
29 - MegaRAID SAS Software - Chapter - 03

This chapter describes the LSI SafeStore Disk Encryption service which allows self-encrypting disks to provide data security. It provides encryption of data on drives using disk-based key management so that data is protected even if drives are removed from servers. The chapter defines terminology related to the encryption feature and outlines the workflow to enable security and manage encryption keys.

Uploaded by

NWorK

MegaRaid SAS Software User Guide Chapter 3: SafeStore Disk Encryption | Overview

Chapter 3
SafeStore Disk Encryption
This chapter describes the LSI® SafeStore™ Disk Encryption service. The SafeStore Disk
Encryption service is a collection of features within LSI storage products that supports
self-encrypting disks. SafeStore encryption services support Local Key Management.

3.1 Overview

The SafeStore Disk Encryption service offers the ability to encrypt data on drives and
use disk-based key management to provide data security. This solution provides data
protection in the event of theft or loss of physical drives. With self-encrypting drives, if
you remove a drive from its storage system or the server it is housed in, the data on that
drive is encrypted and useless to anyone who attempts to access it without the
appropriate security authorization.
With the SafeStore encryption service, data is encrypted by the drives. You can
designate which data to encrypt at the individual virtual disk (VD) level.
Any encryption solution requires management of the encryption keys. The security
service provides a way to manage these keys. Both the WebBIOS Configuration Utility
(Chapter 4) and MegaRAID Storage Manager (Chapter 11) offer procedures that you
can use to manage the security settings for the drives.

3.2 Purpose and Benefits

Security is a growing market concern and requirement. MegaRAID customers are
looking for a comprehensive storage encryption solution to protect data. You can use
the SafeStore encryption service to help protect your data.
In addition, SafeStore local key management removes the administrator from most of
the daily tasks of securing data, thereby reducing user error and decreasing the risk of
data loss. Also, SafeStore local key management supports instant secure erase of drives
that permanently removes data when repurposing or decommissioning drives. These
services provide a much more secure level of data erasure than other common erasure
methods, such as overwriting or degaussing.

LSI Corporation Confidential | June 2010 Page 43



3.3 Terminology

Table 19 describes the terminology related to the SafeStore encryption feature.

Table 19: Terminology used in FDE

| Option | Description |
| --- | --- |
| Authenticated Mode | The RAID configuration is keyed to a user password. The password must be provided on system boot to authenticate the user and facilitate unlocking the configuration for user access to the encrypted data. |
| Blob | A blob is created by encrypting a key(s) using another key. There are two types of blob in the system: encryption key blob and security key blob. |
| Key backup | You need to provide the controller with a lock key if the controller is replaced or if you choose to migrate secure virtual disks. To do this, you must back up the security key. |
| Password | An optional authenticated mode is supported in which you must provide a password on each boot to make sure the system boots only if the user is authenticated. Firmware uses the user password to encrypt the security key in the security key blob stored on the controller. |
| Re-provisioning | Re-provisioning disables the security system of a device. For a controller, it involves destroying the security key. For SafeStore encrypted drives, when the drive lock key is deleted, the drive is unlocked and any user data on the drive is securely deleted. This does not apply to controller-encrypted drives, because deleting the virtual disk destroys the encryption keys and causes a secure erase. See Section 3.5, Instant Secure Erase, for information about the instant secure erase feature. |
| Security Key | A key based on a user-provided string. The controller uses the security key to lock and unlock access to the secure user data. This key is encrypted into the security key blob and stored on the controller. If the security key is unavailable, user data is irretrievably lost. You must take all precautions to never lose the security key. |
| Un-Authenticated Mode | This mode allows the controller to boot and unlock access to user configuration without user intervention. In this mode, the security key is encrypted into a security key blob, stored on the controller, but instead of a user password, an internal key specific to the controller is used to create the security key blob. |
| Volume Encryption Keys (VEK) | The controller uses the Volume Encryption Keys to encrypt data when a controller-encrypted virtual disk is created. These keys are not available to the user. The firmware (FW) uses a unique 512-bit key for each virtual disk. The VEK for the VDs are stored on the physical disks in a VEK blob. |

3.4 Workflow

3.4.1 Enable Security

You can enable security on the controller. After you enable security, you have the
option to create secure virtual drives using a security key.
There are three procedures you can perform to create secure virtual drives using a
security key:
- Create the security key identifier
- Create the security key
- Create a password (optional)

3.4.1.1 Create the Security Key Identifier

The security key identifier appears whenever you enter the security key. If you have
multiple security keys, the identifier helps you determine which security key to enter.
The controller provides a default identifier for you. You can use the default or enter your
own identifier.

3.4.1.2 Create the Security Key

You need to enter the security key to perform certain operations. You can choose a
strong security key that the controller suggests.


CAUTION: If you forget the security key, you will lose access to your data.

3.4.1.3 Create a Password

The password provides additional security. The password should be different from the
security key. You can select a setting in the utilities so that you must enter the password
whenever you boot your server.

CAUTION: If you forget the password, you will lose access to your data.

When you use the specified security key identifier, security key, and password, security
will be enabled on the controller.

3.4.2 Change Security

You can change the security settings on the controller, and you have the option to
change the security key identifier, security key, and password. If you have previously
removed any secured drives, you still need to supply the old security key to import
them.
There are three procedures you can perform to change the security settings on the
controller:
- Change the security key identifier
- Change the security key
- Change a password
See Section 4.6, Selecting SafeStore Encryption Services Security Options for the
procedures used to change security options in WebBIOS or Section 11.5, LSI SafeStore
Encryption Services for the procedures used to change security options in MegaRAID
Storage Manager.

3.4.2.1 Change the Security Key Identifier

You have the option to edit the security key identifier. If you plan to change the security
key, it is highly recommended that you change the security key identifier. Otherwise,
you will not be able to differentiate between the security keys.
You can select whether you want to keep the current security key identifier or enter a
new one. To change the security key identifier, enter a new security key identifier.

3.4.2.2 Change the Security Key

You can choose to keep the current security key or enter a new one. To change the
security key, you can either enter the new security key or accept the security key that
the controller suggests.

3.4.2.3 Add or Change the Password

You have the option to add a password or change the existing one. To change the
password, enter the new password. To keep the existing password, enter the current
password. If you choose this option, you must enter the password whenever you boot
your server.
This procedure updates the existing configuration on the controller to use the new
security settings.

3.4.3 Create Secure Virtual Drives

You can create secure virtual drives and set their parameters as desired. To create a
secure virtual drive, select a configuration method. You can select either simple
configuration or advanced configuration.


3.4.3.1 Simple Configuration

If you select simple configuration, select the redundancy type and drive security
method to use for the drive group.
See Section 8.1.2, Creating a Virtual Drive Using Simple Configuration for the procedures
used to select the redundancy type and drive security method for a configuration.

3.4.3.2 Advanced Configuration

If you select advanced configuration, select the drive security method, and add the
drives to the drive group.
See Section 8.1.3, Creating a Virtual Drive Using Advanced Configuration for the
procedures used to import a foreign configuration.
After the drive group is secured, you cannot remove the security without deleting the
virtual drives.

3.4.4 Import a Foreign Configuration

After you create a security key, you can run a scan for a foreign configuration and
import a locked configuration. (You can import unsecured or unlocked configurations
when security is disabled.) A foreign configuration is a RAID configuration that already
exists on a replacement set of drives that you install in a computer system. WebBIOS
Configuration Utility and MSM allow you to import the existing configuration to the
RAID controller or clear the configuration so you can create a new one.
See Section 4.6.4, Importing Foreign Configurations for the procedure used to import a
foreign configuration in WebBIOS or Section 11.5.4, Importing or Clearing a Foreign
Configuration for the procedure in MegaRAID Storage Manager.
To import a foreign configuration, you must first enable security to allow importation of
locked foreign drives. If the drives are locked and the controller security is disabled, you
cannot import the foreign drives. Only unlocked drives can be imported when security
is disabled.
After you enable the security, you can import the locked drives. To import the locked
drives, you must provide the security key used to secure them. Verify whether any
drives are left to import as the locked drives can use different security keys. If there are
any drives left, repeat the import process for the remaining drives. After all of the drives
are imported, there is no configuration to import.

3.5 Instant Secure Erase

Instant Secure Erase is a feature used to erase data from encrypted drives. After the
initial investment for an encrypted disk, there is no additional cost in dollars or time to
erase data using the Instant Secure Erase feature.
You can change the encryption key for all MegaRAID RAID controllers that are
connected to encrypted drives. All encrypted drives, whether locked or unlocked,
always have an encryption key. This key is set by the drive and is always active. When
the drive is unlocked, the data to host from the drive (on reads) and from the host to
the drive cache (on writes) is always provided. However, when resting on the drive
platters, the data is always encrypted by the drive.
You might not want to lock your drives because you have to manage a password if they
are locked. Even if you do not lock the drives, there is still a benefit to using encrypted
disks.
If you are concerned about data theft or other security issues, you might already invest
in drive disposal costs, and there are benefits to using SafeStore encryption over other
technologies that exist today, both in terms of the security provided and time saved.


If the encryption key on the drive changes, the drive cannot decrypt the data on the
platters, effectively erasing the data on the disks. The National Institute of Standards
and Technology (http://www.nist.gov) values this type of data erasure above secure
erase and below physical destruction of the device.
There are three major reasons for using instant secure erase.

If there is a need to repurpose the hard drive for a different application. You
might need to move the drive to another server to expand storage elsewhere, but the
drive is in use. The data on the drive might contain sensitive data including customer
information that, if lost or divulged, could cause an embarrassing disclosure of a
security hole. You can use the instant secure erase feature to effectively erase the data
so the drive can be moved to another server or area without concern that old data
could be found.

If there is a need to replace drives. If the amount of data has outgrown the storage
system, and there is no room to expand capacity by adding drives, you might choose to
purchase upgrade drives. If the older drives support encryption, you can erase the data
instantly so the new drives can be used.

If there is a need to return a disk for warranty activity. If the drive is beginning to
show SMART predictive failure alerts, you might want to return the drive for
replacement. If so, the drive needs to be effectively erased if there is sensitive data.
Occasionally a drive is in such bad condition that standard erasure applications do not
work. If the drive still allows any access, it might be possible to destroy the encryption
key.
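
The key relationships from Table 19 and the instant secure erase behaviour described in this section, as an added Python model that is not LSI code or the firmware's algorithm. The PBKDF2 derivation, the HMAC-based stand-in cipher, and the names `seal`, `unseal`, `password_kek` and `Drive` are assumptions chosen so the model runs with only the standard library.

```python
import hashlib, hmac, os

def _subkeys(key):
    # Independent encryption and MAC keys derived from one wrapping key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 counter keystream: a stdlib stand-in for the real cipher.
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag (the 'blob')."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc, nonce, plaintext)
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Return the plaintext, or raise ValueError if key did not seal this blob."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("blob does not authenticate under this key")
    return _xor_stream(enc, nonce, ct)

def password_kek(password, salt):
    # Authenticated mode: wrapping key derived from the boot password.
    # Un-authenticated mode would pass a controller-internal key to seal() instead.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Drive:
    """Self-encrypting drive model: the platters only ever hold ciphertext."""
    def __init__(self):
        self.media_key = os.urandom(32)  # set by the drive, always active
        self.platters = b""
    def write(self, data):
        self.platters = seal(self.media_key, data)
    def read(self):
        return unseal(self.media_key, self.platters)
    def instant_secure_erase(self):
        self.media_key = os.urandom(32)  # old ciphertext can no longer be decrypted

if __name__ == "__main__":
    d = Drive(); d.write(b"constructed sample record"); d.instant_secure_erase()
    try: d.read()
    except ValueError as err: print("after erase:", err)
```

The same `unseal` failure models both cautions in Section 3.4.1: a security key blob sealed under one password cannot be opened with another, and nothing on the controller can recover it.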
