Skip to main content
SANtricity 11.8

Create internal security key

Contributors netapp-jolieg

To use the Drive Security feature, you can create an internal security key that is shared by the controllers and secure-capable drives in the storage array. Internal keys are maintained on the controller's persistent memory.

Before you begin
  • Secure-capable drives must be installed in the storage array. These drives can be Full Disk Encryption (FDE) drives or Federal Information Processing Standard (FIPS) drives.

  • The Drive Security feature must be enabled. Otherwise, a Cannot Create Security Key dialog box opens during this task. If necessary, contact your storage vendor for instructions on enabling the Drive Security feature.

Note

If both FDE and FIPS drives are installed in the storage array, they all share the same security key.

About this task

In this task, you define an identifier and a pass phrase to associate with the internal security key.

Note

The pass phrase for Drive Security is independent from the storage array's Administrator password.

Steps
  1. Select Settings  System.

  2. Under Security key management, select Create Internal Key.

    If you have not yet generated a security key, the Create Security Key dialog box opens.

  3. Enter information in the following fields:

    • Define a security key identifier — You can either accept the default value (storage array name and time stamp, which is generated by the controller firmware) or enter your own value. You can enter up to 189 alphanumeric characters without spaces, punctuation, or symbols.

      Note

      Additional characters are generated automatically, appended to both ends of the string you enter. The generated characters ensure that the identifier is unique.

    • Define a pass phrase/Re-enter pass phrase — Enter and confirm a pass phrase. The value can have between 8 and 32 characters, and must include each of the following:

      • An uppercase letter (one or more). Keep in mind that the pass phrase is case sensitive.

      • A number (one or more).

      • A non-alphanumeric character, such as !, *, @ (one or more).

    Caution

    Be sure to record your entries for later use. If you need to move a secure-enabled drive from the storage array, you must know the identifier and pass phrase to unlock drive data.

  4. Click Create.

    The security key is stored on the controller in a non-accessible location. Along with the actual key, there is an encrypted key file that is downloaded from your browser.

    Note

    The path for the downloaded file might depend on the default download location of your browser.

  5. Record your key identifier, pass phrase, and the location of the downloaded key file, and then click Close.

Results

You can now create secure-enabled volume groups or pools, or you can enable security on existing volume groups and pools.

Note

Whenever power to the drives is turned off and then on again, all the secure-enabled drives change to a Security Locked state. In this state, the data is inaccessible until the controller applies the correct security key during drive initialization. If someone physically removes a locked drive and installs it in another system, the Security Locked state prevents unauthorized access to its data.

After you finish

You should validate the security key to make sure the key file is not corrupted.