
NOTE: This topic is part of the Uptime Information Hub.

Self-encrypting drives (SEDs) are hard drives that transparently encrypt all on-disk data using an internal key and a drive access password. Specifications were released by the Trusted Computing Group in January 2009, and the drives became available for purchase in March 2009 from suppliers such as Seagate, Hitachi, and Western Digital. If a SED drive’s internal key or drive access password is lost, the drive data will be permanently inaccessible and the drive must be reset and reformatted in order to be repurposed.

This article provides a general overview of how SED drives work, as well as answers to frequently asked questions about data erasure on SED drives.

SEDs 101

SED drives are initially in a factory-fresh state, known as the unowned state. No encryption keys exist on the drive or node, and encryption is not enabled. The first initialization step is to generate a randomized internal drive encryption key by using the drive’s embedded encryption hardware. This key is used by the drive hardware to encrypt all incoming data before writing it to disk, and to decrypt any disk data being read by the node. The second step is to generate a drive control key or drive access password by using the OneFS key manager process. This password is used each time the drive is accessed by the node. Without the password, the drive is completely inaccessible. Now that encryption has been set up, the drive is in a secure, owned state and is ready to be formatted.

If the SED drive is mishandled, such as interrupting the formatting process or removing the drive from a powered-on node, the node will delete its drive access password from the keystore database where the drive access passwords are stored. If the internal drive key or the drive access password or both are lost or deleted, all of the data on the drive becomes permanently inaccessible and unreadable. This process is seen as cryptographic erasure, as the data still exists, but cannot be decrypted. The drive is subsequently unusable, and it must be manually reverted to the unowned state by using its Physical Security ID (PSID).

The PSID is a unique, static, 32-character key that is embedded in each drive at the factory. PSIDs are printed on the drive’s label, and can be retrieved only by physically removing the drive from the node and reading its label. After the PSID is entered in the OneFS command-line interface at the manual reversion prompt, all of the drive data is deleted and the SED drive is returned to an unowned state.

How do I securely erase a functional SED drive?

Smartfail the drive. After the smartfail process completes, the node deletes the drive access password from the keystore and the drive deletes its internal encryption key.
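
The key lifecycle this article describes (ownership, smartfail, PSID reversion), as an added toy model in Python; it is not OneFS or drive firmware code. The `ToySed` class, the `smartfail` helper and the keystore dictionary are hypothetical names, and a SHA-256 counter-mode keystream stands in for the drive's hardware cipher.

```python
import hashlib
import hmac
import secrets


def _xor_stream(key: bytes, lba: int, data: bytes) -> bytes:
    # Stand-in for the drive's hardware cipher: SHA-256 in counter mode (toy, not AES).
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + lba.to_bytes(8, "big") + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


class ToySed:
    """Hypothetical model of one SED; not OneFS or drive firmware code."""

    def __init__(self, psid: str):
        self.psid, self.key, self.pw_digest, self.media = psid, None, None, {}

    def take_ownership(self, password: bytes) -> None:
        self.key = secrets.token_bytes(32)                  # step 1: internal key
        self.pw_digest = hashlib.sha256(password).digest()  # step 2: access password

    def _unlock(self, password) -> None:
        good = password is not None and self.pw_digest is not None and hmac.compare_digest(
            hashlib.sha256(password).digest(), self.pw_digest)
        if self.key is None or not good:
            raise PermissionError("drive data is inaccessible")

    def write(self, password, lba: int, data: bytes) -> None:
        self._unlock(password)
        self.media[lba] = _xor_stream(self.key, lba, data)

    def read(self, password, lba: int) -> bytes:
        self._unlock(password)
        return _xor_stream(self.key, lba, self.media[lba])

    def psid_revert(self, psid: str) -> None:
        if not hmac.compare_digest(psid, self.psid):
            raise PermissionError("wrong PSID")
        self.key, self.pw_digest = None, None               # back to unowned
        self.media.clear()                                  # all drive data deleted


def smartfail(keystore: dict, bay: str, drive: ToySed) -> None:
    keystore.pop(bay, None)   # node deletes the drive access password
    drive.key = None          # drive deletes its internal encryption key
```

After `smartfail`, `drive.media` still holds the ciphertext, but `read` fails even for a caller who kept a copy of the old password, which is the cryptographic erasure described above.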
