Managing the self-encrypting drives on IBM Elastic Storage® Server

Self-encrypting drives (SED) protect data at rest on IBM Storage Scale System drives. After self-encryption is enabled, data on stolen or lost drives cannot be read without the authentication key, which is also called the master encryption key (MEK).

  • SED can be enabled only if all drives of a recovery group are SED capable.
  • After SED is enabled for a recovery group, it cannot be disabled.
  • If the MEK is lost, you lose access to all data of the recovery group, because the drives can no longer be unlocked.

Supported configuration

Supported components:

  • License requirement: DME license is mandatory.
  • Supported drives: NVMe, HDD, and FCM4 (starting from firmware level 4.4.4.122).
  • Supported key servers: GKLM, CTM, and TPM (requires RHEL 9.x).

The following sections describe how to set an MEK, enable SED on a recovery group, and change an MEK.

Configuring a master encryption key by using GKLM

An MEK is used to enable SED by enrolling the drives of a recovery group. The same MEK is used to unlock locked drives and to crypto-erase SED-enabled drives. IBM Storage Scale System uses an external key manager such as GKLM to generate and manage the MEK. Use the mmkeyserv command to set up an MEK for the IBM Storage Scale System I/O servers. For more details, see mmkeyserv command in IBM Storage Scale: Command and Programming Reference Guide.

Complete the following steps on an IBM Storage Scale System I/O server node to configure an MEK:
  1. Add a remote key management (RKM) server connection to IBM Storage Scale System I/O server nodes.
    # mmkeyserv server add
  2. Create a tenant on the RKM server, and add the tenant to the IBM Storage Scale System I/O server nodes.
    # mmkeyserv tenant add
  3. Create a key client for the IBM Storage Scale System I/O server nodes to communicate with the RKM server.
    # mmkeyserv client create
  4. Register the key client to the tenant that is added to IBM Storage Scale System I/O server nodes.
    # mmkeyserv client register
  5. Create encryption keys in the tenant.
    # mmkeyserv key create

Configuring a master encryption key by using CTM

The CTM configuration procedure is the same for IBM Storage Scale Systems and IBM Storage Scale.
CAUTION:
Create the key server configuration file with the correct permissions, and ensure that the file is available on all required nodes.

CTM can be configured by using the following methods:

After CTM is configured on all required nodes, generate a key in CTM. Use this key as an MEK to enable SED when you enroll the recovery group drives.

Enabling the SED on a recovery group

Complete the following tasks to enable the SED on a specified recovery group:
  1. Before you enroll a recovery group for SED, verify that all drives of the recovery group, except NVRAM drives, are SED capable.
    # mmvdisk sed verify  {--all | --recovery-group RgName[,RgName...] |
                          --recovery-group RgName [--pdisk pdiskname] |
                          --pdisk-path pdisk-path}
    --all
    Selects all recovery groups of the cluster.
    --recovery-group
    Specifies the recovery group name(s).
    --pdisk
    Specifies a pdisk name within the given recovery group.
    --pdisk-path
    Specifies a pdisk path.
  2. Create an MEK.
    # mmkeyserv key create
  3. Get the MEK key ID (the key UUID).
    # mmkeyserv key show
  4. Enable the SED on a specified recovery group.
    # mmvdisk sed enroll --recovery-group RecoveryGroupName --rkmid RKMId --key-uuid KeyId
    --recovery-group
    Specifies the name of the recovery group whose drives are to be enabled for SED.
    --rkmid
    Specifies the RKM ID, as displayed by the mmkeyserv rkm show command.
    --key-uuid
    Specifies the MEK UUID.

    The command can take a long time, depending on the number of drives in the recovery group.

  5. If the mmvdisk command is interrupted, rerun it. On the rerun, drives that are already enrolled are skipped and the remaining drives are enrolled with the same MEK.
  6. When SED is enabled on all drives, a new sedKeyId configuration variable is set to the MEK key ID and the RKM ID. The sedKeyId value is the concatenation of the MEK key ID, a colon (:), and the RKM ID, that is, KeyId:RKMid. The sedKeyId variable is set only for the node class of the recovery group.
  7. Check whether all the drives of a recovery group are enabled for the SED.
    # mmvdisk sed list {--all | --recovery-group RgName[,RgName...] |
                        --recovery-group RgName [--pdisk pdiskname] |
                        --pdisk-path pdisk-path}
    --all
    Selects all recovery groups of the cluster.
    --recovery-group
    Specifies the recovery group name(s).
    --pdisk
    Specifies a pdisk name within the given recovery group.
    --pdisk-path
    Specifies a pdisk path.

    For each drive, this command shows whether SED is enabled with the MEK specified by sedKeyId or with some other, unknown key, and whether the drive is locked or unlocked. A drive that reports an unknown key or stays locked after enrollment needs attention before you rely on the recovery group.

Migrating a recovery group for the SED

Existing recovery groups that already contain user data can be enabled for SED by using the migration process. Migration can be done on a live system while a workload is running.

To enable SED on all drives of a recovery group, complete the following steps:
  1. Configure an MEK and find the MEK key ID (KeyId) and the RKM ID (RKMid).
    # mmkeyserv 

    For more details, see mmkeyserv command in IBM Storage Scale: Command and Programming Reference Guide.

  2. Ensure that all the drives of the recovery group are in the OK state.
  3. Verify that all drives of the recovery group are SED capable.
    # mmvdisk sed verify 
  4. Run the mmvdisk sed enroll command, passing the MEK key ID (KeyId) and the RKM ID (RKMid) that you found in step 1:
    # mmvdisk sed enroll  --recovery-group RgName --rkmid RKMid --key-uuid KeyId
    • The new KeyId:RKMid value is stored in the sedKeyId configuration variable of the node class.
    • On all drives, the MEK is changed from the default MSID to the new key, and SED is enabled.
  5. If the enroll (migration) process is stopped or interrupted, rerun the mmvdisk sed enroll command to continue the migration; drives that are already enrolled are skipped.
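The enable procedure and the migration procedure above use the same three commands in the same order, so they can be wrapped in one script. The following POSIX shell script is an added example, not part of the IBM documentation or of the product: it runs mmvdisk sed verify, mmvdisk sed enroll, and mmvdisk sed list for one or more recovery groups, refuses to enroll a recovery group whose drives are not all SED capable, and reruns the enroll command a bounded number of times if it is interrupted, relying on the documented behaviour that already-enrolled drives are skipped on a rerun. It assumes that mmvdisk is on PATH on the I/O server node and that the RKM ID and the MEK key UUID were obtained beforehand with mmkeyserv rkm show and mmkeyserv key show. The MMVDISK, MAX_ATTEMPTS, RKMID and KEYUUID variables and the helper functions (including sed_key_id, which builds the KeyId:RKMid string that the sedKeyId variable holds) are this script's own names, not product interfaces.

```bash
#!/bin/sh
# Added example, not IBM code: drives the documented SED enable/migration steps
# (mmvdisk sed verify -> enroll -> list) for one or more recovery groups.
# Assumptions: mmvdisk is on PATH on the I/O server node; RKMID and KEYUUID were
# obtained beforehand with mmkeyserv rkm show / mmkeyserv key show.
# MMVDISK, MAX_ATTEMPTS, RKMID, KEYUUID and the helper names are this script's own.
set -eu

MMVDISK=${MMVDISK:-mmvdisk}          # override to point at a wrapper or a stub
MAX_ATTEMPTS=${MAX_ATTEMPTS:-3}      # bound on reruns after an interruption

# Build the value the page says sedKeyId holds: "<KeyId>:<RKMid>".
# A colon inside either part would make the value ambiguous, so reject it.
sed_key_id() {
    key_uuid=$1
    rkm_id=$2
    case "$key_uuid" in
        ""|*:*) echo "sed_key_id: key UUID must be non-empty and contain no colon" >&2; return 1 ;;
    esac
    case "$rkm_id" in
        ""|*:*) echo "sed_key_id: RKM ID must be non-empty and contain no colon" >&2; return 1 ;;
    esac
    printf '%s:%s\n' "$key_uuid" "$rkm_id"
}

# Split a sedKeyId value back into its parts: everything before the first
# colon is the MEK key UUID, the remainder is the RKM ID.
sed_key_uuid() { printf '%s\n' "${1%%:*}"; }
sed_rkm_id()   { printf '%s\n' "${1#*:}"; }

# Verify, enroll and list one recovery group. Returns non-zero if any drive is
# not SED capable or if enroll keeps failing after MAX_ATTEMPTS runs.
enroll_rg() {
    rg=$1
    rkm_id=$2
    key_uuid=$3
    expected=$(sed_key_id "$key_uuid" "$rkm_id") || return 1

    # Step 1: every drive (except NVRAM) must be SED capable, otherwise do not enroll.
    if ! "$MMVDISK" sed verify --recovery-group "$rg"; then
        echo "$rg: not all drives are SED capable; not enrolling" >&2
        return 1
    fi

    # Steps 4-5: enroll. Already-enrolled drives are skipped on a rerun, so
    # repeating the command after an interruption is safe.
    attempt=1
    until "$MMVDISK" sed enroll --recovery-group "$rg" --rkmid "$rkm_id" --key-uuid "$key_uuid"; do
        if [ "$attempt" -ge "$MAX_ATTEMPTS" ]; then
            echo "$rg: enroll still failing after $attempt attempts; giving up" >&2
            return 1
        fi
        attempt=$((attempt + 1))
        echo "$rg: enroll interrupted, rerunning (attempt $attempt of $MAX_ATTEMPTS)" >&2
    done

    # Step 7: show per-drive state so the operator can confirm that every drive
    # reports the expected key rather than an unknown one, and is unlocked.
    echo "$rg: enrolled; sedKeyId for the node class should now be $expected"
    "$MMVDISK" sed list --recovery-group "$rg"
}

# Usage: RKMID=<rkm id> KEYUUID=<mek key uuid> sh enroll_sed.sh rg1 [rg2 ...]
if [ -n "${RKMID:-}" ] && [ -n "${KEYUUID:-}" ] && [ "$#" -gt 0 ]; then
    for rg in "$@"; do
        enroll_rg "$rg" "$RKMID" "$KEYUUID"
    done
fi
```

The script never prints or stores the MEK itself; it only carries the key UUID and RKM ID, which is all the enroll command needs, and the key material stays in the key server. The retry bound is a choice of this script: an enroll that fails repeatedly is more likely a drive or key-server problem than an interruption, and should be investigated with mmvdisk sed list rather than retried indefinitely.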

Auto unlock of the recovery group drives

When SED is enabled, the SED capable drives are locked after a power cycle. The drives of a recovery group are unlocked by using the following methods:
  • The current MEK, identified by the sedKeyId configuration variable, is used to unlock the drives.
  • The disk hospital uses the current MEK when it detects SED-locked drives.
  • When the daemon is started with the mmstartup command, the drives are unlocked by using the current MEK.

Auto enroll new recovery group drives

After SED is enabled on a recovery group, new drives that are added as part of the disk replacement procedure are enrolled automatically, using the current MEK that is specified by the sedKeyId configuration variable.

Crypto-erase of recovery group drives

After SED is enabled on a recovery group, the SED capable drives of the recovery group are crypto-erased when the recovery group or individual drives are deleted. Crypto-erase is mandatory during recovery group deletion and during disk deletion from the recovery group.
Note: After drives are crypto-erased, the old data cannot be recovered from them. To reuse a drive, it must be formatted again.