ETERNUS DX - disk arrays, what's inside. Part 2
We continue to explore what other mechanisms are present in ETERNUS DX.
On all ETERNUS DX disk systems, it is possible to organize hardware encryption at the logical volume level using the hardware of the array itself. The option is intended for a scenario where an attacker physically stole hard disks from a disk system and then tries to recover data. The controller itself carries out the encryption, and it can do this at the level of one or more logical volumes (LUNs). Sometimes this can be much more efficient than buying an entire disk group with SED (Self Encrypted Disk) disks. Maybe, for example, you suddenly need to encrypt data on one small logical volume - simply add this option for a specific volume.
I will immediately answer the questions that are usually asked on this topic: it is possible to import into the territory of the Russian Federation and countries of the Customs Union, this equipment with this functionality is indicated in the corresponding notification. If this function is suddenly categorically not needed (some CIS countries, or some customers in the Russian Federation, where it is forbidden according to their internal service instructions), this option can be permanently disabled at the factory by hardware and permanently. But this point must be indicated at the stage of ordering. Then no engineer can turn it on anymore. The option itself is completely free, present in all ETERNUS DX models.
When cloning a logical volume or its replication, if the source volume is encrypted, then the clone / replica / snapshot will also be encrypted.
Encryption takes place on disk system controllers, so you should not abuse this option and encrypt everything in a row - performance degradation may begin. When creating the first logical volume with the encryption option, the system suggests creating a certain file with a “master key”. It is advisable to do this. If, for example, there was a system with one controller that broke down and had to be replaced, then by entering this “master key”, you can access the encrypted data.
When initially configuring a project in System Architect, he will substitute the recommended number of hot-swap drives. This, by the way, should be remembered when you ask, for example, that you need to install an entry-level cd with 8 disks - Architect will automatically add another one for Hot Spare (HS). Especially a lot of miracles begin if you enter 24 disks, and System Architect automatically adds a hot-swap disk, and since there is no free slot, it also adds an expansion shelf. Which, of course, is far from always necessary.
It is possible to designate Global and Dedicated HS disks. Global will be available for all disk groups in the array, and Dedicated will be available only for the specified ones. If a Dedicated disk is used, and another hot-swap disk is needed in the same group, then it will be taken from the Global pool.
The vast majority of OSs are, of course, supported, and this is stated in the Datasheet. If you could not find something exotic in the datasheet, it makes sense to contact your partner or Fujitsu representative to check the OS you need in the more advanced technical documentation and in the Matrix EP. If nothing could be found there, then if the question is not idle, it makes sense to contact the representative office. There is a practice of organizing requests directly to the ETERNUS DX development team.
If we talk about possible connection interfaces, then everything is really flexible, efficient and convenient. Starting from the very entry-level system, and then with all the stops, it is possible to add / change existing connection interfaces.
Moreover, for example, for entry-level systems, for the customer there is a choice of FC, iSCSI, FCoE and SAS. Frankly speaking, it was not possible to recall any other system on the market that, if sold, for example, with FC, could then expand so flexibly - you can add either FC, or iSCSI, or FCoE, or SAS.
The advantages of this approach are obvious. If, for example, a system is already needed today, and it is known exactly which interface you need to access today, then the agony of choosing whether to expand the number of the same interfaces or add later a different type or speed of interfaces can be left for later. When clarity comes, you can buy and easily add the necessary CA-cards.
Built-in encryption mechanism
On all ETERNUS DX disk systems, it is possible to organize hardware encryption at the logical volume level using the hardware of the array itself. The option is intended for a scenario where an attacker physically stole hard disks from a disk system and then tries to recover data. The controller itself carries out the encryption, and it can do this at the level of one or more logical volumes (LUNs). Sometimes this can be much more efficient than buying an entire disk group with SED (Self Encrypted Disk) disks. Maybe, for example, you suddenly need to encrypt data on one small logical volume - simply add this option for a specific volume.
I will immediately answer the questions that are usually asked on this topic: it is possible to import into the territory of the Russian Federation and countries of the Customs Union, this equipment with this functionality is indicated in the corresponding notification. If this function is suddenly categorically not needed (some CIS countries, or some customers in the Russian Federation, where it is forbidden according to their internal service instructions), this option can be permanently disabled at the factory by hardware and permanently. But this point must be indicated at the stage of ordering. Then no engineer can turn it on anymore. The option itself is completely free, present in all ETERNUS DX models.
When cloning a logical volume or its replication, if the source volume is encrypted, then the clone / replica / snapshot will also be encrypted.
Encryption takes place on disk system controllers, so you should not abuse this option and encrypt everything in a row - performance degradation may begin. When creating the first logical volume with the encryption option, the system suggests creating a certain file with a “master key”. It is advisable to do this. If, for example, there was a system with one controller that broke down and had to be replaced, then by entering this “master key”, you can access the encrypted data.
A few words about hot-swap drives
When initially configuring a project in System Architect, he will substitute the recommended number of hot-swap drives. This, by the way, should be remembered when you ask, for example, that you need to install an entry-level cd with 8 disks - Architect will automatically add another one for Hot Spare (HS). Especially a lot of miracles begin if you enter 24 disks, and System Architect automatically adds a hot-swap disk, and since there is no free slot, it also adds an expansion shelf. Which, of course, is far from always necessary.
It is possible to designate Global and Dedicated HS disks. Global will be available for all disk groups in the array, and Dedicated will be available only for the specified ones. If a Dedicated disk is used, and another hot-swap disk is needed in the same group, then it will be taken from the Global pool.
A few words about supported servers, operating systems and interfaces
The vast majority of OSs are, of course, supported, and this is stated in the Datasheet. If you could not find something exotic in the datasheet, it makes sense to contact your partner or Fujitsu representative to check the OS you need in the more advanced technical documentation and in the Matrix EP. If nothing could be found there, then if the question is not idle, it makes sense to contact the representative office. There is a practice of organizing requests directly to the ETERNUS DX development team.
If we talk about possible connection interfaces, then everything is really flexible, efficient and convenient. Starting from the very entry-level system, and then with all the stops, it is possible to add / change existing connection interfaces.
Moreover, for example, for entry-level systems, for the customer there is a choice of FC, iSCSI, FCoE and SAS. Frankly speaking, it was not possible to recall any other system on the market that, if sold, for example, with FC, could then expand so flexibly - you can add either FC, or iSCSI, or FCoE, or SAS.
The advantages of this approach are obvious. If, for example, a system is already needed today, and it is known exactly which interface you need to access today, then the agony of choosing whether to expand the number of the same interfaces or add later a different type or speed of interfaces can be left for later. When clarity comes, you can buy and easily add the necessary CA-cards.