Home » Dell Manuals » Servers » Dell EqualLogic PS6210XS » Manual Viewer

Dell EqualLogic PS6210XS EqualLogic Group Manager Administrator s Guide PS Ser - Page 323

Self-Encrypting Drives (SED) Frequently Asked Questions (FAQ), Why are my backups always different?

View all Dell EqualLogic PS6210XS manuals

Add to My Manuals
Save this manual to your list of manuals

Page 323 highlights

During normal operation, the array has the information it needs to operate SED disks. The key shares are stored across the array on the non-spare disks. If a disk fails and is replaced by a spare, the configuration generates a new set of key shares, and the original key shares are discarded. If a SED disk goes offline due to power failure, removal from the array, or disk failure, the disk is automatically locked, and any data residing in memory about that disk drive is automatically wiped. To recover the data on that disk, you must provide two of the three key shares to unlock the disk. Backing up the key shares ensures that you have current copies in case you need to recover the data on a locked disk. 1. Click Group and then expand Members. 2. Select the name of the member whose encryption key you want to back up. 3. Click the Maintenance tab. 4. In the Disk Encryption panel, click the Encryption Key Shares button. 5. Enter the administrative password in the dialog box. The Information dialog box lists the names and code string of each key share. 6. To download all three key shares (backup units) as individual text files, click Save all... and choose the location where you want to store them. All three file names have the format membername-keyshare-n, wheren stands for 1, 2, or 3. 7. Use the Copy buttons above each key share to copy the individual key share (backup unit) and paste it into a file, if desired. Select Copy all if you want to copy all three key shares to the clipboard. NOTE: If you generate a second set of key shares, the first set is not invalidated. Generating a second set of key shares, therefore, does not protect the key shares from being compromised. Self-Encrypting Drives (SED) Frequently Asked Questions (FAQ) Why are my backups always different? Although the encryption key never changes, the backup looks different each time it is generated. The three backup units are cryptographic images of the key, and are never generated the same way twice. Why is a secure-erase command not available? The command is not needed. Whenever it is safe to erase a drive, AutoSED will always do so, without intervention. A manual secureerase is never necessary, so no command is provided to perform it. NOTE: Secure-erase is also known as cryptographical erase or crypto-erase. What is the difference between a locked drive and a securely erased drive? Data that is locked is inaccessible without the SEDset key. Data that is securely erased has been cryptographically destroyed. I accidentally reset an SED array. What can I do? Nothing. Every drive in the member has been securely erased, and the data has been cryptographically destroyed. Recovery is impossible. What if the entire array is stolen? Security is compromised. The array will unlock itself when it boots, as it did before it was stolen. What if the grpadmin password is stolen? Security is compromised. The adversary can connect to the array over the network and read the data. SED is irrelevant in this case. About Self-Encrypting Drives (SEDs) and AutoSED 323

