Secure storage policy

You can use the secure storage policy to clear the sensitive data on the system.

About this task

Use the Secure Storage Policy menu to clear the sensitive data in the following situations:
  • Returning the system to IBM® Global Asset Recovery Services (GARS).
  • Resale of the system.
  • When there are changes in the customer workloads, such as moving a system from a development environment to production use.
  • When the encryption or decryption keys are compromised or lost.
Notes:
  • Because of the sensitivity of the data that might be cleared, the procedure requires physical access to the system to authorize the operation.
  • Warning: This operation is not reversible. If the sensitive data that is cleared contains data or storage encryption keys, you will also lose the encryption keys. Additionally, if the encryption keys or data are not replicated to another location, the system also loses the ability to decrypt data that is encrypted by using those encryption keys.

To change the secure storage policy, complete the following steps:

Procedure

  1. On the ASMI Welcome pane, specify your user ID and password, and click Log In.
  2. In the navigation area, expand System Configuration > Security > Secure Storage Policy.
  3. On the content pane, select any one of the following options:
    • Clear None: This option is the default option. No sensitive data is cleared on the next power-on.
    • Clear All: Select this option to clear or reset all the sensitive data that is controlled by the platform firmware.
    • Clear OS Secureboot Key: Select this option to enable the OpenPower Abstraction Layer (OPAL) to clear the secure boot keys of the operating system.
    • Clear PowerVM System Key: Select this option to enable PowerVM® to reset the system key to the default state. The trusted system key is used for virtual Trusted Platform Module (vTPM) and Platform Keystore data encryption.
  4. Click Save settings to save the changes.
  5. Power on the system. The system detects the request to change the secure storage policy and enables physical presence detection to authorize the operation. The system then automatically powers off.
  6. Power on the system manually by using the power button. The system performs the requested operation, and the selected option returns to the default option, which is Clear None.