Assigning a FIPS 140-2 authentication key to a FIPS drive

You can use the storage encryption disk modify command with the -fips-key-id option to assign a FIPS 140-2 authentication key to a FIPS drive. Cluster nodes use this key for drive operations other than data access, such as preventing denial-of-service attacks on the drive.

Before you begin

The drive firmware must support FIPS 140-2 compliance. The Interoperability Matrix contains information about supported drive firmware versions.

About this task

Your security setup may require you to use different keys for data authentication and FIPS 140-2 authentication. If that is not the case, you can use the same authentication key for FIPS compliance that you use for data access.

Steps

  1. Assign a FIPS 140-2 authentication key to SEDs: storage encryption disk modify -disk disk_id -fips-key-id fips_authentication_key_id
    You can use the security key-manager query command to view key IDs.
    Example
    cluster1::> storage encryption disk modify -disk 2.10.* -fips-key-id 6A1E21D80000000001000000000000005A1FB4EE8F62FD6D8AE6754C9019F35A 
    
    Info: Starting modify on 14 disks.
          View the status of the operation by using the
          storage encryption disk show-status command.
  2. Verify that the authentication key has been assigned: storage encryption disk show -fips
    For complete command syntax, see the man page.
    Example
    cluster1::> storage encryption disk show -fips
    Disk    Mode FIPS-Compliance Key ID
    ------  ---- ----------------------------------------------------------------
    2.10.0  full 6A1E21D80000000001000000000000005A1FB4EE8F62FD6D8AE6754C9019F35A 
    2.10.1  full 6A1E21D80000000001000000000000005A1FB4EE8F62FD6D8AE6754C9019F35A 
    [...]