IBM Midrange System DS4000 Series User Manual

IBM Midrange System DS4000 Series
566 pages
Chapter 5. Disk Security with Full Disk Encryption drives
With this function you can record the security key ID, pass phrase, and the secure file
location in a safe place.
- Using the FDE drive, it generates and encrypts a security key:
  - Creates a unique security key ID that is paired with the security key.
  - Adds a randomly generated number.
  - The security key ID is saved. This folder location will be needed whenever a security
    operation requires the key ID (for example, when a drive powers up).
  - Creates a backup of the security key and the security key identifier.
  - A secure backup is provided in which the security key and the security key identifier are
    encrypted utilizing a user-selected pass phrase.
5.2.2 Full Data Encryption (FDE) disks
FDE drives are required to enable Disk Security. Currently, you must use Fibre Channel (FC)
disks with a speed of 15,000 rpm. These disks include:
- Encryption Capable 4 GBps FC, 146.8 GB/15K: 41Y8461 146 GB ST3146356FC 9CG004-039
- Encryption Capable 4 GBps FC, 300 GB/15K: 41Y8462 300 GB ST3300056FC 9CK004-039
- Encryption Capable 4 GBps FC, 450 GB/15K: 41Y8463 450 GB ST3450056FC 9CN004-039
5.2.3 Premium feature license
The DS5000 requires that the Drive Security premium feature be installed and enabled for
Disk Security to function. See 4.2, “Planning for premium features” on page 124 for details
about this topic.
5.2.4 Keys
There are two types of keys that are used with Drive Security and FDE drives:
- The encryption key is generated by the drive and never leaves the drive, so it always stays
  secure. It is stored in encrypted form and performs symmetric encryption and decryption
  of data at full disk speed with no impact on disk performance. Each FDE drive uses its own
  unique encryption key that is generated when the disk is manufactured and regenerated
  when required by the storage administrator using the DS5000 Disk Encryption Manager.
- The lock key or security key is a 32-byte random number that authenticates the drive with
  the DS5000 Disk Encryption Manager using asymmetric encryption for authentication.
  When the FDE drive is secure “enabled”, it has to authenticate with the Disk Encryption
  Manager or it will not return any data and remains locked. After the drive has been
  authenticated, access to the drive operates like any other disk drive. One security key is
  created for all FDE drives on the DS5000 storage subsystem, where it is generated,
  encrypted, and hidden in the subsystem (NVSRAM). Authentication typically occurs only
  after the FDE drive has powered up, when it is in a “locked” state.
  If the lock key is not initially established between the DS5000 Disk Encryption Manager
  and the disk, then the disk is considered unlocked with unlimited access, like a
  non-FDE drive.
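
The following added example, which is not from the manual or from IBM's firmware, models in Python the lock behaviour described in 5.2.4: a drive with no security key behaves like a non-FDE drive, a security-enabled drive powers up locked and returns no data until it is given the correct 32-byte key, and regenerating the encryption key leaves previously written data unreadable. The class FdeDrive, its method names, the SHA-256 digest check standing in for the drive's authentication, and the SHAKE-256 keystream standing in for the drive's symmetric cipher are all assumptions.

```python
import hashlib
import hmac
import secrets


class FdeDrive:
    """Model of the lock states in 5.2.4 (illustrative, not IBM code)."""

    def __init__(self):
        self._dek = secrets.token_bytes(32)  # encryption key: never leaves the drive
        self._lock_digest = None             # set once a security key is established
        self._locked = False
        self._media = {}                     # LBA -> ciphertext

    def _xor(self, lba, data):
        # Assumption: SHAKE-256 keystream stands in for the drive's symmetric cipher.
        ks = hashlib.shake_256(self._dek + lba.to_bytes(8, "big")).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, ks))

    def _require_unlocked(self):
        if self._locked:
            raise PermissionError("drive is locked")

    def secure_enable(self, security_key):
        if len(security_key) != 32:
            raise ValueError("security key must be 32 bytes")
        # Assumption: a stored digest stands in for the real authentication exchange.
        self._lock_digest = hashlib.sha256(security_key).digest()

    def power_cycle(self):
        # Security-enabled drives come up locked; unsecured drives do not.
        self._locked = self._lock_digest is not None

    def unlock(self, security_key):
        candidate = hashlib.sha256(security_key).digest()
        if self._lock_digest and hmac.compare_digest(candidate, self._lock_digest):
            self._locked = False
            return True
        return False

    def write(self, lba, data):
        self._require_unlocked()
        self._media[lba] = self._xor(lba, data)

    def read(self, lba):
        self._require_unlocked()
        return self._xor(lba, self._media[lba])

    def regenerate_encryption_key(self):
        self._require_unlocked()
        self._dek = secrets.token_bytes(32)  # old ciphertext no longer decrypts
```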
