Cisco IMC supports self-encrypting drives (SEDs). Special hardware in the drives encrypts incoming data and decrypts outgoing data in real time. This feature is also called Full Disk Encryption (FDE).
The data on the drive is encrypted on its way into the drive and decrypted on its way out. However, if you lock the drive, no security key is required to retrieve the data.
When a drive is locked, an encryption key is created and stored internally. All data stored on this drive is encrypted using that key and stored in encrypted form. Once you store the data in this manner, a security key is required to decrypt and fetch the data from the drive. Unlocking a drive deletes that encryption key and renders the stored data unusable. This is called a Secure Erase. The FDE comprises a key ID and a security key.
The FDE feature supports the following operations:
Enable and disable security on a controller
Create a secure non-secure drive group
Enable security on a physical drive (JBOD)
Clear secure SED
Scenarios to Consider While Configuring Controller Security in a Dual SIOC Environment
Dual SIOC connectivity is available only on some servers.
can be enabled, disabled, or modified independently. However, local and remote key management applies to all the controllers on the server. Therefore, any security action that involves switching the key management mode must be performed with caution. In a scenario where both controllers are secure and you decide to move one of the controllers to a different mode, you need to perform the same operation on the other controller as well.
Consider the following
management is set to remote; both controllers are secure and use remote key management. If you now wish to switch to local key management, switch the key management for each controller and disable remote key management.
management is set to local; both controllers are secure and use local key management. If you now wish to switch to remote key management, enable remote key management and switch the key management for each controller.
If you do not modify the controller security method on any one of the controllers, the secure key management is left in an unsupported configuration state.
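The two switching orders above, modeled as an added Python example (not Cisco code, and not Cisco IMC commands or API calls). It replays each step against a small state model and reports when the controllers would be left in mixed modes. The state layout, step names and controller names are assumptions made for this illustration.

```python
# Added illustration. The state model and step names are assumptions for this
# example; they are not Cisco IMC commands or API calls.

def findings(state):
    """state = {"remote_km": bool, "controllers": {name: mode}}, where mode is
    "local", "remote", or None for a controller that is not secured."""
    modes = {m for m in state["controllers"].values() if m is not None}
    out = []
    if len(modes) > 1:
        out.append("secure controllers use different key management modes")
    if "remote" in modes and not state["remote_km"]:
        # Inferred from the step order in the two scenarios, not stated outright.
        out.append("remote-keyed controller while remote key management is disabled")
    return out

def plan(state, target):
    """Ordered steps that move every secure controller to `target` mode."""
    if target not in ("local", "remote"):
        raise ValueError(f"unknown key management mode: {target}")
    switches = [("switch", name)
                for name, mode in sorted(state["controllers"].items())
                if mode is not None and mode != target]
    if target == "remote":
        return [("enable_remote_km", None)] + switches
    return switches + [("disable_remote_km", None)]

def apply_steps(state, steps, target):
    """Apply steps to a copy of state; return (new_state, per-step findings)."""
    new = {"remote_km": state["remote_km"],
           "controllers": dict(state["controllers"])}
    trace = []
    for op, name in steps:
        if op == "switch":
            new["controllers"][name] = target
        else:
            new["remote_km"] = (op == "enable_remote_km")
        trace.append((op, name, findings(new)))
    return new, trace

# Constructed sample: both controllers secure, both on remote key management.
SAMPLE = {"remote_km": True,
          "controllers": {"controller-1": "remote", "controller-2": "remote"}}

if __name__ == "__main__":
    final, trace = apply_steps(SAMPLE, plan(SAMPLE, "local"), "local")
    for op, name, issues in trace:
        print(op, name or "", issues or "ok")
```

Stopping after the first switch step leaves the mixed-mode finding in place, which is the unsupported state described above.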