DS5000 with Full Disk Encryption drives
7.2 Disk Security components
The Disk Security feature contains many new components. You manage these new components by using the Storage Manager (V10.6.x and higher).
7.2.1 DS5000 Disk Encryption Manager
The Disk Encryption Manager on the DS5000 system maintains and controls the key linkage and communications with FDE drives. It is included with the firmware (7.60) and Storage Manager (10.6) versions:
Provides all the management tools necessary to quickly and simply enable and secure FDE drives.
Establishes and manages a single authorization scheme for all the FDE drives in a DS5000 storage system:
– Places FDE drives in a secured state
– Defines secure arrays
– Supports the decommissioning or repurposing of drives with Instant Secure Erase
With this function, you can record the security key ID, passphrase, and the secure file location in a safe place.
With the FDE drive, the Disk Encryption Manager on the DS5000 generates and encrypts a security key in this manner:
Creates a unique security key ID, which is paired with the security key
Adds a randomly generated number
Saves the security key ID in a folder location to use for each security operation (that is, when a drive powers up)
Creates a backup of the security key and the security key identifier
Provides a secure backup in which the security key and the security key identifier are encrypted, utilizing a user-selected passphrase
7.2.2 Full Data Encryption disks
Disk Security enablement requires FDE disks. The available FDE disks for Disk Security are all Fibre Channel (FC) disks with a speed of 15,000 rpm:
Encryption Capable 4 GBps FC, 146.8 GB/15K
Encryption Capable 4 GBps FC, 300 GB/15K
Encryption Capable 4 GBps FC, 450 GB/15K
7.2.3 Premium feature license
DS5000 requires that the Drive Security premium feature is installed and enabled for Disk Security to function.
7.2.4 Keys
Two types of keys are used with Drive Security and FDE drives: the security key and the encryption key:
The encryption key is generated by the drive and never leaves the drive, so it always stays secure. It is stored in encrypted form, and it performs the symmetric encryption and decryption of data at full disk speed with no effect on disk performance. Each FDE drive uses its unique encryption key, which is generated when the disk is manufactured and regenerated when required by the storage administrator by using the DS5000 Disk Encryption Manager.
The lock key or security key is a 32-byte random number that authenticates the drive with the DS5000 Disk Encryption Manager using asymmetric encryption for authentication.
When the FDE drive is secure-enabled, it has to authenticate with the Disk Encryption Manager; otherwise, it remains locked and does not return any data. After the drive has been authenticated, access to the drive operates like any other disk drive. One security key is created for all FDE drives on the DS5000 storage system, where it is generated, encrypted, and hidden in the subsystem (non-volatile storage RAM (NVSRAM)). Authentication typically occurs only after the FDE drive has powered up, when it is in a locked state.
If the lock key is not initially established between the DS5000 Disk Encryption Manager and the disk, the disk is considered unlocked with unlimited access, as in any normal non-FDE drive.
7.2.5 Security key identifier
For additional protection, the security key that is used to unlock FDE drives is not visible to the user. The security key identifier is used to refer to a security key, instead. You can see the security key identifier during operations that involve the drive security key backup file, such as creating or changing the security key. The security key identifier is stored in a special area of the disk. It can always be read from the disk and can be written to the disk only if security has been enabled and the drive is unlocked.
The security key identifier field in the FDE Drive Properties window, as shown in Figure 7-3, includes a random number that is generated by the controller when you create or change the security key. One security key is created for all FDE drives on the storage subsystem.
Figure 7-3 shows that the drive is capable of being secured (FDE) and that security is enabled.
Figure 7-3 FDE drive properties showing the security ID and status
7.2.6 Passwords
To enable Disk Security, you must set the DS5000 administration passphrase or password.
Make the password a “strong” password (not easy to guess). The system checks the password. If the system does not consider the password to be strong enough when you log in or are prompted for the password, a message, as shown in Figure 7-6 on page 160, is displayed. The message includes suggestions to make the password stronger.
The security key and the security key identifier are encrypted using a separate password or passphrase when the key is created or changed (see 7.3.2, “Secure key creation” on page 160 and 7.4.1, “Changing the security key” on page 164). The array then returns a file that is called a “blob” or key backup. If the array needs that key later, you enter the blob and the passphrase at the graphical user interface (GUI), which sends it down to the array where the original key is decrypted.
The user-specified alphanumeric character string is not stored anywhere on the DS5000 or in the security key backup file.
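The key backup described above, modelled as an added example; it is not IBM's code and does not reproduce the DS5000 backup file format. Assumptions: the function names, the JSON layout, PBKDF2-HMAC-SHA256 with the iteration count shown, a one-time XOR pad as the stand-in cipher, and an identifier that is authenticated but left readable.

```python
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 200_000  # assumed PBKDF2 work factor, not a DS5000 value

def new_security_key(label: str) -> tuple[str, bytes]:
    """Pair a 32-byte random security key with an identifier that carries a random number."""
    return f"{label}-{secrets.token_hex(8)}", secrets.token_bytes(32)

def _derive(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the passphrase into a 32-byte wrapping pad and a 32-byte MAC key."""
    out = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, dklen=64)
    return out[:32], out[32:]

def _tag(mac_key: bytes, salt: bytes, key_id: str, wrapped: bytes) -> str:
    """Authenticate the salt, the identifier and the wrapped key together."""
    return hmac.new(mac_key, salt + key_id.encode() + wrapped, hashlib.sha256).hexdigest()

def create_backup(security_key: bytes, key_id: str, passphrase: str) -> str:
    """Return a key backup blob; the passphrase itself is never written into it."""
    if len(security_key) != 32:
        raise ValueError("security key must be 32 bytes")
    salt = secrets.token_bytes(16)  # fresh per backup, so the pad is never reused
    pad, mac_key = _derive(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(security_key, pad))
    return json.dumps({"key_id": key_id, "salt": salt.hex(), "wrapped": wrapped.hex(),
                       "tag": _tag(mac_key, salt, key_id, wrapped)})

def restore_backup(blob: str, passphrase: str) -> tuple[str, bytes]:
    """Check the blob against the passphrase, then unwrap the security key."""
    fields = json.loads(blob)
    salt, wrapped = bytes.fromhex(fields["salt"]), bytes.fromhex(fields["wrapped"])
    pad, mac_key = _derive(passphrase, salt)
    expected = _tag(mac_key, salt, fields["key_id"], wrapped)
    if not hmac.compare_digest(expected, fields["tag"]):
        raise ValueError("wrong passphrase or modified backup")
    return fields["key_id"], bytes(a ^ b for a, b in zip(wrapped, pad))

if __name__ == "__main__":
    key_id, key = new_security_key("constructed-array")  # constructed sample values
    blob = create_backup(key, key_id, "constructed passphrase 42!")
    print(blob)
    print(restore_backup(blob, "constructed passphrase 42!") == (key_id, key))
```

Because neither the blob nor the array keeps the passphrase, losing it makes the backup unrecoverable, which is why the passphrase, key identifier and file location are recorded in a safe place.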
Drive properties: The Security Capable and Secure fields in the Drive Properties window show whether the drive is secure-capable and whether it is in the Secure (Yes) or Unsecured (No) state.