Administrator Guide

Managing Secure Data
Secure Data provides data-at-rest encryption with key management for self-encrypting drives (SED). The Self-Encrypting Drives
feature must be licensed to use Secure Data.
How Secure Data Works
Using Secure Data to manage SEDs requires an external key management server. If a key management server has not been
configured or is unavailable, Storage Center allows SEDs to be managed; however, it will not secure the SEDs until the key
management server is available and configured, at which point they will be secured.
NOTE: Create a backup for the key management server before removing an SED and after managing an SED.
Each FIPS disk in Storage Center has an internal Media Encryption Key (MEK). The key resides on the disk, providing encryption for
data written to the disk and decryption for data as it is read from the disk. Destroying the key makes any data on the disk
immediately and permanently unreadable, a process referred to as a crypto erase. When you add an SED to, or release an SED from, a
Secure Data folder, the MEK is destroyed and a new key is generated. Creating a new key allows the disk to be reused, although all
previous data is lost.
WARNING: Managing a FIPS SED and assigning it to a Secure Data folder destroys the encryption key on the disk, which
makes any previous data on the disk unreadable.
Not to be confused with the MEK, the Storage Center manages a separate set of keys for providing data-at-rest encryption. These
keys are referred to as authority credentials. The purpose of these keys is to protect against the theft of any number of drives. If a secured
drive from a Secure Data folder is removed from the system such that power is removed, the drive will be locked and customer data
will be unreadable.
WARNING: Storage Center will not be able to manage a previously-managed drive as an SED if the key has been deleted
from the drive or the key management server.
Authenticating to the drive using the authority credential is the only means of unlocking the drive while preserving customer data.
The authority credential can only be obtained by successfully authenticating to the related key management server through a secure channel.
Use the Copy Volumes to Disk Folder operation to copy volumes from a Secure Data folder to another folder. The destination folder
can be either a secure folder or a nonsecure folder.
To protect data at rest, all SEDs in a Secure Data disk folder lock when power is removed (lock on reset enabled). When power is
removed from the drive, the drive cannot be unlocked without an authority credential.
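The following added example, which is not from this guide or from the product, models in Python the behavior described above: crypto erase by replacing the MEK, lock on reset, and unlocking with the authority credential. The class ModelSED, its method names, and the SHA-256 keystream that stands in for the drive's hardware cipher are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stand-in for the drive's hardware cipher (assumption, not real SED crypto).
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class ModelSED:
    """Hypothetical model of one self-encrypting drive."""
    def __init__(self):
        self._mek = secrets.token_bytes(32)  # Media Encryption Key, stays on the disk
        self._cred_hash = None               # set once the drive is secured
        self._media = b""                    # ciphertext as stored on the media
        self.locked = False

    def crypto_erase(self):
        # Destroy the MEK and generate a new one: old ciphertext can no longer be decrypted.
        self._mek = secrets.token_bytes(32)

    def secure(self, authority_credential: bytes):
        # Assigning the drive to a Secure Data folder: new MEK, previous data is lost.
        self.crypto_erase()
        self._cred_hash = hashlib.sha256(authority_credential).digest()

    def power_cycle(self):
        # Lock on reset: a secured drive comes back locked after power is removed.
        self.locked = self._cred_hash is not None

    def unlock(self, authority_credential: bytes) -> bool:
        candidate = hashlib.sha256(authority_credential).digest()
        if self._cred_hash and hmac.compare_digest(candidate, self._cred_hash):
            self.locked = False
        return not self.locked

    def write(self, data: bytes):
        if self.locked:
            raise PermissionError("drive is locked")
        self._media = _keystream_xor(self._mek, data)

    def read(self) -> bytes:
        if self.locked:
            raise PermissionError("drive is locked")
        return _keystream_xor(self._mek, self._media)
```

In the model, a drive that has been power cycled refuses reads until unlock() is called with the same credential passed to secure(), and a read after crypto_erase() returns bytes that no longer match what was written.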
When replicating from a Secure Data volume to a non-Secure Data folder, that volume is no longer secure after it leaves the Secure
Data folder. When replicating a non-Secure Data volume to a Secure Data folder, that volume is not secure until it replicates to the
Secure Data folder and Data Progression runs.
Congure Key Server
Before managing SEDs in a Secure Data folder, congure communication between Storage Center and the key management server.
Prerequisite
The Storage Center must have the Self-Encrypting Drives license.
Steps
1. Select a Storage Center from the Storage view. (Data Collector connected Storage Manager Client only)
2. In the Summary tab, click Edit Settings. The Edit Storage Center Settings dialog box opens.
3. Click the Secure Data tab.
4. In the Hostname field, type the host name or IP address of the key management server.
5. In the Port field, type the number of a port with open communication with the key management server.
6. In the Timeout field, type the amount of time in seconds after which Storage Center should stop attempting to reconnect to
the key management server after a failure.
Storage Center Maintenance