Preparing to add a controller module when using Storage Encryption

If the existing controller module is configured for Storage Encryption, you must gather information from the system and rekey the self-encrypting disks (SEDs) before adding the new controller module.

About this task

You must enter the commands in the steps below in the nodeshell. For more information about the nodeshell, see the System Administration Reference.

Steps

  1. Enter the following command and note the key IDs on all disk drives that are using Storage Encryption: disk encrypt show
    Example
    The command displays the status of each self-encrypting disk:
    storage-system> disk encrypt show
    Disk       Key ID                                                            Locked?
    0c.00.1    080CF0C8000000000100000000000000A948EE8604F4598ADFFB185B5BB7FED3  Yes
    0c.00.0    080CF0C8000000000100000000000000A948EE8604F4598ADFFB185B5BB7FED3  Yes
    0c.00.3    080CF0C8000000000100000000000000A948EE8604F4598ADFFB185B5BB7FED3  Yes
    0c.00.4    080CF0C8000000000100000000000000A948EE8604F4598ADFFB185B5BB7FED3  Yes
    0c.00.2    080CF0C8000000000100000000000000A948EE8604F4598ADFFB185B5BB7FED3  Yes
    0c.00.5    080CF0C8000000000100000000000000A948EE8604F4598ADFFB185B5BB7FED3  Yes
  2. Enter the following command and note all the necessary certificate files (client.pem, client_private.pem, and ip_address_key_server_CA.pem) that have been installed: keymgr list cert
    Later in the procedure you need to install these same certificate files on the new partner controller module.
  3. Enter the following command to identify the IP addresses of the key servers: key_manager show
    All external key management servers associated with the storage system are listed. Later in the procedure you need to add these same key servers on the new partner controller module.
    Example
    The following command displays all external key management servers associated with the storage system:
    storage-system> key_manager show
      172.18.99.175
  4. Enter the following command and check that the key IDs listed match those shown by the disk encrypt show command in step 1: key_manager query
    Example
    The following command checks the status of all key management servers linked to the storage system and displays additional information:
    storage-system> key_manager query
    
    Key server 172.18.99.175 reports 4 keys.
    
    Key tag                           Key ID
    --------                          -------
    storage-system                    080CF0C80...
    storage-system                    080CF0C80...
    storage-system                    080CF0C80...
    storage-system                    080CF0C80...
    
  5. Back up all data on all aggregates using standard methods for your site.
  6. Enter the following command to reset the authentication key on the drives using Storage Encryption to their Manufacturing System ID (MSID): disk encrypt rekey 0x0 *
  7. Examine the CLI command output to ensure that there are no disk encrypt rekey failures.
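
The comparison in step 4 can be scripted against console output saved from steps 1 and 4. The following is an added example, not NetApp code; it assumes the output has the column layout shown above, and the key IDs, disk names and key server address in the sample text are constructed. IDs that the key server lists in truncated form (ending in "...") are reported separately as prefix-only matches, because a prefix match is weaker evidence than a full match.

```python
import re

# Constructed sample captures; disk names, key IDs and server address are made up.
KEY_A, KEY_B = "0A" * 32, "0B" * 32
DISK_SHOW = f"""storage-system> disk encrypt show
Disk       Key ID    Locked?
0c.00.0    {KEY_A}  Yes
0c.00.1    {KEY_A}  Yes
0c.00.2    {KEY_B}  Yes
"""
KEY_QUERY = f"""storage-system> key_manager query
Key server 192.0.2.10 reports 2 keys.
Key tag                           Key ID
--------                          -------
storage-system                    {KEY_A}
storage-system                    {KEY_A[:9]}...
"""

DISK_ROW = re.compile(r"^\s*(\S+)\s+([0-9A-Fa-f]{16,})\s+(Yes|No)\s*$")
KEY_ROW = re.compile(r"^\s*\S+\s+([0-9A-Fa-f]{8,})(\.\.\.)?\s*$")

def parse_disk_keys(text):
    """Map disk name -> key ID from captured 'disk encrypt show' output."""
    rows = (DISK_ROW.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2).upper() for m in rows if m}

def parse_server_keys(text):
    """Return (full_ids, prefixes) from captured 'key_manager query' output."""
    full, prefixes = set(), set()
    for m in filter(None, map(KEY_ROW.match, text.splitlines())):
        (prefixes if m.group(2) else full).add(m.group(1).upper())
    return full, prefixes

def check_keys(disk_text, query_text):
    """Classify each disk: full match, prefix-only match, or missing on the server."""
    full, prefixes = parse_server_keys(query_text)
    result = {"matched": [], "prefix_only": [], "missing": []}
    for disk, key_id in sorted(parse_disk_keys(disk_text).items()):
        if key_id in full:
            result["matched"].append(disk)
        elif any(key_id.startswith(p) for p in prefixes):
            result["prefix_only"].append(disk)
        else:
            result["missing"].append(disk)
    return result

if __name__ == "__main__":
    for status, disks in check_keys(DISK_SHOW, KEY_QUERY).items():
        print(f"{status}: {', '.join(disks) or '-'}")
```

Any disk reported as missing has a key ID that no key server entry accounts for, which should be resolved before the rekey in step 6.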