Chapter 15. Disk Security with Full Disk Encryption drives  453
Draft Document for Review March 28, 2011 12:24 pm 7914FDE.fm
With this function you can record the security key ID, the pass phrase, and the secure file 
location in a safe place.
► Using the FDE drive, it generates and encrypts a security key:
– Creates a unique security key ID that is paired with the security key.
– Adds a randomly generated number.
– The security key ID is saved. This folder location will be needed whenever a security 
operation requires the key ID (for example, when a drive powers up).
– Creates a backup of the security key and the security key identifier. 
– A secure backup is provided in which the security key and the security key identifier are 
encrypted utilizing a user-selected pass phrase. 
15.2.2  Full Data Encryption (FDE) disks
FDE drives are required to enable Disk Security. You must use Serial Attached SCSI (SAS) 
disks with a speed of up to 15,000 rpm. These disks include:
► ST9146852SS 6Gb/s SAS 2.0 2.5-inch 147GB 15k
► ST9300503SS 6Gb/s SAS 2.0 2.5-inch 300GB 10k
► ST3300657SS 6Gb/s SAS 2.0 3.5-inch 300GB 15k
► ST3600957SS 6Gb/s SAS 2.0 3.5-inch 600GB 15k
15.2.3  Premium feature license
The DS3500 requires that the Full Disk Encryption premium feature be installed and enabled 
for Disk Security to function. See 3.4, "Planning for premium features" on page 70 for details 
about this topic.
15.2.4  Keys
There are two types of keys that are used with Drive Security and FDE drives:
► The encryption key is generated by the drive and never leaves the drive, so it always stays 
secure. It is stored in encrypted form and performs symmetric encryption and decryption 
of data at full disk speed with no impact on disk performance. Each FDE drive uses its own 
unique encryption key that is generated when the disk is manufactured and regenerated 
when required by the storage administrator using the DS3500 Disk Encryption Manager.
► The lock key or security key is a 32-byte random number that authenticates the drive with 
the DS3500 Disk Encryption Manager using asymmetric encryption for authentication. 
When the FDE drive is secure "enabled", it must authenticate with the Disk Encryption 
Manager; otherwise it returns no data and remains locked. After the drive has been 
authenticated, access to the drive operates like any other disk drive. One security key is 
created for all FDE drives on the DS3500 storage subsystem, where it is generated, 
encrypted, and hidden in the subsystem (NVSRAM). Authentication typically occurs 
only after the FDE drive has powered up, when it is in a "locked" state.
If the lock key is not initially established between the DS3500 Disk Encryption Manager 
and the disk, then the disk is considered unlocked with access unlimited, as per a 
non-FDE drive.
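The division of labor between the two keys can be modeled in a short Python sketch. This is an added example, not IBM or drive-vendor code: the class ModelFDEDrive, its method names, the SHA-256 keystream, and the stored-digest comparison are assumptions standing in for the drive's hardware cipher and for the drive-to-controller authentication, whose details are not given here.

```python
import hashlib, hmac, secrets

def _xor_stream(key: bytes, lba: int, data: bytes) -> bytes:
    """Toy cipher standing in for the drive's hardware symmetric encryption."""
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hashlib.sha256(key + lba.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class ModelFDEDrive:
    """Hypothetical model of one FDE drive; not a DS3500 or drive firmware API."""
    def __init__(self):
        self._enc_key = secrets.token_bytes(32)  # encryption key: created in the drive, no getter
        self._lock_digest = None                 # no lock key established: unlimited access
        self._locked = False
        self._media = {}                         # LBA -> ciphertext as stored on the media

    def secure(self, security_key: bytes) -> None:
        if len(security_key) != 32:
            raise ValueError("security key must be a 32-byte value")
        self._lock_digest = hashlib.sha256(security_key).digest()

    def power_cycle(self) -> None:
        # A security-enabled drive powers up locked; an unsecured one stays open.
        self._locked = self._lock_digest is not None

    def unlock(self, security_key: bytes) -> bool:
        if self._lock_digest is None:
            return True
        ok = hmac.compare_digest(hashlib.sha256(security_key).digest(), self._lock_digest)
        if ok:
            self._locked = False
        return ok

    def write(self, lba: int, data: bytes) -> None:
        if self._locked:
            raise PermissionError("drive is locked")
        self._media[lba] = _xor_stream(self._enc_key, lba, data)

    def read(self, lba: int) -> bytes:
        if self._locked:
            raise PermissionError("drive is locked")
        return _xor_stream(self._enc_key, lba, self._media[lba])

    def regenerate_encryption_key(self) -> None:
        # Data written under the old key no longer decrypts after this.
        self._enc_key = secrets.token_bytes(32)
```

The lock key only gates access after power-up; it never encrypts user data, which is why the model keeps it separate from the per-drive encryption key.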