Chapter 3: SafeStore Disk Encryption. Broadcom MegaRAID SAS Software


MegaRAID SAS Software User Guide, March 2012

Chapter 3: SafeStore Disk Encryption

This chapter describes the LSI SafeStore Disk Encryption service. The SafeStore Disk Encryption service is a collection of features within LSI storage products that supports self-encrypting disks. The SafeStore encryption services support local key management.

Overview

The SafeStore Disk Encryption service offers the ability to encrypt data on drives and use disk-based key management to provide data security. This solution provides data protection in the event of theft or loss of physical drives. With self-encrypting drives, if you remove a drive from its storage system or the server in which it is housed, the data on that drive is encrypted and useless to anyone who attempts to access it without the appropriate security authorization.

With the SafeStore encryption service, data is encrypted by the drives. You can designate which data to encrypt at the individual virtual disk (VD) level. Any encryption solution requires management of the encryption keys. The security service provides a way to manage these keys. Both the WebBIOS Configuration Utility and the MegaRAID Storage Manager software offer procedures that you can use to manage the security settings for the drives.

Purpose and Benefits

Security is a growing market concern and requirement. MegaRAID customers are looking for a comprehensive storage encryption solution to protect data. You can use the SafeStore encryption service to help protect your data. In addition, SafeStore local key management removes the administrator from most of the daily tasks of securing data, thereby reducing user error and decreasing the risk of data loss. Also, SafeStore local key management supports instant secure erase of drives that permanently removes data when repurposing or decommissioning drives. These services provide a much more secure level of data erasure than other common erasure methods, such as overwriting or degaussing.

Terminology

The following table describes the terminology related to the SafeStore encryption feature.

Table 19 Terminology used in FDE

Option: Authenticated Mode
Description: The RAID configuration is keyed to a user password. The password must be provided on system boot to authenticate the user and facilitate unlocking the configuration for user access to the encrypted data.

Option: Blob
Description: A blob is created by encrypting a key using another key. There are two types of blob in the system: the encryption key blob and the security key blob.

Option: Key backup
Description: You need to provide the controller with a lock key if the controller is replaced or if you choose to migrate secure virtual disks. To do this task, you must back up the security key.

Option: Password
Description: An optional authenticated mode is supported in which you must provide a password on each boot to make sure the system boots only if the user is authenticated. Firmware uses the user password to encrypt the security key in the security key blob stored on the controller.

Option: Re-provisioning
Description: Re-provisioning disables the security system of a device. For a controller, it involves destroying the security key. For SafeStore encrypted drives, when the drive lock key is deleted, the drive is unlocked and any user data on the drive is securely deleted. This situation does not apply to controller-encrypted drives, because deleting the virtual disk destroys the encryption keys and causes a secure erase. See Section Instant Secure Erase for information about the instant secure erase feature.

Option: Security Key
Description: A key based on a user-provided string. The controller uses the security key to lock and unlock access to the secure user data. This key is encrypted into the security key blob and stored on the controller. If the security key is unavailable, user data is irretrievably lost. You must take all precautions to never lose the security key.

Option: Un-Authenticated Mode
Description: This mode allows the controller to boot and unlock access to the user configuration without user intervention. In this mode, the security key is encrypted into a security key blob and stored on the controller, but instead of a user password, an internal key specific to the controller is used to create the security key blob.

Option: Volume Encryption Keys (VEK)
Description: The controller uses the volume encryption keys to encrypt data when a controller-encrypted virtual disk is created. These keys are not available to the user. The firmware uses a unique 512-bit key for each virtual disk. The VEKs for the virtual disks are stored on the physical disks in a VEK blob.

Workflow

Enable Security

You can enable security on the controller. After you enable security, you have the option to create secure virtual drives using a security key.

There are three procedures you can perform to create secure virtual drives using a security key:

- Create the security key identifier
- Create the security key
- Create a password (optional)

Create the Security Key Identifier

The security key identifier appears whenever you enter the security key. If you have multiple security keys, the identifier helps you determine which security key to enter. The controller provides a default identifier for you. You can use the default setting or enter your own identifier.

Create the Security Key

You need to enter the security key to perform certain operations. You can choose a strong security key that the controller suggests.

CAUTION

If you forget the security key, you will lose access to your data.

Create a Password

The password provides additional security. The password should be different from the security key. You can select a setting in the utilities so that you must enter the password whenever you boot your server.

CAUTION

If you forget the password, you will lose access to your data.

When you use the specified security key identifier, security key, and password, security is enabled on the controller.

Change Security

You can change the security settings on the controller, and you have the option to change the security key identifier, security key, and password. If you have previously removed any secured drives, you still need to supply the old security key to import them.

You can perform three procedures to change the security settings on the controller:

- Change the security key identifier
- Change the security key
- Change a password

See Section Selecting SafeStore Encryption Services Security Options for the procedures used to change security options in WebBIOS, or Section LSI MegaRAID SafeStore Encryption Services for the procedures used to change security options in the MegaRAID Storage Manager software.

Change the Security Key Identifier

You have the option to edit the security key identifier. If you plan to change the security key, it is highly recommended that you change the security key identifier. Otherwise, you will not be able to differentiate between the security keys.

You can select whether you want to keep the current security key identifier or enter a new one. To change the security key identifier, enter a new security key identifier.

Change the Security Key

You can choose to keep the current security key or enter a new one. To change the security key, you can either enter the new security key or accept the security key that the controller suggests.

Add or Change the Password

You have the option to add a password or change the existing one. To change the password, enter the new password. To keep the existing password, enter the current password. If you choose this option, you must enter the password whenever you boot your server.

This procedure updates the existing configuration on the controller to use the new security settings.

Create Secure Virtual Drives

You can create a secure virtual drive and set its parameters as desired. To create a secure virtual drive, select a configuration method. You can select either simple configuration or advanced configuration.

Simple Configuration

If you select simple configuration, select the redundancy type and drive security method to use for the drive group.

See Section Creating a Virtual Drive Using Simple Configuration for the procedures used to select the redundancy type and drive security method for a configuration.

Advanced Configuration

If you select advanced configuration, select the drive security method, and add the drives to the drive group.

See Section Creating a Virtual Drive Using Advanced Configuration for the procedures used to import a foreign configuration.

After the drive group is secured, you cannot remove the security without deleting the virtual drives.

Import a Foreign Configuration

After you create a security key, you can run a scan for a foreign configuration and import a locked configuration. (You can import unsecured or unlocked configurations when security is disabled.) A foreign configuration is a RAID configuration that already exists on a replacement set of drives that you install in a computer system. The WebBIOS Configuration Utility and the MegaRAID Storage Manager software allow you to import the existing configuration to the RAID controller or clear the configuration so you can create a new one.

See Section Viewing and Changing Device Properties for the procedure used to import a foreign configuration in WebBIOS, or Section Importing or Clearing a Foreign Configuration for the procedure in the MegaRAID Storage Manager software.

To import a foreign configuration, you must first enable security to allow importation of locked foreign drives. If the drives are locked and the controller security is disabled, you cannot import the foreign drives. Only unlocked drives can be imported when security is disabled. After you enable security, you can import the locked drives. To import the locked drives, you must provide the security key used to secure them. Verify whether any drives are left to import, because the locked drives can use different security keys. If there are any drives left, repeat the import process for the remaining drives. After all of the drives are imported, there is no configuration to import.

Instant Secure Erase

Instant Secure Erase is a feature used to erase data from encrypted drives. After the initial investment for an encrypted disk, there is no additional cost in dollars or time to erase data using the Instant Secure Erase feature.

You can change the encryption key for all MegaRAID RAID controllers that are connected to encrypted drives. All encrypted drives, whether locked or unlocked, always have an encryption key. This key is set by the drive and is always active. When the drive is unlocked, the drive always delivers plaintext data to the host on reads and accepts plaintext data from the host into the drive cache on writes. However, when resting on the drive platters, the data is always encrypted by the drive.

You might not want to lock your drives because you have to manage a password if they are locked. Even if you do not lock the drives, there is still a benefit to using encrypted disks.

If you are concerned about data theft or other security issues, you might already be paying drive disposal costs, and SafeStore encryption offers benefits over other technologies that exist today, both in the security provided and the time saved.

If the encryption key on the drive changes, the drive cannot decrypt the data on the platters, effectively erasing the data on the disks. The National Institute of Standards and Technology (http://www.nist.gov) values this type of data erasure above secure erase and below physical destruction of the device.
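The key hierarchy in Table 19 (the security key blob in authenticated and un-authenticated mode, the per-virtual-disk VEK blob), the Change Security workflow and the instant secure erase mechanism above, modelled together in an added Python example that is not LSI or Broadcom code. The HMAC-based wrap cipher, the blob layout, the labels and the SHA-256 key derivation are constructed assumptions standing in for the drive's AES hardware, chosen only so the example runs with the standard library.

```python
# Constructed model of the SafeStore key hierarchy this chapter describes; not LSI/Broadcom code.
# The wrap cipher is a toy HMAC-SHA256 keystream so it runs on the standard library alone
# (real self-encrypting drives use AES hardware); blob layout, labels and the KDF are assumptions.
import hashlib
import hmac
import os

def _stream(key, label, data):
    """XOR data with HMAC(key, label||counter) blocks; symmetric, so it both wraps and unwraps."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def wrap(key, label, secret):
    """A blob is 'a key encrypted using another key'; the MAC tag makes a wrong key detectable."""
    ct = _stream(key, label, secret)
    return ct + hmac.new(key, label + ct, hashlib.sha256).digest()

def unwrap(key, label, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, label + ct, hashlib.sha256).digest()):
        raise PermissionError("blob does not open with this key")
    return _stream(key, label, ct)

def security_key(user_string):
    return hashlib.sha256(user_string.encode()).digest()  # "a key based on a user-provided string"

def boot_wrap_key(password=None, controller_key=b"constructed-controller-internal-key"):
    """Key that wraps the security key blob on the controller: the user password in authenticated
    mode, or a key internal to the controller in un-authenticated mode (boots with no password)."""
    return hashlib.sha256(password.encode()).digest() if password else controller_key

class SecureVirtualDisk:
    """One controller-encrypted VD: the VEK blob and the at-rest ciphertext both live on the drive."""
    def __init__(self, sk, plaintext):
        vek = os.urandom(64)                      # unique 512-bit VEK per VD, never exposed to the user
        self.vek_blob = wrap(sk, b"VEK", vek)
        self.platters = _stream(vek, b"DATA", plaintext)
    def read(self, sk):
        return _stream(unwrap(sk, b"VEK", self.vek_blob), b"DATA", self.platters)
    def change_security_key(self, old_sk, new_sk):
        """Re-keying re-wraps only the VEK blob; the ciphertext on the platters is untouched."""
        self.vek_blob = wrap(new_sk, b"VEK", unwrap(old_sk, b"VEK", self.vek_blob))
    def instant_secure_erase(self, sk):
        """Replace the VEK: the old ciphertext stays on the platters but now decrypts to garbage."""
        self.vek_blob = wrap(sk, b"VEK", os.urandom(64))
```

Note that after instant_secure_erase the controller still "unlocks" the disk with the same security key, yet nothing meaningful comes back, which is exactly why losing or changing the key is equivalent to erasure.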

Consider the following reasons for using instant secure erase.

If you need to repurpose the hard drive for a different application

You might need to move the drive to another server to expand storage elsewhere, but the drive is in use. The data on the drive might contain sensitive data including customer information that, if lost or divulged, could cause an embarrassing disclosure of a security hole. You can use the instant secure erase feature to effectively erase the data so that the drive can be moved to another server or area without concern that old data could be found.

If you need to replace drives

If the amount of data has outgrown the storage system, and there is no room to expand capacity by adding drives, you might choose to purchase upgrade drives. If the older drives support encryption, you can erase the data instantly so the new drives can be used.

If you need to return a disk for warranty activity

If the drive is beginning to show SMART predictive failure alerts, you might want to return the drive for replacement. If so, the drive must be effectively erased if there is sensitive data. Occasionally a drive is in such bad condition that standard erasure applications do not work. If the drive still allows any access, it might be possible to destroy the encryption key.
