Dell EqualLogic Group Manager

About Self-Encrypting Drives (SED)

SEDs (self-encrypting drives) are disk drives that use an encryption key to secure the data stored on the disk. This encryption protects the PS series array from data theft when a drive is removed from the array.

SED operates across all disks in an array at once. If one drive in a RAID set is removed from the array, a new set of encryption key shares is generated automatically and shared among the remaining disks. If a second drive is removed from the same RAID set, another set of encryption key shares is generated.

SED drives are configured at the factory. When the drives are installed into an array, the array automatically detects the new SED drives and locks them. This process is automatic; the GUI has no user controls for SED.

All of the drives in an array, including spares, must be of the same type and model, and must be running PS Series firmware 6.0 or higher. A SED drive installed into a mixed-disk configuration, or a configuration containing unencrypted drives, operates as an unencrypted disk. Likewise, a pool consisting of all SED drives might replicate to a pool with only a few SED drives or no SED drives at all.

NOTE: SED drives are identified in the GUI with a gold key icon.

How Key Shares Work

Each array has an overall shared encryption key that protects data on all of the disks in that array.

The shared encryption key is not stored in any one location on the array. Instead, the key is divided into portions called key shares. The number of key shares generated corresponds to the number of drives in the array (except for spares or other drives not used by the array). The key shares are distributed across all non-spare disks used in the RAID configuration. If your array has n non-spare disks, you must have (n+1)/2 of the key shares to unlock the data on the disks. If you are missing one or more of the required key shares, you will not be able to recover the data.

You can back up the disk encryption key shares. Key shares are backed up in groups of three files. To unlock the array, you need to supply two backup shares. Under normal operation, the keys are not necessary because the data is redundant; however, they might be useful in the event that a disk needs to be sent to a data recovery service. Use the Maintenance tab to back up the disk encryption key shares.