Hardware Encryption

From OSNEXUS Online Documentation Site

Self-Encrypting Drive (SED) / Full Drive Encryption (FDE) Media

QuantaStor currently supports Opal 2 compliant NVMe SED media, which can be FIPS or non-FIPS compliant. For HDD-based SED encryption we recommend using Seagate Corvault systems, which allow us to offload the hardware encryption to the external system. SED/FDE HDD-based encryption is planned for a future version of QuantaStor; please contact us (info (at) osnexus.com) for more information.

Controller Based Encryption

DEPRECATED - Controller-based hardware encryption has been deprecated. This feature was limited to specific discontinued RAID controllers. Today we recommend using SAS/SATA controllers in HBA mode (IT) rather than HW RAID mode (IR), and we have standardized on Broadcom SAS HBAs and their OEM derivatives.

There are three CLI commands for setting up hardware encryption using the 'qs' command line utility. They are 'hw-unit-encrypt', 'hw-controller-create-security-key', and 'hw-controller-change-security-key'. The process for setting up encryption is as follows:

1) Create a hardware RAID unit using the 'Create Unit..' dialog in the QuantaStor web management interface as per your workload requirements (RAID10, RAID6, etc).

2) Go to the console/ssh window and assign a security key to the controller if one is not already set.

    hw-controller-create-security-key [hwc-create-security-key]
      :: Create the security key for encryption on SED/FDE-enabled drives on hardware RAID
         controller.
        <--controller>   :: Name or ID of a hardware RAID controller.
        <--security-key> :: Security key on HW Controller card for encryption on FDE-enabled secure
                            disk drives.

3) Encrypt the hardware RAID unit that you created in step one.

    hw-unit-encrypt [hwu-encrypt]
      :: Enable hardware SED/FDE encryption for the specified hardware RAID unit.
        <--unit>         :: Name of a hardware RAID unit or it unique ID.
        [--options]      :: Special options to hardware encryption policy.

4) Create a new storage pool using the now encrypted RAID unit.

Note that your system will be set up so that no pass-phrase is required at boot time. In this mode you're protected against someone taking all the hard drives from your system, but if they can take the entire server and/or RAID controller with the disks then the drives can be decrypted without a password. In general the no pass-phrase option is preferred so that the system can be rebooted without administrative involvement, but it is less secure.

Setting Up Boot Passphrase

As noted above, the hw-controller-create-security-key command will set up the hardware RAID controller so that no pass-phrase is required at boot time. To change the keys so that a pass-phrase is required at boot time, you'll need to use the MegaCli CreateSecurityKey command to set a security key for the controller that includes a pass-phrase. Here's a snippet of the LSI documentation on how to create a key.

    Syntax: MegaCli -CreateSecurityKey -SecurityKey sssssssssss | [-Passphrase sssssssssss] |[-KeyID kkkkkkkkkkk] -aN

    Description:
        Command enables security feature on specified controller.
        The possible parameters are:
        SecurityKey: Security key will be used to generate lock key when drive security is enabled.
        Passphrase: Pass phrase to provide additional security.
        KeyID: Security key Id.

    Convention:
        -aN         N specifies the adapter number for the command.
    Note:
        - Security key is mandatory and pass phrase is optional.
        - Security key and pass phrase have special requirements.
          Security key & pass phrase should have 8 - 32 chars, case-sensitive; 1 number, 1 lowercase letter, 1 uppercase letter, 1 non-alphanumeric character (no spaces).
        - In case of Unix based systems, if the character '!' is used as one of the input characters in the value of Security key or pass phrase, it must be preceded by a back slash character ('\').

A good way to generate a secure passphrase and/or security key is to use the uuidgen tool as follows:

    uuidgen | cut -c 25-

This will output a randomly generated string of characters that looks like '6bb45eb7b615'. You can then run the tool as shown below, but be sure to replace the example values '1dabc3b0d467' and '6bb45eb7b615' with your own unique keys generated by the uuidgen tool:

    MegaCli -CreateSecurityKey -SecurityKey 1dabc3b0d467 -Passphrase 6bb45eb7b615 -a0

Be sure to write down both keys someplace safe. The pass-phrase will be needed every time the system boots and the security key will be needed in the event that you need to replace the RAID controller.
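
As an added example (not part of the OSNEXUS or LSI documentation): the 12-character string from uuidgen is lowercase hex only, so it contains no uppercase letter or non-alphanumeric character as the rule quoted above asks for. The script below generates keys from /dev/urandom and checks them against that rule; the function names, the symbol set and the choice to leave out '!' are assumptions made for this example.

```bash
#!/bin/sh
# Added example: generate and check a security key or pass phrase against the
# rule quoted above: 8-32 characters, no spaces, at least one digit, one
# lowercase letter, one uppercase letter and one non-alphanumeric character.

# Assumption: symbols chosen so that no shell escaping is needed; '!' is left
# out to avoid the backslash requirement noted for Unix systems.
SYMBOLS='@%+=_.,:'

# check_key KEY: returns 0 if KEY satisfies the quoted rule, 1 otherwise.
check_key() {
    [ "${#1}" -ge 8 ] && [ "${#1}" -le 32 ] || return 1
    case $1 in *[[:space:]]*) return 1 ;; esac
    case $1 in *[[:digit:]]*) ;; *) return 1 ;; esac
    case $1 in *[[:lower:]]*) ;; *) return 1 ;; esac
    case $1 in *[[:upper:]]*) ;; *) return 1 ;; esac
    case $1 in *[![:alnum:]]*) ;; *) return 1 ;; esac
    return 0
}

# gen_key [LEN]: prints a random key of LEN characters (default 32).
# Random bytes are filtered down to the allowed set, and candidates are
# redrawn until every required character class is present.
gen_key() {
    _len=${1:-32}
    [ "$_len" -ge 8 ] && [ "$_len" -le 32 ] || return 2
    while :; do
        _key=$(head -c 256 /dev/urandom |
               LC_ALL=C tr -dc "A-Za-z0-9$SYMBOLS" | head -c "$_len")
        [ "${#_key}" -eq "$_len" ] && check_key "$_key" && break
    done
    printf '%s\n' "$_key"
}

# Constructed check: the sample value from the text does not satisfy the rule.
check_key '6bb45eb7b615' || echo "6bb45eb7b615: fails the quoted rule"
echo "example key: $(gen_key 32)"

# Usage with the command shown above (not run here); record both values first:
#   key=$(gen_key 32); pass=$(gen_key 32)
#   MegaCli -CreateSecurityKey -SecurityKey "$key" -Passphrase "$pass" -a0
```

Because the keys are passed as command-line arguments, they can end up in shell history and are visible in the process list while the command runs.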