Administrator Guide

A self encrypting disk (SED), also called a security capable physical disk, encrypts data during writes and decrypts data during reads.
You can create a secure disk group from security capable physical disks. When you create a secure disk group from security capable
physical disks, the physical disks in that disk group become security enabled. When a security capable physical disk has been security
enabled, the physical disk requires the correct security key from a RAID controller module to read or write the data. All the physical disks
and RAID controller modules in a storage array share a security key. The shared security key provides read and write access to the physical
disks, while the physical disk encryption key on each physical disk is used to encrypt the data. A security capable physical disk works like
any other physical disk until it is security enabled.
Whenever the power is turned off and turned on again, all the security enabled physical disks change to a security locked state. In this
state, the data is inaccessible until the correct security key is provided by a RAID controller module.
You can view the self encrypting disk status of any physical disk in the storage array from the Physical Disk Properties dialog. The status
information reports whether the physical disk is:
Security capable
Secure—Security enabled or disabled
Read/Write Accessible—Security locked or unlocked
You can view the self encrypting disk status of any disk group in the storage array. The status information reports whether the storage
array is:
Security capable
Secure
Table 11. Interpretation of security status of disk group
Secure | Security Capable - Yes | Security Capable - No
Yes | The disk group is composed of all SED physical disks and is in a Secure state. | Not applicable. Only SED physical disks can be in a Secure state.
No | The disk group is composed of all SED physical disks and is in a Non-Secure state. | The disk group is not entirely composed of SED physical disks.
The Physical Disk Security menu is displayed in the Storage Array menu. The Physical Disk Security menu has the following options:
Create Key
Change Key
Save Key
Validate Key
Import Key
Unlock Drives
NOTE:
If you have not created a security key for the storage array, the Create Key option is active. If you have created a
security key for the storage array, the Create Key option is inactive with a check mark to the left. The Change Key
option, the Save Key option, and the Validate Key option are now active.
The Secure Physical Disks option is displayed in the Disk Group menu. The Secure Physical Disks option is active if these conditions
are true:
The selected storage array is not security enabled but is comprised entirely of security capable physical disks.
The storage array contains no snapshot base virtual disks or snapshot repository virtual disks.
The disk group is in an Optimal state.
A security key is set up for the storage array.
NOTE: The Secure Physical Disks option is inactive if these conditions are not true.
The Secure Physical Disks option is inactive with a check mark to the left if the disk group is already security enabled.
The Create a secure disk group option is displayed in the Create Disk Group Wizard–Disk Group Name and Physical Disk
Selection dialog. The Create a secure disk group option is active only when these conditions are met:
A security key is installed in the storage array.
At least one security capable physical disk is installed in the storage array.
All the physical disks that you selected on the Hardware tab are security capable physical disks.
You can erase security enabled physical disks so that you can reuse the physical disks in another disk group or in another storage array.
When you erase security enabled physical disks, ensure that the data cannot be read. When all the physical disks that you have selected in