Manualshelf

Reference Guide

ManualsBrandsDell ManualsCompellent (SCPowerStore 5000X
31323334353637383940
Unencrypted Encryption capability is not supported on the appliance.
Encrypting Appears during the encryption activation process. When the encryption process completes successfully, the
cluster level encryption status appears as encrypted.
Drive level encryption status is provided for each drive in an appliance and appears as one of the following:
Encrypted The drive is encrypted. This is the typical state of a drive in an appliance that is encryption capable.
Encrypting The appliance is enabling encryption on the drive. This status can be seen during the initial activation of
encryption on an appliance or during the addition of new drives to a configured appliance.
Disabled The drive cannot have encryption enabled due to country specific import restrictions. If any drives report this
status, then all drives in the cluster will also report the same status.
Unknown The appliance has not yet attempted to enable encryption on the drive. This status can be seen during the initial
activation of encryption on an appliance or during the addition of new drives to a configured appliance.
Unsupported The drive does not support encryption.
Foreign The drive is supported, but has been locked by another appliance. It needs to be decommissioned before it can be
used.
Key management
An embedded key manager service (KMS) runs on the active node of each PowerStore appliance. This service manages the
local keystore file lockbox storage to support automatic encryption key backup to system and boot drives. It also controls the
Self-Encrypting Drive (SED) lock and unlock process on the appliance and is responsible for managing the local keystore content
for the appliance. The local keystore file is encrypted with a 256-bit AES key and the keystore file lockbox storage leverages
RSAs BSAFE technology.
The KMS automatically generates a random authentication key for SEDs during the initialization of the appliance. Each drive has
a unique authentication key, including those that are added to the appliance later on, that is used in the SED lock and unlock
processes. A key encryption key encrypts authentication and encryption keys in the keystore file storage and in flight within the
appliance. Media encryption keys are stored on the dedicated hardware of the SEDs and cannot be accessed. When encryption
is enabled, all the authentication keys are stored within the appliance.
Keystore backup file
The KMS supports the creation and download of an off-appliance backup of the keystore archive file. The off-appliance backup
reduces the chances of a catastrophic key loss, which would render an appliance or cluster unusable. If a particular appliance is
unavailable when a cluster keystore backup is initiated, the overall operation will succeed, but a warning is issued that the
backup does not contain keystore files for all appliances in the cluster and that the operation should be retried when the offline
appliance is available.
NOTE:
The primary appliance in a cluster contains a cluster keystore archive file that contains a copy of keystore backups
from each appliance that is discovered in the cluster, including the primary appliance.
When changes to the configuration of a system within the cluster occur that result in changes to the keystore, it is
recommended that you generate a new keystore archive file for download. Only one backup download operation of the keystore
archive file can be run at a time.
NOTE:
It is strongly recommended that you download the generated keystore archive file to an external, secure location. If
the keystore files on a system become corrupted and inaccessible, that system will enter service mode. In this case, the
keystore archive file and a service engagement are required for resolution.
A user role of Administrator or Storage Administrator is required to back up the keystore archive file. To back up the keystore
archive file, click Settings and under Security select Encryption. On the Encryption page under Lockbox backup, click
Download Keystore Backup.
NOTE: To restore the keystore backup in case of a failure, contact your service provider.
Data security settings 35