Section	Page
Dell EqualLogic Group Manager Administrator’s Guide PS Series Firmware Version 10.0 FS Series Firmware Version 4.0	3
About This Manual	24
Audience	24
Related Documentation	24
Dell Online Services	24
Dell EqualLogic Storage Solutions	24
Dell Technical Support and Customer Service	24
Contacting Dell	25
About Group Manager	26
About GUI and CLI Access	27
Log In to the Group Manager GUI	27
Access the Command-Line Interface (CLI)	27
About the Localized GUI	28
About the End-User License Agreement	28
Install the Group Manager GUI Locally	28
Show or Hide the Session Banner	29
Keyboard Shortcuts	29
GUI Icons	30
Search for Volumes, Collections, Pools, Partners, and Members	31
About Online Help for Group Manager	31
Install the Group Manager Online Help as a Local Resource	31
Access Online Help	31
Localized Online Help	32
Troubleshooting Online Help	32
Architecture Fundamentals	34
About Groups	37
How Groups Work	38
Group Configuration Recommendations	39
About Storage Pools	40
Maintenance Pool	40
Single-Pool Design	40
Multiple-Pool Design	40
Storage Pool: Design Checklist	41
Storage Pool: Design Examples	41
About Volumes	42
Volume Attributes	44
Volume Types	45
About Volume Space Allocation	45
About NAS Architecture	46
About NAS Clusters	48
About NAS Controllers	49
About NAS Containers	50
About the NAS Reserve	50
Set Up the iSCSI SAN	52
Post-Setup Tasks	53
About the Group Date and Time	53
Change or Delete an NTP Server	53
Change the Time Zone and Clock Time	54
About Session Idle Timeout	54
Change the Session Idle Timeout	54
Set General GUI Policies	54
Set GUI Communication Policies	55
Set Alarm Policies	55
Display NAS Cluster Alarms	55
Set Advanced Policies	55
Monitor Events	55
Monitor Audit Log Events	56
About Event Notifications	57
About Email Notification	57
About Email Home	58
Configure or Change Email Home Notifications	59
Configure syslog Notification	59
Enable or Disable the Display of Informational Event Messages	60
Data Security	61
About Group-Level Security	62
Enable or Disable GUI and CLI Access	62
Switch Administration Authentication Type	62
About Administration Accounts	63
Types of Administration Accounts	63
Differences Between Authentication Methods	65
Administration Account Attributes	65
About Security Access Protocols	66
SSH Key Pair Authentication	66
Minimum Requirements for Administrative Access	67
Create a Local Administration Account	67
Modify Local Administration Accounts	68
Delete Local Administration Accounts	68
About RADIUS Accounts	69
RADIUS Attributes for Administration Accounts	69
About LDAP Authorization and Active Directory	73
Search Path Optimizations	73
Add an Active Directory Server	73
About Active Directory Groups	76
About Single Sign-On	77
Check Server and Single Sign-On Configuration	77
Use Single Sign-On to Log In to a PS Series Group	77
Log Out of Group Manager Using Single Sign-On	78
Enable or Disable Single Sign-On	78
About SNMP Access to the Group	78
About SNMP Authentication	78
Add or Change SNMP Access to a Group	78
Display SNMP Access to a Group	79
About SNMP Traps	79
About VDS and VSS Authentication	81
Display and Configure Windows Service Access to a Group	81
Add a VDS/VSS Access Control Policy	81
Modify a VDS/VSS Access Control Policy	81
Delete a VDS/VSS Access Control Policy	82
About IPsec	82
Types of Protected Traffic	82
IPsec Policies	83
Security Certificates	84
IPsec Security Parameters	84
IPsec Security Associations (SA)	84
IPsec Pre-Shared Keys (PSKs)	84
Examples of IPsec Configurations	85
IPsec Performance Considerations	101
IPsec Configuration Limitations	101
Protect Network Traffic with IPsec	104
About Dedicated Management Networks	106
Using IPv6 with Management Networks	106
Configure a Management Network	106
Display Management Network Information	108
Unconfigure a Management Network	108
Secure Erase	108
About Volume-Level Security	110
Connect Initiators to iSCSI Targets	110
Access Control Methods	110
About Access Policies	111
Access Policies: Use Cases	111
Create a New Access Policy	113
Create a New Basic Access Point	113
Modify or Delete a Basic Access Point	114
Modify Access Policies and Basic Access Points by Volume	114
Associate Access Control Policies with Volumes	115
Create an Access Policy Group	116
Associate an Access Policy Group to a Volume	116
Manage Access Controls for VDS/VSS Access	116
Authenticate Initiators with CHAP	117
Display Local CHAP Accounts	117
Create a Local CHAP Account	117
Modify a Local CHAP Account	118
Delete a Local CHAP Account	118
Configure CHAP for Initiator Authentication on Existing Volumes	119
Configure CHAP for Initiator Authentication on New Volumes	119
