
13 Dell PS Series Architecture: Self Encrypting Drive Management with PS Series Storage Arrays | TR1093
A PS Series SED storage procedures
A.1 Backing up the access key using the PS Series Group Manager GUI
The AutoSED machinery is very robust and remains functional even when severe failures have taken the
array offline. The backup is only needed in exceptional circumstances, such as the loss of more than half the
drives from an array.
The SED Access Key is never explicitly revealed as part of the backup process. Rather, it is cryptographically
rewritten into a set of three unique backup units. Any two backup units from the same backup set can be
combined by AutoSED to decode the Access Key. Although the key does not change until the member is
reset, each backup set is unique. No two sets are alike, and backup units from different sets cannot be
combined to recover the Access Key.
The array will automatically create and present a backup set during initial setup, when the RAID policy is
configured. Additional backup sets can be manually requested at any time.
1. Click Group and expand Members.
2. Click the name of the member identified for encryption key backup.
3. Click the Maintenance tab.
4. In the Disk Encryption panel, click Encryption Key Shares.
5. Enter the administrative password in the dialog box. The Information dialog will list the names and
location of the three files.
6. To download all three backup units as individual text files, click Download key shares and choose
the location where you want to store them. All three file names have the format
membername-backup-unit-N, where N stands for 1, 2 or 3.
7. Click Copy above each key share to copy the individual key share (backup unit) and paste it into a
file, if desired.
8. If one of the backup units is lost or compromised, refer to “Safeguarding the key backup” in the Dell
EqualLogic Group Manager Administrator’s Guide.
Note: If you generate a second set of key shares, the first set is not invalidated. Generating a second set of
key shares, therefore, does not protect the key shares from being compromised.
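The 2-of-3 behavior described in this section can be illustrated with Shamir secret sharing. The following is an added example, not code from this paper and not AutoSED's own algorithm, which the paper does not disclose; the scheme, the field prime and the function names are assumptions made for the illustration.

```python
import secrets

# Assumed field: the Mersenne prime 2**521 - 1, large enough for a 256-bit key.
P = 2**521 - 1

def make_backup_set(key: int) -> list[tuple[int, int]]:
    """Split key into three units on a fresh random line f(x) = key + a*x mod P."""
    a = secrets.randbelow(P - 1) + 1   # new slope per call, so every set is unique
    return [(x, (key + a * x) % P) for x in (1, 2, 3)]

def recover(u1: tuple[int, int], u2: tuple[int, int]) -> int:
    """Interpolate f(0) from two units; only correct if both lie on the same line."""
    (x1, y1), (x2, y2) = u1, u2
    if x1 == x2:
        raise ValueError("two different backup units are required")
    # f(0) = (y1*x2 - y2*x1) / (x2 - x1), computed mod P
    return ((y1 * x2 - y2 * x1) * pow(x2 - x1, -1, P)) % P

def demo() -> tuple[bool, bool, bool]:
    key = secrets.randbits(256)        # constructed stand-in for the SED Access Key
    set_a = make_backup_set(key)       # backup set created at initial setup
    set_b = make_backup_set(key)       # second set requested later, same key

    # Any two units from the same set decode the key.
    pairs = ((0, 1), (0, 2), (1, 2))
    same_set_ok = all(recover(set_a[i], set_a[j]) == key for i, j in pairs)

    # Generating set_b did not invalidate set_a: both still decode the key.
    both_sets_valid = (recover(set_a[1], set_a[2]) == key
                       and recover(set_b[0], set_b[2]) == key)

    # Units from different sets lie on different lines and do not decode the key.
    mixed_ok = recover(set_a[0], set_b[1]) == key
    return same_set_ok, both_sets_valid, mixed_ok

if __name__ == "__main__":
    print(demo())
```

A single unit is one point on a line whose slope is unknown, so it is consistent with every possible key; two units from the same set fix the line and therefore the key.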
A.2 Unlocking a Self-Encrypting Drive
During normal operation, an SED automatically unlocks at startup. When you back up the key shares from the
GUI, the three parts of the key are saved as individual text files to the directory that you specify. To unlock a
locked drive, you must use the CLI.
1. From the CLI prompt, type keyd (but do not press [Enter]). This command invokes the keying
daemon.
2. Open the first key share file with a text editor (such as Notepad). The key share file name has the
form groupname-keyshare-number, where number represents 1, 2, or 3. The key share file has no file
extension.