Technical White Paper

Self-Encrypting Drives in Dell EMC PowerEdge servers with VMware vSphere

Abstract

This technical white paper introduces the Self-Encrypting Drives (SED) offered by Dell EMC, which encrypt user data with an encryption engine built into the drive's own controller. It describes the configuration required to enable this security feature on SED drives and demonstrates the use cases for VMware vSphere and vSAN environments.
Revisions

Date: June 2020
Description: Initial release

Acknowledgements

Authors: Rakesh Senapati
Support: Krishnaprasad K, Gurupreet Kaushik

The information in this publication is provided "as is." Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.
Executive summary

Self-Encrypting Drives (SED) implement the Opal Security Subsystem Class (SSC) specification published by the Trusted Computing Group (TCG) Storage Work Group, a set of security specifications for storage devices such as disk drives. This document is intended to help the user build a configuration with encrypted virtual disks for data-at-rest protection and use it from a VMware vSphere point of view.
1 Introduction

Self-Encrypting Drives (SED) are hard disk drives or solid-state drives that encrypt user data at rest inside the drive itself. An SED encrypts and decrypts in real time, transparently to the host. The encryption uses a Media Encryption Key (MEK), also called the Data Encryption Key (DEK), which is generated inside the drive and never leaves it; the controller's security key (managed through the Local Key Manager described later in this paper) only unlocks access to the MEK. Because the encryption engine is part of the drive hardware, it has no measurable impact on performance. Note that the protection applies to data at rest only: once the controller has unlocked a drive at power-on, every read returns plaintext to the host, so an SED does not protect against a compromised hypervisor or guest. The controller security key must itself be protected and backed up, because a secured drive moved to a controller that does not hold the key cannot be read.
1.3.2 Hardware requirements

Dell EMC offers SED support only on PERC H7xx, H8x0 and PERC FD33xD controllers. The PERC H3xx series (PERC H345, PERC H330 and PERC H310) does not support the encryption key management features; SED drives can still be used on these cards, but only as standard (unencrypted) drives. Key management is also not supported on PERC controllers running in HBA mode, and SAS HBA controllers do not support SED at all; in both cases SED drives behave as standard drives.
2 UEFI or Human Interface Infrastructure (HII) RAID configuration utility

Note: In this section an SED drive connected to a PERC H745P MX storage controller in a Dell EMC PowerEdge MX840c server is configured as an encrypted virtual disk. Follow the steps below:
1. Check the drive encryption capability under Storage Dashboard > Physical Disk Management > Advanced.
2.
3 PERC Command Line Interface (CLI) on VMware ESXi

VMware ESXi itself provides no command-line or graphical tool for monitoring the state of SED drives. Vendor utilities such as PERCCLI provide this capability. Follow the steps below to install PERCCLI on VMware ESXi:
1. Download the PERCCLI utility for VMware ESXi from www.dell.com/support (search for the keyword PERCCLI; the package is delivered as perccli.gz).
The environment used in this section:
• PERC storage card firmware 50.9.4-3025
• SED drive model: SEAGATE ST2400MM0149

The PERCCLI package offers the following commands for monitoring SED drives within VMware ESXi:
1. Change to the PERCCLI installation directory: cd /opt/lsi/perccli
2. The following PERCCLI screenshot displays information about the encryption-capable drive and the SED-enabled virtual disk, using the command:
Information on the encryption-capable drive and the SED-enabled virtual disk
3. The following screenshot shows that the controller has been configured with the Local Key Manager (LKM), using the command:
./perccli /c0 show all
Controller configured with Local Key Manager
4. To create a RAID volume on an SED drive as a non-secured VD, use the following command (data on such a VD is not protected, because the drive is never locked):
./perccli /c0 add vd r0 drives=64:2
RAID volume on an SED drive created as a non-secured VD
5. To encrypt the non-secured virtual disk, use the following command:
Non-secured virtual disk encrypted
6. To create a RAID volume that is secured from the start on an SED-capable drive, use the following command:
./perccli /c0 add vd r0 drives=64:2 sed
Here the RAID level is RAID 0, the enclosure ID is 64, the drive slot ID is 2, and the sed option creates the VD as security-enabled.
RAID volume created directly on an SED-capable drive
7. To erase the data and the security information on the SED physical drive, use the following command. This is a cryptographic erase: the drive discards its media encryption key, so everything previously written becomes unrecoverable; confirm first that the drive is no longer a member of any virtual disk you still need.
Drive details
9. Check the mapped virtual disk on the VMware ESXi host with the following command: esxcli storage core device list
10. To create one secured RAID 0 virtual disk per SED drive connected to the drive backplane, use the following command: ./perccli /c0 add vd each r0 sed
For more PERCCLI commands, see the Dell EMC PowerEdge RAID Controller CLI Reference Guide.
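The PERCCLI procedure above (check which drives are SED-capable, then create secured VDs on them) as an added shell example; this script is not part of the Dell white paper or the PERCCLI package. It parses a PERCCLI/StorCLI-style drive table, lists the SED-capable drives that are not yet in a drive group, flags the non-SED drives that would prevent a VD from being secured, and prints the add vd ... sed command for each eligible drive instead of running it. The install path /opt/lsi/perccli/perccli, the controller name /c0, the column order of the drive table and the sample output embedded in the script are all assumptions: verify them against your own firmware's output before trusting the field indexes.

```sh
#!/bin/sh
# Added example (not from the Dell white paper or the PERCCLI package).
# Parses a PERCCLI/StorCLI-style drive table, selects the SED-capable drives
# that are not yet in a drive group, and prints the "add vd ... sed" commands
# that would secure each one.  Nothing is executed against the controller.
#
# ASSUMPTIONS: the install path below (from the paper's "cd /opt/lsi/perccli")
# and the column order "EID:Slt DID State DG Size Intf Med SED ..." of the
# drive table, where Size occupies two whitespace-separated tokens (for example
# "2.182 TB"), so the SED flag is awk field $9.  Verify both against the output
# of your own firmware before relying on the field indexes.

PERCCLI="${PERCCLI:-/opt/lsi/perccli/perccli}"
CTRL="${CTRL:-/c0}"

# Constructed sample output (not captured from a real controller).
SAMPLE_DRIVES='
--------------------------------------------------------------------------------
EID:Slt DID State DG     Size Intf Med SED PI SeSz Model            Sp Type
--------------------------------------------------------------------------------
64:0     12 UGood  -  2.182 TB SAS  HDD Y   N  512B ST2400MM0149     U  -
64:1     13 UGood  -  2.182 TB SAS  HDD Y   N  512B ST2400MM0149     U  -
64:2     14 UGood  -  2.182 TB SAS  HDD N   N  512B ST2400MM0129     U  -
64:3     15 Onln   0  2.182 TB SAS  HDD Y   N  512B ST2400MM0149     U  -
--------------------------------------------------------------------------------
'

# Keep only drive rows (first field "EID:Slt") and print "EID:Slt SED State".
drive_rows() {
    awk '$1 ~ /^[0-9]+:[0-9]+$/ && $8 ~ /^(HDD|SSD)$/ { print $1, $9, $3 }'
}

# SED-capable drives that are still unconfigured (State UGood): the candidates
# for a new secured VD.
sed_capable_unconfigured() {
    drive_rows | awk '$2 == "Y" && $3 == "UGood" { print $1 }'
}

# Drives without SED support.  The controller cannot secure a VD that contains
# one of these, so they must not be mixed into a secured drive group.
non_sed_drives() {
    drive_rows | awk '$2 != "Y" { print $1 }'
}

# One single-drive RAID 0 secured VD command per eligible drive.  This is the
# explicit form of the paper's "add vd each r0 sed", produced as text so the
# plan (and the slot IDs in it) can be reviewed before anything is run.
plan_secure_vds() {
    sed_capable_unconfigured | while IFS= read -r slot; do
        printf '%s %s add vd r0 drives=%s sed\n' "$PERCCLI" "$CTRL" "$slot"
    done
}

# Live drive table when PERCCLI is installed, the constructed sample otherwise.
drive_table() {
    if [ -x "$PERCCLI" ]; then
        "$PERCCLI" "$CTRL/eall/sall" show
    else
        printf '%s\n' "$SAMPLE_DRIVES"
    fi
}

# Stand-alone use: show drives that would block a secured VD, then the plan.
drive_table | non_sed_drives | sed 's/^/non-SED drive (exclude): /'
drive_table | plan_secure_vds
```

Run it on the ESXi host after installing PERCCLI; with the sample data it reports slot 64:2 as a non-SED drive and plans secured VDs for 64:0 and 64:1 only (64:3 is skipped because it is already online in a drive group). Review the printed commands, then paste them into the shell; the script deliberately never invokes add vd itself.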
4 iDRAC Storage Configuration

The Integrated Dell Remote Access Controller (iDRAC) embedded in Dell EMC PowerEdge servers lets you deploy, update, monitor and maintain PowerEdge servers with or without a systems management agent in the operating system. iDRAC can also manage the storage functions of the system at run time, including encrypting virtual disks on SED drives.
5 Dell OpenManage Server Administrator

Dell OpenManage Server Administrator (OMSA) is a complementary tool that provides a comprehensive, one-to-one systems management solution. OMSA provides this solution in two ways:
• An integrated, web browser-based graphical user interface (GUI)
• A command-line interface (CLI) through the operating system
OMSA can be used to manage the Local Key Manager (LKM) on storage controllers, which is what encrypts the virtual disks.
6 vSAN with Self-Encrypting Drives (SED)

vSAN is software-defined storage that provides its own software-based data-at-rest encryption on any supported storage device, so SED drives are not required for an encrypted vSAN datastore. vSAN encryption uses a FIPS 140-2 validated cryptographic module, and SED drives can cost 15 to 30 percent more than standard drives. SED drives can still be used as vSAN devices, but with the controller-level SED security disabled: vSAN devices are normally presented in pass-through (HBA) mode, in which the PERC key management features are unavailable anyway (see section 1.3.2), so the drives behave as standard drives and vSAN performs the encryption. Unlike LKM, where the security key lives on the PERC, vSAN encryption requires a key provider configured in vCenter Server.
7 Summary

This white paper introduces the Self-Encrypting Drives (SED) feature offered by Dell EMC to administrators and users for enabling encryption, achieving data-at-rest protection and using it from a VMware vSphere environment. It also describes how PERCCLI can be installed on VMware ESXi to monitor the secured virtual disks from within ESXi. The iDRAC and OMSA configurations have also been described to help users manage LKM and encrypt virtual disks.