The present invention relates to an encryption/decryption management method for an encrypted data storage area in a computer system having a data storage apparatus. In particular, the present invention relates to an encryption/decryption management method for an encrypted data storage area in a computer system having plural data storage apparatuses arranged hierarchically and plural kinds of encryption/decryption means existing on a path between a computer and the data storage area.
To improve the confidentiality of data saved by a computer in a data storage apparatus, it is contemplated to encrypt the data to be saved. If data is saved in an encrypted state, the confidentiality can be improved. However, data saved for a long time must always be correctly decrypted whenever it is referred to. That is, the correct data cannot be obtained unless the same encryption/decryption algorithm or key as that used in encryption, or an encryption/decryption algorithm or key that is interoperable with that used in encryption, is used. As an encryption technique, there has been provided a technique that assigns different encryption keys to different zones so that one encryption key permits reference only to the data in one zone (see Patent Document 1, for example).
On the other hand, an arrangement is becoming popular in which a data storage apparatus and a computer that uses the data storage apparatus are connected to each other via a storage-dedicated network (referred to as a Storage Area Network, SAN). In a network thus arranged, when the computer requires a data storage area, a data storage area in the data storage apparatus is appropriately allocated to the computer, and a management computer determines a path between the computer and the data storage area to enable the computer to adequately use the data storage area (see Patent Document 2, for example).
Patent Document 1: Japanese Patent Laid-Open No. 2002-351747
Patent Document 2: Japanese Patent Laid-Open No. 2001-142648
Patent Document 2 discloses a technique for preparing a new data storage area and determining a path to enable the computer to use the data storage area. In addition, as described in Patent Document 1, it is well known that correct data cannot be obtained if the algorithm or key used in encryption is not the same as that used in decryption.
However, Patent Document 2 does not disclose any technique for determining a path to enable the computer to adequately use an encrypted data storage area when the computer system that has the encrypted data storage area in the data storage apparatus is modified to have plural encryption/decryption means.