Locking the SEDs

Netezza Performance Server for Cloud Pak for Data System

The IBM® Netezza Performance Server software provides commands to configure the self-encrypting drives (SEDs) to use auto-lock mode.

By default, the SEDs operate in secure erase mode. The IBM installation team can configure the disks to run in auto-lock mode by creating a keystore and defining an authentication key for your host and storage disks when the system is installed in your data center. If you choose not to auto-lock the disks during system installation, you can lock them later. Contact IBM Support to enable the auto-lock mode. The process to auto-lock the disks requires a short NPS service downtime window.

While it is recommended that you configure your SEDs to operate in auto-lock mode, make sure that this is appropriate for your environment. After the drives are configured for auto-lock mode, you cannot easily disable or undo the auto-lock mode for SEDs.

The NPS system requires an AEK for the drives in the storage arrays that are managed by the SPUs. The AEKs can be stored in a password-protected keystore repository in the NPS container.

For locally stored keys, the key repository is stored in the /nz/var/keystore directory on the NPS container. The repository is locked and protected.

You should use the nzkeybackup command to create a backup copy of the AEKs after you change the keys. If the keystore on the NPS container is lost, the disks cannot be read. Make sure that you carefully protect the keystore backups for the system in a secure area, typically in a location that is not on the NPS container.
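The following check is an added example, not IBM code and not part of the NPS tooling. It reports whether a keystore backup file exists, is non-empty, is kept outside the keystore directory, is newer than every file in /nz/var/keystore, and is readable by its owner only. It assumes the backup is a single file whose path the caller supplies; the status words and the script name are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM code. The keystore path is the one named on the page;
# the backup file path is an assumption passed by the caller.
KEYSTORE_DIR="${KEYSTORE_DIR:-/nz/var/keystore}"

# backup_status KEYSTORE_DIR BACKUP_FILE
# Prints one status word and returns 0 only when the status is OK.
backup_status() {
    ks=$1
    bk=$2
    [ -d "$ks" ] || { echo "NO_KEYSTORE"; return 2; }
    [ -e "$bk" ] || { echo "MISSING"; return 1; }
    [ -s "$bk" ] || { echo "EMPTY"; return 1; }

    # A backup kept inside the keystore directory is lost together with it.
    case "$bk" in
        "$ks"/*) echo "COLOCATED"; return 1 ;;
    esac

    # Any keystore file modified after the backup was written means the keys
    # may have changed since the last backup was taken.
    if [ -n "$(find "$ks" -type f -newer "$bk" -print | head -n 1)" ]; then
        echo "STALE"; return 1
    fi

    # Characters 5-10 of the ls mode string are the group and other bits;
    # a key backup should be readable by its owner only.
    perms=$(ls -ld -- "$bk" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "EXPOSED"; return 1; }

    echo "OK"
}

# Stand-alone use: sh check_keystore_backup.sh /path/to/backup (hypothetical name)
if [ "$#" -ge 1 ]; then
    backup_status "$KEYSTORE_DIR" "$1"
fi
```

The script cannot tell whether the backup path is outside the NPS container, so that part of the recommendation still has to be confirmed by the operator.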