HP 3PAR Command Line Interface Administrator's Manual: HP 3PAR OS 3.1.2 (QR482-96525, September 2013)
10 Data Encryption
Beginning with HP 3PAR OS 3.1.2 MU2, HP 3PAR encrypted storage systems provide data
encryption by using self-encrypting drives (SEDs) with a local key manager (LKM).
Data encryption prevents data exposure that might result from the loss of physical control of disk
drives when disk drives are:
• Decommissioned at their end of life.
• Returned for warranty or repair.
• Lost or stolen.
The HP 3PAR StoreServ Data Encryption solution uses SED technology to encrypt all data on the
physical drives and prevent unauthorized access to data-at-rest (DAR). When encryption is enabled,
the SED will lock when power is removed, and it will not be unlocked until the matching key from
the HP 3PAR StoreServ system is used to unlock it.
SEDs contain special firmware and an application-specific integrated circuit (ASIC) that provides
encryption. Each SED has a number of bands that control access to different areas of the drive.
Each band has an internal encryption key that is not exposed outside of the drive itself. This
encryption key is always used to encrypt and decrypt all data stored on that band. All data
encryption is handled at the physical disk layer. System features, such as thin provisioning and
dynamic optimization, work independently of encryption.
Each band has a single authentication key that controls access to data on the band. In the HP
3PAR StoreServ data-encryption implementation, the entire disk is in one band. Access to data is
controlled by setting the authentication key, which locks and unlocks the drive.
The LKM, which is part of the HP 3PAR OS that runs on each node in a cluster, maintains the
authentication key. You must back up and protect the keystore file; HP does not have access to
the key.
All drives in the same array will have the same authentication key. The disks become locked
whenever they lose power, which guarantees that any disk removed from an HP 3PAR Storage
system will not be accessible except in its original array. When the drive is unlocked, all I/O to
the drive behaves exactly as it would on a non-SED, and encryption and decryption happen at full
interface speed, without data delays.
There is a minimal delay for booting (since each drive must be unlocked before the system becomes
operational) and for data encryption management functions (since each disk must be updated
whenever keys are changed on the system). Each of these operations takes up to 3 seconds per
disk, but happens in several threads. On a system with 160 disks, for example, enabling encryption
111