Return a FIPS drive or SED to unprotected mode

Contributors

A FIPS drive or SED is protected from unauthorized access only if the authentication key ID for the node is set to a value other than the default. You can return a FIPS drive or SED to unprotected mode by using the storage encryption disk modify command to set the key ID to the default.

What you’ll need

You must be a cluster administrator to perform this task.

Steps
  1. Set the privilege level to advanced:

    set -privilege advanced

  2. If a FIPS drive is running in FIPS-compliance mode, set the FIPS authentication key ID for the node back to the default MSID 0x0:

    storage encryption disk modify -disk disk_id -fips-key-id 0x0

    You can use the security key-manager query command to view key IDs.

    cluster1::> storage encryption disk modify -disk 2.10.11 -fips-key-id 0x0
    
    Info: Starting modify on 14 disks.
          View the status of the operation by using the
          storage encryption disk show-status command.
  3. Set the data authentication key ID for the node back to the default MSID 0x0:

    storage encryption disk modify -disk disk_id -data-key-id 0x0

    The value of -data-key-id should be set to 0x0 whether you are returning a SAS or NVMe drive to unprotected mode.

    You can use the security key-manager query command to view key IDs.

    cluster1::> storage encryption disk modify -disk 2.10.11 -data-key-id 0x0
    
    Info: Starting modify on 14 disks.
          View the status of the operation by using the
          storage encryption disk show-status command.