Manualshelf

Reference Guide

ManualsBrandsDell ManualsCompellent (SCPowerStore 5000X
31323334353637383940
Data security settings
This section contains the following topics:
Topics:
Data at Rest Encryption
Encryption activation
Encryption status
Key management
Keystore backup file
Re-purpose a drive in an appliance with encryption enabled
Replacing a base enclosure and nodes from a system with encryption enabled
Resetting an appliance to factory settings
Data at Rest Encryption
Data at Rest Encryption (D@RE) in PowerStore utilizes FIPS 140-2 validated Self-Encrypting Drives (SEDs) by respective drive
vendors for primary storage (NVMe SSD, NVMe SCM and SAS SSD). The NVRAM caching device is encrypted but not FIPS
140-2 validated at this time.
Encryption is performed within each drive before the data is written to the media. This protects the data on the drive against
theft or loss and attempts to read the drive directly by physically de-constructing the drive. The encryption also provides a
means to quickly and securely erase information on a drive to ensure that the information is not recoverable. In addition to
protecting against threats related to physical removal of media, you can readily repurpose media by destroying the encryption
key used for securing the data previously stored on that media.
Reading encrypted data requires the authentication key for the SED to unlock the drive. Only authenticated SEDs will be
unlocked and accessible. Once the drive is unlocked, the SED decrypts the encrypted data back to its original form.
The PowerStore appliance must contain all SEDs. If you try to add a non-self-encrypting drive to an appliance, the appliance
raises an error. Also, having un-encrypted appliances in an encrypted cluster is not supported.
Encryption activation
The Data at Rest Encryption feature on PowerStore appliances is set at the factory. In all countries that allow the import of an
appliance that supports encryption, encryption is enabled by default. When enabled, encryption cannot be disabled. In all
countries that do not allow the import of an appliance that supports encryption, the Data at Rest Encryption feature is disabled.
NOTE: Appliances that do not support data at rest encryption are not allowed to cluster with encrypted appliances.
Encryption status
Encryption status for an appliance is reported at the following levels:
Cluster level
Appliance level
Drive level
Cluster level encryption status simply reflects whether an appliance is encryption enabled. It is not related to drive status.
Encryption status of an appliance appears as one of the following:
Encrypted Encryption capability is enabled on the appliance.
4
34 Data security settings