Configure CHAP Accounts on a RADIUS Authentication Server	119
Configure Target Authentication	119
About iSNS Servers	120
Prerequisites for Configuring an iSNS Server	120
Enable or Disable iSNS Discovery	120
Configure an iSNS Server in the Group	121
Modify an iSNS Server	121
Delete an iSNS server	121
Prevent Discovery of Unauthorized Targets	121
iSCSI Access Requirements	121
Enable the iSCSI Discovery Filter	122
Disable the iSCSI Discovery Filter	122
About Multihost Access to Targets	122
Allow or Disallow Multihost Volume Access	123
About Snapshot Access Controls	123
About Multihost Snapshot Access	123
Allow or Disallow Multihost Snapshot Access	123
About NAS Container Security	124
Modify the File Security Style for a NAS Container	124
Modify the UNIX Permissions for Windows Directories or Files	124
PS Series Group Operations	126
About Group Network Configuration	126
Modify the Group IP Address or Group Name	127
Add a Member to an Existing Group	127
Set the RAID Policy and Pool for a New Member	128
Convert a RAID Policy	128
Supported RAID Policy Conversions	129
RAID Sets	129
Enable and Disable a Volume RAID Preference	131
About Overriding Automatic Load Balancing	132
Shut Down a Group	132
Create an Empty Storage Pool	132
Create a Storage Pool from an Existing Member	133
Change a Storage Pool Name or Description	133
Merge Storage Pools	134
Delete a Storage Pool	134
About Groupwide Volume Defaults	134
Modify Groupwide Volume Settings	134
About Space Borrowing	135
Benefits of Space Borrowing	135
Displaying Space-Borrowing Information	135
Using Space-Borrowing Information	136
About Compression of Snapshots and Replicas	137
Compression Prerequisites	137
About Rehydration	137
About Compression Statistics	138
Compression Statistics by Pool	138
Compression Statistics by Member	138
Compression Statistics by Volume	138
Member Compression States	138
Enable Compression	139
Suspend Compression	139
Resume Compression	139
View Compression Statistics by Pool	139
View Compression Statistics by Member	140
View Compression Statistics by Volume	140
Compression Commands in the CLI	140
About Volumes	142
Create a Volume	142
Modify a Volume Name or Description	142
Modify a Volume Permission	142
Modify a Volume Alias	143
Modify the Administrator for a Volume	143
About Smart Tags	143
Predefined Smart Tags	144
Using Smart Tags	144
Set a Volume Offline or Online	145
Delete a Volume	146
About Volume Collections	146
Create a Volume Collection	146
Modify a Volume Collection	146
Delete a Volume Collection	147
About Volume Folders	147
Volume Folder Configuration Considerations	147
Create a Volume Folder	148
Display Volume Folders	148
Hide Volume Folders	148
Rename Volume Folders	148
Add and Remove Volumes from Folders	149
Move Volumes Between Volume Folders	149
Delete Volume Folders	149
About Restoring Deleted Volumes	150
Enable or Disable Volume Undelete	150
Display Deleted Volumes	150
Restore Deleted Volumes	151
Purge Deleted Volumes	151
About Changing the Reported Volume Size	152
Decrease the Reported Size of a Volume	152
Increase the Reported Size of a Volume	153
About Reclaiming Unallocated Space	153
Running Defrag Tools	154
XCopy Support for VVol Datastores	154
Unmapping with VMware	154
Unmapping with VVol Datastores	154
Unmapping Replicated Volumes	154
Unmapping with Red Hat Enterprise Linux	155
Unmapping with Windows Servers 2012 and 2016	155
Set a Volume or Snapshot with Lost Blocks Online	155
Volume and Snapshot Status	156
Volume and Snapshot Requested Status	157
About Managing Storage Capacity Utilization On Demand (Thin Provisioning)	157
Enable Thin Provisioning on a Volume	158
Thin-Provisioning Space Settings	159
Modify the Thin-Provisioning Space Settings	159
Disable Thin Provisioning on a Volume	160
About Improving Pool Space Utilization (Template Volumes and Thin Clones)	160
Space Considerations for Template Volumes and Thin Clones	161
Restrictions on Template Volumes and Thin Clones	162
Convert a Standard Volume to a Template Volume	162
Create a Thin Clone	163
Detach a Thin Clone from a Template Volume	163
Convert a Template Volume to a Standard Volume	164
About Data Center Bridging	164
Configure Data Center Bridging	165
Set the Data Center Bridging VLAN ID	165
Change the Data Center Bridging VLAN ID	165
Monitor Data Center Bridging Statistics and Configuration	166
VMware Group Access Panel	167
VMware Overview Panel	167
About Protocol Endpoints	168
About Storage Containers	168
Storage Container Limitations	168
Storage Container Space Limits	169
Create a Storage Container	169
Modify a Storage Container	169
