- Notes, cautions, and warnings
- Overview
- Built in iDRAC and PowerEdge Security
- Securely Configuring iDRAC Web Server
- Securely Using TLS/SSL Certificate
- Federal Information Processing Standards (FIPS)
- Secure Shell (SSH)
- Network Security Configuration
- Interfaces and Protocols to Access iDRAC
- iDRAC Port Configuration
- IPMI and SNMP Security Best Practices
- Secure Enterprise Key Manager (SEKM) Security
- iDRAC9 Group Manager
- Virtual Console and Virtual Media Security
- VNC Security
- User Configuration and Access Control
- Configuring Local Users
- Disabling Access to Modify iDRAC Configuration Settings on Host System
- iDRAC User Roles and Privileges
- Superroot User
- Recommended Characters in Usernames and Passwords
- Password Strength Policy
- Secure Default Password
- Changing the Default Login Password using Web Interface
- Force Change of Password (FCP)
- Simple 2-Factor Authentication (Simple 2FA)
- RSA SecurID Two Factor Authentication (2FA) iDRAC9 Datacenter
- Active Directory
- LDAP
- Customizable Security Banner
- System Lockdown Mode
- Securely Configuring BIOS System Security
- Secure Boot Configuration
- Securely Erasing Data
- LCD Panel
- Server Inventory, Lifecycle Log, Server Profiles, and Licenses Import and Export
- Security Events Lifecycle Log
- Default Configuration Values
- Network Vulnerability Scanning
- Security Licensing
- Field Service Debug (FSD)
- Best Practices
- Appendix - White papers
iDRAC9 Security Configuration Guide
Securely Erasing Data
Data security is a key consideration throughout the lifecycle of a server, including when the server is repurposed or retired. Many servers are repurposed as they are transitioned from workload to workload, or as they change ownership from one organization to another. All servers are retired when they reach the end of their useful life. When such transitions occur, the best practice for data protection is to remove all data from the server to ensure that sensitive information is not inadvertently shared. Beyond best practices, often government regulations about privacy rights also necessitate complete data elimination when IT resources are transitioned.
System Erase simplifies the process of erasing server storage devices and server nonvolatile stores such as caches and logs. To meet varying Systems Administrator needs for interactive and programmable operations, System Erase can be performed by the following methods: Lifecycle Controller GUI, WS-Man API, and RACADM CLI.
Using one of these three methods, an administrator can selectively reset a PowerEdge server to its original state (factory settings), removing data from internal server non-volatile stores and from storage devices within the server. System Erase can discover server-attached storage including hard disk drives (HDDs), self-encrypting drives (SEDs), Instant Secure Erase (ISE), and nonvolatile memory drives (NVMe’s). Data stored on ISE, SED, and NVMe devices can be made inaccessible using cryptographic erase while devices such as non-ISE SATA HDDs can be erased using data overwrite.
NVMe Sanitize Cryptographic Erase functionality is much faster and more efficient way than other methodologies. This feature destroys the key and creates a new media encryption key. Data blocks are overwritten with zeros and rendered irretrievable. Data erases other user sensitive data such as debug logs and Personal Identifying Information (PII).
For information about the System Erase function within the Lifecycle Controller GUI, see the Lifecycle Controller User's Guide available at www.dell.com/idracmanuals.
| Drive Type | Connected to | Erase Method used | Notes |
|---|---|---|---|
|
SAS/SATA SED |
PERC |
TCG Enterprise Extension (Dell Drive specification) RevertSP |
Cryptographically erases all user data and returns drive to factory secure state. PERC issues the command to the drives. |
|
SAS SED/SAS ISE SATA SED/ SATA ISE |
PERC/HBA/SW RAID/AHCI PERC/BOSS/HBA/SW RAID/AHCI |
SCSI SANITIZE command(048h) with Service Action=Cryptographic erase (03h) ATA Sanitize Device command(0B4h) with Feature=Crypto Scramble Ext(011h) |
PERC/SW RAID issues the command to the drive. For AHCI and HBA, LC issues the command using BIOS. SED and ISE drives behave identical since they are NOT secured behind these controllers. PERC/BOSS/SW RAID issues the command to the drive. For AHCI and HBA, LC issues the command using BIOS. |
|
SAS/SATA HDD |
PERC/HBA/SW RAID/AHCI |
SCSI Write Buffer(3Bh)/ATA Write Buffer |
Dell only ship ISE/SED drives, this method is no longer in use. |
|
NVMe |
PERC/non-PERC |
|
BIOS and PERC issue these commands to the drives. Sanitize is a new command and so is supported by newer drives – older drives support the Format NVM. BIOS/PERC checks if the drive supports Sanitize and use it – if not use the Format NVM command. |
|
NVMe SED |
PERC/BOSS/non-PERC |
TCG Opal Revert |
Cryptographically erases all user data and returns drive to factory secure state. PERC/BOSS issues the command to the drives. For direct attach iDRAC issues the command. BOSS and iDRAC support for NVMe SED is not supported. |
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please provide ratings (1-5 stars).
Please select whether the article was helpful or not.
Comments cannot contain these special characters: <>()\