Terminology; Workflow; Enable Security - Lenovo ThinkServer RD330 Software User's Manual

Chapter 3: SafeStore Disk Encryption
3.3

Terminology

Table 19: Terminology used in FDE
Option
Authenticated Mode
Blob
Key backup
Password
Re-provisioning
Security Key
Un-Authenticated Mode
Volume Encryption Keys (VEK)
3.4

Workflow

3.4.1

Enable Security

3.4.1.1 Create the Security Key
Identifier
3.4.1.2 Create the Security Key
Page 48
|
Terminology
Table 19
The RAID configuration is keyed to a user password. The password must be provided on system boot to
authenticate the user and facilitate unlocking the configuration for user access to the encrypted data.
A blob is created by encrypting a key(s) using another key. There are two types of blob in the system –
encryption key blob and security key blob.
You need to provide the controller with a lock key if the controller is replaced or if you choose to migrate
secure virtual disks. To do this, you must back up the security key.
An optional authenticated mode is supported in which you must provide a password on each boot to
make sure the system boots only if the user is authenticated. Firmware uses the user password to encrypt
the security key in the security key blob stored on the controller.
Re-provisioning disables the security system of a device. For a controller, it involves destroying the
security key. For SafeStore encrypted drives, when the drive lock key is deleted, the drive is unlocked and
any user data on the drive is securely deleted. This does not apply to controller-encrypted drives, because
deleting the virtual disk destroys the encryption keys and causes a secure erase. See
Secure Erase, for information about the instant secure erase feature.
A key based on a user-provided string. The controller uses the security key to lock and unlock access to the
secure user data. This key is encrypted into the security key blob and stored on the controller. If the
security key is unavailable, user data is irretrievably lost. You must take all precautions to never lose the
security key.
This mode allows controller to boot and unlock access to user configuration without user intervention. In
this mode, the security key is encrypted into a security key blob, stored on the controller, but instead of a
user password, an internal key specific to the controller is used to create the security key blob.
The controller uses the Volume Encryption Keys to encrypt data when a controller-encrypted virtual disk
is created. These keys are not available to the user. The firmware (FW) uses a unique 512-bit key for each
virtual disk. The VEK for the VDs are stored on the physical disks in a VEK blob.
You can enable security on the controller. After you enable security, you have the
option to create secure virtual drives using a security key.
There are three procedures you can perform to create secure virtual drives using a
security key:
 Create the security key identifier
 Create the security key
 Create a password (optional)
The security key identifier appears whenever you enter the security key. If you have
multiple security keys, the identifier helps you determine which security key to enter.
The controller provides a default identifier for you. You can use the default or enter your
own identifier.
You need to enter the security key to perform certain operations. You can choose a
strong security key that the controller suggests.
describes the terminology related to the SafeStore encryption feature.
Description
MegaRAID SAS Software User Guide
Section 3.5, Instant