Delete a Storage Container	170
Virtual Machines Tab	170
NAS Operations	172
NAS Cluster Operations	173
NAS Cluster Configuration	173
About Mixed-Model NAS Clusters	173
Configure a NAS Cluster	174
Resolve a Failed NAS Configuration	174
NAS Cluster Post-Setup Tasks	175
Modify a NAS Cluster Name	177
Modify NAS Clusterwide Default NAS Container Settings	177
Select an NFS Protocol Version	177
Modify the Size of the NAS Reserve	177
Add a Local Group for a NAS Cluster	177
Delete a Local Group from a NAS Cluster	178
Add a Local User on a NAS Cluster	178
Modify a Local User on a NAS Cluster	178
Delete a Local User from a NAS Cluster	178
Map Users for a NAS Cluster	179
Set the User Mapping Policy for a NAS Cluster	179
Delete a User Mapping for a NAS Cluster	179
Configure an Active Directory for a NAS Cluster	179
Configure Preferred Domain Controllers	180
Leave Active Directory	180
Configure or Modify NIS or LDAP for a NAS Cluster	181
Delete NIS or LDAP Configuration for a NAS Cluster	181
Modify the Client Network Configuration	181
Configure DNS for a NAS Cluster	182
About the Internal Network Required for NAS Configuration	182
SAN Network Configuration Settings	182
Modify the SAN Network Configuration	183
About NAS Cluster Maintenance Mode	183
Set a NAS Cluster to Maintenance Mode	184
Resume Normal Cluster Operation	184
Shut Down and Restart a NAS Cluster Manually	184
About Deleting a NAS Cluster	185
Delete a NAS Cluster	185
NAS Controller Operations	186
Add Additional NAS Controllers	186
About Replacing a NAS Controller with Detach and Attach	187
Detach a NAS Controller	187
Attach a NAS Controller	188
About Updating NAS Controller Firmware	189
Update NAS Controller Firmware	189
Cleanly Shut Down a NAS Controller Pair	189
NAS Container Operations	191
Create a NAS Container	191
Modify NAS Clusterwide Default NAS Container Settings	192
Modify NAS Clusterwide Default NAS Container Permissions	192
Modify NAS Clusterwide Default NFS Export Settings	192
Modify NAS Clusterwide Default SMB Share Settings	192
Modify a NAS Container Name	192
Modify the Size of a NAS Container	192
Modify the Snapshot Reserve and Warning Limit for a NAS Container	193
Modify the In-Use Space Warning Limit for a NAS Container	193
Modify a NAS Container for Few Writers Workloads	193
Delete a NAS Container	193
NFS Netgroups	194
Access NFS Exports	194
Create an NFS Export	195
Modify the Client Access Setting for an NFS Export	195
Modify the Permission for an NFS Export	196
Modify the Trusted Users for an NFS Export	196
Modify NAS Clusterwide Default NFS Export Settings	196
Modify an NFS Export Directory	196
Modify an NFS Export	197
About NFS Export Security Methods	197
Delete an NFS Export	197
About SMB Shares	198
Access SMB Shares in Windows	198
Mount a NAS SMB Share from UNIX	198
Create an SMB Share	198
Set the SMB Password	199
Modify an SMB Share Directory	199
Delete an SMB Share	200
Rebalance SMB Client Connections Across NAS Controllers	200
Enable or Disable SMB Message Signing	200
Enable or Disable SMB Message Encryption	200
Modify SMB Share NAS Antivirus Settings	200
Access-Based Enumeration	201
About SMB Home Shares	202
Create a NAS Thin Clone	206
Client Networks	206
Optimal Virtual IP Assignment	207
Viewing or Modifying a Client Network	207
Deleting a Client Network	207
Modifying Client Network Properties	208
About NAS Antivirus Servers	208
How NAS Antivirus Protects Data	208
NAS Antivirus Server Specifications	209
Add a NAS Antivirus Server	209
Modify a NAS Antivirus Server	209
Delete a NAS Antivirus Server	210
About NAS Antivirus Clusterwide Defaults	210
Enable the NAS Antivirus Service on an SMB Share	211
Monitor the NAS Antivirus Service	212
NAS Directory Paths and File Types Scan	212
Antivirus Policy	214
Access Infected Files	214
Create a NAS Container Quota	214
Modify a NAS Container Quota	215
Modify the Default NAS Container Group Quota	215
Modify the Default NAS Container User Quota	215
Delete a NAS Container Quota	216
About Quota Directories	216
Configuring Quota Directories	216
Quotas and NAS Containers	216
External Authentication	217
Local Authentication	217
About NAS Thin Provisioning	217
NAS Container Storage Space Terminology	217
About NAS Containers	218
About Data Rehydration	219
NAS Container Data Reduction	220
Enable Data Reduction	221
Modify NAS Container Data Reduction Settings	222
Modify NAS Cluster Default Data Reduction Settings	222
Data Reduction Policy	223
Create Default Data Reduction Properties	224
About NAS Data Reduction Schedules	224
FS Series VAAI Plugin	226
Installation Instructions	226
Plugin Verification	226
Removal Instructions	227
