Self-Encrypting Drives in Dell EMC PowerEdge servers with VMware vSphere | Technical White Paper
1 Introduction
Self-Encrypting Drives (SEDs) are hard disks or solid-state drives that integrate encryption of user data at
rest. SEDs perform encryption and decryption in real time, and these operations are entirely transparent to
the user.
Encryption and decryption are performed using a Media Encryption Key (MEK), also known as the Data
Encryption Key (DEK), which is generated internally in the storage device. The SED hardware handles this
encryption in real time with no impact on performance. The MEK is never revealed outside the drive.
SEDs provide two important features:
• Protection of user data from unauthorized access: the drive auto-locks if it is misplaced or stolen
  from a system while in use (secure DAR).
• Cryptographic Erase, or secure erase: a mechanism to securely erase the data on the drive so that
  the drive can be repurposed or retired.
1.1 Audience and Scope
The intended audience for this white paper includes system administrators who are familiar with data center
operations. This white paper is mainly intended for users who want to understand the significance of
Self-Encrypting Drives from a VMware vSphere perspective.
1.2 Self-Encrypting Drives (SED) support on VMware
Dell EMC supports SED drives for VMware vSphere; however, support for vSAN is not provided. SED drives
can be used for vSAN by disabling encryption at the hardware level, provided the drives are listed in the
vSAN HCL Database. For more information on vSAN encryption, see vSAN Frequently Asked Questions (FAQ).
1.3 Hardware and software requirements
Dell PowerEdge RAID Controller (PERC) cards support Self-Encrypting Disks (SEDs) to protect data
against loss or theft of the SEDs. A security key, known as the Key Encryption Key (KEK), is assigned to
each controller. The security key can be managed under Local Key Management (LKM).
The controller uses this security key to unlock the drive so that the drive can use the Data Encryption
Key (DEK). The hashed KEK is stored on the PERC controller and is never exposed outside the
controller.
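The key hierarchy described in sections 1 and 1.3, as a simplified model added for illustration (not code from Dell EMC, PERC or any drive firmware). The `ModelSED` class, the toy SHA-256 keystream standing in for the drive's hardware cipher, and the PBKDF2 wrapping of the MEK are assumptions; it shows auto-lock after a power cycle, unlock with the security key, and why cryptographic erase only has to replace the MEK.

```python
import hashlib, hmac, secrets

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter keystream; a stand-in for the drive's hardware cipher.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class ModelSED:
    """Hypothetical model of a drive: the MEK exists only inside this object."""
    def __init__(self):
        self._mek = secrets.token_bytes(32)  # generated internally, never returned
        self._wrapped = None                 # (salt, wrapped MEK, check tag) once secured
        self._media = b""                    # ciphertext as stored on the medium

    def _derive(self, security_key: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", security_key, salt, 10_000)

    def secure(self, security_key: bytes) -> None:
        # Assumption: the MEK is kept wrapped under a key derived from the security key.
        salt = secrets.token_bytes(16)
        wk = self._derive(security_key, salt)
        tag = hmac.new(wk, self._mek, "sha256").digest()
        self._wrapped = (salt, xor_stream(wk, self._mek), tag)

    def power_cycle(self) -> None:
        if self._wrapped:        # a secured drive auto-locks: the plaintext MEK is dropped
            self._mek = None

    def unlock(self, security_key: bytes) -> bool:
        salt, blob, tag = self._wrapped
        wk = self._derive(security_key, salt)
        mek = xor_stream(wk, blob)
        if not hmac.compare_digest(tag, hmac.new(wk, mek, "sha256").digest()):
            return False         # wrong security key: drive stays locked
        self._mek = mek
        return True

    def _require_mek(self) -> bytes:
        if self._mek is None:
            raise PermissionError("drive is locked")
        return self._mek

    def write(self, data: bytes) -> None:
        self._media = xor_stream(self._require_mek(), data)

    def read(self) -> bytes:
        return xor_stream(self._require_mek(), self._media)

    def crypto_erase(self) -> None:
        self._mek = secrets.token_bytes(32)  # old ciphertext can no longer be decrypted
        self._wrapped = None                 # model assumption: erase also resets security
```

In this model a drive removed from the system behaves like one that has been power-cycled: `read()` raises until `unlock()` is called with the correct security key.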
1.3.1 Prerequisites
The following are the prerequisites for using SED drives on Dell EMC PowerEdge servers:
• PERC controllers with RAID qualified for encryption
• SED drives
• Security key
• Virtual disk with the security feature enabled
All Self-Encrypting Disks are qualified for encryption; however, the user needs to create virtual disks with
physical SED drives to secure the data.