Data storage systems are arrangements of hardware and software that include one or more storage processors coupled to arrays of non-volatile storage devices, such as magnetic disk drives, electronic flash drives, and/or optical drives. The storage processors service storage requests, typically arriving from host computer systems (“hosts”), which may, for example, specify files or other elements of host data to be written, read, created, or deleted. Software running on the storage processors manages incoming storage requests and performs various data processing tasks to organize and secure the data elements stored on the non-volatile storage devices. In this way, data storage systems provide external data storage to one or more hosts, storing host data on behalf of the hosts.
It is often desirable for a data storage system to provide a high level of data security with regard to the host data that is stored on the storage system. Providing host data security in a data storage system may include encrypting the host data stored on the storage system. Secure management of the encryption key or keys used to encrypt the host data is therefore essential. Key management has previously been described in the National Institute of Standards and Technology (NIST) Special Publication 800-57, entitled “Recommendation for Key Management”, which provides general guidance and best practices for the management of cryptographic keys. Related key wrapping techniques are symmetric encryption algorithms, and include the Advanced Encryption Standard (AES) key wrap specification for securely encrypting a plaintext key under a key-encryption key.