Abstract: In writing, a storage controller generates encrypted data using a data encryption key and generates an authentication code based on the encrypted data using an authentication key. A storage node verifies the authentication code received from the storage controller. If the authentication code is successfully verified, the storage node stores the encrypted data and the authentication code. In reading, the storage controller verifies the authentication code received from the storage node. If the authentication code is successfully verified, the storage controller decrypts the encrypted data and sends the decrypted data to a host.

Abstract: When data is encrypted and stored for a long time, encryption key(s) and/or algorithm(s) should be updated so as not to be compromised due to malicious attack. To that end, stored encrypted data is converted in the storage system with new set of cryptographic criteria. During this process, read and write requests can be serviced.

Abstract: Key information that is currently in use is archived in a management server to prevent the key information from being lost. A storage device 10 is communicatably connected to a management server 60 managing key information 1. The storage device includes a memory device 21, and a controller 100 controlling the memory device. The controller implements encryption processing on data inputted and outputted to and from the memory device by using the key information. When stoppage of an operation is indicated, the controller determines whether the key information used by the controller is managed by the management server, stops the operation in a case where the key information is managed by the management server, and does not stop the operation in a case where the key information is determined not to be managed by the management server.

Abstract: Key information that is currently in use is archived in a management server to prevent the key information from being lost. A storage device 10 is communicatably connected to a management server 60 managing key information 1. The storage device includes a memory device 21, and a controller 100 controlling the memory device. The controller implements encryption processing on data inputted and outputted to and from the memory device by using the key information. When stoppage of an operation is indicated, the controller determines whether the key information used by the controller is managed by the management server, stops the operation in a case where the key information is managed by the management server, and does not stop the operation in a case where the key information is determined not to be managed by the management server.

Abstract: A storage system 300a that has a volume, manages the volume as a plurality of logical volumes, and can operate as a plurality of logical storage systems having at least one logical volume. The storage system comprises an IO transmission-reception unit 1320a that communicates with a management computer 100, a host computer 200, and a storage system 300b and a processor 1310a that causes the IO transmission-reception unit 1320a to perform transmission to the management computer 100 and storage system 300b by using an identifier of the storage system 300a as an identifier indicating a representative logical storage system that is one predetermined logical storage system from among a plurality of the logical storage system when the storage system operates as a plurality of the logical storage systems.

Abstract: A computer system and its control method capable of allocating resources to a plurality of users in a balanced manner and ensuring information security between the users even when the plurality of users are made to extensively manage a storage system are provided. The storage system includes: a plurality of resource groups defined by grouping of a plurality of resources; a storage area for storing management information of the plurality of resource groups and association information between the plurality of resources and the plurality of resource groups; and a plurality of user groups defined by grouping of the plurality of users, each of the user groups being allocated to at least one of the plurality of resource groups; wherein based on login of at least one user from among the plurality of users, a management device has the storage system execute operation permitted by an authority granted to the user group, to which the relevant user belongs, on the resource group allocated to the user group.

Abstract: A storage system 300a that has a volume, manages the volume as a plurality of logical volumes, and can operate as a plurality of logical storage systems having at least one logical volume. The storage system comprises an IO transmission-reception unit 1320a that communicates with a management computer 100, a host computer 200, and a storage system 300b and a processor 1310a that causes the IO transmission-reception unit 1320a to perform transmission to the management computer 100 and storage system 300b by using an identifier of the storage system 300a as an identifier indicating a representative logical storage system that is one predetermined logical storage system from among a plurality of the logical storage system when the storage system operates as a plurality of the logical storage systems.

Abstract: A storage system comprises multiple first storage apparatuses, and a controller which provides a first logical volume corresponding to a storage area of the multiple first storage apparatuses to a host computer. The controller partitions a storage area corresponding to the first logical volume into multiple first physical storage areas, manages the partitioned multiple first physical storage areas as physical storage areas of a storage pool, creates a first virtual volume which is provided to the host computer, and associates, from among the multiple first physical storage areas, a physical storage area in which user data is stored, with the first virtual volume.

Abstract: A storage system 300a that has a volume, manages the volume as a plurality of logical volumes, and can operate as a plurality of logical storage systems having at least one logical volume. The storage system comprises an IO transmission-reception unit 1320a that communicates with a management computer 100, a host computer 200, and a storage system 300b and a processor 1310a that causes the IO transmission-reception unit 1320a to perform transmission to the management computer 100 and storage system 300b by using an identifier of the storage system 300a as an identifier indicating a representative logical storage system that is one predetermined logical storage system from among a plurality of the logical storage system when the storage system operates as a plurality of the logical storage systems.

Abstract: A storage device partitions data from a host into multiple partitioned data and distributes, encrypts and stores them together with a parity in multiple memory mediums. This storage device executes processing of restoring the partitioned data or the parity stored in a memory medium subjectable to encryption re-key based on decrypted data of the partitioned data or the parity stored in each memory medium other than the memory medium subjectable to encryption re-key among the multiple memory mediums, storing the restored partitioned data or the parity in a backup memory medium while encrypting the restored partitioned data or the parity with a new encryption key, and thereafter interchanging the backup memory medium and the memory medium subjectable to encryption re-key so that the backup memory medium will be a memory medium configuring the parity group and the memory medium subjectable to encryption re-key will be the backup memory medium.

