internal generation is not possible at the time of a key shortage, or the encryption key generation location is the encryption key management server 80000 and the HDD to which the relevant encryption key is to be assigned is an HDD constituting a parity group for which an encryption-setting-on request was made by the user (F30050: No), the key management function 23210 issues an encryption key import request to the encryption key management server 80000 via the GUI provided by the encryption management function 32100 of the management computer 30000 (F30060) and proceeds to step F30080.
If it is found in step F30050 that the encryption key generation location is inside the storage apparatus or the HDD to which the encryption key is to be assigned is a spare disk for executing hot swap because a failure has occurred in an HDD constituting the parity group, whose encryption setting is on, or is an HDD newly installed because of replacement of the HDD in which the failure occurred, and the encryption key generation location is the key management server and the internal generation is possible at the time of a key shortage (F30050: Yes), the encryption key management function 23210 generates an encryption key inside the storage apparatus 20000, stores the relevant encryption key in the key column 23253 of the key management table 23250, stores the information indicating that the relevant key has not been assigned to any HDD yet (the letter string “Reserved Key” in
After receiving the encryption key cancellation request, including the key ID and information indicating whether the HDD to which the relevant key is assigned is the removed HDD or a used spare disk, from the HDD management function 23220, the key management function 23210 starts the flowchart (F31000).
The key management function 23210 refers to the “whether automatic cancellation of encryption key assigned to removed HDD is possible or not” column 23265 of the encryption key generation policy table 23260 if the HDD to which the relevant encryption key is assigned is the removed HDD; or the key management function 23210 refers to the “whether automatic cancellation of encryption key assigned to spare disk is possible or not” column 23266 of the encryption key generation policy table 23260 if the HDD to which the relevant encryption key is assigned is the used spare disk; and then the key management function 23210 judges whether automatic cancellation of the relevant encryption key is possible or not (F31010).
If it is determined in step F31010 that the encryption key can be automatically canceled, that is, the information indicating that the encryption key may be automatically canceled (the letter string “Permitted” in
If it is determined in step F31010 that the encryption key cannot be automatically canceled, that is, the information indicating that the encryption key may not be automatically canceled (the letter string “Not Permitted” in
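The spare-disk key shortage check of the second embodiment (steps F22030 to F22060), the policy-driven provisioning of the third embodiment (steps F30020 to F30060), and the automatic cancellation judgment (step F31010) can be modelled over small in-memory tables. The following is an added example written for this page, not code from the patent or from any storage product; the dataclasses, field names, the `target` and `hdd_kind` string values, and the sample table contents are constructed assumptions, and the treatment of an equal count of unused spare disks and unassigned keys as "no shortage" is likewise an assumption, since the text only describes the "less than" and "more than" cases.

```python
"""Spare-disk key provisioning (F30020..F30060) and key cancellation (F31010)
modelled over in-memory tables.  Added example: the table layouts, field
names and sample values are constructed assumptions, not the storage
apparatus's own data structures or code."""
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

RESERVED = "Reserved Key"          # key not yet assigned to any HDD (key management table)
SPARE = "Spare"                    # spare-disk marker in the HDD management table
INSIDE = "Inside Storage Apparatus"
SERVER = "Key Management Server"


@dataclass
class KeyEntry:
    key_id: str
    key: bytes
    status: str = RESERVED         # RESERVED, or the ID of the HDD the key is assigned to


@dataclass
class HddEntry:
    hdd_id: str
    role: str                      # "Data" or SPARE
    key_id: Optional[str] = None   # key ID column; None when no key is assigned


@dataclass
class KeyPolicy:
    """Key generation policy table; fields follow the columns named in the text."""
    generation_location: str               # column 23261: INSIDE or SERVER
    internal_generation_at_shortage: bool  # column 23262
    prior_generation_for_spare: bool       # column 23264
    auto_cancel_removed_hdd: bool          # column 23265
    auto_cancel_spare_disk: bool           # column 23266


def count_unused_spares(hdds: List[HddEntry]) -> int:
    """Spare disks that have no key assigned yet (F30030)."""
    return sum(1 for h in hdds if h.role == SPARE and h.key_id is None)


def count_unassigned_keys(keys: List[KeyEntry]) -> int:
    """Keys still carrying the 'Reserved Key' status."""
    return sum(1 for k in keys if k.status == RESERVED)


def plan_spare_key_provisioning(policy: KeyPolicy, hdds: List[HddEntry],
                                keys: List[KeyEntry], requested: int,
                                target: str) -> Tuple[int, str]:
    """Decide how a spare-disk key shortage is to be covered (F30020..F30050).

    requested: number of keys the HDD management function asked for (F30010);
               0 reproduces the second embodiment's check (F22050).
    target:    "parity_group" for an encryption-setting-on request,
               "hot_swap" for a spare disk or a replacement HDD (assumed names).
    Returns (shortage, action) with action in {"none", "import", "generate"}.
    """
    if not policy.prior_generation_for_spare:            # F30020: Not Required
        return 0, "none"
    unused_spares = count_unused_spares(hdds)
    unassigned = count_unassigned_keys(keys) - requested  # keys left after this request
    # F30040: equality is treated as "no shortage" (assumption; the text
    # describes only the less-than and more-than cases).
    if unused_spares <= unassigned:
        return 0, "none"
    shortage = unused_spares - unassigned
    inside = policy.generation_location == INSIDE
    if inside or (target == "hot_swap" and policy.internal_generation_at_shortage):
        return shortage, "generate"                      # F30050: Yes
    return shortage, "import"                            # F30050: No -> F30060


def provision_spare_keys(policy: KeyPolicy, hdds: List[HddEntry],
                         keys: List[KeyEntry], requested: int,
                         target: str) -> Tuple[int, str]:
    """Apply the plan: generate keys inside the apparatus, or report an import request."""
    shortage, action = plan_spare_key_provisioning(policy, hdds, keys, requested, target)
    if action == "generate":
        for _ in range(shortage):
            # 256-bit random key material stored with the 'Reserved Key' status.
            keys.append(KeyEntry(f"GEN-{secrets.token_hex(4)}", secrets.token_bytes(32)))
    return shortage, action


def cancel_key(policy: KeyPolicy, keys: List[KeyEntry], key_id: str, hdd_kind: str) -> bool:
    """F31010: cancel the key only when the policy permits automatic cancellation.

    hdd_kind: "removed_hdd" or "used_spare" (assumed names).  Removing the entry
    deletes the key material and so crypto-shreds the data on that HDD.
    Returns True when the key was cancelled, False when it was retained.
    """
    permitted = (policy.auto_cancel_removed_hdd if hdd_kind == "removed_hdd"
                 else policy.auto_cancel_spare_disk)
    if not permitted:
        return False                                     # "Not Permitted": key retained
    before = len(keys)
    keys[:] = [k for k in keys if k.key_id != key_id]    # delete in place
    return len(keys) < before
```

With `requested` set to 0 and a server-side generation location, `plan_spare_key_provisioning` returns exactly the difference that the second embodiment asks the user to import; with a non-zero request it reproduces the third embodiment's distinction between keys destined for a parity group (always imported when the server generates keys) and keys destined for a hot-swap spare (generated internally when the policy permits it at a shortage).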
According to the aforementioned embodiments, when an HDD in which a failure has occurred is removed after the execution of hot swap in a storage apparatus having a stored data encryption function, the encryption key assigned to that HDD is shredded and the data in the HDD is thereby automatically crypto-shredded; and after a new HDD is installed, the data in the spare disk whose copy-back to the new HDD is completed is automatically crypto-shredded, and key generation for the spare disk is requested from a security administrator in preparation for the next hot swap. Furthermore, in a storage apparatus which imports an encryption key generated by the external key management server and uses it for encryption/decoding of stored data, the encryption key for the spare disk is imported from the external key management server in advance and is prevented from being used for any purpose other than the intended one, in preparation for the case where an encryption key cannot be imported at the time of the hot swap due to a communication failure with the external key management server, which would otherwise cause a shortage of encryption keys.
In the aforementioned embodiments, the controller for the storage apparatus assigns an encryption key to an HDD; however, if the HDD is an HDD equipped with a self-encryption function, the aforementioned embodiments can be applied to the HDD equipped with the self-encryption function by replacing the encryption key with an authentication key.
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/JP2012/001003 | 2/15/2012 | WO | 00 | 4/4/2012 |