Disk encryption
The storage system supports data encryption with the Full Disk Encryption (FDE) feature.
The FDE disks encrypt and decrypt at interface speeds, with no impact on performance.
Recovery key and dual key server support is available on the DS8A00. For a list of FDE drives, see Feature codes for drive sets.
To enable encryption, the storage system must be configured to communicate with two or more encryption key servers. The physical connection between the Hardware Management Console (HMC) and the key server is through an Internet Protocol network.
Each FDE drive has an encryption key for the region of the disk that contains data. When encryption is enabled, the encryption key for the region is wrapped with an access credential and stored on the disk media. Read-and-write access to the data on an encrypted region is blocked following a power loss until the initiator that is accessing the drive authenticates with the currently active access credential. When encryption is disabled, the encryption key for the region is wrapped with the unique data key that is assigned to this particular disk during manufacturing and stored on the disk media. This data key is accessible to the device and to any attached initiator, and the wrapped key is stored on the disk media. Read-and-write access to the data on a decrypted region does not require an access credential or any interface protocols that are not used on a non-FDE drive. FDE drives still encrypt and decrypt data with an encryption key. However, the encryption and decryption are done transparently to the initiator.
The FDE drive that is a member of an encryption-enabled rank is locked. An FDE drive that is a spare, a member of an encryption-disabled rank, or not assigned is unlocked. Locking occurs when an FDE drive is added to an encryption-enabled rank. Unlocking occurs when an encryption-enabled rank is deleted or when an encryption-enabled rank member becomes a spare. Unlocking implies a cryptographic erasure of an FDE drive. FDE drives are also cryptographically erased when an encryption-disabled rank is deleted. You can cryptographically erase data for a set of logical volumes in an encryption-enabled extent pool by deleting all of the ranks that are associated with the extent pool.
FDE drives are not cryptographically erased when the disk fails. In this case, the device adapter is likely to intentionally fence the failing drive from the device interface as soon as possible to prevent it from causing any other problems on the interface.
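The lock and unlock semantics above (a region key that is always in use, wrapped either with the factory data key or with an access credential; I/O gated after a power loss until the credential is presented; unlocking equal to cryptographic erasure) can be walked through in a small model. The following is an added illustration written for this page, not DS8000 code: the `FDEDrive` class, the HMAC-SHA256 counter-mode keystream used as a stand-in for the drive's cipher, and the constructed credential are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in for the drive's
    cipher. This is an illustrative construction, not what FDE drives use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class FDEDrive:
    """One encrypted region of a hypothetical FDE drive. The region key is always
    in use; what changes is the key it is wrapped with and whether I/O is gated."""

    def __init__(self) -> None:
        self.factory_key = secrets.token_bytes(32)  # unique data key assigned at manufacturing
        self.region_key = secrets.token_bytes(32)   # encrypts the data region
        self.credential: Optional[bytes] = None     # None means the region is unlocked
        self.authenticated = True                   # unlocked regions need no authentication
        self.media = b""                            # ciphertext "on the platter"
        self.wrapped_key = self._wrap()             # wrapped region key, also kept on media

    def _wrap(self) -> bytes:
        # Locked: wrapped with the access credential. Unlocked: wrapped with the
        # factory data key, which any attached initiator can obtain (obfuscation only).
        kek = self.credential if self.credential is not None else self.factory_key
        return _xor(self.region_key, _keystream(kek, len(self.region_key)))

    def write(self, data: bytes) -> None:
        if not self.authenticated:
            raise PermissionError("region is locked; authenticate first")
        self.media = _xor(data, _keystream(self.region_key, len(data)))

    def read(self) -> bytes:
        if not self.authenticated:
            raise PermissionError("region is locked; authenticate first")
        return _xor(self.media, _keystream(self.region_key, len(self.media)))

    def lock(self, credential: bytes) -> None:
        """Drive joins an encryption-enabled rank: rewrap under the credential."""
        self.credential = credential
        self.wrapped_key = self._wrap()

    def power_loss(self) -> None:
        """A locked region blocks reads and writes until re-authenticated."""
        self.authenticated = self.credential is None

    def authenticate(self, credential: bytes) -> bool:
        if self.credential is None:
            self.authenticated = True
        else:
            self.authenticated = hmac.compare_digest(credential, self.credential)
        return self.authenticated

    def unlock(self) -> None:
        """Rank deleted or drive becomes a spare. Unlocking implies cryptographic
        erasure: the old region key is discarded, so existing ciphertext is unreadable."""
        self.region_key = secrets.token_bytes(32)
        self.credential = None
        self.authenticated = True
        self.wrapped_key = self._wrap()


def lifecycle_demo() -> dict:
    """Walk one region through lock, power loss, authentication and crypto erase."""
    drive = FDEDrive()
    drive.write(b"customer data")           # written while unlocked: encrypted, but only obfuscated
    credential = secrets.token_bytes(32)    # constructed; a real SFI derives it from the key server's data key
    drive.lock(credential)
    drive.power_loss()
    blocked = False
    try:
        drive.read()
    except PermissionError:
        blocked = True
    wrong_accepted = drive.authenticate(secrets.token_bytes(32))
    right_accepted = drive.authenticate(credential)
    plaintext = drive.read()
    drive.unlock()                          # cryptographic erasure
    after_erase = drive.read()
    return {
        "blocked_after_power_loss": blocked,
        "wrong_credential_accepted": wrong_accepted,
        "right_credential_accepted": right_accepted,
        "plaintext": plaintext,
        "after_erase": after_erase,
    }


if __name__ == "__main__":
    for name, value in lifecycle_demo().items():
        print(f"{name}: {value!r}")
```

The point of the last two steps is the one the text makes about erasure: the ciphertext on the media is never rewritten, yet after `unlock()` the same bytes decrypt to noise because the only key that could read them no longer exists anywhere.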
A unique access credential for each locked drive in the storage facility image (SFI) is derived from one data key that it obtains from the Security Key Lifecycle Manager server. The storage system stores multiple independent copies of the EEDK persistently and it must be able to communicate with a Security Key Lifecycle Manager server after power-on to allow access to the disks that are enabled for encryption.
- On your disks: Data on your disks (for example, DDM installed through DDM Install Group features) that are members of an encryption-enabled rank is managed through a data key that is obtained from the Security Key Lifecycle Manager server. The data is encrypted with an encryption key that is managed through an externally encrypted key. The data on disks that are members of a rank that is not encryption-enabled is encrypted with an encryption key that is encrypted with a derived key and stored on the disk. Therefore, this data is obfuscated.
- NVS dump data on system disks: If you start a force power off sequence, write data in flight in the NVS memory is encrypted with an encryption key and stored on the system disk in the storage system. The encryption key is encrypted with a derived key and stored on the system disk, hence NVS data is obfuscated. The data on the system disk is cryptographically erased after power is restored and after the data is restored to the NVS memory during the initial Licensed Internal Code load.
- Atomic-parity update (APU) dump data in device flash memories: If a force power off sequence is initiated, atomic-parity write data in flight within the device adapter memory for RAID 6 arrays is encrypted with an encryption key. The data is stored in flash memory on the device adapter in the storage system, and is limited to 32 MB per device adapter or 512 MB per storage facility.
Recovery key configuration operations
A security administrator must start the process to configure a recovery key for the storage system SFI before an encryption group is created. Each configured encryption group has an associated recovery key. You can use the recovery key to access data from an encryption group that is in a configured-inaccessible state when access to the encryption group data key through any key server is not possible.
- The security administrator requests configuration of a recovery key.
- The SFI generates the recovery key and displays it to the security administrator.
- The security administrator inputs the recovery key for verification.
- The SFI puts the recovery key in the verify-pending state until the storage administrator authorizes it.
- The storage administrator authorizes configuration of the recovery key.
Within a secure key environment, you might choose to disable the recovery key rather than to configure one. Disabling the recovery key increases the security of the encrypted data, but it also increases the risk of encryption deadlock.
If you choose to disable the recovery key, you are highly encouraged to strictly follow the guidelines for preventing encryption deadlock. Failure to do so might result in permanent loss of all encrypted data that is managed by key servers, if an encryption deadlock occurs.
- The security administrator requests that the recovery key is disabled. This action changes the recovery key state from Unconfigured to Disable Authorize Pending.
- The storage administrator authorizes the recovery key disablement. This action changes the recovery key state from Disable Authorize Pending to Disabled.
- The security administrator requests that the recovery key is enabled. This action changes the recovery key state from Disabled to Enable Authorize Pending.
- The storage administrator authorizes the recovery key enablement. This action changes the recovery key state from Enable Authorize Pending to Unconfigured.
- Normal recovery key configuration steps are followed to configure the recovery key before encryption group creation.
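The configuration steps and the disable/enable sequences above form a small state machine in which the security administrator requests and the storage administrator authorizes, so neither role can act alone. The following model is an added example for this page, not DS8000 code; the class and function names are invented, and `Configured` is an assumed name for the state reached once the storage administrator authorizes a verified key (the page names every other state but not that one).

```python
import secrets
from typing import List, Optional


class RecoveryKeyError(Exception):
    """Raised when a role or state does not permit the requested operation."""


class RecoveryKeyManager:
    """Recovery key states as described for the SFI. 'Configured' is an assumed
    name for the state reached once the storage administrator authorizes the key."""

    def __init__(self) -> None:
        self.state = "Unconfigured"
        self._shown_key: Optional[str] = None   # generated key awaiting verification
        self._key: Optional[str] = None         # configured recovery key held by the SFI
        self.history: List[str] = [self.state]

    def _require(self, role: str, expected: str, *states: str) -> None:
        if role != expected:
            raise RecoveryKeyError(f"{role} may not perform this step; {expected} required")
        if self.state not in states:
            raise RecoveryKeyError(f"step not allowed in state {self.state!r}")

    def _move(self, new_state: str) -> None:
        self.state = new_state
        self.history.append(new_state)

    # --- configuration: security admin requests and verifies, storage admin authorizes ---
    def request_configure(self, role: str) -> str:
        self._require(role, "security_admin", "Unconfigured")
        self._shown_key = secrets.token_hex(16)  # SFI generates and displays the key
        return self._shown_key

    def verify(self, role: str, typed_key: str) -> None:
        self._require(role, "security_admin", "Unconfigured")
        if self._shown_key is None or not secrets.compare_digest(typed_key, self._shown_key):
            raise RecoveryKeyError("recovery key verification failed")
        self._move("Verify Pending")

    # --- disable / enable requests: security admin ---
    def request_disable(self, role: str) -> None:
        self._require(role, "security_admin", "Unconfigured")
        self._move("Disable Authorize Pending")

    def request_enable(self, role: str) -> None:
        self._require(role, "security_admin", "Disabled")
        self._move("Enable Authorize Pending")

    # --- authorization of any pending request: storage admin ---
    def authorize(self, role: str) -> None:
        next_state = {
            "Verify Pending": "Configured",
            "Disable Authorize Pending": "Disabled",
            "Enable Authorize Pending": "Unconfigured",
        }
        self._require(role, "storage_admin", *next_state)
        if self.state == "Verify Pending":
            self._key, self._shown_key = self._shown_key, None
        self._move(next_state[self.state])

    def encryption_group_allowed(self) -> bool:
        # An encryption group is created only after the key is configured or deliberately disabled.
        return self.state in ("Configured", "Disabled")


def configure_flow() -> List[str]:
    m = RecoveryKeyManager()
    shown = m.request_configure("security_admin")
    m.verify("security_admin", shown)
    m.authorize("storage_admin")
    return m.history


def disable_then_reenable_flow() -> List[str]:
    m = RecoveryKeyManager()
    m.request_disable("security_admin")
    m.authorize("storage_admin")
    m.request_enable("security_admin")
    m.authorize("storage_admin")
    return m.history


def separation_of_duties_holds() -> bool:
    """A single role cannot both request and authorize the same change."""
    m = RecoveryKeyManager()
    m.request_disable("security_admin")
    try:
        m.authorize("security_admin")
    except RecoveryKeyError:
        return m.state == "Disable Authorize Pending"
    return False


if __name__ == "__main__":
    print(" -> ".join(configure_flow()))
    print(" -> ".join(disable_then_reenable_flow()))
    print("two-person rule enforced:", separation_of_duties_holds())
```

Note that re-enabling ends in Unconfigured, not Configured: after the enable is authorized the normal configuration steps still have to be run before an encryption group can be created, exactly as the last list item states.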