Security Key and RAID Management for Dell PowerEdge H710, H710P, and H810 RAID Controllers



This article provides information on security key and RAID management for Dell PowerEdge H710, H710P, and H810 RAID controllers.

Table of Contents:

  1. Security Key Implementation
  2. Security Key Management In The BIOS Configuration Utility
  3. Creating a Security Key
  4. Changing a Security Key
  5. Deleting a Security Key
  6. Creating Secured Virtual Disks
  7. Securing Pre-Existing Virtual Disks
  8. Importing or Clearing Secured Foreign Configurations and Secure Disk Migrations
  9. Instant Secure Erase
  10. Troubleshooting Security Key Errors

1. Security key implementation

The Dell PowerEdge RAID Controller (PERC) H710, H710P, and H810 cards support Self-Encrypting Disks (SED) for protection of data against loss or theft of SEDs. Protection is achieved by the use of encryption technology on the drives. There is one security key per controller. You can manage the security key under Local Key Management (LKM). The key can be escrowed into a file using Dell OpenManage. The security key is used by the controller to lock and unlock access to encryption-capable physical disks. In order to take advantage of this feature, you must:

  1. Have SEDs in your system.
  2. Create a security key (LKM).

2. Security key management in The BIOS configuration utility

The Dell OpenManage storage management application and the BIOS Configuration Utility (<Ctrl> <R>) of the controller allow you to create and manage security keys as well as create secured virtual disks. The following section describes the menu options specific to security key management and provides detailed instructions to perform the configuration tasks. The contents of the following section apply to the BIOS Configuration Utility (<Ctrl> <R>). For more information on the management applications, see the topic Management Applications For PERC Cards.

The Virtual Disk Management screen, VD Mgmt, is the first screen that is displayed when you access a RAID controller from the main menu screen on the BIOS Configuration Utility (<Ctrl> <R>). The following are security related actions you can perform through the virtual disk management menu:

  • Security Key Management—Creates, changes, or deletes the security settings on a controller.
  • Secure Disk Group—Secures all Virtual Disks in Disk Group.

The Physical Disk Management screen, PD Mgmt, displays physical disk information and action menus. The following are security-related actions you can perform through the physical disk management menu:

  • Instant Secure Erase—Permanently erases all data on an encryption-capable physical disk and resets the security attributes.

For more information on the Physical Disk Management screen and Virtual Disk Management screen, see the topics Physical Disk Management (PD Mgmt) and Virtual Disk Management respectively.

Local Key Management (LKM):

  • You can use LKM to generate the key ID and the passphrase required to secure the virtual disk. You can secure virtual disks, change security keys and manage secured foreign configurations using this security mode.

Note: Under LKM, you are prompted for a passphrase when you create the key.

3. Creating a security key

The Dell™ PowerEdge™ RAID Controller (PERC) H710, H710P, and H810 cards support encryption of data at the drives when using Dell-qualified Self-Encrypting Disks (SEDs). This feature protects data at rest in the event of theft or loss of drives. There is one security key per controller, which resides in the controller memory and can be managed by the user (on-controller key management). The security key is used by the controller to lock and unlock access to encryption-capable physical disks. In order to take advantage of this feature, you need to create a security key on your PERC H710, PERC H710P, or PERC H810 card and have Dell-qualified SEDs in your system.

Note: There is no passphrase backup option when you create a security key; you need to remember your passphrase. You will lose access to data if the security key is forgotten.
Note: Creating a security key on the controller does not encrypt the data on any VD. VDs need to be individually secured in order to protect the data.

To create a security key in the BIOS Configuration Utility:

  1. During the host system boot up, press <Ctrl><R> when the BIOS screen displays. The Virtual Disk Management screen displays. If there is more than one controller, the main menu screen displays. Select a controller, and press <Enter>. The Virtual Disk Management screen displays for the selected controller.
  2. Use the arrow keys to highlight Security Key Management.
  3. Press <F2> to display the actions you can perform.
  4. Select Create Key and press <Enter>.
  5. The Create Security Key screen displays. The cursor is at the Security Key Identifier.
  6. Enter an identifier for your security key.
  7. Press <Tab> to enter a passphrase.
  8. Press <Tab> and select OK to accept the settings and to exit the window. Select Cancel to exit if you do not want to enable security on the controller.

4. Changing a security key

To change the security key, you must have a previously established security key present on the controller and provide the current passphrase at the time of change.

Note: If there is an existing configuration on the controller, it is updated with the new security key. If you had previously removed any secured disks, you still need to supply the old passphrase to import them.

To change a security key in the BIOS Configuration Utility:

  1. During host system boot up, press <Ctrl><R> when the BIOS screen displays. The Virtual Disk Management screen displays. If there is more than one controller, the main menu screen displays.
  2. Select a controller, and press <Enter>. The Virtual Disk Management screen displays for the selected controller.
  3. Use the arrow keys to highlight Security Key Management.
  4. Press <F2> to display the actions you can perform.
  5. Select Change Key and press <Enter>.
  6. The Change Security Key screen displays. The cursor is at the Security Key Identifier. Enter an identifier for your Security Key.
  7. Press <Tab> to enter a new passphrase.
  8. Press <Tab> and select OK to accept the settings and to exit the window. Select Cancel to exit if you do not want to change the security key on the controller.

5. Deleting a security key

Note: If you delete the Security Key, you will not be able to create secured virtual disks and all secured un-configured self-encrypting drives will be erased. However, deleting a Security Key will not affect security or data in foreign disks.

To delete a security key in the BIOS Configuration Utility:

  1. During host system boot up, press <Ctrl><R> when the BIOS screen displays. The Virtual Disk Management screen displays.
    If there is more than one controller, the main menu screen displays.
  2. Select a controller, and press <Enter>. The Virtual Disk Management screen displays for the selected controller.
  3. Use the arrow keys to highlight Security Key Management.
  4. Press <F2> to display the actions you can perform.
  5. Select Delete Key and press <Enter>.

6. Creating secured virtual disks

A secured virtual disk is a virtual disk that has been locked on a controller that holds a security key. In order to create a secured virtual disk, the controller must have a security key present and the user must select the option to secure the virtual disk during VD creation or after the VD has been created. Members of a secured virtual disk must be SED drives only.

To create a secured virtual disk, the controller must have a security key established first. See the topic Creating A Security Key.

Note: Combining SAS and SATA hard drives within a virtual disk is not supported. Also, combining hard drives and solid state drives (SSDs) within a virtual disk is not supported.

After the security key is established, perform the steps outlined in the topic Creating Virtual Disks to create a virtual disk.

To secure the virtual disk, navigate to the Secure VD option at the bottom left area of the Create New VD screen.

Note: All virtual disks added to a secured Disk Group are secured.

7. Securing pre-existing virtual disks

To secure a pre-existing virtual disk in the BIOS Configuration Utility:

  1. During the host system boot up, press <Ctrl><R> when the BIOS screen displays. The Virtual Disk Management screen displays. If there is more than one controller, the main menu screen displays. Select a controller, and press <Enter>. The Virtual Disk Management screen displays for the selected controller.
  2. Use the arrow keys to highlight the Disk Group number.
  3. Press <F2> to display a menu of the available actions.
  4. Highlight the Secure Disk Group option and press <Enter>.

Note: If you select to secure a Disk Group, all VDs that are part of the Disk Group are secured.

8. Importing or clearing secured foreign configurations and secure disk migrations

Secured virtual disks created on a PERC H700/H800 or H710/H710P/H810 card can be migrated to another PERC H710, H710P, or H810 card. A virtual disk secured with a security key different from the current controller security key cannot be imported without authentication of the original passphrase used to secure them. When importing secured virtual disk(s) created with a different security key, the secured foreign configuration(s) do not show in the Foreign Configuration View screen. Follow the steps below to import or clear a foreign secured virtual disk.

Note: If you are importing secured and unsecured virtual disks, you are prompted to resolve the secured foreign configuration first.
Note: The PERC H710, H710P, or H810 card needs to have a security key present before being able to import a secured virtual disk.
Note: Any unsecured virtual disks imported are still unsecured.
Note: If you are importing a virtual disk originally secured with a local key (LKM), you are prompted for the passphrase used to secure that virtual disk.
Note: A secured VD cannot be imported using the PERC H310 card.


Perform the following steps when importing a foreign secured virtual disk:

Note: To Clear, you need to Instant Secure Erase foreign configurations secured with a different security key.
Note: The key identifier for the passphrase used to secure the foreign secured virtual disks is displayed under the Secured Drives option.
  1. During the host system bootup, press <Ctrl> <R> when the BIOS screen is displayed.
    The Virtual Disk Management screen is displayed.
    If there is more than one controller, the main menu screen is displayed.
  2. Select a controller, and press <Enter>.
    The Virtual Disk Management screen is displayed for the selected controller.
  3. Press <F2> to display a menu of available actions.
  4. Select Import to import the foreign configuration or Clear to delete the foreign configuration. Press <Enter>.
    If you select to Import the configuration, the Secure Foreign Import screen is displayed.
  5. Enter the passphrase that was used to secure the foreign configuration.
  6. Press <Tab> and select OK to finish importing the secured foreign configuration or select Cancel to exit this menu.
    If you select Cancel for the secured foreign import, the disks remain inaccessible until imported or instant secure erased. See the topic Instant Secure Erase.

9. Instant secure erase

Instant Secure Erase is the process of permanently erasing all data on an encryption-capable physical disk and
resetting the security attributes. You need to execute Instant Secure Erase on SEDs that are inaccessible (blocked) due
to a lost or forgotten passphrase.

Note: By executing Instant Secure Erase, the data on your encryption-capable physical disk is lost.

To execute Instant Secure Erase:

  1. Press <Ctrl> <N> to access the PD Mgmt screen.
    A list of physical disks is displayed. On the right menu, the physical disk properties are displayed including
    information about whether the physical disk is secured or not.
  2. Press the down-arrow key to highlight a physical disk that is secured.
  3. Press <F2> to display a menu of available actions.
  4. The Secure Erase option is highlighted at the bottom of the menu.
  5. Press <Enter> to Secure Erase the physical disk and select YES.

10. Troubleshooting security key errors

Secured Foreign Import Errors

A foreign configuration is a RAID configuration that already exists on a replacement physical disk that you install in a system. A secured foreign configuration is a RAID configuration that was created under a different security key.

There are two scenarios in which a secured foreign import fails:

  • The passphrase authentication fails—A VD secured with a security key different from the current controller security key cannot be imported without authentication of the original passphrase used to secure it. Supply the correct passphrase to import the secured foreign configuration. If you have lost or forgotten the passphrase, the secured foreign disks remain locked (inaccessible) until the appropriate passphrase is entered or they are instant secure erased.
  • The secured VD is in an offline state after supplying the correct passphrase—You must check to determine why the virtual disk failed and correct the problem. See the topic Troubleshooting.

Failure to Select Or Configure Non Self-Encrypting Disks (Non-SED)

A virtual disk can be either secured or unsecured depending on how it was configured when created. In order to create a secured virtual disk, the controller must have a security key present and the virtual disk must be composed of SEDs only. In order to select or configure non-SEDs, you must create an unsecured virtual disk. You can create an unsecured virtual disk even if there is a security key present. Select the Secure VD option as No in the Create New VD menu. See the topic Creating Virtual Disks for steps on how to create an unsecured virtual disk.

Failure To Delete Security Key

A security key is used to lock or unlock access to a security-enabled component. This key is not utilized in the actual encryption of data. If a security key is present, both secured and unsecured virtual disks may exist.

To delete the security key, you must have a previously established security key present on the controller and there cannot be any configured secured disks. If there are configured secured disks, remove or delete them.

Failure To Instant Secure Erase Task On Physical Disks

Instant Secure Erase is the process of securely erasing all data permanently on an encryption-capable physical disk and resetting the security attributes. It is used in a couple of scenarios such as deleting a foreign configuration in the event of a forgotten or lost passphrase or unlocking a disk that had been previously locked.

Instant Secure Erase can be executed only on encryption-capable disks as long as the disks are not hot spares and are not configured (part of a virtual disk). Ensure that the conditions are met and see the topic Instant Secure Erase.
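
The preconditions in this troubleshooting section, together with the note under Deleting a Security Key, can be checked against a disk inventory before any change is made on the controller. The Python model below is an added example, not Dell code and not part of the original article; the Disk fields, function names, and sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Disk:
    slot: str
    sed: bool                  # encryption-capable (self-encrypting) disk
    secured: bool = False      # currently locked with a security key
    configured: bool = False   # member of a virtual disk on this controller
    hot_spare: bool = False
    foreign: bool = False      # carries a configuration from another controller

def blockers_create_secured_vd(has_key, members):
    """Reasons a secured VD cannot be created from these member disks."""
    reasons = [] if has_key else ["controller has no security key"]
    reasons += [f"{d.slot}: not an SED" for d in members if not d.sed]
    return reasons

def blockers_delete_key(has_key, disks):
    """Reasons the controller security key cannot be deleted."""
    if not has_key:
        return ["controller has no security key"]
    return [f"{d.slot}: configured secured disk" for d in disks
            if d.secured and d.configured and not d.foreign]

def erased_by_key_delete(disks):
    """Slots that lose data when the key is deleted: secured, unconfigured SEDs.
    Foreign disks are excluded because the article says they are not affected."""
    return [d.slot for d in disks
            if d.sed and d.secured and not d.configured and not d.foreign]

def blockers_instant_secure_erase(disk):
    """Reasons Instant Secure Erase is refused for one physical disk."""
    reasons = []
    if not disk.sed:
        reasons.append("not encryption-capable")
    if disk.hot_spare:
        reasons.append("is a hot spare")
    if disk.configured:
        reasons.append("part of a virtual disk")
    return reasons

# Constructed inventory for illustration (slot names are made up).
INVENTORY = [
    Disk("0:0", sed=True, secured=True, configured=True),
    Disk("0:1", sed=True, secured=True, configured=True),
    Disk("0:2", sed=True, secured=True),                 # secured, unconfigured
    Disk("0:3", sed=False, configured=True),             # non-SED in unsecured VD
    Disk("0:4", sed=True, secured=True, foreign=True),   # locked foreign disk
    Disk("0:5", sed=True, hot_spare=True),
]
```

Running erased_by_key_delete before a key deletion lists the drives whose data would be destroyed as a side effect, which the BIOS utility steps themselves do not enumerate.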


Article ID: SLN164101

Last Date Modified: 06/20/2019 06:39 AM