IBM FlashSystem


FS7300 with FCM3 - encryption enablement with SEDs ?

  • 1.  FS7300 with FCM3 - encryption enablement with SEDs ?

    Posted Mon June 12, 2023 08:43 AM

    Hi,

    We have an FS7300 with 38.4TB FCM3 modules configured in a standard pool.

    As I understand these FCMs are self-encrypting and this encryption is always active.

    But the recommendation in the product guide is to also activate the encryption feature on the storage to allow locking the drives when the storage is powered off. If activating and enabling the encryption feature after initial setup, will this be enough to enable automatic locking and unlocking of the drives, or will the array containing the drives have to be destroyed and recreated with encryption enabled?



    ------------------------------
    Zaki Jääskeläinen
    ------------------------------


  • 2.  RE: FS7300 with FCM3 - encryption enablement with SEDs ?

    Posted Mon June 12, 2023 11:37 AM

    A related question: adding an encryption license to a pre-existing system with a standard pool containing an array with SEDs; creating an encrypted child pool in the non-encrypted parent pool is not possible when the pool uses SEDs?



    ------------------------------
    Zaki Jääskeläinen
    ------------------------------



  • 3.  RE: FS7300 with FCM3 - encryption enablement with SEDs ?

    Posted Tue June 13, 2023 07:28 AM

    Hello!  These are great questions.

    With regard to self-encryption: the SEDs are technically encrypted; however, in order to use a secure key you need to enable the encryption feature and create the arrays that use these drives as encrypted.

    You cannot enable encryption on pre-existing arrays; this is a creation-time-only setting on Virtualize hardware. So if you have already configured a pool and the array in it, you cannot then enable the SED function; you would need to migrate, recreate the arrays and then migrate back. See the IBM Documentation for how to create encrypted arrays: https://www.ibm.com/docs/en/flashsystem-7x00/8.5.x?topic=ce-creating-encrypted-array-1 (you'll note there is no charray option to change the state of encryption; it is a creation-time-only parameter).

    Please also be aware of our Security Red paper: https://www.redbooks.ibm.com/abstracts/redp5716.html

    I hope that helps.



    ------------------------------
    Evelyn Perez
    IBM Senior Technical Staff Member
    IBM Storage Virtualize Software Architect for SVC and FlashSystem
    ------------------------------



  • 4.  RE: FS7300 with FCM3 - encryption enablement with SEDs ?

    Posted Tue June 13, 2023 09:37 AM

    Hello Zaki-  

    The encryption is at the pool level, so it'd need to be destroyed. Also, the parent pool needs to be encrypted, so for your other question, it'd also need to be recreated.

    Bob Mayotte



    ------------------------------
    Bob Mayotte
    ------------------------------



  • 5.  RE: FS7300 with FCM3 - encryption enablement with SEDs ?

    Posted Tue June 13, 2023 09:41 AM

    Not entirely true - software-level encryption is at the pool; however, on the NVMe-based boxes with SEDs, we provide HW encryption on the RAID array level (hence the mkarray -encrypted option).



    ------------------------------
    Evelyn Perez
    IBM Senior Technical Staff Member
    IBM Storage Virtualize Software Architect for SVC and FlashSystem
    ------------------------------



  • 6.  RE: FS7300 with FCM3 - encryption enablement with SEDs ?

    Posted Wed June 14, 2023 09:25 AM

    Thank you for the answers.

    Luckily we have a few spares, so we can create a new temporary array and pool, migrate all volumes there and then recreate the main array with encryption.



    ------------------------------
    Zaki Jääskeläinen
    ------------------------------



  • 7.  RE: FS7300 with FCM3 - encryption enablement with SEDs ?

    Posted 29 days ago

    Hello,

    I have IBM FS7300 storage. The encryption license is activated, but I want to see whether the storage pool and MDisk are encrypted or not. Can anyone advise how we can confirm?

    Thanks & Regards

    HUJEFA



    ------------------------------
    Hujefa Garbadawala
    ------------------------------



  • 8.  RE: FS7300 with FCM3 - encryption enablement with SEDs ?

    Posted 29 days ago

    lsmdiskgrp will let you know if the pool is encrypted. If the pool is encrypted then all volumes are as well. Storage Virtualize doesn't do individual volumes.

     

    Ian Wright

    Systems Engineer – Storage, Automation, and Cloud

    301-514-0758

    ian.wright@mainline.com

     






  • 9.  RE: FS7300 with FCM3 - encryption enablement with SEDs ?

    Posted 27 days ago

    Hi

    Thanks for Support.



    ------------------------------
    Hujefa Garbadawala
    ------------------------------



  • 10.  RE: FS7300 with FCM3 - encryption enablement with SEDs ?

    Posted 29 days ago

    Hi Hujefa,

    From the GUI:

    Go to Pools, select the pool in question, then Actions and Properties. It will bring up the Properties modal (depending on version level it will look like this)

    Or you can do it from the CLI as per Ian's suggestion - (man lsmdiskgrp or lsmdiskgrp -help for more information on all the fields provided), or via the RestAPI (https://www.ibm.com/docs/en/flashsystem-7x00/8.7.x?topic=api-storage-virtualize-rest)

    I hope this helps!



    ------------------------------
    Evelyn Perez
    IBM Senior Technical Staff Member
    IBM Storage Virtualize Software Architect for SVC and FlashSystem
    ------------------------------
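
The CLI check suggested in the replies above, as an added example (not code from any poster or from IBM): it filters `lsmdiskgrp -delim :` output and lists every pool whose `encrypt` field is not `yes`. The sample rows are constructed and trimmed to a few columns, and the `<cluster>` host in the comment is a placeholder.

```shell
#!/bin/sh
# Added example: audit pool encryption from `lsmdiskgrp -delim :` output.
# The "encrypt" column is located by header name, not by fixed position,
# because the set of columns differs between code levels.

# unencrypted_pools: reads colon-delimited lsmdiskgrp output on stdin and
# prints the name of every pool whose encrypt field is not "yes".
# Exits 2 if the header row has no "name" or "encrypt" column.
unencrypted_pools() {
    awk -F: '
        NR == 1 {
            for (i = 1; i <= NF; i++) {
                if ($i == "name")    name_col = i
                if ($i == "encrypt") enc_col  = i
            }
            if (!name_col || !enc_col) { bad = 1; exit }
            next
        }
        NF > 0 && $enc_col != "yes" { print $name_col }
        END { if (bad) exit 2 }
    '
}

# Constructed sample (subset of the real columns, invented pool names).
SAMPLE_LSMDISKGRP='id:name:status:mdisk_count:vdisk_count:capacity:encrypt
0:Pool0:online:1:24:230.00TB:no
1:TempPool:online:1:0:76.00TB:yes
2:Pool0_child:online:0:3:10.00TB:no'

# Against a live system (placeholder host):
#   ssh superuser@<cluster> lsmdiskgrp -delim : | unencrypted_pools
printf '%s\n' "$SAMPLE_LSMDISKGRP" | unencrypted_pools
```

An empty result with exit status 0 means every listed pool reports `encrypt` as `yes`; exit status 2 means the header did not contain the expected columns, so the output should be inspected by hand.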



  • 11.  RE: FS7300 with FCM3 - encryption enablement with SEDs ?

    Posted 27 days ago

    Hi,

    Thanks for the reply.

    I have one more query: I am going to update the FCM code from 3_0_1 to 3_1_15. So I need to select FCM ---> Update ---> Test only, and once the test has completed successfully, I need to select Test & update for the FCM.

    I want advice: I have a total of 12 FCM drives installed on the FS7300 storage. Do I need to run the test for all 12 FCM drives? If yes, can I select all 12 FCM drives in one shot and run the test, and once the test is successful for all FCMs, select all 12 drives together and run the FCM Test & update option?

    Or would it be better to update the FCM drives one by one?

    The FS7300 is running code 7.5.0.3.

    Actually, this FCM code has not been updated for a very long time and it has passed 800 days. So I am going to power cycle the storage first and then I will do the FCM code update.

    Thanks & Regards

    HUJEFA



    ------------------------------
    Hujefa Garbadawala
    ------------------------------