The controller uses the Volume Encryption Keys (VEK) to encrypt data
when a controller-encrypted virtual disk is created. These keys are not
available to the user. The firmware uses a unique 512-bit key for each
virtual disk. The VEKs for the virtual disks are stored on the physical
drives in a VEK blob.
Note: For more information about Data Encryption terminology,
refer to the ServeRAID-MR Software User's Guide.
The Volume Encryption Key is used by physical drives in encrypted
volumes and has the following characteristics:
• The keys are used to encrypt written data and decrypt read data
• When the Volume Encryption Key is enabled, the controller encrypts
  written data and decrypts read data
• When the virtual disk is created without a Volume Encryption Key, it
  behaves like a regular virtual disk
• When the virtual disk is created with a Volume Encryption Key, it is
  known as a secure drive group
The controller uses the Security Key to lock and unlock access to the
secure user data. The Security Key has the following characteristics:
• The Security Key is generated by the user and stored in non-volatile
  synchronous random access memory (NVSRAM) in the controller
• To use the encryption feature, you have to use the Security Key; you
  can have a Security Key and still create or import unsecured virtual
  disks
• The Volume Encryption Keys of all secure disks connected to a
  ServeRAID-MR10is controller are protected by the same Security Key
• When the Security Key is enabled, secure disk groups can be
  created or imported
Other important points to note about Data Encryption are as follows:
• It is not possible to convert an encrypted volume group to a
  non-encrypted volume group or vice versa
• If you delete a secure virtual disk, the Volume Encryption Key is
  destroyed, and the data will be undecipherable and irretrievable