storage encryption disk show
Display self-encrypting disk attributes
Availability: This command is available to cluster administrators at the admin privilege level.
Description
The storage encryption disk show command displays information about encrypting drives. When no parameters are specified, the command displays the following information about all encrypting drives:
- Disk name
- The protection mode of the device
- The key ID associated with the data authentication key ("data AK")
In MetroCluster systems, the information is valid from the cluster that owns the drive, or from the DR cluster when in switchover mode. If information is not available, perform the show command from the cluster partner.
You can use the following parameters together with the -disk parameter to narrow the selection of displayed drives or the information displayed about them.
Parameters
{ [-fields <fieldname>,…]
  If you specify the -fields <fieldname>,… parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.
| [-fips]
  If you specify this parameter, the command displays the key ID associated with the FIPS-compliance authentication key ("FIPS AK") instead of the data key ID.
| [-instance] }
  If you specify this parameter, the command displays detailed disk information about all disks, or only those specified by a -disk parameter.
[-disk <disk path name>] - Disk Name
  If you specify this parameter, the command displays information about the specified disks. If you specify a single disk path name, the output is the same as when you use the -instance parameter. See the man page for the storage disk modify command for information about disk-naming conventions. Default is all self-encrypting disks.
[-container-name <text>] - Container Name
  This parameter specifies the container name associated with an encrypting drive. If you specify an aggregate name or other container name, only the encrypting drives in that container are displayed. See the man page for the storage disk show command for a description of the container name. Use the storage aggregate show-status and storage disk show commands to determine which aggregates the drives are in.
[-container-type {aggregate | broken | foreign | labelmaint | maintenance | mediator | remote | shared | spare | unassigned | unknown | unsupported}] - Container Type
  This parameter specifies the container type associated with an encrypting drive. If you specify a container type, only the drives with that container type are displayed. See the man page for the storage disk show command for a description of the container type.
[-data-key-id <text>] - Key ID of the Current Data Authentication Key
  This parameter specifies the key ID associated with the data AK that the encrypting drive requires for authentication with its data-protection authorities. The special key ID 0x0 indicates that the current data AK of the drive is the default manufacture secure ID (MSID), which is not secret. Some devices employ an initial null default AK that appears as a blank data-key-id; you cannot specify a null data-key-id value. To properly protect data at rest on the device, modify the data AK using a key ID that is not a default value (MSID or null). When you modify the data AK with a non-MSID key ID, the system automatically sets the device's power-on lock enable control so that authentication with the data AK is required after a device power-cycle. Use storage encryption disk modify -data-key-id key-id to protect the data. Use storage encryption disk modify -fips-key-id key-id to place the drives into FIPS-compliance mode.
[-fips-key-id <text>] - Key ID of the Current FIPS Authentication Key
  This parameter specifies the key ID associated with the FIPS authentication key ("FIPS AK") that the system must use to authenticate with FIPS-compliance authorities in FIPS-certified drives. This parameter may not be set to a non-MSID value in drives that are not FIPS-certified.
[-is-power-on-lock-enabled {true|false}] - Is Power-On Lock Protection Enabled?
  This parameter specifies the state of the control that determines whether the encrypting drive requires authentication with the data AK after a power-cycle. The system enables this control parameter automatically when you use the storage encryption disk modify -data-key-id command to set the data AK to a value other than the default AK. Data is protected only when this parameter is true and the data AK is not a default. Compare with the values of the -protection-mode parameter below.
[-protection-mode <text>] - Mode of SED Data and FIPS-Compliance Protection
  The protection mode that the drive is in:
  - open - data is unprotected; drive is not in FIPS-compliance mode
  - data - data is protected; drive is not in FIPS-compliance mode
  - part - data is unprotected; drive is otherwise in FIPS-compliance mode
  - full - data is protected; drive is in FIPS-compliance mode
  - miss - protection mode information is not available
[-type {ATA | BSAS | FCAL | FSAS | LUN | MSATA | SAS | SSD | VMDISK | SSD-NVM | SSD-CAP | SSD-ZNS | VMLUN | VMLUN-SSD}] - Disk Type
  This parameter selects the drive type to include in the output.
[-control-standard <text>] - Control Standard
  This parameter specifies the industry standard for control of encrypting drives that the drive implements.
[-compliance-standard <text>] - Compliance Standard
  This parameter specifies the industry compliance standard, if any, that the drive is certified as adhering to.
[-overall-security <text>] - Overall Security
  This parameter specifies the drive's certified security level as defined in the compliance standard, if the drive is certified to a compliance standard.
Examples
The following command displays information about all encrypting drives:
cluster1::> storage encryption disk show
Disk    Mode Data Key ID
------- ---- -----------------------------------------------------------------
0.0.0   open 0x0
0.0.1   part 0x0
0.0.2   data 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
1.10.0  open 0A53ED2A000000000100000000000000BEDC1B27AD3F0DB8891375AED2F34D0B
1.10.1  part 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
1.10.2  full 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
[...]
Note in the example that only disk 1.10.2 is fully protected, with FIPS mode, power-on lock enabled, and an AK that is not the default MSID or a null key.
The following command displays information about the protection mode and FIPS key ID for all encrypting drives:
cluster1::> storage encryption disk show -fips
Disk    Mode FIPS-Compliance Key ID
------- ---- -----------------------------------------------------------------
0.0.0   open 0x0
0.0.1   part 0A53ED2A000000000100000000000000C1B27AD3F0DB8891375AED2F34D0BBED
0.0.2   data 0x0
1.10.0  open 0A53ED2A000000000100000000000000BEDC1B27AD3F0DB8891375AED2F34D0B
1.10.1  part 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
1.10.2  full 0A9C9CFC000000000100000000000000BEDC1B27AD3F0DB8891375AED2F34D0B
[...]
Note again that only disk 1.10.2 is fully protected with FIPS-compliance mode set, power-on-lock enabled, and a data AK that is not the default MSID or a null key.
The following command displays the individual fields for disk 1.10.2:
cluster1::> storage encryption disk show -disk 1.10.2
Disk Name: 1.10.2
Container Name: aggr0
Container Type: shared
Is Drive FIPS-certified?: true
Key ID of the Current Data Authentication Key: 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
Key ID of the Current FIPS Authentication Key: 0A9C9CFC000000000100000000000000BEDC1B27AD3F0DB8891375AED2F34D0B
Is Power-On Lock Protection Enabled?: true
Mode of Data and FIPS-Compliance Protection: full
Drive Type: SSD
Control Standard: TCG Enterprise
Compliance Standard: FIPS 140-2
Overall Security: Level 2
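The examples above show what a fleet-wide and a per-disk view look like, but the man page leaves it to the reader to pick out which drives are actually protected. The following Python script is an added example, not NetApp's code or part of this man page: it parses the tabular Disk / Mode / Key ID output (the same parser serves the default and -fips views, which share a column layout) and the per-disk "Label: value" output, then reports every drive whose data at rest is unprotected according to the rules the page states: modes open and part leave data unprotected, miss means the mode could not be read, and a data AK key ID of 0x0 (MSID) or blank (null) is a default that protects nothing. The sample outputs are constructed from the page's own examples; the row for disk 1.10.3 is an added, constructed drive that reports a null key ID so that the blank case is exercised.

```python
"""Audit helpers for `storage encryption disk show` output (added example,
not NetApp's code). Parses the tabular view and the per-disk view from the
man page examples and flags drives that fall short of full protection.
Sample outputs are constructed from the page; disk 1.10.3 is an added,
constructed row that reports a null (blank) key ID.
"""
from dataclasses import dataclass

MSID_KEY_ID = "0x0"   # default manufacture secure ID: not secret, so not protective
VALID_MODES = {"open", "data", "part", "full", "miss"}

SAMPLE_DATA_VIEW = """\
cluster1::> storage encryption disk show
Disk    Mode Data Key ID
------- ---- -----------------------------------------------------------------
0.0.0   open 0x0
0.0.1   part 0x0
0.0.2   data 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
1.10.0  open 0A53ED2A000000000100000000000000BEDC1B27AD3F0DB8891375AED2F34D0B
1.10.1  part 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
1.10.2  full 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
1.10.3  open
"""

SAMPLE_INSTANCE_VIEW = """\
cluster1::> storage encryption disk show -disk 1.10.2
Disk Name: 1.10.2
Is Drive FIPS-certified?: true
Key ID of the Current Data Authentication Key: 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
Is Power-On Lock Protection Enabled?: true
Mode of Data and FIPS-Compliance Protection: full
"""


@dataclass(frozen=True)
class SedRow:
    disk: str
    mode: str
    key_id: str   # "" when the drive reports a null (blank) key ID


def is_default_key(key_id: str) -> bool:
    """True for the two defaults the man page names: MSID (0x0) or null (blank)."""
    return key_id in ("", MSID_KEY_ID)


def parse_show_output(text: str) -> list[SedRow]:
    """Parse the tabular view (default or -fips); both share the column layout."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "::>" in line or fields[0] in ("Disk", "[...]") or line.startswith("---"):
            continue   # blank line, prompt, header, truncation marker, rule
        if len(fields) < 2 or fields[1] not in VALID_MODES:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append(SedRow(fields[0], fields[1], fields[2] if len(fields) > 2 else ""))
    return rows


def audit_rows(rows: list[SedRow], require_fips: bool = False) -> dict[str, list[str]]:
    """Map each drive with a finding to its reasons; drives with no finding are absent."""
    findings: dict[str, list[str]] = {}
    for row in rows:
        reasons = []
        if row.mode in ("open", "part"):
            reasons.append(f"data at rest is unprotected (mode {row.mode})")
        elif row.mode == "miss":
            reasons.append("protection mode unavailable; run show from the partner cluster")
        elif row.mode == "data" and require_fips:
            reasons.append("data protected but drive is not in FIPS-compliance mode")
        if is_default_key(row.key_id):
            reasons.append("AK is a default key ID (MSID or null)")
        if reasons:
            findings[row.disk] = reasons
    return findings


def parse_instance_output(text: str) -> dict[str, str]:
    """Parse the per-disk view: one 'Label: value' pair per line, prompt skipped."""
    record = {}
    for line in text.splitlines():
        if "::>" in line or ":" not in line:
            continue
        label, _, value = line.partition(":")
        record[label.strip()] = value.strip()
    return record


def full_protection_gaps(record: dict[str, str]) -> list[str]:
    """List what keeps a drive short of 'fully protected' as the page defines it:
    mode full, power-on lock enabled, non-default data AK. Empty means compliant."""
    gaps = []
    if record.get("Mode of Data and FIPS-Compliance Protection") != "full":
        gaps.append("protection mode is not full")
    if record.get("Is Power-On Lock Protection Enabled?") != "true":
        gaps.append("power-on lock protection is not enabled")
    if is_default_key(record.get("Key ID of the Current Data Authentication Key", "")):
        gaps.append("data AK is a default key ID (MSID or null)")
    return gaps


if __name__ == "__main__":
    for disk, reasons in sorted(audit_rows(parse_show_output(SAMPLE_DATA_VIEW)).items()):
        print(disk, "->", "; ".join(reasons))
    print("1.10.2 gaps:", full_protection_gaps(parse_instance_output(SAMPLE_INSTANCE_VIEW)))
```

Run against the page's sample, the audit lists 0.0.0, 0.0.1, 1.10.0, 1.10.1 and the constructed 1.10.3, and reports no gaps for 1.10.2, matching the note under the first example. Pass require_fips=True when the policy is that every drive must also be in FIPS-compliance mode; mode data (0.0.2) is then reported as well. A missing value in the per-disk view is treated as a gap rather than as compliant, so a truncated or partially readable record never passes silently.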