Disclosed are a device and method for securing stored data in an IP-based
storage area network (SAN), where the physical storage media is located
in an unprotected site. The connection between the client and the
unprotected site is established over a public or private IP network,
preferably by means of the iSCSI protocol. According to the present
invention, a data block to be saved in a remote site is encrypted at the
initiator host using a private encryption key and an encrypt key. The
private encryption key is saved in a key management table which is shared
among other hosts that may access the encrypted data block.