Administrator Guide

Direct from Development
Server and Infrastructure Engineering
Copyright © 2019 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries
PERC Self-Encrypting Drive (SED) Support and FAQs
Tech Note by: Jeffrey Foss
SUMMARY
This tech note is designed to educate and inform about Self-Encrypting Drive (SED) support in PERC and to answer frequently asked questions.
Anyone who intends to use SEDs in their system along with a PERC card with security enabled can benefit from this information.
High-level information is provided in this document. For more details on SED drives, please see the Additional Information links at the end of this tech note.
Before jumping into the topic, level-setting on some acronyms can be helpful:
TERM          Description
PERC          PowerEdge RAID Controller
VD            PERC Virtual Disk
eHBA mode     Enhanced HBA mode
LKM           PERC Local Key Management
SED           Self-Encrypting Drive
TCG           Trusted Computing Group
AK or KEK     Authentication Key or Key Encryption Key
DEK or MEK    Data Encryption Key or Media Encryption Key
FIPS          Federal Information Processing Standardization
ISE           Instant Scramble Erase
IDRAC         Integrated Dell Remote Access Controller
HII           Human Interface Infrastructure Configuration Utility
PERCcli       PERC utility for managing storage controllers
Self-Encrypting Drives
Self-Encrypting Drives (SEDs) protect data only against physical loss or
theft of the disks. Protection is achieved by requiring a key to unlock the drives
before any data can be retrieved. The data on disks that support the SED
feature is always encrypted, but protection from theft is only available if the
disks are secured.
NOTE: ISE-capable drives have the same underlying encryption hardware
as SED drives, but they cannot be secured.
Threat Models Covered by SED Drives
Secured SEDs protect only against theft of the drives, and the drives are
locked only after power is lost.
Support for SED drives on PERC (Local Key Management - LKM)
PERC controllers support the use of SED drives in all RAID levels. Virtual Disks
can be secured when they are created or after a VD is already in use. All disks
in the array must support SED to be secured. To enable the securing of Virtual
Disks, security must also be enabled on the controller, as shown in Figure 1
below. See the PERC User Guide for detailed instructions for enabling security.
A secured VD cannot be unsecured without erasing all data on the drive.
The user will be prompted to input and then confirm a passphrase, as shown in
Figure 2 below. The user-provided passphrase is hashed and stored locally on
the PERC controller. The key sent to the drive is derived from this hashed
value.
If a secured disk is detected during boot or discovery of a new drive, the PERC
controller will use the stored key to unlock the drive to allow data access. In the
case of foreign configurations or drive migration where the drive requires a
different passphrase than the one stored locally, the user will be required to
enter the passphrase for that drive, after which the drive will be re-keyed with
the local key.
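The unlock and re-key flow described above, as an added toy model that is not Dell's code or part of the original tech note. PBKDF2, the HMAC derivation, the fixed salt, the drive's internal key check and all class and function names are assumptions standing in for details the note does not give.

```python
import hashlib, hmac, secrets

SALT = b"lkm-model"  # assumption: fixed, so another controller can re-derive from the passphrase
def hash_passphrase(passphrase):
    # Assumption: PBKDF2-HMAC-SHA256 stands in for the controller's unspecified hash.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, 10_000)

def derive_ak(stored_hash):
    # Key sent to the drive is derived from the stored hash (HMAC derivation assumed).
    return hmac.new(stored_hash, b"drive-ak", hashlib.sha256).digest()

class Drive:
    """Toy SED: media is always encrypted under the DEK; the AK only gates access."""
    def __init__(self):
        self.dek = secrets.token_bytes(32)  # never leaves the drive
        self.ak_check, self.locked = None, False  # not secured, not locked
    def secure(self, ak):
        self.ak_check = hashlib.sha256(ak).digest()
    def power_cycle(self):
        self.locked = self.ak_check is not None  # secured drives lock only on power loss
    def unlock(self, ak):
        if self.ak_check and hmac.compare_digest(self.ak_check, hashlib.sha256(ak).digest()):
            self.locked = False
        return not self.locked
    def rekey(self, old_ak, new_ak):
        if not self.unlock(old_ak):
            return False
        self.secure(new_ak)  # the AK changes; the DEK and the data stay as they were
        return True

class Controller:
    def __init__(self, passphrase):
        self.stored_hash = hash_passphrase(passphrase)  # only the hash is kept
    def discover(self, drive, entered_passphrase=None):
        local_ak = derive_ak(self.stored_hash)
        if drive.unlock(local_ak):
            return "unlocked"
        if entered_passphrase is None:
            return "locked: passphrase required"
        old_ak = derive_ak(hash_passphrase(entered_passphrase))
        return "re-keyed" if drive.rekey(old_ak, local_ak) else "locked: wrong passphrase"

def demo():
    a, b, d = Controller("constructed-pass-A"), Controller("constructed-pass-B"), Drive()
    d.secure(derive_ak(a.stored_hash)); d.power_cycle()
    out, dek = [d.locked, a.discover(d)], d.dek
    d.power_cycle()  # drive pulled and migrated to controller B
    out += [b.discover(d), b.discover(d, "wrong"), b.discover(d, "constructed-pass-A")]
    d.power_cycle()
    return out + [b.discover(d), d.dek == dek]
```

After the re-key, controller B unlocks the migrated drive with its own stored key on the next power cycle, and the DEK is unchanged, so no data is re-encrypted.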
