Locking the SEDs

Cloud Pak for Data System software provides commands to configure the SEDs to use auto-lock mode.

About this task

By default, the SEDs on the Cloud Pak for Data System operate in secure erase mode. The IBM® installation team can configure the disks to run in auto-lock mode by creating a key store and defining an authentication key for your host and storage disks when the system is installed in your data center. If you choose not to auto-lock the disks during system installation, you can lock them later. The process to auto-lock the disks does not require a downtime window.

While it is recommended that you configure your SEDs to operate in auto-lock mode, make sure that this is appropriate for your environment. After the drives are configured for auto-lock mode, you cannot easily disable or undo the auto-lock mode for SEDs.

The authentication encryption key (AEK) can be stored in a password-protected key store repository on the local partition of each node of Cloud Pak for Data System.

For locally stored keys, the key repository is stored in the /var/lib/sedsupport directory on each of the nodes. The repository is locked and protected.

The AEK can be used to auto-lock the SEDs by using the CLI command apsedkey enable.

Complete the following steps to enable locking on the SEDs.

  1. Create the key store by using the apsedkeydb command.
  2. Generate the key by using the apsedkey generate command.
  3. Enable locking by using the apsedkey enable command.
  4. Check the status of the authentication key by using the apsedkey status command.