Sanitize a FIPS drive or SED

Contributors: netapp-ahibbard, netapp-thomi, netapp-aherbin

If you want to make data on a FIPS drive or SED permanently inaccessible, and use the drive for new data, you can use the storage encryption disk sanitize command to sanitize the drive.

About this task

When you sanitize a self-encrypting drive, the system changes the disk encryption key to a new random value, resets the power-on lock state to false, and sets the key ID to a default value, either the manufacturer secure ID 0x0 (SAS drives) or a null key (NVMe drives). Doing so renders the data on the disk inaccessible and impossible to retrieve. You can reuse sanitized disks as non-zeroed spare disks.

Before you begin

You must be a cluster administrator to perform this task.

Steps
  1. Migrate any data that needs to be preserved to an aggregate on another disk.

  2. Delete the aggregate on the FIPS drive or SED to be sanitized:

    storage aggregate delete -aggregate aggregate_name

    For complete command syntax, see the man page.

    cluster1::> storage aggregate delete -aggregate aggr1

  3. Identify the disk ID for the FIPS drive or SED to be sanitized:

    storage encryption disk show -fields data-key-id,fips-key-id,owner

    For complete command syntax, see the man page.

    cluster1::> storage encryption disk show
    Disk    Mode Data Key ID
    -----   ---- ----------------------------------------------------------------
    0.0.0   data F1CB30AFF1CB30B00101000000000000A68B167F92DD54196297159B5968923C
    0.0.1   data F1CB30AFF1CB30B00101000000000000A68B167F92DD54196297159B5968923C
    1.10.2  data F1CB30AFF1CB30B00101000000000000CF0EFD81EA9F6324EA97B369351C56AC
    [...]

  4. If a FIPS drive is running in FIPS-compliance mode, set the FIPS authentication key ID for the node back to the default MSID 0x0:

    storage encryption disk modify -disk disk_id -fips-key-id 0x0

    You can use the security key-manager query command to view key IDs.

    cluster1::> storage encryption disk modify -disk 1.10.2 -fips-key-id 0x0
    
    Info: Starting modify on 1 disk.
          View the status of the operation by using the
          storage encryption disk show-status command.

  5. Sanitize the drive:

    storage encryption disk sanitize -disk disk_id

    You can use this command to sanitize hot spare or broken disks only. To sanitize all disks regardless of type, use the -force-all-state option. For complete command syntax, see the man page.

    Note: ONTAP will prompt you to enter a confirmation phrase before continuing. Enter the phrase exactly as shown on the screen.

    cluster1::> storage encryption disk sanitize -disk 1.10.2
    
    Warning: This operation will cryptographically sanitize 1 spare or broken self-encrypting disk on 1 node.
             To continue, enter sanitize disk: sanitize disk
    
    Info: Starting sanitize on 1 disk.
          View the status of the operation using the
          storage encryption disk show-status command.

  6. Unfail the sanitized disk:

    storage disk unfail -spare true -disk disk_id

  7. Check whether the disk has an owner:

    storage disk show -disk disk_id

    If the disk does not have an owner, assign one:

    storage disk assign -owner node -disk disk_id

  8. Enter the nodeshell for the node that owns the disks you want to sanitize:

    system node run -node node_name

    Run the disk sanitize release command.

  9. Exit the nodeshell and unfail the disk again:

    storage disk unfail -spare true -disk disk_id

  10. Verify that the disk is now a spare and ready to be reused in an aggregate:

    storage disk show -disk disk_id
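A small verification helper to go with the procedure above, added here as an example and not part of the NetApp documentation or of ONTAP itself: it parses the tabular output of storage encryption disk show (the Disk / Mode / Data Key ID columns shown in step 3) and reports which disks still carry a non-default data key ID, so you can confirm that a sanitized SAS drive has actually been reset to the MSID 0x0 described under "About this task". The sample output is constructed; that a reset drive is listed with a key ID of "0x0" is an assumption about the display, and the NVMe null-key rendering is not covered.

```python
import re

# Constructed sample of `storage encryption disk show` output, modelled on the
# page's listing. The long key IDs are hypothetical. Showing "0x0" for a
# sanitized SAS drive is an ASSUMPTION about how ONTAP displays the MSID.
SAMPLE_SHOW_OUTPUT = """\
cluster1::> storage encryption disk show
Disk    Mode Data Key ID
-----   ---- ----------------------------------------------------------------
0.0.0   data F1CB30AFF1CB30B00101000000000000A68B167F92DD54196297159B5968923C
0.0.1   data F1CB30AFF1CB30B00101000000000000A68B167F92DD54196297159B5968923C
1.10.2  data 0x0
[...]
"""

# Key IDs the page describes as "default" after sanitize. Only the SAS MSID is
# listed; the NVMe null-key representation is not known from the page.
DEFAULT_KEY_IDS = {"0x0"}

# A data row: disk ID starting with a digit (e.g. 1.10.2), a mode, a key ID.
# Header, separator, prompt, blank and "[...]" lines do not match this pattern.
DISK_ROW = re.compile(r"^(\d[\w.]*)\s+(\S+)\s+(\S+)$")


def parse_disk_show(text):
    """Return {disk_id: (mode, data_key_id)} from the tabular show output."""
    disks = {}
    for line in text.splitlines():
        m = DISK_ROW.match(line.strip())
        if m:
            disk_id, mode, key_id = m.groups()
            disks[disk_id] = (mode, key_id)
    return disks


def disks_still_keyed(text):
    """Disks whose data key ID is not a default value: their data is still
    protected by a live key, so sanitize has not run or has not completed."""
    return sorted(d for d, (_, key) in parse_disk_show(text).items()
                  if key not in DEFAULT_KEY_IDS)


def sanitize_complete(text, disk_id):
    """True only when disk_id is listed and shows a default key ID."""
    entry = parse_disk_show(text).get(disk_id)
    return entry is not None and entry[1] in DEFAULT_KEY_IDS
```

Feed it the real show output captured after step 5 and check the disk you sanitized; any disk returned by disks_still_keyed still holds a live key.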