Administrator Guide
Direct from
Development
PowerEdge Product Group
Copyright © 2019 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries
Copyright © 2019 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries
Frequently Asked Questions:
Where does the encryption happen?
Encryption occurs on the drive whether the drive is secured or not. Any IO to the drive is encrypted/decrypted by
hardware on the drive.
Where is the key stored, Drive or RAID controller?
KEK
Key Encryption Key
DEK
Data Encryption Key
There are multiple keys that are used between the drive and PERC. The DEK is what is used to encrypt the data on
the drive, and it is stored on the drive itself. The KEK is used to unlock the drive so the drive can use the DEK. The
hashed KEK is stored on the PERC controller.
The DEK is never revealed outside of the drive and the KEK is never revealed outside of the PERC controller.
Is the data encrypted by default?
The data is always encrypted but the drive needs to be secured to protect data from theft.
How to move disks between controllers, preserving the data?
Moving disks between different controllers is allowed and the passphrase that was originally used is needed to
unlock the SEDs when importing them on the new controller. See Importing secure Virtual Disk section in the User
Guide.
How to recover/access data in case of PERC card failure.
After replacing the failed controller with a working one and enabling security, the secured VDs can be imported using
the original passphrase, allowing access to the data on the disks.
Can the passphrase be changed multiple times?
Yes, you can change the passphrase if you know the existing passphrase. This rekeys the KEK but does not change
the DEK. See Changing Security Key section in the User Guide. The data will not be erased/lost when the new
passphrase is established. The only thing that is changing is the passphrase that is used to unlock the drive.
If we lost a drive (and someone finds it) is the data accessible by default? What are the minimum steps
required to ensure the data is protected?
If your drives are non-SED, then the data is accessible.
If your drives are SED and you did not secure them, then the data is accessible.
If your drives are SED and you secured them, then the data can only be accessed using the passphrase you have
set.
By default, the data is not protected from theft. The minimum steps needed to secure a drive is to enable the
controller security and securing the Virtual Disk. Please see Local Key Management section in the User Guide for
more information.
What are performance implications of a SED. Would they perform faster/slower depending on if they are
secured?
Data encryption occurs whether the drive is secured or not so there is no impact on performance.