Locking the SEDs

The IBM® Integrated Analytics System M4002-001 software provides commands to configure the SEDs on the M4002-001 models (MTM:3456-A1E) to use auto-lock mode.

About this task

By default, the SEDs on the IBM Integrated Analytics System M4002-001 appliances operate in secure erase mode. The IBM installation team can configure the disks to run in auto-lock mode by creating a key store and defining an authentication key for your host and storage disks when the system is installed in your data center. If you choose not to auto-lock the disks during system installation, you can lock them later. The process to auto-lock the disks does not require a downtime window.

While it is recommended that you configure your SEDs to operate in auto-lock mode, make sure that this is appropriate for your environment. After the drives are configured for auto-lock mode, you cannot easily disable or undo the auto-lock mode for SEDs.

The AEK can be stored in a password-protected key store repository on the local partition of each node of IIAS M4002-001. Starting from IIAS 1.0.17.0, IIAS M4002-001 also supports storing the AEK in the external IBM Security Key Lifecycle Manager (ISKLM) server.

For locally stored keys, the key repository is stored in the /var/lib/sedsupport directory on each of the nodes. The repository is locked and protected.

The AEK can be used to auto-lock the SED drives by using the CLI command apsedkey enable.

Complete the following steps to enable locking on the SED drives.

Procedure

  1. Create the key store by using the apsedkeydb command.
  2. Generate the key by using the apsedkey generate command.
  3. Enable locking by using the apsedkey enable command.
  4. Check the status of the authentication key by using the apsedkey status command.
  5. Integrating IIAS with ISKLM server for AEK management