264 IBM Midrange System Storage Hardware Guide
5.2.5 Security key identifier
For additional protection, the security key that is used to unlock FDE drives is not visible to the
user. The security key identifier is used to refer to a security key instead. You can see the
security key identifier during operations that involve the drive security key backup file, such as
creating or changing the security key. The security key identifier is stored in a special area of
the disk; it can always be read from the disk and can be written to the disk only if security has
been enabled and the drive is unlocked.
The security key identifier field in the FDE Drive Properties window, shown in Figure 5-3,
includes a random number that is generated by the controller when you create or change the
security key. One security key is created for all FDE drives on the storage subsystem.
Note that the Security Capable and Secure fields in the Drive Properties window show
whether the drive is security capable and whether it is currently in the Secure (Yes) or
Unsecured (No) state. The example shows a drive that is both capable (FDE) and secured.
Figure 5-3 FDE drive properties showing security ID and status
5.2.6 Passwords
Before Disk Security can be enabled, the DS5000 must have its administration pass phrase or
password set. The password must be “strong”, that is, not easy to guess. The system checks
the password, and if it does not consider the password strong enough when you log in or are
prompted for it, the message shown in Figure 5-6 on page 266 appears. The message includes
suggestions about how the password can be made stronger.
The security key and the security key identifier are encrypted with a second, different
password or pass phrase when the key is created or changed (see 5.3.2, “Secure key creation”
on page 266 and 5.4.1, “Changing the security key” on page 270). The array then returns a file
called a blob, or key backup. If the array later needs that key (for example, after a
controller replacement), you supply the blob and its pass phrase to the GUI, which sends them
to the array, where the original key is decrypted. Keep the blob and its pass phrase stored
separately: the blob alone is useless without the pass phrase, and the pass phrase alone
recovers nothing without the blob.
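The following Go program is an added illustration of the flow described in 5.2.5 and 5.2.6 and is not IBM code; the DS5000 does not publish its blob format or its password rules, so everything concrete here is an assumption. It models a controller that creates one security key plus a random identifier (only the identifier is ever displayed), a hypothetical strength check standing in for the one behind Figure 5-6, and a key backup that wraps identifier and key under a separate pass phrase using PBKDF2-HMAC-SHA256 and AES-256-GCM (assumed algorithms). Importing the blob with the wrong pass phrase, or with a tampered blob, fails authentication rather than yielding a wrong key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"unicode"
)

// SecurityKey models the single key a storage subsystem uses for all of its FDE drives.
// Only ID is ever shown to an administrator; Key is never displayed.
type SecurityKey struct {
	ID  string   // hex of a controller-generated random number (hypothetical format)
	Key [32]byte // the drive-unlock secret
}

const (
	saltLen = 16      // assumed salt size for the backup blob
	kdfIter = 100_000 // assumed PBKDF2 iteration count
)

// CheckStrong is a hypothetical stand-in for the controller's password check: at least
// 8 characters and three of four character classes. It returns the hints a weak
// password would trigger, in the spirit of the suggestions in Figure 5-6.
func CheckStrong(pw string) (bool, []string) {
	var upper, lower, digit, other bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
	}
	classes := 0
	for _, b := range []bool{upper, lower, digit, other} {
		if b {
			classes++
		}
	}
	var hints []string
	if len(pw) < 8 {
		hints = append(hints, "use at least 8 characters")
	}
	if classes < 3 {
		hints = append(hints, "mix upper case, lower case, digits and symbols")
	}
	return len(hints) == 0, hints
}

// NewSecurityKey mimics "create security key": a fresh random key and a random identifier.
func NewSecurityKey() (SecurityKey, error) {
	var sk SecurityKey
	if _, err := rand.Read(sk.Key[:]); err != nil {
		return sk, err
	}
	id := make([]byte, 8)
	if _, err := rand.Read(id); err != nil {
		return sk, err
	}
	sk.ID = hex.EncodeToString(id)
	return sk, nil
}

// pbkdf2 derives a 32-byte wrapping key from the pass phrase (PBKDF2-HMAC-SHA256, one block).
func pbkdf2(passphrase string, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, []byte(passphrase))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// ExportBackup produces the "blob": salt || nonce || AES-256-GCM(identifier ":" key).
// The pass phrase is deliberately separate from the administration password.
func ExportBackup(sk SecurityKey, passphrase string) ([]byte, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(pbkdf2(passphrase, salt, kdfIter))
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	plain := append([]byte(sk.ID+":"), sk.Key[:]...)
	blob := make([]byte, 0, saltLen+len(nonce)+len(plain)+gcm.Overhead())
	blob = append(append(blob, salt...), nonce...)
	return gcm.Seal(blob, nonce, plain, nil), nil
}

// ImportBackup is what the array does when handed the blob and pass phrase: re-derive the
// wrapping key and decrypt. A wrong pass phrase or a modified blob fails GCM authentication.
func ImportBackup(blob []byte, passphrase string) (SecurityKey, error) {
	var sk SecurityKey
	if len(blob) < saltLen+12 {
		return sk, errors.New("blob too short")
	}
	salt, rest := blob[:saltLen], blob[saltLen:]
	block, err := aes.NewCipher(pbkdf2(passphrase, salt, kdfIter))
	if err != nil {
		return sk, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return sk, err
	}
	nonce, ct := rest[:gcm.NonceSize()], rest[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return sk, errors.New("wrong pass phrase or corrupted key backup")
	}
	sep := bytes.IndexByte(plain, ':')
	if sep < 0 || len(plain)-sep-1 != len(sk.Key) {
		return sk, errors.New("malformed key backup payload")
	}
	sk.ID = string(plain[:sep])
	copy(sk.Key[:], plain[sep+1:])
	return sk, nil
}

func main() {
	ok, hints := CheckStrong("password")
	fmt.Println("admin password strong:", ok, hints)
	sk, _ := NewSecurityKey()
	fmt.Println("security key identifier:", sk.ID) // the key itself is never printed
	blob, _ := ExportBackup(sk, "Backup-Phrase-2024!")
	restored, err := ImportBackup(blob, "Backup-Phrase-2024!")
	fmt.Println("restored identifier matches:", err == nil && restored.ID == sk.ID)
	_, err = ImportBackup(blob, "wrong phrase")
	fmt.Println("wrong pass phrase:", err)
}
```

The identifier is the handle you compare when a restore completes: if the identifier decrypted from the blob does not match the one shown in the FDE Drive Properties window, the backup belongs to a different key generation and the drives will stay locked.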