Sanitize a FIPS drive or SED

Contributors

If you want to make data on a FIPS drive or SED permanently inaccessible, and use the drive for new data, you can use the storage encryption disk sanitize command to sanitize the drive.

What you’ll need

You must be a cluster administrator to perform this task.

About this task

When you sanitize a self-encrypting drive, the system changes the disk encryption key to a new random value, resets the power-on lock state to false, and sets the key ID to a default value, either the manufacturer secure ID 0x0 (SAS drives) or a null key (NVMe drives). Doing so renders the data on the disk inaccessible and impossible to retrieve. You can reuse sanitized disks as non-zeroed spare disks.

Steps
  1. Migrate any data that needs to be preserved to an aggregate on another disk.

  2. Delete the aggregate on the FIPS drive or SED to be sanitized:

    storage aggregate delete -aggregate aggregate_name

    For complete command syntax, see the man page.

    cluster1::> storage aggregate delete -aggregate aggr1
  3. Identify the disk ID for the FIPS drive or SED to be sanitized:

    storage encryption disk show

    For complete command syntax, see the man page.

    cluster1::> storage encryption disk show
    Disk    Mode Data Key ID
    -----   ---- ----------------------------------------------------------------
    0.0.0   data F1CB30AFF1CB30B00101000000000000A68B167F92DD54196297159B5968923C
    0.0.1   data F1CB30AFF1CB30B00101000000000000A68B167F92DD54196297159B5968923C
    1.10.2  data F1CB30AFF1CB30B00101000000000000CF0EFD81EA9F6324EA97B369351C56AC
    [...]
  4. Sanitize the drive:

    storage encryption disk sanitize -disk disk_id

    You can use this command to sanitize hot spare or broken disks only. To sanitize all disks regardless of type, use the -force-all-state option. For complete command syntax, see the man page.

    Note

    You are prompted to enter a confirmation phrase before continuing. Enter the phrase exactly as shown on the screen.

    cluster1::> storage encryption disk sanitize -disk 1.10.2
    
    Warning: This operation will cryptographically sanitize 1 spare or broken self-encrypting disk on 1 node.
             To continue, enter sanitize disk: sanitize disk
    
    Info: Starting sanitize on 1 disk.
          View the status of the operation using the
          storage encryption disk show-status command.