File and Object Storage

 View Only

Self-encrypting drive support by ECE from IBM Scale

By Ravindra Sure posted Thu February 08, 2024 01:05 AM


The  blog on  Self-Encrypting Drive Support in ESS  provides overview of SED support and its enablement on IBM Storage Scale systems also known as ESS systems. The IBM Scale Erasure Code Edition (ECE) supports SED support  from IBM Storage Scale . The ECE supports SED only on Recovery Groups with SED capable NVMe drives. If any NVMe drive of Recovery Group is either under MegaRAID controller or not SED capable then SED support can't be enabled for that Recovery Group.

Before enabling SED support, the Remote Key Manager (RKM) server must be setup and it's backup servers also must be setup to restore  RKM server when the recovery is needed. Once RKM server is setup  the Master Encryption Key (MEK) also called Authentication Key (AK) needs to be configured on RKM  servers using mmkeyserv command. See the mmkeyserv command for more details.

Enabling SED support on ECE Recovery Group

The SED support can be enabled on ECE Recovery Group when all the drives of the Recovery Group are in OK state using the mmvdisk sed enroll command as shown below.

# mmvdisk sed enroll --recovery-group <rg_name> --rkmid <RkmId> --key-uuid <KeyId>

Where <rg_name>, <RkmId> and <keyId>  are the Recovery Group name, RKM Id and new MEK Id's respectively.

Once SED support is enabled for a ECE Recovery Group, it can't  be disabled. The only way to disable the SED support is by recreating the Recovery Group. The recreation of the Recovery Group crypto-erases all the drives of Recovery Group which destroy the data on the drives.

The mmvdisk sed enroll command can also be used for enabling SED support on live Recovery Group which already has data and File Systems without affecting the data and IO operations on the Recovery Group. 

Changing the Master Encryption Key on ECE Recovery Group

Once SED support is enabled based on some polices of the Organization the MEK may needs to be changed periodically. Similarly if MEK is compromised,  it is required to change the MEK for all the drives of Recovery Group. This can be done by running the mmvdisk sed rekey command as shown below.

# mmvdisk sed rekey --recovery-group <RgName> --rkmid <RkmId> --key-uuid <New_KeyId>

Where <RgName>, <RkmId> and <new_keyId>  are the Recovery Group name, RKM Id and new MEK Id's respectively.

The details of mmvdisk sed command to manage and monitor  the SED support on ECE system can be found here.