
Dell PowerVault ME5 Series Administrator's Guide

Full disk encryption

Full Disk Encryption (FDE) is a method by which you can secure the data residing on the disks. It uses self-encrypting drives (SED), which are also referred to as FDE-capable disks. When secured and removed from a secured system, FDE-capable disks cannot be read by other systems.

The ability to secure a disk and system relies on passphrases and lock keys. A passphrase is a user-created password that allows users to manage lock keys. You can enable FDE protection by setting the FDE passphrase the system uses to write to and read from FDE-capable disks (Settings > System > Security). From the passphrase, the system generates the lock key ID that is used to secure the FDE-capable disks. If the system is unable to interpret the lock key on the FDE-capable disk, the encrypted data on the disk is inaccessible.

NOTE: Be sure to record the passphrase as it cannot be recovered if lost.

A lock key is generated by the system, based upon the passphrase, and manages the encryption and decryption of data on the disks. A lock key is persisted on the storage system and is not available outside the storage system.

Data that was present on the system before it was secured is accessible in the same way it was when the system was unsecured. However, if a disk is transferred to an unsecured system or a system with a different passphrase, the data is not accessible.

Clearing the lock keys and power cycling the system denies access to data on the disks. Clear lock keys only when the system will not be under your physical control.

If the lock keys are cleared while the system is secured, the system will enter the FDE lock-ready state, in preparation for the system being powered down and transported. After the system has been transported and powered up, the system and disks will enter the secured, locked state; disks will be in the UNUSABLE state. Pools and disk-groups will be unavailable. All data on the disks is inaccessible until the system is secured with the original passphrase and lock key ID.

A system and the FDE-capable disks in the system are initially unsecured but can be secured at any point. Until the system is secured, FDE-capable disks function exactly like disks that do not support FDE.

FDE operates on a per-system basis, not a per-disk group basis. To use FDE, all disks in the system must be FDE-capable.

CAUTION: Do not change FDE configuration settings while running I/O. Temporary data unavailability may result, and the proper setting of lock keys from the passphrase could potentially be impacted.

Secured disks and systems can be repurposed. You can repurpose a system to erase all data on the system and return its FDE state to unsecured. You can repurpose a disk that is no longer part of a disk group. After a disk is repurposed in a secured system, the disk is secured using the system lock key ID and the new encryption key on the disk, making the disk usable to the system. Repurposing a disk in an unsecured system removes all associated lock keys and makes that disk available to any system.

CAUTION: Repurposing a disk changes the encryption key on the disk and effectively deletes all data on the disk. Repurpose a disk only if you no longer need the data on the disk.

NOTE: If you insert an FDE disk into a secured system and the disk does not come up in the expected state, perform a manual rescan. See Rescanning disks.
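
The FDE states and transitions described in this topic can be checked against a small model. The following is an added illustration, not Dell code or an ME5 interface: the class and method names are hypothetical, and the SHA-256 lock key ID derivation is a stand-in assumption because the guide does not describe the real algorithm.

```python
import hashlib

def lock_key_id(passphrase: str) -> str:
    # Stand-in derivation (assumption); the page does not give the real algorithm.
    return hashlib.sha256(passphrase.encode()).hexdigest()[:8]

class Disk:
    def __init__(self, data="payload"):
        self.key_id = None   # lock key ID securing this disk; None = unsecured
        self.data = data

class System:
    def __init__(self, disks=()):
        self.disks, self.key_id, self.state = list(disks), None, "unsecured"

    def secure(self, passphrase):
        # Setting the passphrase secures the system and every disk in it.
        self.key_id = lock_key_id(passphrase)
        for d in self.disks:
            d.key_id = self.key_id
        self.state = "secured"

    def clear_lock_keys(self):
        if self.state == "secured":
            self.state = "lock-ready"        # still readable until power cycle

    def power_cycle(self):
        if self.state == "lock-ready":
            self.state = "secured, locked"   # disks now report UNUSABLE

    def unlock(self, passphrase):
        # Only the original passphrase reproduces the original lock key ID.
        if self.state == "secured, locked" and lock_key_id(passphrase) == self.key_id:
            self.state = "secured"
        return self.state == "secured"

    def readable(self, disk):
        if self.state == "secured, locked":
            return False
        return disk.key_id is None or disk.key_id == self.key_id

    def repurpose(self, disk):
        # New encryption key on the disk: old data is gone, disk adopts this
        # system's lock key ID (None when the system is unsecured).
        disk.data, disk.key_id = None, self.key_id
        if disk not in self.disks:
            self.disks.append(disk)
```
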
