and rebuild begins. The DEK from the removed drive will be removed immediately from
the keystore. A keystore modified status will be set by the Key Manager at this point
and will trigger an alert to back up the keystore because DEK modifications were made
to the keystore.
If the removed disk drive is reinserted anywhere in the system before the five minute
period has expired, a rebuild will not be required and modifications will not be made to
the keystore. The DEK will remain the same because the key is associated with the
disk drive, not the slot. Also, a keystore modified status alert will not be generated.
If sanitizing or destruction of the removed drive is required, it should be done
independently.
Adding a disk drive to a storage system with encryption activated
Inserting one or more new disks into the system does not trigger generation of a new
DEK for each disk. This operation will not occur for a new disk until the disk is
provisioned into a pool. A keystore modified status will be set by the Key Manager at
this point and will trigger an alert to back up the keystore because DEK modifications
were made to the keystore.
When you add a new disk drive to a storage system, the drive is considered unbound.
Disk drives that are not bound are overwritten with default data to remove pre-
existing data. Only the addressable space of the drive is overwritten. Any residual
plaintext data that may be hidden in obscured locations within the drive will not be
overwritten.
If the potential access to data remnants from the previous use of a drive violates your
security policy, you must independently sanitize the drive before it is inserted in the
storage system with encryption activated.
Removing a disk drive from a storage system with encryption enabled
When a system is already configured with DEKs for all the drives in the system that
are in provisioned pools, those drives are considered bound drives. If a bound drive is
removed and after a period of five minutes is not replaced, the DEK for the drive will
not be removed from the keystore. The key will remain valid until the provisioned pool
is deleted, or until a new drive is swapped in. If the removed disk drive is reinserted
anywhere in the system before the five minute period has expired, a rebuild will not be
required, as in the case of a replacement drive, and modifications will not be made to
the keystore. The DEK will remain the same because the key is associated with the
disk drive, not the slot. Also, a keystore modified status alert will not be generated.
If sanitizing or destruction of the removed drive is required, it should be done
independently.
Replacing a chassis and SPs from a storage system with encryption enabled
The generated keystore has a relationship to the hardware in the storage system. A
service engagement is required to replace a chassis and SPs from a storage system
with encryption enabled.
Data Security Settings
Adding a disk drive to a storage system with encryption activated 55
To Next Page
Loading...
Need help?
General
