
DS5000 with Full Disk Encryption drives

7.4 Additional secure disk functions

This section describes the additional secure disk functions that the DS5000 supports:

• Changing the security key

• Saving the security key file

• Secure disk erase

• FDE drive status

• Hot-spare drive

7.4.1 Changing the security key

You can change the security key if the existing key is compromised or the passphrase is forgotten, as long as no outstanding Secure Disk communications exist between the FDE drives and the Disk Encryption Manager (for example, a drive that is still in the locked state). The security key is only the credential that unlocks the drives; the data encryption key never leaves the drive, so changing the security key does not re-encrypt any data. Change the security key periodically, in the same way that an administrative password for an operating system is changed periodically; how often depends on your organization's security guidelines.

The process to change the security key is similar to its creation process.

To change the key from the Storage Manager menu, in the upper-left corner, select Storage Subsystem → Drive Security → Change Security Key (Figure 7-12).

Figure 7-12 Change Security Key

As shown in Figure 7-12, the system prompts you to add a security identifier (optional), a location to store the key file, and a passphrase.

The new security key is generated by the controller firmware and is hidden in the storage subsystem. The new security key replaces the previous key that was used to unlock the security-enabled FDE drives in the storage subsystem. The controller negotiates with all the security-enabled FDE drives for the new key.

Chapter 7. Configuring encryption on DS5000 with Full Disk Encryption drives 165

The original security key is also stored in the storage subsystem for protection in case the controllers are prevented from completing the negotiation of the new security key with the security-enabled FDE drives (for example, if storage subsystem power is lost during the key change). If the process does not complete, you must run the security key change again so that only one version of the security key is used to unlock all drives in the storage subsystem.

The original key is stored in the storage subsystem only. It cannot be changed directly or exported to a security key backup file.

When the security key has been successfully changed, a confirmation window is displayed, as seen in Figure 7-13. This window describes the new key file location and security key identifier.

Figure 7-13 Change Security Key Complete confirmation window

7.4.2 Saving the security key file

This function saves a backup of the security key file and requires the original passphrase in order to reproduce the security key file. You can use this function to verify that the stored passphrase is correct. To save the security key file, from the Storage Manager menu, in the upper-left corner, select Storage Subsystem → Drive Security → Save Security Key File.

The system prompts you for the location to store the file and the passphrase that will be used to create or change the existing security key file, as shown in Figure 7-14 on page 166. The DS5000 Disk Encryption Manager uses the passphrase to encrypt the security key before the DS5000 Disk Encryption Manager exports the security key to the security key backup file.

Figure 7-14 Save Security Key File window
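The following Python example is added here to illustrate what the text describes for Save Security Key File; it is not IBM code and not the DS5000 key file format, which this page does not specify. It shows the two properties the text relies on: the security key is encrypted under a key derived from the passphrase before it is written to the backup file, and the same passphrase is required to reproduce the key, which is what makes the function usable as a check that a stored passphrase is still correct. The PBKDF2 parameters, the file layout and the HMAC-SHA256 integrity tag are assumptions of the example.

```python
"""Added example: passphrase-protected export of a storage-subsystem security key.
Not IBM's file format; PBKDF2 parameters, blob layout and HMAC tag are assumptions."""
import hashlib
import hmac
import os

SECURITY_KEY_LEN = 32          # assumption: a 256-bit security key
PBKDF2_ITERATIONS = 100_000    # assumption; raise on a fast host
TAG_LEN = 32                   # HMAC-SHA256 output


def _derive(passphrase: str, salt: bytes) -> tuple:
    """One PBKDF2-HMAC-SHA256 call yields a one-time pad for the key and a separate MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=2 * SECURITY_KEY_LEN)
    return km[:SECURITY_KEY_LEN], km[SECURITY_KEY_LEN:]


def save_security_key_file(security_key: bytes, passphrase: str, identifier: bytes = b"") -> bytes:
    """Build the backup-file contents: salt || id_len || identifier || wrapped_key || tag.
    The pad is used once per fresh salt, so XOR is a valid wrap; the key never appears in clear."""
    if len(security_key) != SECURITY_KEY_LEN:
        raise ValueError("unexpected security key length")
    salt = os.urandom(16)
    pad, mac_key = _derive(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(security_key, pad))
    body = salt + len(identifier).to_bytes(2, "big") + identifier + wrapped
    return body + hmac.new(mac_key, body, "sha256").digest()


def load_security_key_file(blob: bytes, passphrase: str) -> tuple:
    """Return (identifier, security_key); raise ValueError on a wrong passphrase or a tampered file."""
    if len(blob) < 16 + 2 + SECURITY_KEY_LEN + TAG_LEN:
        raise ValueError("truncated security key file")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt = body[:16]
    id_len = int.from_bytes(body[16:18], "big")
    identifier, wrapped = body[18:18 + id_len], body[18 + id_len:]
    if len(wrapped) != SECURITY_KEY_LEN:
        raise ValueError("malformed security key file")
    pad, mac_key = _derive(passphrase, salt)
    # Verify integrity before unwrapping: a wrong passphrase yields a wrong MAC key, hence a bad tag.
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, "sha256").digest()):
        raise ValueError("wrong passphrase or corrupted security key file")
    return identifier, bytes(a ^ b for a, b in zip(wrapped, pad))


def verify_passphrase(blob: bytes, passphrase: str) -> bool:
    """The check the text suggests: does the stored passphrase still open the backup?"""
    try:
        load_security_key_file(blob, passphrase)
        return True
    except ValueError:
        return False
```

A wrong passphrase and a corrupted file are deliberately indistinguishable to the caller, because the tag is the only thing that can be checked; the pad derived from a wrong passphrase would otherwise silently produce a wrong key that the controller might then try to use against every drive.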

7.4.3 Secure disk erase

Secure erase provides a higher level of data erasure than traditional methods. When you initiate secure erase with the DS5000 Disk Encryption Manager, a command is sent to the FDE drive to perform a cryptographic erase. This action erases the existing data encryption key and generates a new encryption key inside the drive, making it impossible to decrypt the data. Drive security is disabled by the erase and must be re-enabled if it is required again.

Figure 7-15 Secure Erase process

You can only perform secure erase on drives that are not allocated to an array. This process is also referred to as reprovisioning:

• The FDE drive becomes fully reusable.

• The FDE drive can be reused in secure or non-secure applications.

• Previous data and keys are not accessible.

• The process is quick: it completes in less than a second.

• The process returns the drive to its original factory state.

7.4.4 FDE drive status

The status of an FDE disk indicates whether the disk can be accessed:

• Locked:

– The drive is security capable.

– The drive has security enabled.

– The lock key has not been supplied to the drive.

– Data cannot be read from or written to the drive.

• Unlocked:

– The drive is security capable.

– The drive has security enabled.

– The lock key has been supplied to the drive.

– Data can be read from and written to the drive.

The locked state is rarely seen; it appears only when an array that contains the drives has been moved to another DS5000 or when the controllers have been replaced. The drive locks whenever it is powered down, so at power-on its status is locked. If the drive detects a security key identifier, it remains locked until it has successfully authenticated with the DS5000 Disk Encryption Manager. The drive stays unlocked during firmware upgrades or while other components are replaced.
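The following Python model is an added example, not IBM firmware or Storage Manager code, that puts the behaviour described in 7.4.1, 7.4.3 and this section into one runnable unit: changing the security key re-keys only the credential that unlocks the drive while the data encryption key (DEK) stays inside the drive, so existing data still reads back; secure erase discards the DEK and generates a new one, so the old ciphertext becomes noise and security is disabled; and a security-enabled drive comes up locked after a power cycle and refuses reads and writes until it authenticates. Assumptions of the example: an HMAC-SHA256 counter-mode keystream stands in for the drive's hardware AES (it is not safe for sector rewrites, since the keystream would repeat), and the drive checks the lock key against a salted SHA-256 verifier rather than storing the key itself.

```python
"""Added example: a model of an FDE drive's key handling (not IBM firmware).
Assumptions: HMAC-SHA256 counter-mode keystream stands in for the drive's AES;
the drive checks the lock key against a salted SHA-256 verifier."""
import hashlib
import hmac
import os

SECTOR_SIZE = 512


def _keystream(key: bytes, tweak: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; AES stand-in, not sector-rewrite-safe."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, tweak + ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return out[:length]


class DriveLocked(Exception):
    """Raised when I/O is attempted before the lock key has been supplied."""


class FdeDrive:
    def __init__(self, sectors: int = 4):
        self._dek = os.urandom(32)   # data encryption key: generated inside the drive, never exported
        self._lock_check = None      # (salt, hash) of the lock key; None means security not enabled
        self.locked = False
        self.allocated = False       # True once the drive is a member of an array
        self._media = [self._xor(i, bytes(SECTOR_SIZE)) for i in range(sectors)]

    def _xor(self, lba: int, data: bytes) -> bytes:
        # Everything on the media is always encrypted under the DEK, locked or not.
        ks = _keystream(self._dek, lba.to_bytes(8, "big"), len(data))
        return bytes(a ^ b for a, b in zip(data, ks))

    @property
    def security_enabled(self) -> bool:
        return self._lock_check is not None

    def status(self) -> str:
        return "locked" if self.locked else "unlocked"

    def enable_security(self, security_key: bytes) -> None:
        salt = os.urandom(16)
        self._lock_check = (salt, hashlib.sha256(salt + security_key).digest())

    def _check(self, security_key: bytes) -> bool:
        salt, digest = self._lock_check
        return hmac.compare_digest(digest, hashlib.sha256(salt + security_key).digest())

    def power_cycle(self) -> None:
        """A security-enabled drive always comes up locked (7.4.4)."""
        self.locked = self.security_enabled

    def unlock(self, security_key: bytes) -> bool:
        if self.security_enabled and self._check(security_key):
            self.locked = False
        return not self.locked

    def read(self, lba: int) -> bytes:
        if self.locked:
            raise DriveLocked("lock key has not been supplied")
        return self._xor(lba, self._media[lba])

    def write(self, lba: int, data: bytes) -> None:
        if self.locked:
            raise DriveLocked("lock key has not been supplied")
        self._media[lba] = self._xor(lba, data.ljust(SECTOR_SIZE, b"\x00"))

    def change_security_key(self, old_key: bytes, new_key: bytes) -> None:
        """7.4.1: only the unlock credential changes; the DEK and the data are untouched."""
        if not self.security_enabled or self.locked or not self._check(old_key):
            raise DriveLocked("drive must be unlocked with the current security key")
        self.enable_security(new_key)

    def secure_erase(self) -> None:
        """7.4.3: discard the DEK, generate a new one, disable security."""
        if self.allocated:
            raise RuntimeError("secure erase is only allowed on drives not allocated to an array")
        self._dek = os.urandom(32)
        self._lock_check = None
        self.locked = False


def demo() -> dict:
    """Run the three scenarios and return what was observed."""
    drive = FdeDrive()
    drive.write(0, b"payroll-q1")
    k1, k2 = os.urandom(32), os.urandom(32)
    drive.enable_security(k1)
    drive.power_cycle()
    status_at_power_on = drive.status()             # locked until authenticated
    wrong_key_unlocks = drive.unlock(k2)            # wrong key: stays locked
    drive.unlock(k1)
    drive.change_security_key(k1, k2)               # re-key the credential only
    drive.power_cycle()
    drive.unlock(k2)                                # the new key opens it ...
    after_rekey = drive.read(0).rstrip(b"\x00")     # ... and the old data is intact
    drive.secure_erase()                            # new DEK: old ciphertext is now noise
    after_erase = drive.read(0).rstrip(b"\x00")
    return {"status_at_power_on": status_at_power_on, "wrong_key_unlocks": wrong_key_unlocks,
            "after_rekey": after_rekey, "after_erase": after_erase,
            "security_enabled_after_erase": drive.security_enabled}
```

The model also mirrors the page's precondition that secure erase is refused while the drive is allocated to an array, and that a key change is refused unless the drive is currently unlocked with the old key, which is the model's equivalent of "no outstanding Secure Disk communications".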

7.4.5 Hot-spare drive

If a disk drive fails in the DS5000 storage subsystem, the controller uses redundant data to reconstruct the data on the failed drive on a global hot-spare drive. The global hot-spare drive is automatically substituted for the failed drive without intervention. When the failed drive is eventually replaced, the data from the hot-spare drive is copied back to the replacement drive.

Hot-spare drives must meet the array hot-spare requirements. When secure-capable arrays are configured, the following drive types are required for hot-spare drives. If a drive fails, the DS5000 Storage Manager automatically selects the hot-spare drive to substitute according to the type of the failed drive:

• For an array that has secured FDE drives, the hot-spare drive must be an unsecured FDE drive of the same or greater capacity. After the unsecured FDE hot-spare drive is used as a spare for a failed drive in the secured RAID array, it is Security-Enabled.

WARNING: All data on the disk will be permanently and irrevocably erased when the secure erase operation is completed for a security-enabled FDE drive. Do not perform this action unless you are sure that you want to erase the data, because you cannot recover the data.

• For an array that has FDE drives that are not secured, the hot-spare drive can be either an unsecured FDE drive or a non-FDE drive.

• An unconfigured secured FDE drive cannot be used as a global hot-spare drive. If a global hot spare is a secured FDE drive, it can be used as a spare drive only in secured arrays.

If a global hot-spare drive is an unsecured FDE drive, it can be used as a spare drive in secured or unsecured arrays with FDE drives, or as a spare drive in arrays with non-FDE drives. You must secure erase a secured FDE drive to change it to the Unsecured state before it can be used as a global hot-spare drive. The following error message is generated if you assign an unconfigured secured FDE drive as a global hot spare:

Return code: Error 2 - The operation cannot complete because either (1) the current state of a component does not allow the operation to be completed, (2) the operation has been disabled in NVSRAM (example, you are modifying media scan parameters when that option (offset 0x31, bit 5) is disabled), or (3) there is a problem with the storage subsystem. Check your storage subsystem and its various components for possible problems and then retry the operation. Operation when error occurred: PROC_assignSpecificDrivesAsHotSpares.

When a global hot-spare drive is used as a spare for a failed drive in a secure array, the global hot-spare drive becomes a secure FDE drive and remains secure as long as it is a spare in the secure array. After the failed drive in the secure array is replaced and the data in the global hot-spare drive is copied back to the replaced drive, the global hot-spare drive is automatically reprovisioned by the controllers to become an unsecured FDE global hot-spare drive.

In a mixed disk environment that includes non-security-capable Serial Advanced Technology Attachment (SATA) drives, non-security-capable FC drives, and FDE FC drives (with security enabled or not enabled), configure at least one global hot-spare drive of each drive type (an FDE FC drive and a SATA drive), each at the largest capacity used in the arrays. If both a secure-capable FDE FC hot-spare drive and a SATA hot-spare drive are included, all arrays are protected. The hot-spare configuration guidelines are otherwise the same for FDE drives as for other drives.

7.4.6 Log files

The DS Storage Manager Major Event Log (MEL) includes messages that describe any security changes that are made in the storage subsystem.