Self Encrypting Drives (Full Disk Encryption)
Cisco IMC supports self-encrypting drives (SED). Special hardware in the drives encrypts incoming data and decrypts outgoing data in real time. This feature is also called Full Disk Encryption (FDE).
The data on the drive is encrypted on its way into the drive and decrypted on its way out. However, if you lock the drive, no security key is required to retrieve the data.
When a drive is locked, an encryption key is created and stored internally. All data stored on this drive is encrypted using that key and stored in encrypted form. Once you store the data in this manner, a security key is required to decrypt and fetch the data from the drive. Unlocking a drive deletes that encryption key and renders the stored data unusable. This is called a Secure Erase. The FDE comprises a key ID and a security key.
- Enable and disable security on a controller
- Create a secure virtual drive
- Secure a non-secure drive group
- Unlock foreign configuration drives
- Enable security on a physical drive (JBOD)
- Clear secure SED drives
- Clear secure foreign configuration
Scenarios to Consider While Configuring Controller Security in a Dual or Multiple Controllers Environment
Note: Dual or multiple controller connectivity is available only on some servers.
Controller security can be enabled, disabled, or modified independently on each controller. However, local and remote key management applies to all the controllers on the server. Therefore, any security action that involves switching the key management mode must be performed with caution. If both controllers are secure and you move one of them to a different mode, you must perform the same operation on the other controller as well.
Consider the following two scenarios:
- Scenario 1: Key management is set to remote; both controllers are secure and use remote key management. If you now wish to switch to local key management, switch the key management for each controller and disable remote key management.
- Scenario 2: Key management is set to local; both controllers are secure and use local key management. If you now wish to switch to remote key management, enable remote key management and switch the key management for each controller.
If you leave the controller security method unmodified on any one of the controllers, secure key management ends up in an unsupported configuration state.
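The step ordering in the two scenarios, and the mixed-mode state that results from switching only one controller, can be checked before a change window. The following is an added example, not Cisco code: the `Controller` record, the slot names and both functions are hypothetical, and the inventory is constructed rather than read from Cisco IMC.

```python
from dataclasses import dataclass

@dataclass
class Controller:
    name: str       # hypothetical slot label
    secure: bool    # controller security enabled
    key_mgmt: str   # "local" or "remote"; only meaningful when secure

def audit(controllers):
    """Flag secure controllers that disagree on key management mode."""
    secure = [c for c in controllers if c.secure]
    if len({c.key_mgmt for c in secure}) > 1:
        detail = ", ".join(f"{c.name}={c.key_mgmt}" for c in secure)
        return [f"unsupported configuration: mixed key management ({detail})"]
    return []

def plan_switch(controllers, target):
    """Ordered steps to bring every secure controller to `target`."""
    if target not in ("local", "remote"):
        raise ValueError("target must be 'local' or 'remote'")
    todo = [c for c in controllers if c.secure and c.key_mgmt != target]
    if not todo:
        return []
    steps = [f"switch {c.name} to {target} key management" for c in todo]
    if target == "remote":
        # Scenario 2: enable remote key management first, then switch each controller.
        return ["enable remote key management"] + steps
    # Scenario 1: switch each controller first, then disable remote key management.
    return steps + ["disable remote key management"]

# Constructed inventory: a switch to local that stopped after one controller.
HALF_DONE = [Controller("SLOT-A", True, "local"),
             Controller("SLOT-B", True, "remote")]

if __name__ == "__main__":
    for finding in audit(HALF_DONE):
        print(finding)
    for n, step in enumerate(plan_switch(HALF_DONE, "local"), 1):
        print(f"{n}. {step}")
```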
Enabling Controller Security
This option is available only on some C-series servers.
Before you begin
You must log in with admin privileges to perform this task.
Procedure
Step 1: In the Navigation pane, click the Storage menu.
Step 2: In the Storage menu, click the appropriate LSI MegaRAID or HBA controller.
Step 3: In the Controller Info area, click Enable Drive Security.
Step 4: In the Enable Drive Security dialog box, update the following fields:
Step 5: Click Save. This enables controller security.
Modifying Controller Security
This option is available only on some C-series servers.
Before you begin
- You must log in with admin privileges to perform this task.
- You must have first enabled controller security to modify it.
Procedure
Step 1: In the Navigation pane, click the Storage menu.
Step 2: In the Storage menu, click the appropriate LSI MegaRAID or HBA controller.
Step 3: In the Controller Info area, click Modify Drive Security.
Step 4: In the Modify Drive Security dialog box, update the following fields:
Step 5: Click Save. This modifies the controller security settings.
Disabling Controller Security
This option is available only on some C-series servers.
Before you begin
- You must log in with admin privileges to perform this task.
- You must have first enabled controller security to disable it.
Procedure
Step 1: In the Navigation pane, click the Storage menu.
Step 2: In the Storage menu, click the appropriate LSI MegaRAID or HBA controller.
Step 3: In the Controller Info area, click Disable Drive Security.
Step 4: Click OK in the confirmation pop-up window. This disables controller security.
Switching Controller Security Between Local and Remote Key Management
This task allows you to switch controller security from local management to remote management, and from remote to local management.
Before you begin
You must log in with admin privileges to perform this task.
Procedure
Step 1: In the Navigation pane, click the Storage menu.
Step 2: In the Storage menu, click the appropriate LSI MegaRAID or HBA controller.
Step 3: In the Controller Info area, to switch the controller security from remote to local management, click Switch to Local Key Management.
Step 4: (Optional) Similarly, if you want to switch the controller security from local to remote management, click Switch to Remote Key Management.
Step 5: Click OK to confirm.