
storage encryption disk show


Display self-encrypting disk attributes

Availability: This command is available to cluster administrators at the admin privilege level.

Description

The storage encryption disk show command displays information about self-encrypting disks (SEDs), including FIPS-certified SEDs. By default, the command displays the following information about all SEDs:

  • Disk name

  • The protection mode of the SED

  • The key ID associated with the data authentication key (data AK)

You can use the following parameters together with the -disk parameter to narrow the selection of displayed SEDs or the information displayed about them.

Parameters

{ [-fields <fieldname>,…​]

If you specify the -fields <fieldname>, …​ parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.

| [-fips ]

If you specify this parameter, the command displays the key ID associated with the FIPS-compliance authentication key ("FIPS AK") instead of the data key ID.

| [-instance ] }

If you specify this parameter, the command displays detailed disk information about all disks, or only those specified by a -disk parameter.

[-disk <disk path name>] - Disk Name

If you specify this parameter, the command displays information about the specified disks. If you specify a single disk path name, the output is the same as when you use the -instance parameter. See the man page for the storage disk modify command for information about disk-naming conventions. Default is all self-encrypting disks.

[-container-name <text>] - Container Name

This parameter specifies the container name associated with a SED. If you specify an aggregate name or other container name, only the SEDs in that container are displayed. See the man page for the storage disk show command for a description of the container name. Use the storage aggregate show-status and storage disk show commands to determine which aggregates the SEDs are in.

[-container-type {aggregate | broken | foreign | labelmaint | maintenance | mediator | remote | shared | spare | unassigned | unknown | unsupported}] - Container Type

This parameter specifies the container type associated with a SED. If you specify a container type, only the SEDs with that container type are displayed. See the man page for the storage disk show command for a description of the container type.

[-data-key-id <text>] - Key ID of the Current Data Authentication Key

This parameter specifies the key ID associated with the data AK that the SED requires for authentication with the data-protection authorities in the SED. The special key ID 0x0 indicates that the current data AK of the SED is the default manufacture secure ID (MSID) that is not secret. Some devices employ an initial null default AK that appears as a blank data-key-id; you cannot specify a null data-key-id value. To properly protect data at rest on the device, modify the data AK using a key ID that is not the MSID. When you modify the data AK with a non-MSID key ID, the system automatically sets the device's power-on lock enable control so that authentication with the data AK is required after a device power-cycle. Use storage encryption disk modify -data-key-id key-id to protect the data. Use storage encryption disk modify -fips-key-id key-id to place the SED into FIPS-compliance mode.

[-fips-key-id <text>] - Key ID of the Current FIPS Authentication Key

This parameter specifies the key ID associated with the FIPS authentication key ("FIPS AK") that the system must use to authenticate with FIPS-compliance authorities in FIPS-certified SEDs. This parameter may not be set to a non-MSID value in SEDs that are not FIPS-certified.

[-is-power-on-lock-enabled {true|false}] - Is Power-On Lock Protection Enabled?

This parameter specifies the state of the SED control that determines whether the SED requires authentication with the data AK after a power-cycle. The system enables this control parameter automatically when you use the storage encryption disk modify -data-key-id command to set the data AK to a value other than the MSID. Data is protected only when this parameter is true and the data AK is not the MSID. Compare with the values of the -protection-mode parameter below.

[-protection-mode <text>] - Mode of SED Data and FIPS-Compliance Protection

The protection mode that the drive is in:

  • open - data is unprotected; SED is not in FIPS-compliance mode

  • data - data is protected; SED is not in FIPS-compliance mode

  • part - data is unprotected; SED is in FIPS-compliance mode

  • full - data is protected; SED is in FIPS-compliance mode

[-type {ATA | BSAS | FCAL | FSAS | LUN | MSATA | SAS | SSD | VMDISK | SSD-NVM}] - Disk Type

This parameter selects the drive type to include in the output.

Examples

The following command displays information about all SEDs:

cluster1::> storage encryption disk show
Disk    Mode Data Key ID
------- ---- -----------------------------------------------------------------
0.0.0   open 0x0
0.0.1   part 0x0
0.0.2   data 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
1.10.0  open 0A53ED2A000000000100000000000000BEDC1B27AD3F0DB8891375AED2F34D0B
1.10.1  part 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
1.10.2  full 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
[...]

Note in the example that only disk 1.10.2 is fully protected with FIPS mode, power-on-lock enable, and an AK that is not the default MSID.

The following command displays information about the protection mode and FIPS key ID for all SEDs:

cluster1::> storage encryption disk show -fips
Disk    Mode FIPS-Compliance Key ID
------- ---- -----------------------------------------------------------------
0.0.0   open 0x0
0.0.1   part 0A53ED2A000000000100000000000000C1B27AD3F0DB8891375AED2F34D0BBED
0.0.2   data 0x0
1.10.0  open 0A53ED2A000000000100000000000000BEDC1B27AD3F0DB8891375AED2F34D0B
1.10.1  part 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
1.10.2  full 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
[...]

Note again that only disk 1.10.2 is fully protected with FIPS-compliance mode set, power-on-lock enabled, and a data AK that is not the default MSID.
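
The following script is an added example, not part of the original documentation: it joins the two views shown above by disk name and lists every SED whose mode is not full, together with the key-ID reason. The function names are hypothetical, and treating "both AKs set but mode not full" as a power-on lock question is an assumption based on the -is-power-on-lock-enabled description.

```python
MSID = "0x0"  # per the page: key ID 0x0 means the AK is still the non-secret MSID
MODES = {"open", "data", "part", "full"}
# Output of the two example commands on this page.
DATA_VIEW = """\
Disk    Mode Data Key ID
------- ---- -----------------------------------------------------------------
0.0.0   open 0x0
0.0.1   part 0x0
0.0.2   data 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
1.10.0  open 0A53ED2A000000000100000000000000BEDC1B27AD3F0DB8891375AED2F34D0B
1.10.1  part 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
1.10.2  full 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
[...]
"""
FIPS_VIEW = """\
Disk    Mode FIPS-Compliance Key ID
------- ---- -----------------------------------------------------------------
0.0.0   open 0x0
0.0.1   part 0A53ED2A000000000100000000000000C1B27AD3F0DB8891375AED2F34D0BBED
0.0.2   data 0x0
1.10.0  open 0A53ED2A000000000100000000000000BEDC1B27AD3F0DB8891375AED2F34D0B
1.10.1  part 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
1.10.2  full 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
"""

def parse_view(text):
    """Return {disk: (mode, key_id)}; a blank key column (null default AK) maps to ''."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        # Keep only data rows: header, rule and "[...]" lines have no mode in column 2.
        if len(parts) >= 2 and parts[1] in MODES:
            rows[parts[0]] = (parts[1], parts[2] if len(parts) > 2 else "")
    return rows

def audit(data_text, fips_text):
    """Return {disk: (mode, reasons)} for each SED not in mode 'full' (same disks in both views)."""
    data, fips = parse_view(data_text), parse_view(fips_text)
    report = {}
    for disk, (mode, data_key) in data.items():
        keys = {"data AK": data_key, "FIPS AK": fips.get(disk, (mode, MSID))[1]}
        reasons = [f"{name} is MSID or null" for name, k in keys.items() if k in ("", MSID)]
        # Assumption: with both AKs set, a non-full mode points at the power-on lock control.
        if mode != "full":
            report[disk] = (mode, reasons or ["both AKs set: verify -is-power-on-lock-enabled"])
    return report

if __name__ == "__main__":
    for disk, (mode, reasons) in audit(DATA_VIEW, FIPS_VIEW).items():
        print(f"{disk:8}{mode:5}{'; '.join(reasons)}")
```
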

The following command displays the individual fields for disk 1.10.1:

cluster1::> storage encryption disk show -disk 1.10.1
                                      Disk Name: 1.10.1
                                 Container Name: aggr0
                                 Container Type: shared
                         Is SED FIPS-certified?: true
  Key ID of the Current Data Authentication Key: 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
  Key ID of the Current FIPS Authentication Key: 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
           Is Power-On Lock Protection Enabled?: true
Mode of SED Data and FIPS-Compliance Protection: open