5/12/25, 11:03 AM Encryption License Key User Guide for VSP One Block

Encryption License Key User Guide for VSP One Block
10.4.x
SVOS
MK-23VSP1B010-02

Last updated: 2025-02-21

Generated from docs.hitachivantara.com

https://docs.hitachivantara.com/internal/api/webapp/print/ca29b23d-3ee3-48ad-a672-f708aba06b6e 1/27

Overview of the encryption feature


The Encryption License Key feature provides hardware-based data-at-rest encryption for your sensitive
data.

About Encryption License Key

The data-at-rest encryption feature, called Encryption License Key, protects your sensitive data against
breaches associated with storage media (for example, loss or theft). Encryption License Key provides a
controller-based encryption implementation.

The Encryption License Key feature provides the following benefits:

- Hardware-based Advanced Encryption Standard (AES) encryption, using 256-bit keys in the XTS mode of operation.
- Encryption can be applied to some or all supported internal drives.
- Each encrypted internal drive is protected with a unique data encryption key (DEK).
- Encryption has negligible effects on I/O throughput and latency.
- Encryption requires little to no disruption of existing applications and infrastructure.
- Cryptographic erasure (media sanitization) of data is performed when an internal encrypted drive is removed from the storage system.

Encryption hardware
The data at-rest encryption (DARE) functionality is implemented using cryptographic hardware
(chips) on the encrypting controllers (ECTLs) of the VSP One Block storage systems. The ECTLs
encrypt and decrypt data as it is being written to and read from the cache memory.

Enabling and disabling data encryption is controlled at the dynamic-drive-protection (DDP) group
level. All drives in a DDP group (parity group) are either encrypting or non-encrypting. While it is
possible to have both encrypting and non-encrypting DDP groups configured on an ECTL, best
practice is to encrypt all DDP groups on an ECTL.

Key management
Key management for VSP One Block is integrated within the storage system. Each encrypted
internal drive is protected with a unique DEK that is used with the AES-based encryption. AES-XTS
uses a pair of keys, so each key used as a DEK is actually a pair of 256-bit keys. The DEKs are
stored in the shared memory of the storage system. When the storage system boots, the DEKs in
shared memory are used.

The initial set of encryption keys is generated during the initial encryption setup. Any keys that are not assigned to drives are designated as Free keys and are available for use. Encryption keys are generated with the Free (unused) attribute, and the attribute changes depending on how the key is used:

- DEK: Data encryption key. A key used to encrypt stored data.
- KEK: Key encryption key. The key used to encrypt the other keys. There is only one KEK in the storage system.

When encryption is enabled for a DDP group, DEKs are automatically assigned to the drives in the DDP group. Similarly, when encryption is disabled, the DEKs are automatically replaced: the old DEKs are destroyed, and Free keys are assigned as the new DEKs. You can combine this behavior with migrating data between DDP groups to rekey the DEKs.

Key management server (KMS)
You can use encryption keys created by a KMS that conforms to the Key Management Interoperability Protocol (KMIP) standard. In addition, you can back up encryption keys to a KMS and restore encryption keys from the backups on the KMS. When an encryption key is backed up to a KMS, it is encrypted with another encryption key and stored together with that key on the KMS.
Key rotation
Whenever possible, consider using an external KMS and KMIP to automate the encryption key rotation process to ensure consistency and reduce the risk of human error. Refer to regulatory requirements and industry standards that may dictate key rotation schedules, such as the following:

- NIST Special Publication 800-57: This publication from the National Institute of Standards and Technology (NIST) provides comprehensive guidance on key management practices, including key rotation. It recommends regular key rotation based on the sensitivity and usage of the keys.
- PCI DSS (Payment Card Industry Data Security Standard): This standard specifies the requirements for rotating cryptographic keys for organizations that handle credit card information.
- SOX (Sarbanes-Oxley Act): SOX requires public companies to establish, document, and maintain internal controls over financial reporting, which can include encryption key management practices such as key rotation.

Important: If a key compromise is suspected, rotate the encryption keys immediately and investigate the cause of the compromise.
Primary backup
The storage systems store an encrypted copy of the DEKs in shared memory. A primary backup
(encrypted) of these keys is also made on the flash memory of the ECTLs in the storage system.
When the storage system boots, the DEKs in shared memory are used. If the DEKs in shared
memory are missing or corrupted, the primary backups on the ECTLs are used.
Secondary backup
Secondary backup of encryption keys is performed by the user using VSP One Block Administrator
or the REST API. For this reason, it is the responsibility of the user to store the secondary
encryption key backup. If the primary backup becomes unavailable, a secondary backup is required
to restore the encryption keys. To perform a secondary backup, a dedicated user role, Security
Manager (View & Modify), is required.
CAUTION:
If the primary backup becomes unavailable and no secondary backup exists, the system cannot
decrypt the data.

You can make secondary backups of the keys to a key file on the management client or to a KMS.
If secondary backups are used, it is important that they contain the current DEKs. Make sure to
perform secondary key backups after operations such as generating keys. If the encryption
environment is set to connect to a KMS, the keys cannot be backed up as a file on the
management client.

When backing up to a KMS, only one generation of keys can be held on the KMS, counting both secondary backups and automatic backups. Each new backup overwrites the previous one. A backup covers the encryption keys that have already been created at that point, so keys generated after the last backup are not on the KMS until you back up again.

Important: The creation and secure storage of backup keys must be included as part of your
corporate security policy. To ensure data availability, back up the encryption keys immediately after
they are created and also after each hardware maintenance in which a drive or ECTL is replaced.
You are responsible for storing the secondary backup keys securely.
Automatic backup (KMS only)
If you are using a KMS, the encryption keys are automatically backed up after they are created. This is called the automatic backup. The number of keys that can be backed up to the KMS is one generation, including the secondary backup and automatic backup. The old keys are overwritten during backup.

If you are not using a KMS, automatic backups are not performed.
Restoring encryption keys
If an existing encryption key becomes unavailable, for example due to a failure, the encryption key is restored from the primary backup or the secondary backup.

- Restoring an encryption key from the primary backup is done automatically by the storage system.
- Restoring an encryption key from the secondary backup is performed by the user. To restore an encryption key from the latest secondary backup, the Security Manager (View & Modify) user role is required. To restore an encryption key from a secondary backup that is not the latest, both the Security Manager (View & Modify) role and the Maintenance (Vendor Only) role are required.
Decrypting data
To decrypt an encrypted DDP group, you can delete the DDP group. When you delete an encrypted
DDP group, the encryption keys for the drives in the group are deleted and new encryption keys
are assigned.
CAUTION:
Care must be taken when decrypting data. You are responsible for backing up any required data in
a DDP group before decrypting it. Alternatively, decrypt the entire DDP group before formatting it,
such as when adding a DDP group or formatting using the LDEV format feature.
Audit logging
The Audit Log feature provides logging of events that occur in the storage system, including events
related to encryption and data encryption keys. You can use the audit log to check and troubleshoot
encryption key generation and backup. For details about audit logging and audit log events, see the
VSP One Block System Administrator Guide.
Key usage for maintenance operations
Encryption keys are used when the following operations and maintenance tasks are performed.

Operation or maintenance task              Number of keys used*   Notes
Adding drives                              1 per drive            You will need one unused key for each drive being added.
Replacing drives                           1 per drive            You will need one unused key for each drive being replaced.
Deleting an encryption-enabled DDP group   1 per drive            You will need one unused key for each drive in the DDP group being deleted.

* If a failure occurs during the above operations or maintenance tasks, more than the above number of unused keys might be required for recovery.

Support specifications for Encryption License Key

Item                                         Specification
Hardware specifications
  Encryption algorithm                       Advanced Encryption Standard (AES), 256-bit keys
  Encryption mode                            XTS mode
  Encryption module standard                 Compliant with FIPS 140-3 Level 1
LDEVs that you can encrypt
  Volume type                                All emulation types
  Internal/external LDEVs                    Internal LDEVs only
  LDEV with existing data                    Supported (requires data migration)
Managing encryption keys
  Creating and deleting encryption keys      You can manage the encryption keys, including creating, backing up, restoring, and deleting keys. For details, see User interface support for encryption.
  Unit of encryption/decryption              Encryption is applied to the DDP group. Data encryption keys (DEKs) are assigned per drive.
  Number of encryption keys                  Up to 4,096 encryption keys can be created per storage system, including up to 984 DEKs (1 DEK for each drive).
  Backup/restore functionality               Redundant (primary and secondary) backup/restore copies of all DEKs. If the encryption environment of the storage system is set to connect to a key management server, the keys cannot be backed up as a file on the management client.
  Attribute of encryption keys               Encryption keys are created with the Free attribute. When a key is allocated to a drive, the attribute changes to DEK.
  When free keys are used                    After the encryption environment is set up, free keys are used when the following operations are performed:
                                             - Maintenance operations for drives
                                             - Maintenance operations for encrypting controllers (ECTLs)
                                             If a problem occurs during one of these operations, additional free keys might be required to recover from the problem.
                                             Free keys used for maintenance operations for drives:
                                             - Adding drives: 1 free key for each drive being added
                                             - Replacing drives: 1 free key for each drive being replaced
                                             - Decrypting a DDP group: 1 free key for each drive in the DDP group being decrypted

User interface support for encryption

You can perform encryption operations on your VSP One Block storage systems using the following user
interfaces (UIs):

REST API
VSP One Block Administrator
VSP One Block Administrator API
Command Control Interface (CCI)

The following table lists the encryption operations for VSP One Block and indicates the UI support for each operation.

Encryption operations                                              REST API   VSP One Block Administrator GUI   VSP One Block Administrator API   CCI
Edit encryption environment settings                               Yes        Yes                               No                                No
List and retrieve encryption keys                                  Yes        Yes                               No                                No
Confirm settings by editing encryption environment settings        Yes        Yes                               No                                No
Display encryption key number                                      Yes        Yes                               No                                No
Generate encryption keys                                           Yes        No                                No                                No
Back up encryption keys as a file on the management client         Yes        Yes                               No                                No
Restore encryption keys from a file on the management client       Yes        Yes                               No                                No
Connect to a KMS to back up encryption keys                        Yes        No                                No                                No
Connect to a KMS to restore encryption keys                        Yes        No                                No                                No
Delete unused encryption keys and generate new keys                Yes        No                                No                                No
Rekey key encryption keys                                          Yes        No                                No                                No
Enable encryption when creating a DDP group                        No         No                                No                                Yes
Enable encryption when creating a pool                             No         Yes                               Yes                               No
View, register, or delete a KMS certificate                        Yes        Yes                               No                                No
View, register, edit, or delete the connection settings to
the KMS / change the priority / perform a communication test       Yes        Yes                               No                                No

Requirements and planning for encryption

Storage system requirements

Item                   Requirements
Encryption hardware    Encryption controllers (ECTLs). The VSP One Block storage systems are shipped with ECTLs already installed and encryption enabled.
Software license       Encryption License Key software license. Note: If the license for Encryption License Key is deleted or expires, encryption keys cannot be created.
User interfaces        REST API, VSP One Block Administrator, VSP One Block Administrator API, CCI. For details about UI support, see User interface support for encryption.
User roles             - The Security Administrator (View & Modify) role is required for setting up encryption, enabling encryption on DDP groups, removing encryption, and backing up and restoring encryption keys.
                       - The Storage Administrator (Provisioning) role is required for creating DDP groups.
                       - The Security Administrator (View & Modify) and Support Personnel (Vendor Only) roles are both required to restore an encryption key that is not the latest key from a secondary backup copy.
Data volumes           Data can only be encrypted on internal volumes of the storage system. External volumes cannot be encrypted.
DNS server             If you want to connect to a KMS by specifying a host name instead of an IP address, set the DNS server in the network information of the management port of the storage system.

KMS requirements

Item                     Requirements
Protocols                KMIP v1.0, v1.1, v1.2, v1.3, v1.4
Products                 Thales/Gemalto: CipherTrust Manager k170v/k470v/k470/k570
Certificates             To connect to the KMIP server, you must upload the following certificates to the storage system:
                         - KMS Root Certificate: X.509 format
                         - Client certificate in PKCS #12 format:
                           - If an intermediate certificate exists, have a signed public key certificate that consists of a certificate chain containing the intermediate certificate.
                           - The maximum number of certificate chain levels for the uploaded certificate is 5, including the root CA certificate.
                           - The public key algorithm of the certificate to be uploaded must be RSA.
                         - Server certificate configured on the KMIP server:
                           - The public key algorithm of the server certificate must be RSA.
                           - The maximum number of tiers is 5. Use a certificate with 5 or fewer tiers.
                         Contact the KMS administrator for information about these certificates.
                         The client certificate must be converted to PKCS#12 format. Before conversion, the client certificate must be signed by the Certificate Authority of the KMS.
                         Pay attention to the expiration date when preparing the certificate. When the certificate expires, you will not be able to connect to the KMS.
SSL/TLS communication    For SSL/TLS communication and certificate requirements between the storage system and the KMS, see the System Administrator Guide.
Number of KMSs           Up to two KMSs can be registered. If two KMSs are registered, they must be clustered together. Registering two KMSs is recommended.

Prepare the client certificate

Use the following procedure to prepare the client certificate. Encryption keys backed up on the KMS are
managed with the client certificate. The client certificate on the KMS must remain current and not expired.
If the client certificate expires or is not current, the storage system will not be able to access the KMS.

CAUTION:
- Encryption keys backed up to the KMS are managed in association with client certificates. If the client certificate is lost and the storage system controller is replaced, the keys that were backed up before the controller replacement cannot be restored.
- When the connection settings are backed up to the KMS, the storage system does not back up the client certificate. Make sure that you back up a copy of the connection settings to the KMS and save a copy of the client certificate separately. Refer to your corporate security policy for procedures related to backups.
- The encryption keys backed up on the KMS are managed with the client certificate. If the client certificate is changed, the encryption keys that were backed up before the change cannot be restored. Make sure to back up the encryption keys immediately after changing the client certificate.

Note:
- For information about obtaining the root certificate of the KMS, see the documentation for the KMS.
- When configuring the connection to the KMS, you must upload the KMS root certificate and the client certificate in PKCS #12 format to the storage system. For details, see Configure the encryption environment.

OpenSSL must be installed in the C:\openssl folder.

1. Download and install openssl.exe from http://www.openssl.org/ to the C:\openssl folder.
2. Create a private key (.key) file.
   For details about creating a private key, see the System Administrator Guide.
3. Create a certificate signing request (.csr) file. This is the "public key file" that carries the public key for signing.
   For details, see the System Administrator Guide.
4. Have the .csr file signed by the Certificate Authority (CA) of the KMS.
   For details, see the documentation for the KMS.
5. In the Windows command prompt, change the current folder to the folder where you want to save the client certificate in PKCS#12 format.
6. Move the private key file (.key) and the signed client certificate to this folder, and then run the following command:

   C:\key>c:\openssl\bin\openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12

   In this command example:
   - Folder to output the client certificate file in PKCS #12 format: c:\key
   - Private key file name: client.key
   - Client certificate file name: client.crt
7. Type the client certificate password. This password is used when uploading the client certificate in PKCS #12 format to the storage system.
   The password can be from 0 to 128 characters in length. The valid characters for the password are:
   - Numbers (0 to 9)
   - Upper case letters (A-Z)
   - Lower case letters (a-z)
   - The following half-width symbols: ! # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~

In this command example, the client.p12 file is created in the c:\key folder. This client.p12 file is the client certificate converted to PKCS#12 format.
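The procedure above carried through end to end, as an added example that is not Hitachi Vantara's code: a Python script that drives the openssl CLI to create the RSA private key and CSR, get the CSR signed, and export client.p12, then checks the result against the KMS requirements table (RSA public key, at most 5 chain levels, not expired, password within the allowed character set) before you upload it. Because the signing step by the KMS CA cannot be reproduced offline, the script signs with a throwaway "kms-ca-standin" certificate of its own; that CA, the subject names, the 2048-bit key size and the warn_days threshold are assumptions. It uses POSIX paths rather than the C:\openssl layout shown above; the openssl arguments are the same on Windows.

```python
"""Prepare the KMIP client certificate (client.p12) and pre-check it against
the KMS requirements before upload.

Added example; not Hitachi Vantara's code. Drives the openssl CLI. The
"kms-ca-standin" it creates is a constructed stand-in for the KMS Certificate
Authority that signs the CSR in step 4 of the real procedure.
"""
import string
import subprocess
import tempfile
from pathlib import Path

# Password rule from the guide: 0 to 128 characters from this set.
_P12_PASSWORD_CHARS = set(string.ascii_letters + string.digits
                          + "!#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


def valid_p12_password(password: str) -> bool:
    """True if the password can be used for the PKCS#12 upload."""
    return len(password) <= 128 and set(password) <= _P12_PASSWORD_CHARS


def _openssl(*args, cwd, check=True):
    return subprocess.run(["openssl", *args], cwd=cwd, check=check,
                          capture_output=True, text=True)


def prepare_client_cert(workdir, password, cn="vsp-one-block-kmip-client",
                        days=365, warn_days=30):
    """Steps 2-6 of the procedure plus the pre-upload checks; returns a dict."""
    if not valid_p12_password(password):
        raise ValueError("password violates the PKCS#12 password rules")
    wd = Path(workdir)
    wd.mkdir(parents=True, exist_ok=True)

    # Step 2: RSA private key (the client certificate must use RSA).
    _openssl("genpkey", "-algorithm", "RSA", "-pkeyopt",
             "rsa_keygen_bits:2048", "-out", "client.key", cwd=wd)
    # Step 3: certificate signing request carrying the public key.
    _openssl("req", "-new", "-key", "client.key", "-subj", f"/CN={cn}",
             "-out", "client.csr", cwd=wd)
    # Step 4 (stand-in): a throwaway CA signs the CSR. The real KMS CA does this.
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes",
             "-keyout", "kms-ca.key", "-out", "kms-ca.crt",
             "-subj", "/CN=kms-ca-standin", "-days", str(days), cwd=wd)
    _openssl("x509", "-req", "-in", "client.csr", "-CA", "kms-ca.crt",
             "-CAkey", "kms-ca.key", "-CAcreateserial", "-sha256",
             "-days", str(days), "-out", "client.crt", cwd=wd)
    # Step 6: export PKCS#12. -certfile carries the issuing chain, which the
    # guide requires whenever an intermediate CA exists.
    _openssl("pkcs12", "-export", "-in", "client.crt", "-inkey", "client.key",
             "-certfile", "kms-ca.crt", "-out", "client.p12",
             "-passout", f"pass:{password}", cwd=wd)

    # Pre-upload checks derived from the KMS requirements table.
    text = _openssl("x509", "-in", "client.crt", "-noout", "-text", cwd=wd).stdout
    is_rsa = "Public Key Algorithm: rsaEncryption" in text
    # -checkend N exits non-zero if the certificate expires within N seconds.
    not_expired = _openssl("x509", "-in", "client.crt", "-noout",
                           "-checkend", "0", cwd=wd, check=False).returncode == 0
    expires_soon = _openssl("x509", "-in", "client.crt", "-noout", "-checkend",
                            str(warn_days * 86400), cwd=wd, check=False).returncode != 0
    pem_chain = _openssl("pkcs12", "-in", "client.p12", "-nokeys",
                         "-passin", f"pass:{password}", cwd=wd).stdout
    chain_depth = pem_chain.count("-----BEGIN CERTIFICATE-----")

    return {
        "p12": str(wd / "client.p12"),
        "is_rsa": is_rsa,
        "not_expired": not_expired,
        "expires_within_warn_days": expires_soon,
        "chain_depth": chain_depth,
        "upload_ok": is_rsa and not_expired and 1 <= chain_depth <= 5,
    }


def demo(password="Kms-Upload-2025!"):
    """Run the whole flow in a fresh temporary directory."""
    return prepare_client_cert(tempfile.mkdtemp(prefix="kmip-client-"), password)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The expiry check is the one to keep running after deployment: the guide warns that an expired client certificate silently cuts the storage system off from its KMS, so schedule the same "-checkend" test against the deployed certificate ahead of the renewal window. If a client.p12 exported by OpenSSL 3 is rejected on upload, re-export it with the -legacy option, which produces the older PKCS#12 encoding that some consumers still expect.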

Configure the encryption environment

You can use VSP One Block Administrator, the REST API, or the initial configuration script to configure the
encryption environment settings. For details about using the initial configuration script, see Using the initial
configuration script to configure the encryption environment and Running the initial configuration script.

CAUTION:
When you use a KMS, the encryption keys backed up on the KMS are used when the storage system is
powered on. Communication between the storage system and the KMS must be established. If
communication with the KMS is not established, the storage system boots up but all volumes become
blocked. Make sure the storage system and the KMS can communicate before powering on the storage
system.

The following table lists the encryption environment settings and indicates when each setting should be enabled.

Encryption environment settings

Setting                            No KMS      KMS
Configure the KMS                  --          Configure each attribute.
Set up encryption environment
  Enable encryption environment    Enabled     Enabled
  Using a KMS                      Disabled    Enabled
  Prohibit local key generation    Disabled    Disabled or Enabled, depending on whether keys are to be generated only on the KMS. If you enable "Prohibit local key generation", the setting cannot be changed afterwards. Make sure that it is safe to enable this setting.

Use the following procedure to configure the encryption environment using the REST API. If you are not using a KMS, perform only step 4.

For details about using VSP One Block Administrator to configure the encryption environment, see the VSP
One Block Administrator User Guide.

1. (KMS) Upload the client certificate and the root certificate using the following command:

   POST <Base URL>/v1/objects/kms-certificates

   Tip:
   - To upload the client certificate, set the attribute fileType to ClientCertFile.
   - To upload the root certificate, set the attribute fileType to RootCertFile.

2. (KMS) Set up a connection with the KMS using the following command:

   POST <Base URL>/v1/objects/kms-settings

3. (KMS) Perform a communication test with the KMS using the following command:

   POST <Base URL>/v1/objects/kms-settings/<Object ID>/actions/test-connectivity

4. Configure your encryption environment using the following command:

   PATCH <Base URL>/v1/objects/encryption-settings/instance

   For details about the settings, see the Encryption environment settings table above.

After you have configured your encryption environment, you can begin performing encryption operations.
The first step is to enable encryption on the drives in the storage system.
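Steps 1 to 4 above as one runnable Python example, added here and not Hitachi Vantara's setup_kms.py: it issues the four requests in order and treats step 3 as a gate, refusing to send the PATCH that turns on "Using a KMS" when the communication test fails, because (per the caution above) a storage system that boots without reaching its KMS comes up with every volume blocked. Only the endpoints and the fileType values are from the guide; the other JSON field names (fileContent, password, objectId, isConnected, isEnabled, isKmsUsed, isLocalKeyGenerationProhibited), the Session authorization header and the synchronous responses are assumptions, and StubStorage is a constructed stand-in for the storage system so the flow runs offline.

```python
"""Configure the encryption environment over the REST API in the guide's
order, refusing to enable "Using a KMS" unless the communication test passes.

Added example; not Hitachi Vantara's setup_kms.py. Only the endpoints and
the fileType values come from the guide; every other field name and the
synchronous responses are assumptions. StubStorage is a constructed
stand-in for the storage system so the flow can run offline.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import request


class KmsNotReachable(RuntimeError):
    """Step 3 failed; step 4 is deliberately not sent."""


def _call(base_url, token, method, path, body=None):
    req = request.Request(base_url + path, data=json.dumps(body or {}).encode(),
                          method=method,
                          headers={"Content-Type": "application/json",
                                   "Authorization": f"Session {token}"})
    with request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read() or b"{}")


def configure_encryption_environment(base_url, token, kms=None,
                                     client_p12_b64="", p12_password="",
                                     root_cert_pem="", prohibit_local_keygen=False):
    """kms=None is the no-KMS case: only step 4 is performed."""
    if kms is not None:
        # Step 1: client certificate (PKCS#12) and KMS root certificate.
        _call(base_url, token, "POST", "/v1/objects/kms-certificates",
              {"fileType": "ClientCertFile", "fileContent": client_p12_b64,
               "password": p12_password})
        _call(base_url, token, "POST", "/v1/objects/kms-certificates",
              {"fileType": "RootCertFile", "fileContent": root_cert_pem})
        # Step 2: register the KMS connection settings.
        created = _call(base_url, token, "POST", "/v1/objects/kms-settings", kms)
        # Step 3: communication test. This gates step 4.
        result = _call(base_url, token, "POST",
                       f"/v1/objects/kms-settings/{created['objectId']}"
                       "/actions/test-connectivity")
        if not result.get("isConnected"):
            raise KmsNotReachable(f"KMS {kms.get('host')} unreachable; "
                                  "not enabling 'Using a KMS'")
    # Step 4: enable the encryption environment.
    return _call(base_url, token, "PATCH", "/v1/objects/encryption-settings/instance",
                 {"isEnabled": True, "isKmsUsed": kms is not None,
                  "isLocalKeyGenerationProhibited": prohibit_local_keygen})


class StubStorage(BaseHTTPRequestHandler):
    """Constructed stand-in: records each request and answers minimally."""
    kms_reachable = True
    log = []

    def _handle(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.log.append((self.command, self.path, json.loads(raw or b"{}")))
        if self.path == "/v1/objects/kms-settings":
            reply = {"objectId": "1"}
        elif self.path.endswith("/actions/test-connectivity"):
            reply = {"isConnected": self.kms_reachable}
        else:
            reply = {}
        out = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    do_POST = do_PATCH = _handle

    def log_message(self, *args):  # keep the stub quiet
        pass


def start_stub(kms_reachable=True):
    StubStorage.kms_reachable = kms_reachable
    StubStorage.log = []
    server = HTTPServer(("127.0.0.1", 0), StubStorage)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}", server


def demo(kms_reachable=True):
    """Returns (patch_sent, ["METHOD path", ...]) for one run against the stub."""
    base_url, server = start_stub(kms_reachable)
    try:
        configure_encryption_environment(
            base_url, "session-token", kms={"host": "kms1.example.net", "port": 5696},
            client_p12_b64="<base64 of client.p12>", p12_password="Kms-Upload-2025!",
            root_cert_pem="<PEM of the KMS root certificate>")
        patch_sent = True
    except KmsNotReachable:
        patch_sent = False
    finally:
        server.shutdown()
    return patch_sent, [f"{m} {p}" for m, p, _ in StubStorage.log]


if __name__ == "__main__":
    print(demo(kms_reachable=True))
    print(demo(kms_reachable=False))
```

Against a real storage system, replace the stub's base URL with <Base URL> and use a session token obtained as the REST API reference describes. If the real API reports the outcome of POST and PATCH through a job rather than synchronously, read the new kms-settings object ID from the job result instead of the objectId field the stub returns. The ordering is the point: run test-connectivity, and only after it succeeds switch "Using a KMS" on.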

Using the initial configuration script to configure the encryption environment

Use the following workflow to configure the KMS settings for your encryption environment using the initial
configuration script.

Note: Run the script without the KMS configured.

1. Install the Requests library.

For details, see Installing the Requests library.

2. Download and unzip the kmip.zip file from your storage system:
URL of the kmip.zip file on the storage system:

https://<service IP address>/download/restapi/kmip.zip

   Script files stored in the kmip.zip file:
   - setup_kms.py: Initial configuration script file.
   - init_kms.py: Initialization script file.
   - block_storage_api.py: Defines the function that generates the request line as a BlockStorage API class.
   - storage_param.py: Defines storage system information.
3. Update the parameters in the initial configuration script file (setup_kms.py), and then run the initial
configuration script.

For details, see Running the initial configuration script.

Interoperability requirements and considerations for encryption

Functions                Interoperability requirements and considerations
ShadowImage, TrueCopy    If the primary volume (P-VOL) of a pair is encrypted, encrypt the secondary volume (S-VOL) to ensure data security.
Thin Image Advanced      Match the encryption states of the P-VOL and pool-VOL. If the P-VOL is encrypted, encrypt all of the pool-VOLs. If the data pool contains an unencrypted pool-VOL, the differential data of the P-VOL is not encrypted. In this case, the security of the data in the S-VOL cannot be guaranteed.
Universal Replicator     Match the encryption states of a P-VOL and S-VOL. If you encrypt the P-VOL only, the data copied to the S-VOL is not encrypted and therefore not protected. When you encrypt a P-VOL or S-VOL, use a journal to which only encrypted LDEVs are registered as journal volumes. If the encryption states of the P-VOL, S-VOL, and journal volumes do not match, the journal data of the P-VOL is not encrypted, and the security of the data cannot be guaranteed.
Dynamic Provisioning     When enabling encryption for data written to a data pool through a V-VOL, use a data pool that consists of encrypted pool volumes.
Volume Migration         Encrypt both the source LDEV and the target LDEV. The encryption states of the source and target LDEVs must match for the Encryption License Key feature to encrypt and guarantee the security of the data on the source and target LDEVs.

About encryption operations


After the encryption environment for your VSP One Block storage system has been set up, you can start
performing encryption operations. Encryption operations include:

- Enabling and disabling encryption
- Backing up and restoring encryption keys
- Creating and deleting encryption keys
- Managing encryption operations with a KMS
- Editing and initializing the encryption environment settings

For details about the user interface support for encryption operations, see User interface support for
encryption.

About enabling and disabling encryption

Enabling encryption

Encryption can be enabled on drives only when a DDP (parity) group is created. When you enable data
encryption on a DDP group and then create new volumes in the DDP group, the data to be stored in those
volumes will be encrypted. In addition, you can migrate data from existing volumes to new encrypted
volumes to encrypt existing data. The data is migrated per V-VOL.

If a DDP group is created with encryption disabled, you cannot later enable encryption on that group.

You can use CCI to create DDP groups with encryption enabled.

Disabling encryption

The encryption setting for a DDP group cannot be changed from enabled to disabled. If you want to disable
encryption on drives, first migrate any volumes out of the target DDP group, delete the group, and then
create a new DDP group with encryption disabled. If desired, you can then migrate the volumes to the new
DDP group.

You can use CCI to delete DDP groups.


About backing up and restoring encryption keys

Backing up encryption keys

The methods for backing up encryption keys differ depending on whether you use a KMS. You are
responsible for maintaining secondary backups of encryption keys and storing the password.

If you are using a KMS:

The primary backup and the secondary backup occur automatically to back up the encryption keys
to the KMS. No manual secondary backup operations are required.
If you want to make another backup of a specific key, or if you are instructed to perform a manual
backup, back up the encryption key to the KMS.
You can use the REST API to back up encryption keys on the KMS.

If you are not using a KMS:

The primary backup of the encryption key occurs automatically, but the secondary backup requires
a manual operation. After enabling the encryption environment or creating encryption keys, back up
the encryption keys as a file on the management client.
If you want to make another backup of a specific key, or if you are instructed to perform a manual
backup, back up the encryption keys as a file on the management client.
Set a password when you back up encryption keys as a file on the management client. You will
need this password to restore the encryption keys.
You can use VSP One Block Administrator or the REST API to back up encryption keys as a file on
the management client.

Note: The number of keys that can be backed up to the KMS, together with automatic backups, is one
generation. The old keys are overwritten during backup.

Restoring encryption keys

If the encryption keys in the storage system, including the encryption keys backed up in the primary
backup, become unavailable, restore the encryption keys backed up in the secondary backup. You can
restore an encryption key from the secondary backup by using the file on the management client or by
connecting to the KMS and restoring it.

Restoration recovers, in one operation, every backed-up encryption key (unused keys and DEKs) whose key information has been lost in the storage system. Keys that were explicitly deleted, for example unused keys deleted manually during drive maintenance, are not restored.

To restore an encryption key, all pool volumes that belong to the parity group for which the encryption key
is configured must be blocked. Also, after restoring the encryption key, you must recover all pool volumes
that belong to the parity group for which the encryption key is set.

You can use the REST API to restore encryption keys from the management client or from the KMS.

Note: Always restore the latest encryption key. A secondary backup that does not contain the most recent encryption key cannot be restored by the user alone (see User roles). If you do not have a backup of the latest encryption key and cannot restore the encryption key, contact customer support.

About creating and deleting encryption keys

Creating encryption keys

Encryption keys are created automatically when the encryption environment is enabled. The encryption
keys are assigned to drives when a DDP group with encryption enabled is created.

New encryption keys must be created manually in the following cases:

When you need to change an encryption key
When unassigned keys are not available, for example, due to drive replacement
After deleting encryption keys

When creating encryption keys, always create the maximum number of keys that can be created: (4,096 -
<current_number_of_keys>)

You can use the REST API to create encryption keys.

Deleting encryption keys

Encryption keys need to be deleted in the following cases:

When you change the encryption key generation location from the storage system to the KMS

Use the encryption keys generated by the KMS, and delete the encryption keys that had been
generated by the storage system.

When you migrate the KMS to a different server

Use the encryption keys generated on the new server, and delete the encryption keys on the old
server.

You can use the REST API to delete unused (Free) encryption keys in the storage system. Encryption keys
that are not Free cannot be deleted.

Note: Encryption keys that are allocated to implemented drives cannot be deleted. If you want to delete the
encryption key allocated to an implemented drive and allocate a new encryption key, you must first disable
encryption for the DDP group to which the drive belongs.

Deleting encryption keys in the storage system

Encryption keys need to be deleted in the storage system in the following cases:

When changing the encryption environment settings to use the KMS to generate encryption keys
instead of the storage system.
When migrating the KMS to a different server and using the newly generated encryption keys
instead of the existing encryption keys.

You can use the REST API to delete unused (Free) encryption keys in the storage system. Encryption keys
that are not Free cannot be deleted.

About rekeying the key encryption key

To maintain optimal security, you should rekey the KEK on a regular basis. In addition, you should rekey
the KEK when there is a suspected security breach or a significant change in system access or user
privileges.

You can use the REST API to rekey the KEK.

Important: Back up the encryption keys and the KEK immediately after rekeying the KEK.

About managing the KMS settings

You can use VSP One Block Administrator to manage the following KMS settings:

Registering a KMS
Adding and deleting certificates for connecting to a KMS
Performing connection tests to a KMS
Checking and editing the KMS settings
Changing the priority of KMSs
Deleting a KMS

About editing and initializing the encryption environment settings


Editing the encryption environment settings

You can edit the following encryption environment settings after you have configured your encryption
environment:

Use of a KMS
Location of encryption key generation
Disabling the encryption environment

If you disable the encryption environment, the encryption environment settings will be initialized and
the encryption keys will be deleted, but the KMS settings will be maintained.

You can use VSP One Block Administrator or the REST API to edit the encryption environment settings.

Initializing the encryption environment settings

When you initialize the encryption environment settings, all encryption keys are deleted and the encryption
environment is disabled.

You must initialize the encryption environment settings under the following circumstances:

When disabling or removing the encryption software.
When resolving errors during configuration of the encryption environment settings.
When setting the Key Management Server to Enabled by mistake.

You can use VSP One Block Administrator or the REST API to initialize the encryption environment that is
already set or to delete the KMS settings.

Using the encryption configuration scripts
Encryption configuration scripts are provided as reference information when you use the REST API to build
and initialize your encryption environment with a KMS.

The encryption configuration scripts are written in Python.

Download Python from the Python website (https://www.python.org/).

The encryption scripts use the standard libraries (json, sys, http.client, time, traceback) and the
Requests library, which is a third-party library.

Download the Requests library from the Requests library download page
(https://pypi.org/project/requests/).

The encryption scripts have been tested with Python 3.11.0 and Requests 2.31.0.
The encryption scripts contain the initial configuration and initialization code required by client
programs, such as uploading the KMS certificates and adding the KMS configuration.

The encryption configuration script files are located on the ESM of your storage system.

URL of the kmip.zip file on the storage system:

https://<service IP address>/download/restapi/kmip.zip

Script files stored in the kmip.zip file:


setup_kms.py: Initial configuration script file.
init_kms.py: Initialization script file.
block_storage_api.py: Defines the function that generates the request line as a BlockStorageAPI class.
storage_param.py: Defines storage system information.

About the encryption configuration script files

Initial configuration script (setup_kms.py)

The initial configuration script is used to build an encryption environment with a KMS.

The initial configuration script performs the following actions:

Log in to the ESM.
Upload the client certificate to the ESM.
Upload the root certificate to the ESM.
Get a list of certificates.
Register a key management server.
Enable encryption preferences.
Log out of the ESM.

Initialization script (init_kms.py)

The initialization script is used to initialize the encryption settings, for example, when an error occurs when
the initial configuration script is executed.

The initialization script performs the following actions:

Log in to the ESM.
Get the status of the encryption preferences.
Disable encryption preferences.
Delete the KMS.
Get a list of certificates.
Remove root and client certificates.
Log out of the ESM.

Block storage script (block_storage_api.py)

This file defines a function to generate a request line as a BlockStorageAPI class. Place this file in the
same folder as setup_kms.py and init_kms.py.

Storage system information script (storage_param.py)

This is a file that defines information about the storage system. Place it in the same folder as setup_kms.py
and init_kms.py.

Installing the Requests library

You can use either online installation or offline installation to install the Requests library.

Online installation:

1. When installing the Requests library in a proxy environment, open the command prompt and
execute the following command (no spaces around the equals sign, otherwise the variable is not set):

set https_proxy=http://<proxy server address>:<proxy server port>

If you are not using a proxy environment, skip this step.

2. Execute the following command at the command prompt:

pip install requests

Offline installation:

1. Download the latest version of requests-X.XX.XX-py3-none-any.whl from the Requests library
download page: https://pypi.org/project/requests/#files
Before carrying the file into the offline environment, compare its SHA256 digest with the digest
published for that file on PyPI.
2. Copy the downloaded installation file to a folder in the offline environment using storage media.
3. Open the command prompt, navigate to the folder of the copied installation file, and execute the
following command. Replace X.XX.XX with the version in the name of the downloaded .whl file.

pip install requests-X.XX.XX-py3-none-any.whl

Running the initial configuration script

Use the following procedure to run the initial configuration script (setup_kms.py). Make sure to run the
initial configuration script before enabling encryption on any DDP groups.

1. Update the Initialize parameters in the initial configuration script file to match your storage
system environment and requirements.

Parameter (example setting): description

STORAGE_SERVER_IP_ADDR (example: "XXX.XXX.XXX.XXX")
    Service IP address of the ESM.

FIRST_WAIT_TIME (example: 60)
    First interval (in seconds) to get the execution result of the asynchronous process.
    Default = 60. You can specify a value of 1 to 120. Normally, you don't need to change
    this setting.

MAX_RETRY_COUNT (example: 60)
    Maximum number of retries to retrieve the results of asynchronous processing.
    Default = 60. You can specify a value of 1 to 60. Normally, you don't need to change
    this setting.

USER_CREDENTIAL (example: ("user1", "pass1"))
    Credentials used to authenticate with the storage system. In this example, the user ID
    is "user1" and the password is "pass1". The user must have the Security Manager
    (View & Modify) role. The credentials are stored in clear text in the script file, so
    restrict access to the file and remove them after the run.

NUM_OF_KMS_SETTINGS (example: 2)
    Number of KMSs to be configured. Default = 2. You can specify 1 or 2. In this example,
    two KMSs are configured and two client certificates and two root certificates are
    uploaded.

2. Update the KMS certificate parameters to match your storage system environment and
requirements.

The paths for the certificate files must be set to the same value for each client certificate and root
certificate. When registering two KMSs, separate the values with commas as shown in the following
example.

Parameter (example setting): description

CLIENT_CERT_FILE_PATH (example: "D:/cert/")
    The path where the client certificate files are stored. Prepare the client certificate
    file of each key management server in advance.

CLIENT_CERT_FILE_NAME_LIST (example: ["clientCert1.p12", "clientCert2.p12"])
    File name of each client certificate to be registered.

CLIENT_CERT_FILE_NICKNAME_LIST (example: ["clientCert1", "clientCert2"])
    Nickname of each client certificate to be registered: 1 to 255 alphanumeric characters.
    You cannot specify duplicate nicknames for the first and second units.

CLIENT_CERT_FILE_PASSWORD_LIST (example: ["clientCertPass1", "clientCertPass2"])
    Password of each client certificate file: 1 to 128 alphanumeric characters. For a client
    certificate without a password, specify "" (empty string).

ROOT_CERT_FILE_PATH (example: "D:/cert/")
    The path where the root certificate files are stored. Prepare the root certificate file
    of each KMS in advance.

ROOT_CERT_FILE_NAME_LIST (example: ["rootCert1.pem", "rootCert2.pem"])
    File name of each root certificate to be registered.

ROOT_CERT_FILE_NICKNAME_LIST (example: ["rootCert1", "rootCert2"])
    Nickname of each root certificate: 1 to 255 alphanumeric characters. You cannot specify
    duplicate nicknames for the first and second units.

3. Update the KMS parameters to match your storage system environment and requirements.
When registering two KMSs, separate the values with commas (for example, [<setting for KMS1>,
<setting for KMS2>]).

Parameter (example setting): description

KMS_ID_LIST (example: ["0", "1"])
    Number for each KMS to be registered. Specify ["0"] to register one KMS. Specify
    ["0","1"] or ["1","0"] to register two KMSs.

INTRA_CLASS_PRIORITY_LIST (example: [1, 2])
    Priority setting in the cluster when the KMS is in a multi-master cluster. Specify [1]
    to register one KMS, and specify [1,2] or [2,1] to register two KMSs.

KMS_SERVER_NAME_LIST (example: ["XXX.XXX.XXX.XXX", "XXX.XXX.XXX.XXX"])
    IPv4 address, IPv6 address, or host name of each KMS to be registered.

KMS_SERVER_PORT_LIST (example: [5696, 5696])
    Port number of each KMS to be registered. Default = 5696.

NUM_OF_RETRIES_LIST (example: [3, 3])
    Number of retries when communication fails, for each KMS to be registered. Specify a
    value of 1 to 50. Default = 3.

RETRY_INTERVAL_LIST (example: [10, 10])
    Retry interval (in seconds) when communication fails, for each KMS to be registered.
    Specify a value of 1 to 60. Default = 10.

TIMEOUT_LIST (example: [120, 120])
    Time (in seconds) before the connection times out, for each KMS to be registered.
    Specify a value of 10 to 999. Default = 120.

4. For each KMS that you add, store the root certificate and client certificate in the path specified in
CLIENT_CERT_FILE_PATH and ROOT_CERT_FILE_PATH of the KMS certificate settings.
5. Open the command prompt, and move to the folder containing the script file.
6. Run the script.

python setup_kms.py

7. Check the execution result.


Successful completion: The script completes normally with the following message:

Operation was completed.

Abnormal termination: The script terminates abnormally with the following message:

An error occurred while running the script. Please check the error
message.

If the specified parameters are incorrect, the script execution is interrupted and an error
message is displayed at the command prompt where the script was executed. Check the
error message output to the command prompt, change the parameter settings accordingly,
and then run the script again.
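The parameter rules in the tables above (value ranges, one entry per KMS, unique alphanumeric nicknames, certificate files present under the configured paths) are only enforced once the script is already talking to the ESM, where a mistake surfaces as an interrupted run. The following Python pre-flight check is an added example, not one of the scripts in kmip.zip: it applies those documented rules on the management client before setup_kms.py is run, and its validate_initialize_params function also covers the parameters that init_kms.py shares. The validate_* functions, the placeholder detection, the port range and SAMPLE_PARAMS are assumptions made for this example.

```python
"""Pre-flight check for the setup_kms.py / init_kms.py parameters (added example)."""
import os
import re

PLACEHOLDER_RE = re.compile(r"^X{3}(\.X{3}){3}$")        # the "XXX.XXX.XXX.XXX" stand-in
NICKNAME_RE = re.compile(r"^[A-Za-z0-9]{1,255}$")        # certificate nickname rule
CERT_PASSWORD_RE = re.compile(r"^[A-Za-z0-9]{0,128}$")   # "" allowed for unprotected files

# Lists that must carry one entry per KMS (sized by NUM_OF_KMS_SETTINGS).
PER_KMS_LISTS = (
    "CLIENT_CERT_FILE_NAME_LIST", "CLIENT_CERT_FILE_NICKNAME_LIST",
    "CLIENT_CERT_FILE_PASSWORD_LIST", "ROOT_CERT_FILE_NAME_LIST",
    "ROOT_CERT_FILE_NICKNAME_LIST", "KMS_ID_LIST", "INTRA_CLASS_PRIORITY_LIST",
    "KMS_SERVER_NAME_LIST", "KMS_SERVER_PORT_LIST", "NUM_OF_RETRIES_LIST",
    "RETRY_INTERVAL_LIST", "TIMEOUT_LIST",
)
PER_KMS_RANGES = {                        # documented integer ranges per KMS
    "KMS_SERVER_PORT_LIST": (1, 65535),   # assumed: the guide only states the default 5696
    "NUM_OF_RETRIES_LIST": (1, 50),
    "RETRY_INTERVAL_LIST": (1, 60),
    "TIMEOUT_LIST": (10, 999),
}

def _check_int(errors, name, value, low, high):
    """Append an error unless value is an int (not bool) within [low, high]."""
    if isinstance(value, bool) or not isinstance(value, int) or not low <= value <= high:
        errors.append(f"{name}={value!r}: must be an integer from {low} to {high}")

def validate_initialize_params(p):
    """Parameters shared by setup_kms.py and init_kms.py. Returns a list of error strings."""
    errors = []
    ip = p.get("STORAGE_SERVER_IP_ADDR")
    if not isinstance(ip, str) or not ip or PLACEHOLDER_RE.match(ip):
        errors.append("STORAGE_SERVER_IP_ADDR: set the ESM service IP address")
    _check_int(errors, "FIRST_WAIT_TIME", p.get("FIRST_WAIT_TIME"), 1, 120)
    _check_int(errors, "MAX_RETRY_COUNT", p.get("MAX_RETRY_COUNT"), 1, 60)
    cred = p.get("USER_CREDENTIAL")
    if not (isinstance(cred, tuple) and len(cred) == 2
            and all(isinstance(c, str) and c for c in cred)):
        errors.append("USER_CREDENTIAL: must be a (user_id, password) tuple of non-empty strings")
    return errors

def validate_kms_params(p, file_exists=os.path.isfile):
    """setup_kms.py-only parameters. file_exists is injectable so the check runs offline."""
    n = p.get("NUM_OF_KMS_SETTINGS")
    if n not in (1, 2):
        return [f"NUM_OF_KMS_SETTINGS={n!r}: must be 1 or 2"]
    errors = [f"{name}: expected {n} entries, got {len(p.get(name, []))}"
              for name in PER_KMS_LISTS if len(p.get(name, [])) != n]
    if errors:
        return errors                              # element checks below assume length n
    for name in ("CLIENT_CERT_FILE_NICKNAME_LIST", "ROOT_CERT_FILE_NICKNAME_LIST"):
        bad = [x for x in p[name] if not NICKNAME_RE.match(x)]
        if bad:
            errors.append(f"{name}: {bad} not 1-255 alphanumeric characters")
        if len(set(p[name])) != n:
            errors.append(f"{name}: nicknames must not be duplicated")
    for i, pw in enumerate(p["CLIENT_CERT_FILE_PASSWORD_LIST"]):
        if not CERT_PASSWORD_RE.match(pw):
            errors.append(f'CLIENT_CERT_FILE_PASSWORD_LIST[{i}]: 1-128 alphanumeric characters or ""')
    for path_key, list_key in (("CLIENT_CERT_FILE_PATH", "CLIENT_CERT_FILE_NAME_LIST"),
                               ("ROOT_CERT_FILE_PATH", "ROOT_CERT_FILE_NAME_LIST")):
        for fname in p[list_key]:                  # the script reads path + file name
            full = os.path.join(p[path_key], fname)
            if not file_exists(full):
                errors.append(f"{list_key}: {full} not found")
    if sorted(p["KMS_ID_LIST"]) != [str(i) for i in range(n)]:
        errors.append('KMS_ID_LIST: use ["0"] for one KMS, ["0","1"] or ["1","0"] for two')
    if sorted(p["INTRA_CLASS_PRIORITY_LIST"]) != list(range(1, n + 1)):
        errors.append("INTRA_CLASS_PRIORITY_LIST: use [1] for one KMS, [1,2] or [2,1] for two")
    for i, host in enumerate(p["KMS_SERVER_NAME_LIST"]):
        if not isinstance(host, str) or not host or PLACEHOLDER_RE.match(host):
            errors.append(f"KMS_SERVER_NAME_LIST[{i}]: set the KMS address or host name")
    for name, (low, high) in PER_KMS_RANGES.items():
        for i, value in enumerate(p[name]):
            _check_int(errors, f"{name}[{i}]", value, low, high)
    return errors

# Constructed sample mirroring the two-KMS example values in the tables above.
SAMPLE_PARAMS = {
    "STORAGE_SERVER_IP_ADDR": "192.0.2.10", "FIRST_WAIT_TIME": 60, "MAX_RETRY_COUNT": 60,
    "USER_CREDENTIAL": ("user1", "pass1"), "NUM_OF_KMS_SETTINGS": 2,
    "CLIENT_CERT_FILE_PATH": "D:/cert/", "ROOT_CERT_FILE_PATH": "D:/cert/",
    "CLIENT_CERT_FILE_NAME_LIST": ["clientCert1.p12", "clientCert2.p12"],
    "CLIENT_CERT_FILE_NICKNAME_LIST": ["clientCert1", "clientCert2"],
    "CLIENT_CERT_FILE_PASSWORD_LIST": ["clientCertPass1", ""],
    "ROOT_CERT_FILE_NAME_LIST": ["rootCert1.pem", "rootCert2.pem"],
    "ROOT_CERT_FILE_NICKNAME_LIST": ["rootCert1", "rootCert2"],
    "KMS_ID_LIST": ["0", "1"], "INTRA_CLASS_PRIORITY_LIST": [1, 2],
    "KMS_SERVER_NAME_LIST": ["192.0.2.21", "kms2.example.net"],
    "KMS_SERVER_PORT_LIST": [5696, 5696], "NUM_OF_RETRIES_LIST": [3, 3],
    "RETRY_INTERVAL_LIST": [10, 10], "TIMEOUT_LIST": [120, 120],
}

if __name__ == "__main__":
    problems = validate_initialize_params(SAMPLE_PARAMS) + validate_kms_params(SAMPLE_PARAMS)
    print("\n".join(problems) if problems else "Parameters look consistent; run setup_kms.py.")
```

Run it with the real parameter values pasted into SAMPLE_PARAMS; an empty result means the documented rules are satisfied and the certificate files are where the script will look for them. The file check is the one that fails most often in practice, because CLIENT_CERT_FILE_PATH and ROOT_CERT_FILE_PATH are joined with the file names exactly as written.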

Running the initialization script

Use the following procedure to run the initialization script (init_kms.py). Make sure to run the
initialization script before enabling encryption on any DDP group.

1. Update the Initialize parameters in the initialization script file to match your storage system
environment and requirements.


Parameter (example setting): description

STORAGE_SERVER_IP_ADDR (example: "XXX.XXX.XXX.XXX")
    Service IP address of the ESM.

FIRST_WAIT_TIME (example: 60)
    First interval (in seconds) to get the execution result of the asynchronous process.
    Default = 60. You can specify a value of 1 to 120. Normally, you don't need to change it.

MAX_RETRY_COUNT (example: 60)
    Maximum number of retries to retrieve the results of asynchronous processing.
    Default = 60. You can specify a value of 1 to 60. Normally, you don't need to change it.

USER_CREDENTIAL (example: ("user1", "pass1"))
    Credentials used to authenticate with the storage system. In this example, the user ID
    is "user1" and the password is "pass1". The user must have the Security Manager
    (View & Modify) role.

2. Open the command prompt, and move to the folder containing the script file.
3. Run the script.

python init_kms.py

When the script completes, a log is output.

4. Check the execution result.


Successful completion: The script completes normally with the following message:

Operation was completed.

Abnormal termination: The script terminates abnormally with the following message:

An error occurred while running the script. Please check the error
message.

If the specified parameters are incorrect, the script execution is interrupted and an error
message is displayed at the command prompt where the script was executed. Check the
error message output to the command prompt, change the parameter settings accordingly,
and then run the script again.
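Both scripts submit their changes to the ESM as asynchronous work and then poll for the result; FIRST_WAIT_TIME and MAX_RETRY_COUNT, listed in the parameter tables for setup_kms.py and init_kms.py above, bound how long that polling takes before a script gives up. The following Python block is an added example, not code from kmip.zip, that shows the loop those two parameters control, including the two ways it ends badly: the job reports failure, or the retry budget runs out while the job is still running. The job state names, the fetch_status callable, the 10-second retry interval and make_fake_job are assumptions made for this example; the real scripts read the job state from the REST API.

```python
"""What FIRST_WAIT_TIME and MAX_RETRY_COUNT bound in a script run (added example)."""
import time

FIRST_WAIT_TIME = 60   # seconds before the first status check (documented range 1-120)
MAX_RETRY_COUNT = 60   # further checks before giving up (documented range 1-60)
RETRY_INTERVAL = 10    # seconds between the further checks; assumed for this example


class JobFailed(Exception):
    """The storage system reported the job as failed."""


class JobTimeout(Exception):
    """The job was still running when the retry budget ran out."""


def wait_for_job(fetch_status, first_wait=FIRST_WAIT_TIME, max_retry=MAX_RETRY_COUNT,
                 interval=RETRY_INTERVAL, sleep=time.sleep):
    """Poll fetch_status() until the job completes and return its final status dict.

    fetch_status() returns a dict whose 'state' is 'Running', 'Completed' or 'Failed'
    (names assumed for this example). sleep is injectable so the loop can be
    exercised without actually waiting.
    """
    sleep(first_wait)
    state = None
    for attempt in range(max_retry + 1):          # one check, then max_retry retries
        status = fetch_status()
        state = status.get("state")
        if state == "Completed":
            return status
        if state == "Failed":
            raise JobFailed(f"job failed: {status.get('error', 'no detail')}")
        if attempt < max_retry:
            sleep(interval)
    raise JobTimeout(f"job still {state!r} after {worst_case_wait(first_wait, max_retry, interval)} s; "
                     "check the job on the ESM before re-running the script")


def worst_case_wait(first_wait=FIRST_WAIT_TIME, max_retry=MAX_RETRY_COUNT, interval=RETRY_INTERVAL):
    """Longest time wait_for_job blocks before raising JobTimeout."""
    return first_wait + max_retry * interval


def make_fake_job(states):
    """Constructed stand-in for the job resource: yields each state in turn, then repeats the last."""
    calls = [0]

    def fetch_status():
        i = min(calls[0], len(states) - 1)
        calls[0] += 1
        return dict(states[i])
    return fetch_status


if __name__ == "__main__":
    slept = []
    job = make_fake_job([{"state": "Running"}, {"state": "Running"}, {"state": "Completed"}])
    print(wait_for_job(job, sleep=slept.append), "after sleeps", slept)   # sleeps [60, 10, 10]
    print("worst case with the defaults:", worst_case_wait(), "s")        # 660
```

With the documented defaults the loop blocks for at most 60 + 60 x 10 = 660 seconds before it raises JobTimeout, which is why the tables say the two values normally do not need changing. A timeout does not mean the job failed; confirm the job's state on the ESM before running the script again, since re-running a half-finished configuration is one of the cases the initialization script exists to clean up.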

Workflows for encryption


Encryption operations for the VSP One Block 20 storage systems are performed using VSP One Block
Administrator, the REST API, and CCI. For details about UI support for encryption operations, see User
interface support for encryption.

For instructions on performing encryption operations, see the user guide for the UI (for example, VSP One
Block Administrator User Guide, REST API Reference Guide).

The Security Administrator (View & Modify) role is required to perform encryption operations.

Workflow for setting up encryption on the storage system

Use the following workflow to set up encryption on your storage system. For details about UI support for
these tasks, see User interface support for encryption.

1. Verify the encryption environment settings for the storage system.
2. Configure the encryption environment settings for the storage system. For details, see Configure
the encryption environment.

When you enable encryption on the storage system, a data encryption key (DEK) is generated for
each drive in the storage system.

3. Confirm the DEK information for the storage system.
4. Back up the DEKs as a file on the management client or on the KMS.

Note: Keep the password used for key backup in a secure location. This password must be used
for key restoration as well.

5. Enable encryption on the drives in the storage system. You can enable encryption on the drives as
follows:

When creating a DDP group using CCI.
When creating a pool using VSP One Block Administrator.

Workflow for encrypting new data

Use the following workflow to encrypt new data on your storage system:

1. Create a DDP group with encryption enabled.


2. Create a volume on the encrypted DDP group.
3. Allocate the volume to a host.
4. Begin host I/Os to the new volume.

All host data written to this new volume will be encrypted on the storage system.

Workflow for encrypting existing data

Use the following workflow to encrypt an existing volume by migrating it to an encrypted DDP group:

1. Create a DDP group with encryption enabled.


2. Create a volume in the encrypted DDP group.
3. Create a volume pair using Volume Migration or ShadowImage.
4. Migrate or replicate the existing volume to the new volume in the encrypted DDP group.

The data in the target volume of the pair is now encrypted on the storage system.
5. Delete the volume pair.
6. Shred or otherwise eradicate the data in the source volume of the pair.

Workflow for encrypting existing data without changing the drive configuration

Use the following workflow to encrypt a volume in a DDP group for which data encryption is disabled
without changing the drive configuration:

1. Create a volume pair using Volume Migration.


2. Migrate the volume out of the DDP group.
3. Delete the DDP group.
4. Create a DDP group with encryption enabled.
5. Create a volume in the encrypted DDP group.
6. Create a volume pair using Volume Migration.
7. Migrate the volume back to the encrypted DDP group.

The data in the target volume of the pair is now encrypted on the same drive configuration in the
storage system.

Workflow for backing up encryption keys

Use the following workflow to back up the encryption keys for your storage system:

1. Immediately after configuring the encryption environment, back up the encryption keys (DEKs) to
the management client* or to the KMS.
2. Immediately after creating encryption keys, back up the encryption keys (DEKs) to the
management client* or to the KMS.

* Keep the password used for encryption key backup on the management client in a secure location. This
password must be used for key restoration as well.

Workflow for changing the data encryption key for encrypted data

Use the following workflow to re-encrypt encrypted data with another encryption key:

1. Create a DDP group with encryption enabled.


2. Create a volume in the encrypted DDP group.
3. Create a volume pair using Volume Migration.
4. Migrate the encrypted data to the new volume in the encrypted DDP group.

The migrated data in the new volume is now encrypted with a different encryption key.

Workflow for migrating the KMS to another server

If you want to migrate the KMS to another server, change the settings of the primary server and the
secondary server to match the new KMS. When you change the connection destination of the KMS, the
encryption keys are backed up to the newly configured KMS.

Use the following command to set up a connection with the KMS to be used after migration:

PATCH <Base URL>/v1/objects/kms-settings/<Object ID>

If you want to change the KMS itself, set the KMS migration flag isMigration to true. A backup of
the KEK and encryption keys is registered on the destination KMS.
If you want to change the IP address, host name, or other settings without changing the KMS itself,
set the KMS migration flag isMigration to false. No new key encryption key or encryption key
backups are registered on the KMS.

CAUTION:
Do not turn off the storage system during the configuration process of migrating the KMS to another server.
If the storage system is turned off during this task, the key encryption key and encryption keys backed up
to the KMS cannot be retrieved when the power is turned on, and the data cannot be decrypted.

Note: If all volumes are blocked and SIM code 661000 or 661001 (Failed to retrieve encrypted key from
Key Management Server) is reported, perform the following actions before migrating the KMS:

1. Test the connection with the pre-migration KMS.


2. Confirm that the connection test with the KMS completes successfully.
3. Contact customer support and request that the storage system be restarted.

Workflow for disabling or removing the encryption software

When you disable a software license, you can re-enable the license. When you remove a software license,
you must contact customer support if you want to reinstall the license. For additional information about
disabling and removing software licenses, see the VSP One Block System Administrator Guide.

Use the following workflow to disable or remove the Encryption License Key software:

1. Verify that encryption is disabled for all DDP groups.

If encryption is enabled on any DDP group, the software license cannot be disabled or removed.

2. Initialize the encryption environment settings.

If the encryption environment settings have not been initialized, the software license cannot be
disabled or removed.

3. Disable or remove the Encryption License Key software.

Troubleshooting
When error conditions associated with Encryption License Key occur, the following events take place:

The management software displays error messages.


The storage system issues service information messages (SIMs).
The storage system issues SNMP traps (if SNMP has been configured).

You can use the information provided in the error messages, SIMs, and SNMP traps to troubleshoot and
resolve error conditions associated with Encryption License Key.

Troubleshooting Encryption License Key operations

The following table provides general troubleshooting information for Encryption License Key. If you need
technical assistance, please contact customer support.

Problem: The encryption key operation (backup/restore) failed.
Actions:
    Make sure the Encryption License Key software on the storage system is valid and has not expired.
    Make sure the Security Manager (View & Modify) role is assigned.
    If you are restoring a key, make sure the key has not changed since the last secondary backup.
    If you are restoring a key, make sure you are using the most recent encryption key.
    If you are using a KMS:
        Check the connection to the KMS.
        Make sure the maximum number of keys that the KMS can back up has not been exceeded.
        Check to see if timeouts are occurring, possibly due to an increase in the number of keys in
        the KMS.
        Check whether the time matches between the storage system and the KMS.
        Check whether SSL/TLS communication and certificate requirements between the storage system
        and the KMS are met. For details, see the System Administrator Guide.
    After confirming the above, perform the encryption key operation (backup/restore) again.

Problem: The create encryption key operation failed.
Actions:
    Make sure the Encryption License Key software on the storage system is valid and has not expired.
    Make sure the Security Manager (View & Modify) role is assigned.
    If you are using a KMS:
        Check the connection to the KMS.
        Check whether the time matches between the storage system and the KMS.
        Check whether SSL/TLS communication and certificate requirements between the storage system
        and the KMS are met. For details, see the System Administrator Guide.
    After checking the above, get the list of encryption keys and check whether an encryption key has
    been created. For instructions, see the REST API Reference Guide.
        If an encryption key was created, the creation of the encryption key was successful. Perform an
        external backup of the encryption key.
        If no encryption key was created, try creating the encryption key again. If you are not using a
        KMS, after the encryption key has been successfully created, manually back it up as a file on
        the management client.

Problem: Encryption key deletion failed.
Actions:
    Make sure the Encryption License Key software on the storage system is valid and has not expired.
    Make sure the Security Manager (View & Modify) role is assigned.
    If you are using a KMS:
        Check the connection to the KMS.
        Check whether the time matches between the storage system and the KMS.
        Check whether SSL/TLS communication and certificate requirements between the storage system
        and the KMS are met. For details, see the System Administrator Guide.
    After checking the above, get the list of encryption keys and check whether the encryption key has
    been deleted. For instructions, see the REST API Reference Guide.
        If the encryption key was deleted, no action is required.
        If the encryption key was not deleted, try deleting the encryption key again.

Problem: Test communication failed.
Actions:
    Check the following items to make sure that the connection settings with the key management
    server are correct:
        Host name
        Port number
        Client certificate file
        Root certificate file
    If the test communication is taking a long time, you can adjust the following items to make the
    communication successful:
        Timeout
        Retry interval
        Number of retries
    Check whether the time matches between the storage system and the KMS.
    Check whether SSL/TLS communication and certificate requirements between the storage system and
    the KMS are met. For details, see the System Administrator Guide.

Problem: Encryption preference failed (encryption disabled to enabled).
Actions:
    Make sure the Encryption License Key software on the storage system is valid and has not expired.
    Make sure the Security Manager (View & Modify) role is assigned.
    If you are using a KMS:
        Check the connection to the KMS.
        Check whether the time matches between the storage system and the KMS.
        Make sure the maximum number of keys that the KMS can back up has not been exceeded.
        Check whether SSL/TLS communication and certificate requirements between the storage system
        and the KMS are met. For details, see the System Administrator Guide.
    After checking the above, initialize the encryption environment settings. Confirm that the
    initialization of the encryption environment settings completed successfully, and then run the
    encryption environment setting again.

Problem: Encryption configuration failed (change whether to use a KMS with encryption enabled).
Actions:
    Make sure the Encryption License Key software on the storage system is valid and has not expired.
    Make sure the Security Manager (View & Modify) role is assigned.
    If you are using a KMS:
        Make sure the maximum number of keys that the KMS can back up has not been exceeded.
        Check whether the time matches between the storage system and the KMS.
        Check whether SSL/TLS communication and certificate requirements between the storage system
        and the KMS are met. For details, see the System Administrator Guide.
    After checking the above, see if the encryption configuration settings have changed.
        If the encryption configuration settings have changed, the operation was successful. Perform an
        external backup of the encryption keys.
        If the encryption configuration settings have not changed, try configuring the encryption
        settings again. After the encryption environment setting is successful, perform an external
        backup of the encryption keys.

Problem: The encryption key operation failed with one of the following error codes:
36162-00204208, 36162-00204209, 36162-00204224.
Actions:
    If all volumes are blocked and SIM code 661000 or 661001 is reported:
        1. Check the connection with the KMS and confirm that the connection test completes
        successfully.
        2. Contact customer support and ask them to restart the storage system.
        3. After the storage system has restarted, make sure that all blocked volumes are recovered.
    In other cases:
        1. Check the status of the storage system and recover any blocked volumes.
        2. After recovering the blocked volumes, perform the encryption key operation again.

Problem: Test communication succeeded, but error code 36162-00204225 was displayed.
Actions:
    The functions required to configure a KMS are not supported by the KMS to which you are connected.
    Review the KMS requirements and update the KMS software as needed.

Problem: SIM code 660100 or 660200 was returned.
Actions:
    The number of unused keys (encryption keys with the Free attribute) might be lower than the number
    required for maintenance. Create the maximum number of Free keys.

Problem: Failed to initialize the encryption environment settings.
Actions:
    Make sure the Encryption License Key software on the storage system is valid and has not expired.
    Make sure the Security Manager (View & Modify) role is assigned.
    If you are using a KMS:
        Check the connection to the KMS.
        Check whether the time matches between the storage system and the KMS.
        Check whether SSL/TLS communication and certificate requirements between the storage system
        and the KMS are met. For details, see the System Administrator Guide.
    After confirming the above, initialize the encryption environment settings again.

Problem: Key management server migration failed.
Actions:
    Make sure the Encryption License Key software on the storage system is valid and has not expired.
    Make sure the Security Manager (View & Modify) role is assigned.
    If you are using a KMS:
        Check the connection to the KMS.
        Check whether the time matches between the storage system and the KMS.
        Make sure the maximum number of keys that the KMS can back up has not been exceeded.
        Check whether SSL/TLS communication and certificate requirements between the storage system
        and the KMS are met. For details, see the System Administrator Guide.
    If the KMS settings have been updated, return to the settings before the KMS migration (KMS
    migration flag isMigration=false), and then perform the KMS migration again.
    If the KMS settings have not been updated, perform the KMS migration again.
