Self Encrypting
Disk (SED) technology prevents unauthorized access to the data on
a physical disk that is physically removed from the storage array.
The storage array has a security key. Self encrypting disks provide
access to data only through an array that has the correct security
key.
The self encrypting disk or a security capable
physical disk encrypts data during writes and decrypts data during
reads.
You can create a secure disk group from
security capable physical disks. When you create a secure disk group
from security capable physical disks, the physical disks in that disk
group become security enabled. When a security capable physical disk
has been security enabled, the physical disk requires the correct
security key from a RAID controller module to read or write the data.
All the physical disks and RAID controller modules in a storage
array share a security key. The shared security key provides
read and write access to the physical disks, while the physical disk
encryption key on each physical disk is used to encrypt the data.
A security capable physical disk works like any other physical disk
until it is security enabled.
Whenever the power
is turned off and turned on again, all the security enabled physical
disks change to a security locked state. In this state, the data is
inaccessible until the correct security key is provided by a RAID
controller module.
You can view the self encrypting
disk status of any physical disk in the storage array from the Physical
Disk Properties dialog. The status information reports whether the
physical disk is:
- Security capable
- Secure—Security enabled or disabled
- Read/Write Accessible—Security locked or unlocked
You can view the self encrypting disk status
of any disk group in the storage array. The status information reports
whether the storage array is:
Table 1. Interpretation of security status of disk group

The following table shows how to interpret the security status of a disk group:

| Secure | Security Capable - Yes | Security Capable - No |
|---|---|---|
| Yes | The disk group is composed of all SED physical disks and is in a Secure state. | Not applicable. Only SED physical disks can be in a Secure state. |
| No | The disk group is composed of all SED physical disks and is in a Non-Secure state. | The disk group is not entirely composed of SED physical disks. |

The Physical Disk Security menu is displayed in the Storage Array menu.
The Physical Disk Security menu has the following options:
- Create Key
- Change Key
- Save Key
- Validate Key
- Import Key
- Unlock Drives
NOTE: If you have
not created a security key for the storage array, the Create
Key option is active. If you have created a security key
for the storage array, the Create Key option
is inactive with a check mark to the left. The Change Key option, the Save Key option, and the Validate Key option are now active.
The Secure Physical Disks option is displayed in the Disk Group menu.
The Secure Physical Disks option is active if these conditions
are true:
- The selected storage array is not security enabled
but consists entirely of security capable physical disks.
- The storage array contains no snapshot base virtual
disks or snapshot repository virtual disks.
- The disk group is in an Optimal state.
- A security key is set up for the storage array.
NOTE: The Secure Physical Disks option is inactive if these conditions
are not true.
The Secure Physical Disks option is inactive with a check mark to the left
if the disk group is already security enabled.
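
The check below is an added example, not part of the original documentation or any vendor tool. It applies Table 1 and the Secure Physical Disks conditions to an inventory and reports, for each disk group that is not yet Secure, what prevents it from being secured. The DiskGroup record, the field names, the "Degraded" state and the inventory are constructed for illustration, and the first condition is assumed to be evaluated per disk group.

```python
from dataclasses import dataclass

@dataclass
class DiskGroup:               # hypothetical record, not a vendor data format
    name: str
    sed_flags: list            # one bool per member disk: security capable?
    security_enabled: bool = False
    state: str = "Optimal"

def table1_status(group):
    """Interpret a disk group's security status as in Table 1."""
    all_sed = all(group.sed_flags)
    if group.security_enabled:
        if not all_sed:
            raise ValueError(f"{group.name}: only SED physical disks can be in a Secure state")
        return "Secure"
    return "Non-Secure (all SED)" if all_sed else "Not entirely SED"

def blockers(group, key_created, snapshots_present):
    """Reasons the Secure Physical Disks option would be inactive for this group."""
    reasons = []
    if group.security_enabled:
        reasons.append("already security enabled")
    if not all(group.sed_flags):
        reasons.append("not all physical disks are security capable")
    if snapshots_present:
        reasons.append("snapshot base or repository virtual disks exist")
    if group.state != "Optimal":
        reasons.append(f"disk group state is {group.state}, not Optimal")
    if not key_created:
        reasons.append("no security key set up for the storage array")
    return reasons

def audit(groups, key_created, snapshots_present):
    """Map each non-secure group to its blockers; an empty list means it can be secured now."""
    return {g.name: blockers(g, key_created, snapshots_present)
            for g in groups if table1_status(g) != "Secure"}

# Constructed inventory, not taken from a real storage array.
INVENTORY = [
    DiskGroup("dg-finance", [True, True, True], security_enabled=True),
    DiskGroup("dg-backup", [True, True, True]),
    DiskGroup("dg-archive", [True, False, True]),
    DiskGroup("dg-rebuild", [True, True], state="Degraded"),
]

if __name__ == "__main__":
    for name, reasons in audit(INVENTORY, key_created=True, snapshots_present=False).items():
        print(name, "->", "; ".join(reasons) or "can be secured now")
```

A group that reports no blockers holds data on SED physical disks that are not security enabled, so a disk removed from it is still readable outside the array.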
The Create a secure disk group option is displayed in the
Create Disk Group Wizard–Disk Group Name and
Physical Disk Selection dialog. The Create a secure disk group
option is active only when these conditions are met:
- A security key is installed in the storage array.
- At least one security capable physical disk is installed
in the storage array.
- All the physical disks that you selected on the Hardware tab are security capable physical disks.
You can erase security enabled physical disks
so that you can reuse the physical disks in another disk group or
in another storage array. When you erase security enabled physical
disks, ensure that the data cannot be read. When all the physical
disks that you have selected in the Physical Disk type pane are security
enabled, and none of the selected physical disks is part of a disk
group, the Secure Erase option is displayed
in the Hardware menu.
The storage array password protects a storage array from potentially destructive
operations by unauthorized users. The storage array password is independent
of self encrypting disks, and should not be confused with the pass
phrase that is used to protect copies of a security key. However,
it is good practice to set a storage array password.