How to set up NVMe Locking Policy / Password for IBM i

How To


Summary

All NVMe devices supported by IBM® i are Self-Encrypting Drives (SED), so data on them is encrypted at rest. Without a locking policy, however, the key used to encrypt and decrypt that data is not protected. By creating a password policy and adding NVMe devices to it, the devices can protect the confidentiality of stored user data against unauthorized access once a device leaves the owner's control. This feature uses the Trusted Computing Group (TCG) Opal Security Subsystem Class (SSC) specification for storage. Each NVMe device that supports the Opal SSC is registered in a list of devices on which the administrator can establish a locking policy. Once a device is added to the locking policy, it locks itself whenever main power is lost or a PCIe cold reset occurs.
The NVMe device will be locked when:

- DLPAR Remove operation is performed on the device
- Concurrent Maintenance Power Off is performed on the device
- The partition is IPLed
- The NVMe device is reset

Once the device is locked, reads and writes issued to the drive will fail. While the NVMe device remains in the partition, restoring power to the device will cause it to automatically unlock itself, using the policy password stored in the Platform KeyStore.

Environment

Minimum requirements:
  1. Hardware Management Console (HMC)
  2. Power-10 processor
  3. Server firmware FW1030
  4. NVMe device capable of supporting locking policy
  5. IBM i 7.4 TR7, IBM i 7.5 TR1

Steps

How to set up NVMe Locking Policy:
 
Note: Each of the IBM i steps regarding NVMe locking policy can be performed using either Advanced Analysis (AA) commands in System Service Tools (SST), or SQL services via an SQL interface such as STRSQL, RUNSQL, or STRQMQRY.
 
1.  Verify that the NVMe devices used by the IBM i partition support a locking policy:
     1a.  Using AA command:
          i.     STRSST and sign in
          ii.    Option 1 - Start a service tool
          iii.   Option 4 - Display/Alter/Dump
          iv.    Option 1 - Display/Alter storage
          v.     Option 2 - Licensed Internal Code (LIC) data
          vi.    Option 14 - Advanced analysis
          vii.   Type 1 in the Option field, and NVMEDISPLAYLP in the Command field, then press the Enter key
          viii.  On the Options display, just press the Enter key
          ix.    Verify that the NVMe devices show Support Locking = YES.
 
     1b.  Using SQL service:
          Run SQL statement:  SELECT * FROM QSYS2.LOCKING_POLICY_INFO
          Verify that the NVMe devices show LOCKING_SUPPORTED = YES.
 
2.  Power down the IBM i partition
     i.    Cleanly end applications
     ii.   (optional) ENDSBS *ALL
     iii.  PWRDWNSYS OPTION(*IMMED) RESTART(*NO)
 
3.  Configure Platform Key Store (PKS) for the partition using the HMC
     i.    Go into the partition properties
     ii.   Expand Advanced Settings
     iii.  Set the KeyStore Size to 64 KB
     iv.  Save the change
 
4.  Activate partition from the HMC
 
5.  Create a locking policy / password:
     5a.  Using AA command:  NVMECREATELP -P "<password>" -C "<password>"
     Notes:
          i.    The password parameters should be entered on the Options display
          ii.   Each instance of the password must be enclosed in double quotation marks (" ")
          iii.  The password must be at least 8 and not more than 32 characters in length
          iv.   The password (-P) and confirmation password (-C) must match
          v.    The password cannot span across 2 lines on the Options display
          vi.   The confirmation password cannot span across 2 lines on the Options display
 
     5b.  Using SQL service:  CALL QSYS2.CREATE_LOCKING_POLICY(POLICY_PASSWORD => '<password>')
     Notes:
          i.    The password must be enclosed in single quotation marks (' ')
          ii.   The password must be at least 8 and not more than 32 characters in length
          iii.  "POLICY_PASSWORD =>" is optional, the quoted password can be specified without it
 
At this point any eligible NVMe devices with configured units (name spaces) will be automatically added to the locking policy.  You can repeat step 1 to verify the NVMe devices are now under the locking policy.  If you have additional NVMe devices to add to the locking policy, continue with step 6.
 
6.  Add NVMe devices to the locking policy:
     6a.  Using AA command:
           NVMEADDDEVLP -P "<password>" -D <resource(s)>
                    or
           NVMEADDDEVLP -P "<password>" -ALL
     Notes:
          i.    The password and resource (or -ALL) parameters should be entered on the Options display
          ii.   The password must be enclosed in double quotation marks (" ")
          iii.  The password must be the same password used in step 5 to create the policy
          iv.   <resource(s)> should be a space-separated list of DCxx resource name(s) for the desired NVMe device(s) seen in step 1
          v.    -ALL will add all eligible NVMe devices to the policy
 
     6b.  Using SQL service:
          CALL QSYS2.ADD_DEVICE_LOCKING_POLICY(POLICY_PASSWORD => '<password>', RESOURCE_NAME => '<resource>')
     Notes:
          i.    The password must be enclosed in single quotation marks (' ')
          ii.   The password must be the same password used in step 5 to create the policy
          iii.  "POLICY_PASSWORD =>" is optional, the quoted password can be specified without it
          iv.  The NVMe device resource name must be enclosed in single quotation marks (' ')
          v.   Only one resource name can be specified per call, or use "*ALL" instead of the resource name to add all eligible devices
          vi.  "RESOURCE_NAME =>" is optional, the quoted resource can be specified without it
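The SQL-service path of steps 1, 5 and 6 collected into one script, as an added example that is not part of the IBM page; it assumes the partition has already been through steps 2 to 4, that '<password>' is replaced with your own 8 to 32 character policy password, and that DC01 stands in for a DCxx resource name reported by step 1.

```sql
-- Added example: SQL-service sequence for the NVMe locking policy.
-- Run the statements in order from STRSQL or RUNSQL after the partition
-- has been reactivated with the 64 KB Platform KeyStore (steps 2 to 4).
-- '<password>' and 'DC01' are placeholders, not values from the page.

-- Step 1b: list only the NVMe devices that can join a locking policy.
-- A device not reporting LOCKING_SUPPORTED = 'YES' cannot be added in step 6.
SELECT *
  FROM QSYS2.LOCKING_POLICY_INFO
 WHERE LOCKING_SUPPORTED = 'YES';

-- Step 5b: create the policy. The password is single-quoted and
-- 8 to 32 characters long; the named parameter prefix is optional.
-- Eligible devices with configured units (name spaces) are added
-- automatically once this call succeeds.
CALL QSYS2.CREATE_LOCKING_POLICY(POLICY_PASSWORD => '<password>');

-- Step 6b: add one further device by its DCxx resource name
-- (one resource name per call, same password as in step 5) ...
CALL QSYS2.ADD_DEVICE_LOCKING_POLICY(
       POLICY_PASSWORD => '<password>',
       RESOURCE_NAME   => 'DC01');

-- ... or add every remaining eligible device in a single call.
-- Note the asterisk form '*ALL' here, versus -ALL for the AA command.
CALL QSYS2.ADD_DEVICE_LOCKING_POLICY(
       POLICY_PASSWORD => '<password>',
       RESOURCE_NAME   => '*ALL');

-- Repeat step 1b to confirm the devices are now under the policy.
SELECT * FROM QSYS2.LOCKING_POLICY_INFO;
```

Once a device is under the policy it locks on power loss, DLPAR remove, concurrent-maintenance power off, IPL or reset, and unlocks on the next power-up only because the policy password is held in the partition's Platform KeyStore.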
 
 

Additional Information

Other Related NVMe Locking Policy Functions:
 
  • Change Locking Policy Password
          AA:    NVMECHANGEPWLP
          SQL:  CHANGE_DEVICE_LOCKING_POLICY
 
  • Delete Locking Policy
          AA:    NVMEDELETELP
          SQL:  DELETE_LOCKING_POLICY
 
  • Factory Reset Device
          AA:    NVMEFACTORYRESETDEVLP
          SQL:  FACTORY_RESET_DEVICE
 
  • Remove Device from Locking Policy
          AA:    NVMEREMOVEDEVLP
          SQL:  REMOVE_DEVICE_LOCKING_POLICY
 
  • Unlock Device
          AA:    NVMEUNLOCKDEVLP
          SQL:  UNLOCK_DEVICE
 

Document Location

Worldwide


Document Information

Modified date:
29 October 2025

UID

ibm16989523