Enabling Drive Security Using Avago SafeStore Encryption Services

Introduction


Setting up drive security ensures that data on disks removed from a host cannot be accessed without knowledge of the security key. The drive data cannot be recovered without this key, which keeps the data safe in a cloud environment. At IBM Bluemix Infrastructure we provide Self-Encrypting Drives (SED) at select data centers for drives that can be bought on a bare metal server. To begin with, we offer 10TB SATA drives in our US data centers.

 

Prerequisites


Bare metal server with SED drives – 10TB SATA
LSI/AVAGO MegaRAID SAS 9361-8i or similar LSI/AVAGO RAID cards
MegaRAID Storage Manager software installed

 

How to enable Drive Security using MegaRAID Storage Manager (MSM)


In this guide we discuss how to set a security key and safeguard the data on the drives using MegaRAID Storage Manager. You can also use the WebBIOS interface, which requires entering the MegaRAID card BIOS at server boot time to configure the drive security settings. The official guide for setting up Drive Security is accessible from here; refer to it for additional information, as it covers both WebBIOS and MSM usage. All related documents on the MegaRAID SAS 9361-8i controller card can be accessed from the Broadcom site.

How to identify SED drives present?

MSM should come preinstalled on most of the supported operating systems that can be ordered. If it is not present, you can install it manually from the Broadcom site. A link for the same is available here.
Start MSM and log in with the system credentials. In this guide a Windows machine was used and MSM was preinstalled. On launch, MSM requests a username and password; these are those of the privileged user (Administrator).

Click on the Physical tab and then on each of the drives available on the system. In the Properties pane, under Drive Security Properties, the Full Disk Encryption capable field should show Yes for an SED drive. In the example used we had 2 non-SED disks and 4 SED disks.

 

Enable Drive security at the Controller

To enable drive security, right-click on Controller 0: AVAGO MegaRAID SAS 9361-8i in the Physical tab and select Enable Drive Security.

This should bring up a screen where you can enter the Security key identifier and the Security key. If multiple security keys are in use, the Security key identifier helps you identify which security key is to be used.

Note down the Security key, as it will be required especially when drives are removed and reinserted, in order to complete the foreign config import. Without the security key it will not be possible to retrieve any data stored in a volume created out of the SEDs. There is no way to retrieve a forgotten security key.

A boot-time password can also be set, which pauses the system at boot until the password set here is entered. This is optional; if it is set, you will need to log in to IPMI and type the boot password each time the system is rebooted.

Scroll down, check the box that says I recorded the security settings for future reference, and click Yes to enable drive security.



You will now see a yellow key image next to Controller 0: AVAGO MegaRAID SAS 9361-8i. This indicates that drive security is enabled.


A secure volume using these SEDs can now be created. To do this, right-click on Controller 0 in the Logical tab and use Create Virtual Drive.

Choose the Advanced option. On the following screen, specify the RAID level and set the Drive security method to Full Disk Encryption (FDE). Select the FDE drives required and click on Add. Click on Create Drive Group and then on Next.

Review the Read and Write policies and the Capacity, and make any changes you require. It is recommended to use Write Back and Always Read Ahead. Click on Create Virtual Drive. Accept the Write Back policy impact due to the BBU by clicking Yes. Click on Next and a summary screen for the virtual drive is shown. Click on Finish, which should show “The virtual drives successfully created”.

To confirm that the VD is secured, click on the Logical tab and select the virtual drive that was created. In the Drive Security Properties you should see that Secured is marked Yes.

If the server came with RAID volumes already created using SED drives, you can secure an existing volume as follows. Click on the Logical tab, right-click on the Drive Group, and select Secure Using FDE. If a volume has a mix of FDE and non-FDE drives, this option will not be visible.
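The drive-group states described above (secured, ready for Secure Using FDE, or blocked by a mix of FDE and non-FDE drives) can be checked across an inventory with a short script. This is an added example, not part of the original guide or of MSM; the CSV layout, the sample rows and the status names are constructed, and only the two property labels are taken from the MSM fields quoted in this guide.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory. The two property columns reuse the labels MSM shows in
# its Drive Security Properties pane; the CSV layout itself is an assumption.
INVENTORY = """\
slot,drive_group,Full Disk Encryption capable,Secured
0,0,No,No
1,1,No,No
2,0,Yes,No
3,2,Yes,Yes
4,2,Yes,Yes
5,3,Yes,No
"""

def classify_drive_groups(text):
    """Return {drive_group: status} for every drive group in the inventory."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        capable = row["Full Disk Encryption capable"].strip().lower() == "yes"
        secured = row["Secured"].strip().lower() == "yes"
        groups[int(row["drive_group"])].append((capable, secured))

    status = {}
    for group, drives in sorted(groups.items()):
        capable_count = sum(1 for capable, _ in drives if capable)
        if capable_count == 0:
            status[group] = "non-fde"      # no SEDs, nothing to secure
        elif capable_count < len(drives):
            status[group] = "mixed"        # Secure Using FDE is not offered
        elif all(secured for _, secured in drives):
            status[group] = "secured"      # data is locked to the security key
        else:
            status[group] = "securable"    # candidate for Secure Using FDE
    return status

def unprotected_groups(text):
    """Drive groups whose data is not protected by the security key."""
    return [g for g, s in classify_drive_groups(text).items() if s != "secured"]

if __name__ == "__main__":
    for group, state in classify_drive_groups(INVENTORY).items():
        print(f"drive group {group}: {state}")
```
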


To remove drive security, first delete the secured VDs and then right-click on Controller 0 and select Disable Drive Security. This will secure erase the data in it and remove drive security.

In this guide we looked at enabling Drive Security using the MSM software. You can also set up Drive Security using WebBIOS by logging in through IPMI at boot time and entering the RAID BIOS. For additional details, refer to the Avago SafeStore Encryption Services section of the 12Gb/s MegaRAID SAS Software User Guide, accessible here.