The present invention generally relates to a storage apparatus, and in particular to a storage apparatus comprising an encryption engine that encrypts data sent from a host and stores it in a storage device, and decrypts the encrypted data stored in the storage device and sends it to the host, and to the control method of such a storage apparatus.
A storage apparatus is known as a special device for providing a large-capacity storage resource to a host computer or a host system. This storage apparatus is also known as a storage subsystem or a storage controller, and is configured by comprising a plurality of storage devices, and a controller for controlling the input and output of data between the storage device and the host according to a write access or a read access from the host.
In recent years, from demands for ensuring the security of data, it is necessary to improve the confidentiality of data to be written in the storage apparatus. As methods of encrypting the data to be written in the storage apparatus, there is a method where the host personally encrypts the data, a method of disposing an encryption engine on a network connecting the host and the storage apparatus, and a method of the storage apparatus personally comprising the encryption engine.
As conventional technology pertaining to a mode where the storage apparatus comprises the encryption engine, for instance, there is a storage system described in Japanese Patent Laid-Open Publication No. H2006-227839 (Patent Document 1).
This storage system aims to simplify the decryption process of encrypted data when migrating such encrypted data to a different encryption engine, maintain security to prevent tapping and falsification when rewriting the calculation method of encrypted data into a different calculation method, and improve the access performance. FIG. 3 of Patent Document 1 illustrates a storage system 100 accessible from a host computer comprising a storage apparatus including a data area 120. In this storage system 100, when a storage apparatus comprising a scheme capable of decrypting encrypted data is selected as the migration destination of such encrypted data, it is possible to continue retaining such encrypted data in a reliable manner even when the device or code calculation method becomes obsolete by updating the code calculation method applied in migrating data or decoding encrypted data with a different method based on internal processing of the device, and re-storing such method.