Administrator Guide
Managing Secure Data
Secure Data provides data-at-rest encryption with key management for self-encrypting drives (SED). The Self-Encrypting Drives feature
must be licensed to use Secure Data.
How Secure Data Works
Using Secure Data to manage SEDs requires an external key management server. If a key management server has not been congured or is
unavailable, Storage Center allows SEDs to be managed; however, it will not secure the SEDs until the key management server is available
and congured, at which point they will be secured.
NOTE: Create a backup for the key management server before removing an SED and after managing an SED.
Each FIPS disk in Storage Center has an internal Media Encryption Key (MEK). The key resides on the disk, providing encryption for data
written to the disk and decryption for data as it is read from the disk. Destroying the key makes any data on the disk immediately and
permanently unreadable, a process referred to as a crypto erase. When you add an SED to, or release an SED from a Secure Data folder,
the MEK is destroyed and a new key is generated. Creating a new key allows the disk to be reused, although all previous data is lost.
WARNING: Managing a FIPS SED and assigning it to a Secure Data folder destroys the encryption key on the disk, which makes
any previous data on the disk unreadable.
Not to be confused with the MEK, the Storage Center manages a separate set of keys for providing data-at-rest encryption. These keys
are referred to as authority credentials. The purpose of these keys is to protect the theft of any number of drives. If a secured drive from a
Secure Data folder is removed from the system such that power is removed, the drive will be locked and customer data will be unreadable.
WARNING
: Storage Center will not be able to manage a previously-managed drive as an SED if the key has been deleted from
the drive or the key management server.
Authenticating to the drive using the authority credential is the only means of unlocking the drive while preserving customer data, which
can only be obtained by successfully authenticating to the related key management server through a secure channel.
Use the Copy Volumes to Disk Folder operation to copy volumes from a Secure Data folder to another folder. The destination folder can
be either a secure folder or a nonsecure folder.
To protect data at rest, all SEDs in a Secure Data disk folder lock when power is removed (lock on reset enabled). When power is removed
from the drive, the drive cannot be unlocked without an authority credential.
When replicating from a Secure Data volume to a non-Secure Data folder, that volume is no longer secure after it leaves the Secure Data
folder. When replicating a non-Secure Data volume to a Secure Data folder, that volume is not secure until it replicates to the Secure Data
folder and Data Progression runs.
Congure Key Server
Before managing SEDs in a Secure Data folder, congure communication between Storage Center and the key management server.
Prerequisite
The Storage Center must have the Self-Encrypting Drives license.
Steps
1 If the Storage Manager Client is connected to a Data Collector, select a Storage Center from the Storage view.
2 In the Summary tab, click Edit Settings.
The Edit Storage Center Settings dialog box opens.
3 Click the Secure Data tab.
4 In the Hostname eld, type the host name or IP address of the key management server.
Storage Center Maintenance
291