Diagnose and Resolve NAS Cluster and PS Series Issues	228
NAS Cluster Diagnostics	228
About Current and Past NAS Network Performance Statistics	228
Online Diagnostics	229
Offline Diagnostics	229
Generating PS Series and NAS Cluster Diagnostics Reports	230
Adding SMTP Servers	230
Modifying SMTP Server Properties	230
Deleting SMTP Servers	230
Reinstall FS Series Firmware v4 from an Internal USB	231
About Backing Up and Protecting Your Data	232
About Volume Data Protection	232
Protect NAS Container Data with NDMP	233
Configure NDMP for a NAS Cluster	233
About Snapshots	233
How Snapshots Work	234
About Snapshot Reserve	234
Create a Snapshot	236
Set a Snapshot Online or Offline	237
Clone a Snapshot to Create a New Volume	237
Modify a Snapshot Name or Description	237
Delete Snapshots	238
Restore a Volume from a Snapshot	238
About Snapshots and NAS Container Data	239
About Snapshot Collections	241
About Snapshot Space Borrowing	242
About Replication	244
Replication Types	245
Plan Your Volume Replication Environment	245
About Replication Space	248
About Replication Partners	256
Configure a Volume for Replication	258
Replicate Volume Collections	263
About Replicas	264
About Replication Borrowing	267
About Cross-Platform Replication	268
About Schedules	269
Create a Schedule	270
Modify a Schedule	270
Delete a Schedule	271
Create a NAS Container Snapshot Schedule	271
Modify a NAS Container Snapshot Schedule	271
Monitor NAS Snapshot Schedules	271
Disable a NAS Container Snapshot Schedule	272
Delete a NAS Container Snapshot Schedule	272
About Data Recovery	273
About Recovering Data from a Snapshot	274
Requirements and Restrictions	274
Failback to Primary Operation (Manual)	275
Move a Failback Replica Set to a Different Pool	275
Replicate to Partner Operation (Manual)	275
Switch Partner Roles Permanently	276
Make an Inbound Replica Set Promotion Permanent	276
Convert a Failback Replica Set to an Inbound Replica Set	277
Make a Temporary Volume Available on the Secondary Group	278
Replicate a Recovery Volume to the Primary Group	278
Promote an Inbound Replica Set to a Recovery Volume	279
Recovery Volume Options	280
Recovery Volume Restrictions	280
How to Handle a Failed Operation	280
Fail Back to the Primary Group	281
Volume Failover and Failback	281
Recover Data from a Replica	282
About Data Recovery from a Replica	282
About Permanently Promoting a Replica Set to a Volume	282
Permanently Promote a Replica Set to a Volume	283
About Failing Over and Failing Back a Volume	284
About NAS Disaster Recovery	287
About NAS Replication	287
Recover from an Offline or Unavailable NAS	300
About Cloning Volumes	304
Clone a Volume	304
About Cloning an Inbound Replica	304
Clone an Inbound Replica	305
About Synchronous Replication	306
How Synchronous Replication Works	306
Compare SyncRep and Traditional Replication	306
How Synchronous Replication Protects Volume Availability in Different Scenarios	308
Normal Synchronous Replication Operation	308
SyncAlternate Volume Unavailable	309
SyncActive Volume Unavailable	310
Requirements for Using Synchronous Replication	311
Synchronous Replication States	311
About System Snapshots and SyncRep	312
Protected System Snapshots	312
Failback System Snapshots	312
About Synchronous Replication and Snapshots	312
Automatic Snapshot Creation	313
About Synchronous Replication Switches and Failovers	313
SyncRep SwitchesSyncRep Failovers	313
About Synchronous Replication Volume Collections	314
About Using Thin Clones and Templates with Synchronous Replication	315
Thin Clones	315
Templates	315
Configure Synchronous Replication (SyncRep) on a Volume	316
Disable Synchronous Replication (SyncRep) for a Volume	316
Monitor Synchronous Replication (SyncRep) Volumes	316
Pause Synchronous Replication (SyncRep)	316
Resume Synchronous Replication (SyncRep)	317
Enable Synchronous Replication (SyncRep) for a Volume Collection	317
Disable Synchronous Replication (SyncRep) for a Volume Collection	317
Change the Pool Assignment of a Synchronous Replication (SyncRep) Volume	318
View the Distribution of a Volume Across Pools	318
About Switching and Failing Over SyncRep Pools	318
Switch from SyncActive to SyncAlternate	318
Fail Over from SyncActive to SyncAlternate	318
Switch Synchronous Replication (SyncRep) Collection Pools	319
Disconnect the SyncActive Volume	319
About Self-Encrypting Drives (SEDs) and AutoSED	320
Scenarios Covered by AutoSED	320
Scenarios Not Covered by AutoSED	320
About Self-Encrypting Drives (SED)	321
How Key Shares Work	321
How Self-Encryption Protects Data	321
About SED Members in a Group	322
Examples	322

