Page 48
MegaRAID SAS Software User GuideChapter 3: SafeStore Disk Encryption
| Terminology
3.3 Terminology Table19 describes the terminology related to the SafeStore encryption feature.
3.4 Workflow
3.4.1 Enable Security You can enable security on the controller. After you enable security, you have the
option to create secure virtual drives using a security key.
There are three procedures you can perform to create secure virtual drives using a
security key:
Create the security key identifier
Create the security key
Create a password (optional)
3.4.1.1 Create the Security Key
Identifier
The security key identifier appears whenever you enter the security key. If you have
multiple security keys, the identifier helps you determine which security key to enter.
The controller provides a default identifier for you. You can use the default or enter your
own identifier.
3.4.1.2 Create the Security Key You need to enter the security key to perform certain operations. You can choose a
strong security key that the controller suggests.
Table 19: Terminology used in FDE
Option Description
Authenticated Mode The RAID configuration is keyed to a user password. The password must be provided on system boot to
authenticate the user and facilitate unlocking the configuration for user access to the encrypted data.
Blob A blob is created by encrypting a key(s) using another key. There are two types of blob in the system –
encryption key blob and security key blob.
Key backup You need to provide the controller with a lock key if the controller is replaced or if you choose to migrate
secure virtual disks. To do this, you must back up the security key.
Password An optional authenticated mode is supported in which you must provide a password on each boot to
make sure the system boots only if the user is authenticated. Firmware uses the user password to encrypt
the security key in the security key blob stored on the controller.
Re-provisioning Re-provisioning disables the security system of a device. For a controller, it involves destroying the
security key. For SafeStore encrypted drives, when the drive lock key is deleted, the drive is unlocked and
any user data on the drive is securely deleted. This does not apply to controller-encrypted drives, because
deleting the virtual disk destroys the encryption keys and causes a secure erase. See Section3.5, Instant
Secure Erase, for information about the instant secure erase feature.
Security Key A key based on a user-provided string. The controller uses the security key to lock and unlock access to the
secure user data. This key is encrypted into the security key blob and stored on the controller. If the
security key is unavailable, user data is irretrievably lost. You must take all precautions to never lose the
security key.
Un-Authenticated Mode This mode allows controller to boot and unlock access to user configuration without user intervention. In
this mode, the security key is encrypted into a security key blob, stored on the controller, but instead of a
user password, an internal key specific to the controller is used to create the security key blob.
Volume Encryption Keys (VEK) The controller uses the Volume Encryption Keys to encrypt data when a controller-encrypted virtual disk
is created. These keys are not available to the user. The firmware (FW) uses a unique 512-bit key for each
virtual disk. The VEK for the VDs are stored on the physical disks in a VEK blob.
To Next Page
Loading...
