Skip to main content
SANtricity commands

Create storage array security key

Contributors netapp-driley

The create storageArray securityKey command creates or changes a new security key for a storage array that has full disk encryption (FDE) drives.

Supported Arrays

If external key management is enabled, then this command applies only to the E4000, E2800, E5700,EF600, and EF300 arrays. If internal key management is enabled, then the command applies to any individual storage array, as long as all SMcli packages are installed.

Roles

To execute this command on an E4000, E2800, E5700, EF600, or EF300 storage array, you must have the Security Admin role.

Context

For internal key management, this command enables the Internal Key Management feature and creates the security key. After creating the key, use the set storageArray securityKey command to put the key into use. This command can also be used to change the security key.

For external key management, this command creates a different key to replace the key initially created when you enabled the feature. Use the enable storageArray externalKeyManagement command to enable the External Key Management feature and create the initial security key. This command can also be used to change the security key.

Syntax

create storageArray securityKey
[keyIdentifier="keyIdentifierString"]
passPhrase="passPhraseString"
file="fileName"
[commitSecurityKey=(TRUE | FALSE)]

Parameters

Parameter Description

keyIdentifier - only applicable for internal key management

A character string that you can read that is a wrapper around a security key. Enclose the key identifier in double quotation marks (" ").

You can enter characters for the key identifier for internal security keys to help you identify the key later. These are the formatting rules:

  • You can enter up to 189 alphanumeric characters for a key identifier. The key identifier cannot have these characters:

    • Spaces

    • Punctuation

    • Symbols

  • If you do not enter the keyIdentifer parameter for internal keys, the controller automatically generates the keyIdentifer parameter.

Additional characters are automatically generated and appended to the end of the string that you enter for the key identifier. If you do not enter any string for the keyIdentifier parameter, the key identifier consists of only the characters that are automatically generated.

Note

This parameter is ignored for external key management, because the key identifier is completely automatically generated. If the storage array has a user label, this automatically generated string is composed of the characters sa., followed by the storage array user label, the storage array identifier, and a randomly generated string. Any characters in the user label that are not alpha-numeric are converted to an underscore (_) character. For example, a user label of abc#8 will be converted to sa.abc_8 before being prepended to the rest of the key identifier. For storage arrays without a user label, the key identifier is composed of the storage array identifier and a randomly generated string.

passPhrase

A character string that encrypts the security key so that you can store the security key in an external file. Enclose the pass phrase in double quotation marks (" ").

For information about the correct form for creating a valid pass phrase, refer to the Notes in this command description.

Your pass phrase must meet these criteria:

  • Must be between eight and 32 characters long.

  • Must contain no whitespace.

  • Must contain at least one uppercase letter.

  • Must contain at least one lowercase letter.

  • Must contain at least one number.

  • Must contain at least one non-alphanumeric character, for example, < > @ +.

Note

If your pass phrase does not meet these criteria, you will receive an error message and will be asked to retry the command.

file

The file path and the file name to which you want to save the security key. For example:

file="C:\Program Files\CLI\sup\drivesecurity.slk"
Note

The file name must have an extension of .slk .

Enclose the file path and name in double quotation marks (" ").

commitSecurityKey - only applicable for internal key management

This parameter commits the security key to the storage array for all FDE drives as well as the controllers. After the security key is committed, a key is required to access data on Security Enabled drives in the storage array. The data can only be read or changed by using a key, and the drive can never be used in a non-secure mode without rendering the data useless or totally erasing the drive.

The default value is FALSE. If this parameter is set to FALSE, send a separate set storageArray securityKey command to commit the security key to the storage array.

Minimum firmware level

7.40, introduced for internal key management

8.40, introduced for external key management