Data Domain: How to Reset lost system passphrase in DDOS v7.2 or later

The DD may have a system passphrase configured, which is used for a few important things, namely :

• When using "filesys lock" command, so only after providing the passphrase "filesys unlock" will work

• To store security-sensitive information in the DD registry (which is text based and accessible through ASUPs), such as cloud profile access credentials

• To protect access to the DD GUI externally security certificate private key, if applicable

Although the system passphrase may be set in situations in which neither one of the three situations above apply, loss of the system passphrase can prevent access to both the active and cloud unit storage partitions in the DD. If in the middle of a headswap, lacking the passphrase will cause the process to fail.

For DDOS 7.1 and earlier releases there is no established process to recover from the loss of the system passphrase. If running DDOS 7.1 or earlier, contact your contracted support provider for assistance.

For DDOS 7.2 a built-in, secure mechanism to forcible change the system passphrase was implemented. Note this does not imply the passphrase is less secure than it was before, because completing the passphrase set will require :

• Two-factor authentication (for sysadmin and security officer)

• The participation of DELL Support, who will ascertain the request comes from a legitimate customer representative

• The provision by Support of a one-use, digitally-signed security key based on the DD serial number and timestamp , without which the process can't be performed

To use the command to force set the passphrase the following pre-requirements must be met :

• Downtime (usually not longer than 30 minutes) will be necessary, as the command to set the passphrase must be run with the FS disabled

• Access to the CLI as "sysadmin", and change to System Engineer (SE) privilege level, to run the necessary command
  That the DD is currently running DDOS 7.2 or later, as the command is not present in any earlier releases

• The file system exists and is in unlocked state, and can be disabled gracefully before running the command

• The system should have had a passphrase set in the past (the process does not apply to the case a passphrase was never set before)

• The system passphrase must be stored on disk (which is the default). To make sure this is the case, run the following command :

# system passphrase option set store-on-disk YES

• A security officer has been configured, and security officer authorization is enabled

• In the case of being in the middle of a headswap which failed due to lost passphrase, the old head needs to be the one attached before running the command to reset the passphrase

• Support has to make sure the request to force set the passphrase is a legitimate one coming from a valid customer representative

• Support has to be able to provide the customer with the key to validate the request, and the customer able to paste that key (which is several lines long) in the CLI session being run

• Neither one of the disks in the system can be in foreign state. Also, all volumes must be in functional state (following the process to set the passphrase when one or more disks are not good will result in data loss)

• If there are cloud units and encryption is enabled, cloud volume must be confirmed to be "inuse", else there could be a mixup of active / cloud encryption keys

Details on the process and more specifics on some of the requisites listed above are available for DELL Support Engineers only.