The blog on Self-Encrypting Drive Support in ESS 188.8.131.52 gives an overview of SED support and how it is enabled on IBM Elastic Storage System (ESS) systems, which run IBM Storage Scale. IBM Storage Scale Erasure Code Edition (ECE) supports SED starting with IBM Storage Scale 184.108.40.206. ECE supports SED only on Recovery Groups whose NVMe drives are all SED capable. If any NVMe drive of a Recovery Group is either behind a MegaRAID controller or not SED capable, SED support cannot be enabled for that Recovery Group.
Before enabling SED support, the Remote Key Manager (RKM) server must be set up, together with its backup servers, so that the RKM server can be restored when recovery is needed. Once the RKM server is set up, the Master Encryption Key (MEK), also called the Authentication Key (AK), must be configured on the RKM servers using the mmkeyserv command. See the mmkeyserv command documentation for details.
SED support can be enabled on an ECE Recovery Group only when all the drives of the Recovery Group are in the OK state, using the mmvdisk sed enroll command as shown below.
# mmvdisk sed enroll --recovery-group <rg_name> --rkmid <RkmId> --key-uuid <KeyId>
Where <rg_name>, <RkmId> and <KeyId> are the Recovery Group name, the RKM Id and the MEK Id respectively.
Once SED support is enabled for an ECE Recovery Group, it cannot be disabled. The only way to remove SED support is to recreate the Recovery Group, and recreating the Recovery Group crypto-erases all of its drives, which destroys the data on them.
The mmvdisk sed enroll command can also be used to enable SED support on a live Recovery Group that already holds data and file systems, without affecting the data or the I/O operations on the Recovery Group.
Once SED support is enabled, organizational policy may require the MEK to be changed periodically. Likewise, if the MEK is compromised, the MEK for all the drives of the Recovery Group must be changed. This is done by running the mmvdisk sed rekey command as shown below.
# mmvdisk sed rekey --recovery-group <RgName> --rkmid <RkmId> --key-uuid <New_KeyId>
Where <RgName>, <RkmId> and <New_KeyId> are the Recovery Group name, the RKM Id and the new MEK Id respectively.
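The following wrapper script is an added example and is not IBM's code or part of the original post. It strings the two operator steps above together: it gates mmvdisk sed enroll on the stated precondition that every drive of the Recovery Group is in the OK state (enrollment is irreversible, so the check is worth automating), and it adds a guard to mmvdisk sed rekey so that a "rotation" which reuses the current key UUID is refused. It assumes the mmvdisk sed enroll and rekey syntax quoted above, the usual IBM Storage Scale command path /usr/lpp/mmfs/bin/mmvdisk, and that `mmvdisk pdisk list --recovery-group <rg>` prints one row per pdisk that begins with the Recovery Group name and ends with the pdisk state column (lower-case "ok" when healthy). That output layout is an assumption to verify on your release; the sample rows embedded in the script are constructed, not captured output.

```shell
#!/bin/sh
# Added example (not IBM's code): operator wrapper for the ECE SED enroll and
# rekey steps. ASSUMPTIONS: mmvdisk lives at /usr/lpp/mmfs/bin/mmvdisk, and
# `mmvdisk pdisk list --recovery-group <rg>` prints one row per pdisk starting
# with the RG name and ending with the pdisk state ("ok" when healthy).

MMVDISK="${MMVDISK:-/usr/lpp/mmfs/bin/mmvdisk}"

# all_pdisks_ok <rg>: read pdisk-list text on stdin. Succeed only if at least
# one pdisk row for <rg> was seen AND every such row's last column is "ok".
# Requiring at least one row means a failed or empty listing cannot pass.
all_pdisks_ok() {
    rg="$1"; seen=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            "$rg "*) seen=$((seen + 1)) ;;   # data row for this recovery group
            *) continue ;;                   # header, separator or blank line
        esac
        state=$(printf '%s\n' "$line" | awk '{print $NF}')
        [ "$state" = "ok" ] || { echo "pdisk not OK: $line" >&2; bad=1; }
    done
    [ "$seen" -gt 0 ] || { echo "no pdisk rows found for $rg" >&2; return 2; }
    return "$bad"
}

# enroll_cmd / rekey_cmd <rg> <rkmid> <key-uuid>: print the exact command line
# (syntax from the post) for logging or review before it is executed.
enroll_cmd() {
    printf '%s sed enroll --recovery-group %s --rkmid %s --key-uuid %s\n' "$MMVDISK" "$1" "$2" "$3"
}
rekey_cmd() {
    printf '%s sed rekey --recovery-group %s --rkmid %s --key-uuid %s\n' "$MMVDISK" "$1" "$2" "$3"
}

# sed_enroll <rg> <rkmid> <key-uuid>: refuse unless every pdisk of <rg> is OK,
# because enrollment cannot be undone without crypto-erasing the drives.
sed_enroll() {
    [ $# -eq 3 ] || { echo "usage: sed_enroll <rg> <rkmid> <key-uuid>" >&2; return 1; }
    "$MMVDISK" pdisk list --recovery-group "$1" | all_pdisks_ok "$1" || {
        echo "refusing to enroll $1: pdisk state check failed" >&2; return 1; }
    echo "running: $(enroll_cmd "$1" "$2" "$3")" >&2
    "$MMVDISK" sed enroll --recovery-group "$1" --rkmid "$2" --key-uuid "$3"
}

# sed_rekey <rg> <rkmid> <new-key-uuid> [current-key-uuid]: rotate the MEK.
# If the operator supplies the current UUID, a rekey to the same UUID is refused.
sed_rekey() {
    [ $# -ge 3 ] || { echo "usage: sed_rekey <rg> <rkmid> <new-key-uuid> [current-key-uuid]" >&2; return 1; }
    [ -z "${4:-}" ] || [ "$3" != "$4" ] || {
        echo "refusing rekey of $1: new key UUID equals the current key UUID" >&2; return 1; }
    echo "running: $(rekey_cmd "$1" "$2" "$3")" >&2
    "$MMVDISK" sed rekey --recovery-group "$1" --rkmid "$2" --key-uuid "$3"
}

# Constructed samples of the ASSUMED `mmvdisk pdisk list` layout (not real output).
SAMPLE_OK='recovery group  pdisk      array  paths  state
--------------  ---------  -----  -----  -----
rg1             n001p001   DA1    2      ok
rg1             n002p001   DA1    2      ok'
SAMPLE_BAD='recovery group  pdisk      array  paths  state
--------------  ---------  -----  -----  -----
rg1             n001p001   DA1    2      ok
rg1             n002p001   DA1    2      missing/noPath'

# demo: exercise the precheck against the constructed samples; needs no mmvdisk.
demo() {
    printf '%s\n' "$SAMPLE_OK"  | all_pdisks_ok rg1 && echo "sample 1: safe to enroll"
    printf '%s\n' "$SAMPLE_BAD" | all_pdisks_ok rg1 || echo "sample 2: do not enroll"
    echo "would run: $(enroll_cmd rg1 rkm1 KEY-UUID-1)"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `sh sed-wrapper.sh demo` to see the precheck accept the healthy sample and reject the one with a missing drive; source the file to use sed_enroll and sed_rekey against a real cluster. The precheck deliberately fails when no pdisk rows are found, so an mmvdisk error or a typo in the Recovery Group name cannot pass as "all drives OK".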
Details of the mmvdisk sed command for managing and monitoring SED support on an ECE system can be found in the mmvdisk sed command documentation.