Lenovo ThinkServer RD330 MegaRAID SAS Software User Guide - Page 48
Terminology, Workflow
View all Lenovo ThinkServer RD330 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 48 highlights
Chapter 3: SafeStore Disk Encryption | Terminology MegaRAID SAS Software User Guide 3.3 Terminology Table 19 describes the terminology related to the SafeStore encryption feature. Table 19: Terminology used in FDE Option Authenticated Mode Blob Key backup Password Re-provisioning Security Key Un-Authenticated Mode Volume Encryption Keys (VEK) Description The RAID configuration is keyed to a user password. The password must be provided on system boot to authenticate the user and facilitate unlocking the configuration for user access to the encrypted data. A blob is created by encrypting a key(s) using another key. There are two types of blob in the system - encryption key blob and security key blob. You need to provide the controller with a lock key if the controller is replaced or if you choose to migrate secure virtual disks. To do this, you must back up the security key. An optional authenticated mode is supported in which you must provide a password on each boot to make sure the system boots only if the user is authenticated. Firmware uses the user password to encrypt the security key in the security key blob stored on the controller. Re-provisioning disables the security system of a device. For a controller, it involves destroying the security key. For SafeStore encrypted drives, when the drive lock key is deleted, the drive is unlocked and any user data on the drive is securely deleted. This does not apply to controller-encrypted drives, because deleting the virtual disk destroys the encryption keys and causes a secure erase. See Section 3.5, Instant Secure Erase, for information about the instant secure erase feature. A key based on a user-provided string. The controller uses the security key to lock and unlock access to the secure user data. This key is encrypted into the security key blob and stored on the controller. If the security key is unavailable, user data is irretrievably lost. You must take all precautions to never lose the security key. This mode allows controller to boot and unlock access to user configuration without user intervention. In this mode, the security key is encrypted into a security key blob, stored on the controller, but instead of a user password, an internal key specific to the controller is used to create the security key blob. The controller uses the Volume Encryption Keys to encrypt data when a controller-encrypted virtual disk is created. These keys are not available to the user. The firmware (FW) uses a unique 512-bit key for each virtual disk. The VEK for the VDs are stored on the physical disks in a VEK blob. 3.4 Workflow 3.4.1 Enable Security 3.4.1.1 Create the Security Key Identifier 3.4.1.2 Create the Security Key You can enable security on the controller. After you enable security, you have the option to create secure virtual drives using a security key. There are three procedures you can perform to create secure virtual drives using a security key: Create the security key identifier Create the security key Create a password (optional) The security key identifier appears whenever you enter the security key. If you have multiple security keys, the identifier helps you determine which security key to enter. The controller provides a default identifier for you. You can use the default or enter your own identifier. You need to enter the security key to perform certain operations. You can choose a strong security key that the controller suggests. Page 48