Match case Limit results 1 per page

During normal operation, the array has the information it needs to operate SED disks. The key shares are stored across the array on

the non-spare disks. If a disk fails and is replaced by a spare, the

conﬁguration

generates a new set of key shares, and the original key

shares are discarded.

If a SED disk goes

oﬄine

due to power failure, removal from the array, or disk failure, the disk is automatically locked, and any data

residing in memory about that disk drive is automatically wiped. To recover the data on that disk, you must provide two of the three

key shares to unlock the disk. Backing up the key shares ensures that you have current copies in case you need to recover the data

on a locked disk.

Click

Group

and then expand

Members

Select the name of the member whose encryption key you want to back up.

Click the

Maintenance

tab.

In the Disk Encryption panel, click the

Encryption Key Shares

button.

Enter the administrative password in the dialog box. The

Information

dialog box lists the names and code string of each key

share.

To download all three key shares (backup units) as individual text

ﬁles,

click

Save all...

and choose the location where you want

to store them. All three

ﬁle

names have the format

membername-keyshare-n

, where

stands for 1, 2, or 3.

Use the

Copy

buttons above each key share to copy the individual key share (backup unit) and paste it into a

ﬁle,

if desired.

Select

Copy all

if you want to copy all three key shares to the clipboard.

NOTE: If you generate a second set of key shares, the

ﬁrst

set is not invalidated. Generating a second set of key shares,

therefore, does not protect the key shares from being compromised.

Self-Encrypting Drives (SED) Frequently Asked Questions (FAQ)

Why are my backups always

diﬀerent?

Although the encryption key never changes, the backup looks

diﬀerent

each time it is generated. The three backup units are

cryptographic images of the key, and are never generated the same way twice.

Why is a secure-erase command not available?

The command is not needed. Whenever it is safe to erase a drive, AutoSED will always do so, without intervention. A manual secure-

erase is never necessary, so no command is provided to perform it.

NOTE: Secure-erase is also known as cryptographical erase or crypto-erase.

What is the

diﬀerence

between a locked drive and a securely erased drive?

Data that is locked is inaccessible without the SEDset key. Data that is securely erased has been cryptographically destroyed.

I accidentally reset an SED array. What can I do?

Nothing. Every drive in the member has been securely erased, and the data has been cryptographically destroyed. Recovery is

impossible.

What if the entire array is stolen?

Security is compromised. The array will unlock itself when it boots, as it did before it was stolen.

What if the grpadmin password is stolen?

Security is compromised. The adversary can connect to the array over the network and read the data. SED is irrelevant in this case.

About Self-Encrypting Drives (SEDs) and AutoSED

323