Create encryption keys and enable encryption

Create encryption keys
Back up encryption keys to the CryptoHub
Enable encryption on parity groups
Post-configuration checklist

After configuring the KMIP connection, create encryption keys and enable encryption on the target parity groups.

Create encryption keys

In Storage Navigator, navigate to Administration > Encryption Keys > Encryption Keys tab.

Select Create Keys. The VSP generates encryption keys using the CryptoHub via KMIP (if configured in the previous step) or locally.

Back up encryption keys to the CryptoHub

In the Encryption Keys tab, select Backup Keys > To Server.

The VSP sends a backup of the encryption keys to the CryptoHub for safekeeping.

Always back up encryption keys immediately after creation and after any certificate changes. Previously backed-up encryption keys tied to an old client certificate cannot be restored after a certificate change.

Enable encryption on parity groups

Navigate to the target parity group in Storage Navigator.

Enable encryption on the parity group.

Format the LDEVs in the encrypted parity group. Refer to the Hitachi Provisioning Guide for detailed LDEV formatting instructions.

Post-configuration checklist

After completing the configuration:

Securely store a backup of the client.p12 certificate file and its password outside of the SVP.
Export and back up the KMS configuration settings from Storage Navigator.
Document the CryptoHub connection details (IP/hostname, port) in your disaster recovery runbook.
Set calendar reminders to renew the client certificate before it expires. An expired certificate causes immediate and complete loss of KMS access.

⌘I

Documentation Index