About self-encrypting drives

The IBM® PureData® System for Analytics N3001 and N3001-001 appliances use self-encrypting drives (SEDs) for improved security and protection of the data stored on the appliance.

Self-encrypting drives (SEDs) encrypt data as it is written to the disk. Each disk has a disk encryption key (DEK) that is set at the factory and stored on the disk. The disk uses the DEK to encrypt data as it writes, and then to decrypt the data as it is read from disk. The operation of the disk, and its encryption and decryption, is transparent to the users who are reading and writing data. This default encryption and decryption mode is referred to as secure erase mode. In secure erase mode, you do not need an authentication key or password to decrypt and read data. SEDs offer improved capabilities for an easy and speedy secure erase for situations when disks must be repurposed or returned for support or warranty reasons.

For optimal security of the data stored on the disks, SEDs have a mode referred to as auto-lock mode. In auto-lock mode, the disk uses an authentication encryption key (AEK) to protect its DEK. When a disk is powered off, it is automatically locked. When the disk is powered on, the SED requires a valid AEK to read the DEK and unlock the disk to proceed with read and write operations. If the SED does not receive a valid AEK, the data on the disk cannot be read. The auto-lock mode helps to protect the data when disks are accidentally or intentionally removed from the system.

In many environments, the secure erase mode may be sufficient for normal operations and provides you with easy access to commands that can quickly and securely erase the contents of the disk before a maintenance or repurposing task. For environments where protection against data theft is paramount, the auto-lock mode adds an extra layer of access protection for the data stored on your disks.
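The following Python model is an added illustration of the two modes described above; it is not IBM code and does not represent the drive firmware. The class ModelSED, its method names, and the SHA-256 keystream that stands in for the drive's hardware cipher are assumptions made for the example.

```python
import hashlib, hmac, secrets

def _xor_stream(key: bytes, data: bytes) -> bytes:  # stand-in cipher, example only
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def _kek(aek: bytes, salt: bytes) -> bytes:
    return hmac.new(aek, salt, "sha256").digest()  # key that wraps the DEK

class ModelSED:
    """Conceptual model of the DEK/AEK relationship; hypothetical, not firmware."""
    def __init__(self):
        self._dek = secrets.token_bytes(32)  # DEK "set at the factory"
        self._wrapped = None                 # (salt, wrapped DEK, tag) once auto-lock is on
        self._media = {}                     # sector number -> ciphertext

    def _sector_key(self, sector: int) -> bytes:
        if self._dek is None:
            raise PermissionError("disk is locked: a valid AEK is required")
        return self._dek + sector.to_bytes(8, "big")

    def write(self, sector: int, data: bytes) -> None:
        self._media[sector] = _xor_stream(self._sector_key(sector), data)

    def read(self, sector: int) -> bytes:
        return _xor_stream(self._sector_key(sector), self._media[sector])

    def enable_auto_lock(self, aek: bytes) -> None:
        salt = secrets.token_bytes(16)
        wrapped = _xor_stream(_kek(aek, salt), self._dek)
        self._wrapped = (salt, wrapped, hmac.new(_kek(aek, salt), wrapped, "sha256").digest())

    def power_cycle(self) -> None:
        if self._wrapped is not None:  # auto-lock: plaintext DEK does not survive power-off
            self._dek = None

    def unlock(self, aek: bytes) -> bool:
        salt, wrapped, tag = self._wrapped
        kek = _kek(aek, salt)
        if not hmac.compare_digest(tag, hmac.new(kek, wrapped, "sha256").digest()):
            return False               # wrong AEK: DEK stays unreadable
        self._dek = _xor_stream(kek, wrapped)
        return True

    def secure_erase(self) -> None:  # a new DEK leaves old ciphertext undecipherable
        self._dek, self._wrapped = secrets.token_bytes(32), None
```

In the model, a power cycle in secure erase mode leaves data readable without any key, while in auto-lock mode reads fail until unlock() receives the correct AEK; secure_erase() never touches the stored ciphertext, which is why the operation is fast.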

SEDs are currently available on the following appliances:
  • IBM PureData System for Analytics N3001
  • IBM PureData System for Analytics N3001-001

The SED models certified for use on the IBM PureData System for Analytics N3001 appliance meet the requirements of FIPS 140-2 with respect to the cryptographic routines used by the disks. The nzhw -detail command reports disk model information, which you can look up on the NIST vendor list. For more information about the NIST vendor list, see http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm.