Managing the self-encrypting drives support on IBM Elastic Storage® Server

The self-encrypting drives (SED) support protects data at rest on Elastic Storage System (ESS) drives. After this support is enabled, data on stolen or lost drives cannot be read without an authentication key, which is also called the master encryption key (MEK).

  • The SED support can be enabled only if all drives of a recovery group are SED capable.
  • After the SED support is enabled for a recovery group, you cannot disable it.
  • If an MEK is lost, you lose access to all data of the recovery group.
This section describes how to set an MEK, enable the SED support, and change an MEK.

Configuring a master encryption key

An MEK is used to enable the SED support by enrolling the drives of a recovery group into it. With the same MEK, you can unlock locked drives and crypto-erase SED-enabled drives. The ESS uses an external key manager such as GKLM for MEK generation and key management. The mmkeyserv command can be used to set up an MEK for the ESS I/O servers. For more details, see mmkeyserv command in IBM Storage Scale: Command and Programming Reference Guide.

Complete the following steps on an ESS I/O server node to configure an MEK:
  1. Add a remote key management (RKM) server connection to ESS I/O server nodes.
    # mmkeyserv server add
  2. Create a tenant on the RKM server, and add the tenant to the ESS I/O server nodes.
    # mmkeyserv tenant add
  3. Create a key client for the ESS I/O server nodes to communicate with the RKM server.
    # mmkeyserv client create
  4. Register the key client to the tenant that is added to ESS I/O server nodes.
    # mmkeyserv client register
  5. Create encryption keys in the tenant.
    # mmkeyserv key create

Enabling the SED support on a recovery group

Complete the following tasks to enable the SED support on a specified recovery group:
  1. Before you enroll a recovery group for the SED support, verify that all drives of the recovery group, except the NVRAM drives, are SED capable.
    # mmvdisk sed verify  {--all | --recovery-group RgName[,RgName...] |
                          --recovery-group RgName [--pdisk pdiskname] |
                          --pdisk-path pdisk-path}
    --all
    Selects all recovery groups of the cluster.
    --recovery-group
    Specifies the recovery group name(s).
    --pdisk
    Specifies the pdisk path.
  2. Create an MEK.
    # mmkeyserv key create
  3. Get the MEK key Id.
    # mmkeyserv key show
  4. Enable the SED support on a specified recovery group.
    # mmvdisk sed enroll --recovery-group RecoveryGroupName --rkmid RKMId --key-uuid KeyId
    --rkmid
    Specifies a new RKM ID that is displayed as a part of the mmkeyserv rkm show command.
    --key-uuid
    Specifies the MEK UUID.
    --recovery-group
    Specifies the name of the recovery group whose drives are to be enabled for the SED support.

    The command can run longer depending on the number of drives in the recovery group.

  5. If the mmvdisk command is interrupted, rerun the command. When the command is rerun, enrolled drives are skipped and drives that were not enrolled before are enrolled with the same MEK.
  6. When the SED support is enabled on all drives, a new sedKeyId configuration key is set with the MEK key ID and the RKM key ID to enable the SED support. The sedKeyId value is the concatenation of the MEK key ID, a colon (:), and the RKM key ID. The sedKeyId configuration keyword is set for the node class of the recovery group only.
  7. Check whether all the drives of a recovery group are enabled for the SED support.
    # mmvdisk sed list {--all | --recovery-group RgName[,RgName...] |
                       --recovery-group RgName [--pdisk pdiskname] |
                       --pdisk-path pdisk-path}
    --all
    Selects all recovery groups of the cluster.
    --recovery-group
    Specifies the recovery group name(s).
    --pdisk
    Specifies the pdisk path.

    This command displays whether the SED support is enabled by using an MEK specified by sedKeyId or some other unknown key. It also displays whether the drive is locked or unlocked.

Changing the MEK for recovery group drives

After the SED support is enabled for a recovery group, you might have to change the MEK for all the drives of the recovery group. The MEK needs to be changed if the current MEK is compromised or if an organization policy requires that the MEK be changed periodically. On ESS systems, the SED MEK can be changed only at the recovery group level.
  1. Set up a new MEK before you change the MEK for a recovery group.
  2. Get a new MEK key ID.
    # mmkeyserv key show
  3. Get an RKM ID.
    # mmkeyserv rkm show
  4. Change the MEK of the specified recovery group.
    # mmvdisk sed rekey --recovery-group RecoveryGroupName --rkmid RKMId --key-uuid KeyId
    --rkmid
    Specifies a new RKM ID displayed as part of the mmkeyserv rkm show command.
    --key-uuid
    Specifies the MEK UUID.
    --recovery-group
    Specifies the name of the recovery group whose drives are enabled for the SED support.
    This command might run longer depending on the number of drives in the recovery group.
  5. If the mmvdisk command is interrupted, rerun it to resume rekeying the MEK of the recovery group.

    The rerun changes the MEK, with the same new key, only for the drives that were not rekeyed before. After all the drives are rekeyed successfully, the sedKeyId configuration key is updated with the new MEK key ID and RKM key ID values (concatenation of the new MEK key ID, a colon, and the new RKM key ID).
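The enroll and rekey procedures above both end with the same instruction: if the mmvdisk command is interrupted, rerun it with the same MEK until it completes. The following wrapper, an added example and not IBM's code, automates that rerun, checks SED capability before an enroll, and reports the KeyId:RKMId value that the procedure says lands in sedKeyId. It assumes mmvdisk is on PATH and uses only the options shown on this page; the retry limit and the delay between reruns are my own choices.

```bash
#!/bin/bash
# Added example (not part of the IBM documentation): run "mmvdisk sed enroll"
# or "mmvdisk sed rekey" for one recovery group and rerun it if interrupted.
MAX_RERUNS=${MAX_RERUNS:-5}    # assumption: how many reruns before giving up
RERUN_DELAY=${RERUN_DELAY:-30} # assumption: seconds to wait between reruns

# The value the procedure says is stored in sedKeyId: "<MEK key ID>:<RKM ID>".
expected_sed_key_id() {
    printf '%s:%s\n' "$1" "$2"
}

# sed_key_operation enroll|rekey RgName RKMId KeyId
# Returns 0 once a run completes; 1 on bad arguments, a failed SED-capability
# check, or when the rerun limit is reached. Reruns use the same MEK, so drives
# already enrolled or rekeyed are skipped by mmvdisk itself.
sed_key_operation() {
    action=$1 rg=$2 rkmid=$3 keyid=$4
    case "$action" in
        enroll|rekey) ;;
        *) echo "unknown action: $action" >&2; return 1 ;;
    esac
    [ -n "$rg" ] && [ -n "$rkmid" ] && [ -n "$keyid" ] ||
        { echo "usage: sed_key_operation enroll|rekey RgName RKMId KeyId" >&2; return 1; }

    # Enroll only after confirming that every drive of the group is SED capable.
    if [ "$action" = enroll ] && ! mmvdisk sed verify --recovery-group "$rg"; then
        echo "recovery group $rg has drives that are not SED capable" >&2
        return 1
    fi

    attempt=1
    while [ "$attempt" -le "$MAX_RERUNS" ]; do
        if mmvdisk sed "$action" --recovery-group "$rg" --rkmid "$rkmid" --key-uuid "$keyid"; then
            echo "sed $action completed for $rg; sedKeyId should now be $(expected_sed_key_id "$keyid" "$rkmid")"
            # Show per-drive state so that an unknown key or a locked drive is visible.
            mmvdisk sed list --recovery-group "$rg"
            return 0
        fi
        echo "sed $action for $rg did not complete (attempt $attempt/$MAX_RERUNS); rerunning" >&2
        attempt=$((attempt + 1))
        sleep "$RERUN_DELAY"
    done
    echo "sed $action for $rg still incomplete after $MAX_RERUNS runs" >&2
    return 1
}
```

Compare the reported KeyId:RKMId value with the sedKeyId configuration keyword of the node class after the run; a mismatch means the rekey or enroll did not finish on every drive.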

Migrating a recovery group for the SED support

Older existing recovery groups, which already hold user data, can be enabled for the SED support by using the migration process. The migration can be done on a live system while a workload is running.

To enable SED support on all drives of a recovery group, complete the following steps:
  1. Configure an MEK and find the MEK Key ID (KeyId) and RKM ID.
    # mmkeyserv 

    For more details, see mmkeyserv command in IBM Storage Scale: Command and Programming Reference Guide.

  2. Ensure that all the drives of the recovery group are in the OK state.
  3. Verify that all drives of the recovery group are SED capable.
    # mmvdisk sed verify 
  4. Run the mmvdisk sed enroll command, passing the MEK key ID (KeyId) and RKM ID (RKMId) that you found in step 1, as shown in the following command:
    # mmvdisk sed enroll  --recovery-group RgName --rkmid RKMid --key-uuid KeyId
    • The new <KeyId:RKMid> value is stored in the sedKeyId configuration variable of the node class.
    • The MEK key is updated from default MSID to the new key specified on all drives, and the SED support is enabled on all drives.
  5. If the enroll (migration) process is stopped or interrupted, rerun the sed enroll command to continue the migration.

Auto unlock of the recovery group drives

When the SED support is enabled, the SED capable drives are locked after they are power-cycled. The drives of a recovery group are unlocked by the following methods:
  • The current MEK that is set by using the sedKeyId keyword is used to unlock drives.
  • The disk hospital uses the current MEK when it detects SED locked drives.
  • During daemon startup (the mmstartup command), drives are unlocked by using the current MEK.

Auto enroll new recovery group drives

After the SED support is enabled on a recovery group, new drives that are added as a part of the disk replacement procedure are automatically enrolled. The current MEK that is specified by the sedKeyId configuration keyword is used to enroll the drives.

Crypto-erase of recovery group drives

After the SED support is enabled on a recovery group, crypto-erase is applied to the SED capable drives of the recovery group when the recovery group or individual drives are deleted. The crypto-erase is a mandatory operation during recovery group deletion and disk deletion from the recovery group.
Note: After the crypto-erase of drives, you cannot get the old data back from the drives. To reuse the drives, you must format them again.