Dell PowerStore 1000T EMC PowerStore Security Configuration Guide - Page 33

Data security settings, Data at Rest Encryption, Encryption activation, Encryption status



4 Data security settings

This section contains the following topics:

Topics:
• Data at Rest Encryption
• Encryption activation
• Encryption status
• Key management
• Keystore backup file
• Re-purpose a drive in an appliance with encryption enabled
• Replacing a base enclosure and nodes from a system with encryption enabled
• Resetting an appliance to factory settings

Data at Rest Encryption

Data at Rest Encryption (D@RE) in PowerStore utilizes FIPS 140-2 validated Self-Encrypting Drives (SEDs) for primary storage (NVMe SSD, NVMe SCM and SAS SSD). The NVRAM caching device is encrypted but not FIPS 140-2 validated at this time.

Encryption is performed within each drive before the data is written to the media. This protects the data on the drive against theft or loss and attempts to read the drive directly by physically de-constructing the drive. The encryption also provides a means to quickly and securely erase information on a drive to ensure that the information is not recoverable. In addition to protecting against threats related to physical removal of media, you can readily repurpose media by destroying the encryption key used for securing the data previously stored on that media.

Reading encrypted data requires the authentication key for the SED to unlock the drive. Only authenticated SEDs will be unlocked and accessible. Once the drive is unlocked, the SED decrypts the encrypted data back to its original form.

The PowerStore appliance must contain all SEDs. If you try to add a non-self-encrypting drive to an appliance, the appliance raises an error. Also, having un-encrypted appliances in an encrypted cluster is not supported.

Encryption activation

The Data at Rest Encryption feature on PowerStore appliances is set at the factory. In all countries that allow the import of an appliance that supports encryption, encryption is enabled by default. When enabled, encryption cannot be disabled. In all countries that do not allow the import of an appliance that supports encryption, the Data at Rest Encryption feature is disabled.

NOTE: Appliances that do not support data at rest encryption are not allowed to cluster with encrypted appliances.

Encryption status

Encryption status for an appliance is reported at the following levels:
• Cluster level
• Appliance level
• Drive level

Cluster level encryption status simply reflects whether an appliance is encryption enabled. It is not related to drive status.

Encryption status of an appliance appears as one of the following:
• Encrypted – Encryption capability is enabled on the appliance.
• Unencrypted – Encryption capability is not supported on the appliance.
• Encrypting – Appears during the encryption activation process. When the encryption process completes successfully, the cluster level encryption status appears as encrypted.