SED Management

• Security Policies for Self Encrypting Drives , on page 1

• Security Guidelines and Limitations for SED Management , on page 1

• Security Flags for Controller and Disk, on page 2

• Security Related Operations, on page 2

• Enabling Security on a Disk, on page 3

• Creating a Local Security Policy, on page 4

• Modifying the Security Policy from Local to Remote, on page 5

• Modifying the Security Key of a Local Security Policy, on page 6

Cisco UCS C-Series and S-Series servers.

SEDs are locked using a security key. The security key, which is also known as Key-Encryption Key or an

authentication passphrase, is used to encrypt the media encryption key. If the disk is not locked, no key is

required to fetch the data.

Cisco UCS Central enables you to configure security keys locally or remotely. When you configure the key

locally, you must remember the key. In case you forget the key, it cannot be retrieved and the data is lost.

You can configure the key remotely by using a key management server (also known as KMIP server). This

method addresses the issues related to safe-keeping and retrieval of the keys in the local management.

The encryption and decryption for SEDs is done through the hardware. Thus, it does not affect the overall

system performance. SEDs reduce the disk retirement and redeployment costs through instantaneous

• Storage operations get applied only when the server is powered on, and they do not trigger a server

reboot.

• A global service profile (GSP) with a security policy gets pushed to Cisco UCS Manager releases prior

to 3.1(3), and the security policies related operations are cleaned up and an unsecured LUN is created.

• A Cisco UCS Manager downgrade fails if a storage controller with Drive Security Enable is present in

the domain.

• A GSP association fails with a config-failure status/message if it is associated with an unsupported

server, or a supported server with unsupported firmware.

• A GSP association fails with a config-failure status/message if LUN security is set to Enabled

in the Disk Configuration Policy but if the Security policy is not created in the storage profile.

• Security Enable—Indicates that the security key is programmed on the controller, disk, or LUN, and

security is enabled on the device. This flag is set when you configure a security policy and associate it

to a server, making the controller and disk secure. This flag is not set on a Cisco HyperFlex device.

• Secured—Indicates that the security key is programmed on the disk, and security is enabled on the Cisco

HyperFlex device.

The following security flags are exclusive to storage disks:

• Locked—Indicates that the disk key does not match the key on the controller. This happens when you

move disks across servers that are programmed with different keys. The data on a locked disk is

inaccessible and the operating system cannot use the disk. To use this disk, you must either unlock the

disk or secure erase the foreign configuration.

servers. The following table lists the remote operations and their descriptions:

For more information about SED Management and security policies, see Cisco UCS Manager Storage

Management Guide.

Enabling Security on a Disk

UCSC(policy-mgr)# scope org org-name

UCSC(policy-mgr) /org # create

storage-profile profile-name

UCSC(policy-mgr) /org/storage-profile* #

create security

SED Management

Enabling Security on a Disk

PurposeCommand or Action

Step 5

Creates a local security policy for the specified

storage profile and enters the local policy mode.

UCSC(policy-mgr)

/org/storage-profile/security/drive-security* #

create local

Step 6

Sets the specified security key for the local

policy. The security key must have 32

characters.

UCSC(policy-mgr)

/org/storage-profile/security/drive-security/local*

# set security-keysecurity-key

Step 7

PurposeCommand or Action

Enters policy manager mode.UCSC# connect policy-mgr

Step 1

Enters organization mode for the specified

organization. To enter the root organization

mode, type / as the org-name .

UCSC(policy-mgr)# scope org org-name

Step 2

Creates the specified storage profile and enters

organization storage profile mode.

UCSC(policy-mgr) /org # create

Creates a drive security policy for the specified

storage profile security and enters the drive

security policy mode.

UCSC(policy-mgr)

/org/storage-profile/security* # create

drive-security

Step 5

Creates a local security policy for the specified

storage profile and enters the local policy mode.

UCSC(policy-mgr)

/org/storage-profile/security/drive-security* #

create local

Step 6

Sets the specified security key for the local

UCSC(policy-mgr)

SED Management

Modifying the Security Policy from Local to Remote

PurposeCommand or Action

Step 9

/org/storage-profile/security/drive-security/local*#

set security-keynew-security-key

UCSC(policy-mgr)

/org/storage-profile/security/drive-security/local*#

commit-buffer

Remote Operations

This section describes the options for configuring security related operations on the controller, local disk, or

Enters the specified UCS domain.UCSC(resource-mgr)/domain-mgmt# scope

Enters the specific chassis.UCSC(resource-mgr)/domain-mgmt/ucs-domain#

Enters the specific server.UCSC(resource-mgr)/domain-mgmt/ucs-domain/chassis#

for a list of the permitted security operations.

Unlock Disk for a Local Security Policy

requires a Key as a parameter. The Key must

be 32 characters long.

Commits the transaction to the system

configuration.

SED Management

Remote Operations

PurposeCommand or Action

Step 9

clear name

(Virtual-Disk)(Optional)

UCSC(resource-mgr)/domain-mgmt/ucs-domain/chassis/server/

Step 12

raid-controller/virtual-drive # set admin-state