Enabling the SED online on a recovery group

The self-encrypting drive support can be enabled on existing recovery groups.

A remote key manager (RKM) server is needed. For its requirements, see the mmkeyserv command in the IBM Storage Scale: Command and Programming Reference Guide.

Complete the following steps to enable the SED support on all drives of a recovery group.

  1. By using the mmkeyserv command, configure the master encryption key (MEK) and obtain a Key ID and an RKM ID.
    1. Add a key server to a cluster.
      # mmkeyserv server add keyserver01
    2. Create a tenant in the key server.
      # mmkeyserv tenant add ece01 --server keyserver01
    3. Create a key client on the key server.
      # mmkeyserv client create cluster01 --server keyserver01
    4. Register the key client to the tenant with the RKM ID.
      # mmkeyserv client register cluster01 --tenant ece01 --rkm-id keyserver01_ece01
    5. Create an encryption key in the tenant. The command returns the Key ID that is needed in step 4.
      # mmkeyserv key create --server keyserver01 --tenant ece01
  2. Ensure that all drives of the recovery group are in the OK state. The following command lists only the pdisks that are not OK, so it should list none:
    # mmvdisk pdisk list --rg rg_name --not-ok
  3. Verify that all drives of the recovery group are SED-capable by using the mmvdisk sed verify command.
    # mmvdisk sed verify --rg rg_name
  4. Run the mmvdisk sed enroll command with the Key ID and RKM ID from step 1 to enroll the recovery group with SED enabled.
    # mmvdisk sed enroll --recovery-group rg_name --rkmid keyserver01_ece01 --key-uuid KeyId
    The sed enroll command performs the following steps:
    1. Stores the new <KeyId:RKMid> value in the sedKeyId configuration variable of the node class.
    2. Changes the key on all drives from the manufacturer default (MSID) to the specified MEK, and enables SED support on all drives.
  5. Verify that the drives are enrolled.
    # mmvdisk sed list --recovery-group rg_name
    Notes:
    • If the enroll process is stopped or interrupted, issue the sed enroll command again to resume the migration.
    • When a failed disk is replaced with a new disk, when new disks are added to a recovery group (scale-up), or when new nodes are added to a recovery group (scale-out), complete the following steps:
      1. Verify whether all new drives are enrolled with the sedKey by issuing the following command:
        # mmvdisk sed list --recovery-group rg_name
      2. If any drives are not enrolled, issue the sed enroll command again for the recovery group to enroll them:
        # mmvdisk sed enroll
    For more information, see the mmvdisk sed command in IBM Storage Scale RAID: Administration and Programming Reference.
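The procedure above, as an added example that is not IBM's code: a POSIX shell function that runs steps 2 to 5 in order, fails fast on the first check that does not pass, and can be re-run safely because an interrupted enroll resumes. Two things in it are assumptions, not facts from this page: that key IDs returned by mmkeyserv key create have the form KEY-<uuid>, and that mmvdisk pdisk list --not-ok prints nothing when every pdisk is OK. Confirm both on your system before relying on the script. The mmvdisk binary is read from $MMVDISK so the control flow can be tried against a stub before it touches real drives.

```shell
#!/bin/sh
# Added example (not IBM's code): steps 2 to 5 of the SED enrollment procedure
# as one fail-fast, re-runnable function. The mmvdisk binary is taken from
# $MMVDISK so the ordering can be exercised offline against a stub.
set -eu

MMVDISK="${MMVDISK:-mmvdisk}"

# Assumption: key IDs returned by "mmkeyserv key create" look like KEY-<uuid>.
# Rejecting anything else stops a typo from being written to every drive.
valid_key_uuid() {
    printf '%s\n' "$1" |
        grep -Eq '^KEY-[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Enable SED on one recovery group. Return codes:
#   0 enrolled and listed, 2 bad arguments, 3 a pdisk is not OK,
#   4 a drive is not SED-capable, 5 enroll failed, 6 final listing failed.
enable_sed_on_rg() {
    rg="${1:-}"; rkm_id="${2:-}"; key_uuid="${3:-}"
    if [ -z "$rg" ] || [ -z "$rkm_id" ]; then
        echo "usage: enable_sed_on_rg <rg_name> <rkm_id> <KEY-uuid>" >&2
        return 2
    fi
    if ! valid_key_uuid "$key_uuid"; then
        echo "refusing to enroll: '$key_uuid' is not a KEY-<uuid> identifier" >&2
        return 2
    fi

    # Step 2: never change drive keys while any pdisk is not OK.
    # Assumption: --not-ok prints one row per degraded pdisk and nothing when
    # all pdisks are OK, so any output at all means a pdisk needs attention.
    not_ok=$("$MMVDISK" pdisk list --recovery-group "$rg" --not-ok) || return 3
    if [ -n "$not_ok" ]; then
        printf 'pdisks not OK in %s:\n%s\n' "$rg" "$not_ok" >&2
        return 3
    fi

    # Step 3: every drive must be SED-capable before the key is changed.
    "$MMVDISK" sed verify --recovery-group "$rg" || return 4

    # Step 4: enroll. Safe to re-run; an interrupted enroll resumes.
    "$MMVDISK" sed enroll --recovery-group "$rg" \
        --rkmid "$rkm_id" --key-uuid "$key_uuid" || return 5

    # Step 5: show per-drive enrollment state for the operator to confirm.
    "$MMVDISK" sed list --recovery-group "$rg" || return 6
}

# Usage on a node of the cluster, with the IDs obtained in step 1:
#   enable_sed_on_rg rg_name keyserver01_ece01 KEY-<uuid>
```

Point MMVDISK at a stub that logs its arguments to walk through the happy path and the two abort paths (a not-OK pdisk, a drive that is not SED-capable) before running it against the real command; the stub test below does exactly that.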