1. Field of the Invention
The present invention relates to a computer system, a management terminal, a storage system and an encryption management method, and more particularly to an encryption-decryption function control method for an encrypted storage area in the case where a plurality of encryption-decryption means are provided on a connection path between a host computer and the storage area.
2. Description of the Related Art
In a basic system for public enterprises bearing the social infrastructure, a storage system for storing data plays an important role. These systems are required to cope with an increased data amount in the electronic infrastructure, and to have high availability and security.
Therefore, a technique has been implemented that applies storage virtualization to enable storage management that does not depend on the physical configuration, and to shorten the system shutdown period caused by changing the system configuration.
As a measure for enhancing security, Japanese Patent Laid-Open Publication No. 2006-091952 discloses a technique for enabling the storage system to encrypt data when storing it in the storage system, to ensure the secrecy of the data stored in the storage system.
In a computer system applying the above-mentioned virtualization technique, a plurality of devices (each called an “encryption-decryption module”) for performing an encryption-decryption process on the data stored in the storage area may exist on the path by which the host computer gains access to the storage area. For example, in a case where a first storage system at the upper level has a first encryption-decryption module, and a second storage system at the lower level has a second encryption-decryption module, both the first encryption-decryption module and the second encryption-decryption module lie on the connection path by which the host computer gains access to the storage area provided by the second storage system. Japanese Patent Laid-Open Publication No. 2006-091952 discloses a technique for moving the encryption-decryption process for data performed by the second encryption-decryption module to the first encryption-decryption module when the second storage system, previously used singly, is connected to the first storage system. With this technique, even if there is no interoperability between the first encryption-decryption module and the second encryption-decryption module (e.g., the two modules encrypt or decrypt the data within the storage area based on different encryption keys and encryption-decryption algorithms), an encryption-decryption process can be performed by converting the data encrypted by the second encryption-decryption module into data encrypted by the first encryption-decryption module.