Full Disk Encryption (FDE) is a premium feature that prevents unauthorized access to the data on a disk drive that is physically removed from the storage subsystem. Controllers in the storage subsystem have a security key. Secure disk drives provide access to data only through a controller that has the correct security key. FDE is a premium feature of the storage management software and must be enabled either by you or your storage vendor.
The FDE premium feature requires security capable disk drives. A security capable disk drive encrypts data during writes and decrypts data during reads. Each security capable disk drive has a unique disk drive encryption key.
When you create an array from security capable disk drives, the disk drives in that array become security enabled. When a security capable disk drive has been security enabled, the disk drive requires the correct security key from a controller to read or write the data. All of the disk drives and controllers in a storage subsystem share the same security key. The shared security key provides read and write access to the drives, while the disk drive encryption key on each disk drive is used to encrypt the data. A security capable disk drive works like any other disk drive until it is security enabled.
Whenever the power is turned off and turned on again, all of the security-enabled disk drives change to a security locked state. In this state, the data is inaccessible until the correct security key is provided by a controller.
You can view the FDE status of any disk drive in the storage subsystem from the Disk Drive Properties dialog. The status information reports whether the disk drive is:
You can view the FDE status of any array in the storage subsystem from the Array Properties dialog. The status information reports whether the storage subsystem is:
Table 77 shows how to interpret the security properties status of an array.
| | Security Capable – yes | Security Capable – no |
|---|---|---|
| Secure – yes | The array is composed of all FDE disk drives and is in a Secure state. | Not applicable. Only FDE disk drives can be in a Secure state. |
| Secure – no | The array is composed of all FDE disk drives and is in a Non-Secure state. | The array is not entirely composed of FDE disk drives. |
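The following added example (not part of the product or its documentation) is a simplified Python model of the behavior described above: the shared security key gates access, every security-enabled drive locks after a power cycle, and arrays are classified as in Table 77. The class, function names and status strings are assumptions made for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class Drive:
    security_capable: bool
    security_enabled: bool = False
    locked: bool = False
    # Unique per-drive key used to encrypt the data (distinct from the security key).
    encryption_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    _subsystem_key: bytes = b""  # model only: how a real drive verifies the key is internal

    def enable_security(self, security_key: bytes) -> None:
        if not self.security_capable:
            raise ValueError("only security capable drives can be security enabled")
        self._subsystem_key, self.security_enabled = security_key, True

    def power_cycle(self) -> None:
        # Every security-enabled drive comes back in the security locked state.
        self.locked = self.security_enabled

    def unlock(self, security_key: bytes) -> bool:
        # Constant-time comparison of the key offered by the controller.
        if self.locked and hmac.compare_digest(security_key, self._subsystem_key):
            self.locked = False
        return not self.locked

def array_status(drives: list[Drive]) -> str:
    """Classify an array the way Table 77 does."""
    capable = all(d.security_capable for d in drives)
    if capable and all(d.security_enabled for d in drives):
        return "Secure"
    return "Non-Secure (all FDE drives)" if capable else "Not entirely FDE drives"

def demo() -> dict:
    key = secrets.token_bytes(32)              # constructed subsystem security key
    array = [Drive(True), Drive(True)]         # constructed two-drive FDE array
    before = array_status(array)
    for d in array:
        d.enable_security(key)
    for d in array:
        d.power_cycle()                        # power off and on again
    wrong = array[0].unlock(secrets.token_bytes(32))   # a different controller's key
    right = array[0].unlock(key)
    return {"before": before, "after": array_status(array), "wrong_key": wrong,
            "right_key": right, "mixed": array_status([Drive(True), Drive(False)])}

if __name__ == "__main__":
    print(demo())
```

The "Non-Secure (all FDE drives)" result is the case worth auditing for: the hardware can protect the data, but a drive removed from the subsystem is still readable because security was never enabled.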
When the FDE premium feature has been enabled, the Disk Drive Security menu appears in the Storage Subsystem menu. The Disk Drive Security menu has these options:
Note:
If you have not created a security key for the storage subsystem, only the Create Security Key option is active. If you have created a security key for the storage subsystem, the Create Security Key option is inactive with a check mark to the left. The Change Security Key option and the Save Security Key option are now active.
The Unlock Drives option is active if there are any security locked disk drives in the storage subsystem.
When the FDE premium feature has been enabled, the Secure Disk Drives option appears in the Array menu. The Secure Disk Drives option is active if these conditions are true:
The Secure Disk Drives option is inactive with a check mark to the left if the array is already security enabled.
You can erase security-enabled disk drives so that you can reuse the drives in another array or in another storage subsystem. When you erase security-enabled drives, you make sure that the data cannot be read. When all of the disk drives that you have selected in the Physical pane are security enabled, and none of the selected disk drives is part of an array, the Secure Erase option appears in the Disk Drive menu.