> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create encryption keys and enable encryption

> Generate encryption keys via CryptoHub, back up keys to the KMS, and enable encryption on Hitachi VSP parity groups.

After configuring the KMIP connection, create encryption keys and enable encryption on the target parity groups.

## Create encryption keys

<Steps>
  <Step>
    In Storage Navigator, navigate to **Administration** > **Encryption Keys** > **Encryption Keys** tab.
  </Step>

  <Step>
    Select **Create Keys**. The VSP generates encryption keys using the CryptoHub via KMIP (if configured in the previous step) or locally.
  </Step>
</Steps>

## Back up encryption keys to the CryptoHub

<Steps>
  <Step>
    In the **Encryption Keys** tab, select **Backup Keys** > **To Server**.
  </Step>

  <Step>
    The VSP sends a backup of the encryption keys to the CryptoHub for safekeeping.
  </Step>
</Steps>

<Warning>
  Always back up encryption keys immediately after creation and after any certificate changes. Previously backed-up encryption keys tied to an old client certificate **cannot be restored** after a certificate change.
</Warning>

## Enable encryption on parity groups

<Steps>
  <Step>
    Navigate to the target **parity group** in Storage Navigator.
  </Step>

  <Step>
    Enable encryption on the parity group.
  </Step>

  <Step>
    **Format the LDEVs** in the encrypted parity group. Refer to the Hitachi Provisioning Guide for detailed LDEV formatting instructions.
  </Step>
</Steps>

## Post-configuration checklist

After completing the configuration:

* Securely store a backup of the `client.p12` certificate file and its password outside of the SVP.
* Export and back up the KMS configuration settings from Storage Navigator.
* Document the CryptoHub connection details (IP/hostname, port) in your disaster recovery runbook.
* Set calendar reminders to renew the client certificate before it expires. An expired certificate causes immediate and complete loss of KMS access.
