Recently, the scale of storage systems for computer systems has been expanding because of the increasing amount of information to be processed by information processing systems. A storage system in which a plurality of storage devices are arrayed is a known example of such a storage system. In this storage system, a storage controller processes data from a host computer and stores the data in the array.
Information processing systems are exposed to various security threats, and storage systems are no exception. It is therefore necessary to be prepared at all times for threats such as data theft, unauthorized access, falsification, and data destruction. Security associated with a storage system is provided both on the upper-level application side, at the host computer, and on the storage side. The security function on the storage system side is enhanced in order to reduce the burden on the upper-level applications.
Even if the security function on the storage system side is enhanced, a storage-drive-based encryption function may still be exposed to data leakage if storage drives are stolen or taken out of the chassis of the storage system. A storage-controller-based encryption function is therefore provided instead of, or together with, the storage-drive-based encryption function. When data is stored in the storage drive by using this encryption function, the storage controller itself encrypts the data and stores the encrypted data in the storage drive. Because the encryption key is managed by the storage controller, the key does not exist in the storage drive itself even if the drive is taken out, for example for device maintenance. Unauthorized analysis of the data is then difficult, which realizes a data leakage countermeasure of a high security level.
A secret key that is required for data encryption and decryption is commonly stored as a file by a security administrator or managed by a server that performs key management services (KMS). The KMS manages secret key generation, issuance, backup, and recovery in an integrated manner.
Incidentally, a conventional example of a storage system equipped with the storage-controller-based encryption function is described in, for example, Japanese Patent Application Laid-Open (Kokai) Publication No. 2010-33319.