9 Best Practices for Securing Dell EMC SC Series Storage | BP1082
3 Protect data at rest with self-encrypting drives
Data at rest is the data that resides on the physical hard drives within the SC Series enclosure. Though
difficult, it is possible that bits of data could be extracted from a conventional hard drive if physical security is
breached and the hard drive is removed from an enclosure.
Self-encrypting drives (SEDs) guard against this threat by encrypting data as it is written to the disk and
decrypting data as it is read. Starting in version 6.5, SCOS implements this technology in a licensed feature
called Secure Data, which is transparent to the storage user. Because the encryption is offloaded to the SED,
the performance impact is negligible.
The following points provide further information about Secure Data behavior:
• An SED will not encrypt or decrypt data if Secure Data is unlicensed.
• Secure Data requires an external key management server, such as Gemalto™ SafeNet
KeySecure™.
• A secure data folder can only contain disks identified by SCOS as FIPS 140-2 certified.
• When an SED is assigned to a secure data folder, the existing media encryption key (MEK) on the
disk is destroyed and a new MEK is created, rendering all previous data unreadable. This process is
known as a cryptographic erase.
• A cryptographic erase is also performed when an SED is removed from a secure data folder. If user
data is present on the SED, SCOS will issue a warning prior to unassigning the drives and
destroying and recreating the MEK. This cryptographic erase obviates the need for time-consuming
hard-drive data wiping prior to recommissioning.
• When an SED assigned to a secure data folder is physically removed from an enclosure, it locks on
reset and can only be unlocked using authority credentials stored on the key management server.
• An SED will lock on reset after a loss of power to the controller and enclosure simultaneously or in the
event of a controller flash card failure. After the next SCOS boot, the startup wizard will prompt the
administrator to confirm the key management server configuration before unlocking the SED. If a
flash card fails, Dell Support can assist with replacing the flash card and unlocking the SED.
• Replicating a secure data folder to an unsecure folder is permitted, but the data on the drives in the
unsecure folder will not be encrypted.
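The MEK replacement and lock-on-reset behavior in the points above can be traced with a small model. This is an added example, not Dell EMC or SCOS code: the class and method names are hypothetical, a SHA-256 keystream stands in for the drive's hardware cipher, and a stored digest stands in for the authority credential check against the key management server.

```python
import hashlib, hmac, secrets

def _xor_keystream(key: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHA-256 in counter mode) so the model needs only the
    # standard library; it is not what a real SED uses.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class ModelSED:
    """Hypothetical model of one SED: media, MEK and lock state."""
    def __init__(self):
        self.mek = secrets.token_bytes(32)
        self.media = b""        # ciphertext as it sits on the platters
        self.auth = None        # digest of the authority credential, if managed
        self.locked = False

    def _new_mek(self):
        # Cryptographic erase: the old MEK is gone, old ciphertext is noise.
        self.mek = secrets.token_bytes(32)

    def assign_to_secure_folder(self, credential: bytes):
        self._new_mek()
        self.auth = hashlib.sha256(credential).digest()

    def remove_from_secure_folder(self):
        self._new_mek()
        self.auth, self.locked = None, False

    def power_cycle(self):
        # A managed drive locks on reset; an unmanaged one does not.
        self.locked = self.auth is not None

    def unlock(self, credential: bytes) -> bool:
        ok = self.auth is not None and hmac.compare_digest(
            self.auth, hashlib.sha256(credential).digest())
        self.locked = self.locked and not ok
        return not self.locked

    def write(self, data: bytes):
        if self.locked:
            raise PermissionError("drive is locked")
        self.media = _xor_keystream(self.mek, data)

    def read(self) -> bytes:
        if self.locked:
            raise PermissionError("drive is locked")
        return _xor_keystream(self.mek, self.media)
```

In the model, as in the behavior described, the ciphertext is never overwritten during assignment or removal; only the key that makes it readable is replaced.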
Note: For more information on the Dell EMC implementation of SED technology, see the Dell Compellent
Storage Center System Manager Administrator’s Guide on the Knowledge Center at the SC Series Customer
Portal, as well as the document, Using Self-Encrypting Drives (SEDs) with Dell EMC SC Series Storage.