3 terminology, 4 workflow, 1 enable security – Avago Technologies MegaRAID Fast Path Software User Manual

Page 48

LSI Corporation Confidential

|

July 2011

MegaRAID SAS Software User Guide

Chapter 3: SafeStore Disk Encryption

|

Terminology

3.3

Terminology

Table 19

describes the terminology related to the SafeStore encryption feature.

3.4

Workflow

3.4.1

Enable Security

You can enable security on the controller. After you enable security, you have the
option to create secure virtual drives using a security key.

There are three procedures you can perform to create secure virtual drives using a
security key:



Create the security key identifier



Create the security key



Create a password (optional)

3.4.1.1

Create the Security Key

Identifier

The security key identifier appears whenever you enter the security key. If you have
multiple security keys, the identifier helps you determine which security key to enter.
The controller provides a default identifier for you. You can use the default setting or
enter your own identifier.

Table 19: Terminology Used in FDE

Option

Description

Authenticated Mode

The RAID configuration is keyed to a user password. The password must be provided on system boot to
authenticate the user and facilitate unlocking the configuration for user access to the encrypted data.

Blob

A blob is created by encrypting a keys using another key. There are two types of blob in the system –
encryption key blob and security key blob.

Key backup

You need to provide the controller with a lock key if the controller is replaced or if you choose to migrate
secure virtual disks. To do this task, you must back up the security key.

Password

An optional authenticated mode is supported in which you must provide a password on each boot to
make sure the system boots only if the user is authenticated. Firmware uses the user password to encrypt
the security key in the security key blob stored on the controller.

Re-provisioning

Re-provisioning disables the security system of a device. For a controller, it involves destroying the
security key. For SafeStore encrypted drives, when the drive lock key is deleted, the drive is unlocked and
any user data on the drive is securely deleted. This situation does not apply to controller-encrypted drives,
because deleting the virtual disk destroys the encryption keys and causes a secure erase. See

Section 3.5,

Instant Secure Erase

, for information about the instant secure erase feature.

Security Key

A key based on a user-provided string. The controller uses the security key to lock and unlock access to the
secure user data. This key is encrypted into the security key blob and stored on the controller. If the
security key is unavailable, user data is irretrievably lost. You must take all precautions to never lose the
security key.

Un-Authenticated Mode

This mode allows controller to boot and unlock access to user configuration without user intervention. In
this mode, the security key is encrypted into a security key blob, stored on the controller, but instead of a
user password, an internal key specific to the controller is used to create the security key blob.

Volume Encryption Keys (VEK)

The controller uses the volume encryption keys to encrypt data when a controller-encrypted virtual disk is
created. These keys are not available to the user. The firmware uses a unique 512-bit key for each virtual
disk. The VEKs for the virtual disks are stored on the physical disks in a VEK blob.