Abstract: A storage system comprises multiple first storage apparatuses, and a controller which provides a first logical volume corresponding to a storage area of the multiple first storage apparatuses to a host computer. The controller partitions a storage area corresponding to the first logical volume into multiple first physical storage areas, manages the partitioned multiple first physical storage areas as physical storage areas of a storage pool, creates a first virtual volume which is provided to the host computer, and associates, from among the multiple first physical storage areas, a physical storage area in which user data is stored, with the first virtual volume.

Abstract: A storage system 300a that has a volume, manages the volume as a plurality of logical volumes, and can operate as a plurality of logical storage systems having at least one logical volume. The storage system comprises an IO transmission-reception unit 1320a that communicates with a management computer 100, a host computer 200, and a storage system 300b and a processor 1310a that causes the IO transmission-reception unit 1320a to perform transmission to the management computer 100 and storage system 300b by using an identifier of the storage system 300a as an identifier indicating a representative logical storage system that is one predetermined logical storage system from among a plurality of the logical storage system when the storage system operates as a plurality of the logical storage systems.

Abstract: A storage system 300a that has a volume, manages the volume as a plurality of logical volumes, and can operate as a plurality of logical storage systems having at least one logical volume. The storage system comprises an IO transmission-reception unit 1320a that communicates with a management computer 100, a host computer 200, and a storage system 300b and a processor 1310a that causes the IO transmission-reception unit 1320a to perform transmission to the management computer 100 and storage system 300b by using an identifier of the storage system 300a as an identifier indicating a representative logical storage system that is one predetermined logical storage system from among a plurality of the logical storage system when the storage system operates as a plurality of the logical storage systems.

Abstract: There is provided a computer system, having a host and at least one storage system. The at least one storage system provides storage area includes at least one of an encrypted storage area and a plaintext storage area The at least one storage system is configured to: receive an instruction about what type of storage area is available to the host computer; present the encrypted storage area to the host as an available storage area separate from unavailable storage areas in the case of the type of storage area being available according to the instruction indicating “encrypted”; and present, in the case of the type of storage area being available according to the instruction indicating other than “encrypted”, one of both the encrypted storage area and the plaintext storage area to the host computer as available storage areas, and only the plaintext storage area as an available storage area.

Abstract: It is an object of this invention to provide a computer system and its control method capable of preventing allocation of a resource(s), which is not intended by a superior administrator, to a certain storage administrator even when the superior administrator sets a certain authority to that storage administrator and intends to allocate a resource(s), which is required to enable this authority, to the storage administrator. When the superior administrator sets a certain authority to a certain storage administrator and intends to allocate a resource(s), which is required to enable this authority, to the storage administrator, the computer system prevents allocation of a resource(s), which is not intended by the superior administrator, to that storage administrator by optimizing allocation of resource groups and authorities to the storage administrator.

Abstract: A storage system for controlling attributes for data stored in virtual storage areas includes a logical storage area management unit 1140 that manages the linking of virtual storage areas and attributes such as encryption attributes to logical storage area groups. When receiving a command to change an attribute of a virtual storage area or virtual volume, the logical storage area management unit determines the presence or absence of a unit logical storage area in a logical storage area group or pool linked to a different attribute and that is not yet allocated to a virtual storage area. The logical storage area management unit links a unit logical storage area determined to be present to a virtual storage area, reads data stored in the unit logical storage area linked to a virtual storage area subjected to an attribute change, and stores the read data in accordance with the different attribute.

Abstract: This invention provides a system including a computer and a storage-subsystem comprising at least either a first storage area for storing data sent from the computer or a second storage area to be associated with the first storage area, for storing replicated data of data stored in the first storage area. This system includes a replication processing status referral unit for referring to a replication processing status of data of the first storage area and the second storage area to be associated, and an output unit for outputting first performance information concerning data I/O stored in the first storage area, and outputting second performance information concerning data I/O stored in the second storage area together with the first performance information when the replicated data is being subject to replication processing from the first storage area to the second storage area as a result of referring to the replication processing status.

Abstract: Provided is a storage device which partitions data from a host into multiple partitioned data and distributes, encrypts and stores them together with a parity to and in multiple memory mediums. This storage device executes processing of restoring the partitioned data or the parity stored in a memory medium to be subject to encryption re-key based on decrypted data of the partitioned data or the parity stored in each memory medium other than the memory medium to be subject to encryption re-key among the multiple memory mediums, storing the restored partitioned data or the parity in a backup memory medium while encrypting the restored partitioned data or the parity with a new encryption key, and thereafter interchanging the backup memory medium and the memory medium to be subject to encryption re-key so that the backup memory medium will be a memory medium configuring the parity group and the memory medium to be subject to encryption re-key will be the backup memory medium.

Abstract: A computer system in which an encryption-decryption process performed by one encryption-decryption module can be moved to another without stopping the process for a read/write request from a host computer. The computer system has a host computer, and a storage system for storing encrypted data. The storage system provides a storage area for accepting access from the host computer. In performing a process for changing the data encrypted and stored by the destination source, the move destination encrypts the data decrypted by the move source which further encrypts and stores the data encrypted by the move destination, and after all data is stored, the move source decrypts and stores the further encrypted data.

Abstract: It is an object of this invention to provide a computer system and its control method capable of preventing allocation of a resource(s), which is not intended by a superior administrator, to a certain storage administrator even when the superior administrator sets a certain authority to that storage administrator and intends to allocate a resource(s), which is required to enable this authority, to the storage administrator. When the superior administrator sets a certain authority to a certain storage administrator and intends to allocate a resource(s), which is required to enable this authority, to the storage administrator, the computer system prevents allocation of a resource(s), which is not intended by the superior administrator, to that storage administrator by optimizing allocation of resource groups and authorities to the storage administrator.