Abstract: A storage apparatus sends a request for a key encryption key to a key management server using a storage apparatus ID as a parameter, acquires the key encryption key, for which a request has been sent to the key management server, and its attribute information, and stores the key encryption key and its attribute information in a key encryption key list while eliminating the key encryption key that is duplicated. Then, in the order listed in the key encryption key list, decryption of the encryption key is attempted by the key encryption key stored in the key encryption key list, and the success or failure of the decryption of the encryption key is determined. When the decryption of the encryption key using the key encryption key fails, the decryption of the encryption key is attempted using a key encryption key, which has not been attempted yet, in the key encryption key list.

Abstract: A key management control unit of a storage device instructs a key management server to generate an encryption key, and receives the corresponding key number. The key management control unit requests the key management server to acquire the encryption key by the key number when newly assigning the encryption key to a drive of the storage device, and retains attribute information of the acquired encryption key, and the acquired encryption key as a reserved encryption key in a reserved encryption key area of a volatile area. Then, the key management control unit updates an encryption key management information table by applying a key tag to the reserved encryption key as the encryption key to be assigned to the drive of the storage device, and retains the reserved encryption key as a new encryption key corresponding to the drive of the storage device in an encryption key table.

Abstract: A storage apparatus sends a request for a key encryption key to a key management server using a storage apparatus ID as a parameter, acquires the key encryption key, for which a request has been sent to the key management server, and its attribute information, and stores the key encryption key and its attribute information in a key encryption key list while eliminating the key encryption key that is duplicated. Then, in the order listed in the key encryption key list, decryption of the encryption key is attempted by the key encryption key stored in the key encryption key list, and the success or failure of the decryption of the encryption key is determined. When the decryption of the encryption key using the key encryption key fails, the decryption of the encryption key is attempted using a key encryption key, which has not been attempted yet, in the key encryption key list.

Abstract: In writing, a storage controller generates encrypted data using a data encryption key and generates an authentication code based on the encrypted data using an authentication key. A storage node verifies the authentication code received from the storage controller. If the authentication code is successfully verified, the storage node stores the encrypted data and the authentication code. In reading, the storage controller verifies the authentication code received from the storage node. If the authentication code is successfully verified, the storage controller decrypts the encrypted data and sends the decrypted data to a host.

Abstract: This storage system has a plurality of modules that encode data being written to a storage medium and decode data being read from said storage medium. The storage system also has an adapter that controls the reading and writing of data from and to the storage medium such that, when an error is detected and determined to be the error of at least one of said plurality of modules, the adapter prevents the module(s) in question from being used to read or write data.

Abstract: An encryption key used with a storing apparatus and an encryption key used with a non-volatile cache memory are identical to each other. A cache control portion unit effects control in such a way that an encryption key EK used to encrypt first data stored in the storing apparatuses, and an encryption key EK used to encrypt second data which are data corresponding to the first data and are stored in the non-volatile cache memory, are identical to each other. If the cache control portion receives a write request and first data WD, the cache control portion identifies from the storing apparatuses a storing apparatus that is to be the storage destination of the first data, identifies an encryption key allocated to the identified storing apparatus, encrypts the second data corresponding to the first data using the identified encryption key, and stores the data in the non-volatile cache memory.

Abstract: This storage system has a plurality of modules that encode data being written to a storage medium and decode data being read from said storage medium. The storage system also has an adapter that controls the reading and writing of data from and to the storage medium such that, when an error is detected and determined to be the error of at least one of said plurality of modules, the adapter prevents the module(s) in question from being used to read or write data.

Abstract: A computer system that is composed of a host computer, a storage device and a management computer. The storage device comprises a port for connecting with the host computer, a cache memory, a processor, and a plurality of logic volumes which are logical memory regions. For each logic volume, the port, the cache memory and the processor are divided into logic partitions, as resources that are used for reading and writing in the logic volume. The host computer reads and writes with respect to the logic volumes. If a failure occurs in the storage device, the management computer issues a command to the storage device to allocate the resources of a logic partition for which reading/writing performance is not ensured to a logic partition for which reading/writing performance is ensured.

Abstract: An encryption key used with a storing apparatus and an encryption key used with a non-volatile cache memory are identical to each other. A cache control portion unit effects control in such a way that an encryption key EK used to encrypt first data stored in the storing apparatuses, and an encryption key EK used to encrypt second data which are data corresponding to the first data and are stored in the non-volatile cache memory, are identical to each other. If the cache control portion receives a write request and first data WD, the cache control portion identifies from the storing apparatuses a storing apparatus that is to be the storage destination of the first data, identifies an encryption key allocated to the identified storing apparatus, encrypts the second data corresponding to the first data using the identified encryption key, and stores the data in the non-volatile cache memory.

Abstract: The present invention curbs encryption key information used in a virtual logical volume and improves security. A storage management function 33201 is configured to provide to a host computer a virtual logical volume 327 created on the basis of a pool volume 324. The storage management function is configured to allocate a prescribed page from among pages in the pool volume to a virtual logical volume in accordance with a write request from the host computer. The storage management function is configured to select a page to be allocated to the virtual logical volume on the basis of information regarding encryption key information associated with a page that has been allocated to the virtual logical volume and information regarding encryption key information associated with a page capable of being allocated to the virtual logical volume from the pages managed in the pool.

Abstract: An example is a method for determining at least one migration destination for resources of one migration source physical storage system, with physical storage systems, which provide resources to a virtual storage system recognized by a host as one storage system, as migration destination candidates. The method defines at least one migration group from the resources included in the migration source physical storage system so that resources for which the predetermined management permissions are assigned to the same administrator are included in the same migration group, and determines at least one migration destination of the at least one migration group, on a condition that resources in the same migration group are migrated to the same physical storage system among the physical storage systems.

Abstract: An example is a method for determining at least one migration destination for resources of one migration source physical storage system, with physical storage systems, which provide resources to a virtual storage system recognized by a host as one storage system, as migration destination candidates. The method defines at least one migration group from the resources included in the migration source physical storage system so that resources for which the predetermined management permissions are assigned to the same administrator are included in the same migration group, and determines at least one migration destination of the at least one migration group, on a condition that resources in the same migration group are migrated to the same physical storage system among the physical storage systems.

Abstract: When removing an HDD, in which a failure has occurred, after the execution of hot swap in a storage apparatus having a stored data encryption function, an encryption key assigned to that HDD is shredded and thereby data in the HDD is automatically crypto-shredded; and after a new HDD is installed, data in a spare disk regarding which copy back to the new HDD is completed is automatically crypto-shredded and key generation for the spare disk is requested to a security administrator in preparation for the next hot swap.