storage encryption disk sanitize
Cryptographically sanitize a self-encrypting disk
Availability: This command is available to cluster administrators at the admin privilege level.
Description
The storage encryption disk sanitize
command cryptographically sanitizes one or more self-encrypting disks (SEDs), making the existing data on the SED impossible to retrieve. This operation employs the inherent erase capability of SEDs to perform all of the following changes:
-
Sanitizes all data by changing the disk encryption key to a new random value
-
Sets the data authentication key (AK) to the default AK (manufacture secure ID/MSID or null, depending on the device type)
-
Unlocks the data band
-
Resets the power-on lock state to
false
There is no method to restore the disk encryption key to its previous value, meaning that you cannot recover the data on the SED. Use this command with extreme care.
The sanitize command requires you to enter a confirmation phrase before proceeding with the operation.
The command releases the cluster shell after launching the operation. Monitor the output of the storage encryption disk show-status command for command completion.
When the operation is complete, it is possible to return the SED to service using the storage disk unfail command in advanced
privilege mode. To do so, you might also need to reestablish ownership of the SED using the storage disk assign command.
Parameters
-disk <disk path name>
- Disk Name-
This parameter specifies the name of the SEDs you want to cryptographically sanitize. See the man page for the
storage disk modify
command for information about disk-naming conventions. [-force-all-states <true>]
- Sanitize All Matching Disks-
When this parameter is
false
or not specified, the operation defaults to spare and broken disks only, as reported in the output of the storage disk show command. When you specify this parameter astrue
, it allows you to cryptographically sanitize all matching disk names regardless of their state, including those in active use in aggregates. This allows a quick erasure of all system data if you use the-disk
parameter with the asterisk wildcard (*). If you sanitize active disks, the nodes might not be able to continue operation, and might halt or panic.
Examples
The following command sanitizes the disk 1.10.20:
cluster1::> storage encryption disk sanitize 1.10.20 Warning: This operation will cryptographically sanitize 1 spare or broken self-encrypting disk on 1 node. To continue, enter sanitize disk :sanitize disk Info: Starting sanitize on 1 disk. View the status of the operation using the link:storage-encryption-disk-show-status.html[storage encryption disk show-status] command. cluster1::>
If you do not enter the correct confirmation phrase, the operation is aborted:
cluster1::> storage encryption disk sanitize 1.10.2* Warning: This operation will cryptographically sanitize 5 spare or broken self-encrypting disks on 1 node. To continue, enter sanitize disk :yes No disks sanitized. cluster1::>
The following command quickly cryptographically sanitizes all system disks, including those in active use in aggregates and shared devices:
cluster1::> storage encryption disk sanitize -force-all-states -disk * Warning: This operation will cryptographically sanitize 96 self-encrypting disks on 4 nodes. To continue, enter sanitize disk :sanitize disk Info: Starting sanitize on 96 disks. View the status of the operation by using the link:storage-encryption-disk-show-status.html[storage encryption disk show-status] command. cluster1::>