Configuring NVH-CRYPT encryption

Configuration Article | CA-20220518-MS-01

NVH Hardware

The SafeStore software included in the NVH-CRYPT, together with self-encrypting drives (SEDs), secures a drive’s data from unauthorized access or modification resulting from theft, loss, or repurposing of drives. If you remove an SED from its storage system or the server in which it resides, the data on that drive remains encrypted and is useless to anyone who attempts to access it without the appropriate security authorization.

 

Auto Lock with Local Key Management locks the SED using an authentication key. When secured in this manner, the drive’s data encryption key is locked whenever the drive is powered down. In other words, the moment the SED is switched off or unplugged, it automatically locks down the drive’s data. When the drive is powered back on, it requires authentication before being able to unlock its encryption key and read any data on the drive. This action protects against any type of insider or external theft of drives or systems.


The instant Secure Erase feature allows you to instantly and securely render data on SED drives unreadable, saving businesses time and money by simplifying the decommissioning of drives and preserving hardware value for returns and repurposing.


You can enable, change, and disable the drive security feature. You can also import a foreign configuration using the SafeStore Encryption Services advanced software.

Instructions

Enabling Drive Security

  1. In the Controller dashboard, select More Actions > Enable Security. The Enable Security dialog appears.

  2. Select the Local Key Management (LKM) option from the Choose the security key management mode drop-down list.

  3. Enter a security key and a password and confirm the setting.

    1. Important: If you choose the option to pause for password, you are prompted to provide the password each time you restart your server.

    2. The system will not boot until this password is entered.

    3. The password prompt appears after the BIOS POST and is accessible only locally, or remotely using the remote control option of the RMMv2.

  4. The key icon lights up yellow.

  5. After that, you can secure the drives using FDE (Full Disk Encryption).

  6. Open the drive group and select it. On the right side of the screen, you can now select ‘Secure using FDE’. Click it and confirm.

Ensure that you write down this security key and password for future reference. If you are unable to provide the security key or password when it is required by the system, you will lose access to your data!

Changing Drive Security Settings

  1. In the Controller dashboard, select More Actions > Change Security.
    The Change Security dialog appears.

  2. You can either use the existing security key identifier assigned by the controller or specify a new security key identifier. If you change the security key, you need to change the security key identifier. Otherwise, you cannot differentiate between the security keys.

  3. Enter a new security key and a password and confirm the setting.

Disabling Drive Security

  1. In the Controller dashboard, select More Actions > Disable Security.
    A warning message appears asking for your confirmation.

  2. Select Confirm and click Yes, Disable Security.
    The software disables drive security.

If you disable drive security, your existing data is not secure and you cannot create any new secure virtual drives. Disabling drive security does not affect the security of data on foreign drives. If you have removed any drives that were previously secured, you still need to enter the password when you import them. Otherwise, you cannot access the data on those drives. If there are any secure drive groups on the controller, you cannot disable drive security. A warning dialog appears if you attempt to do so. To disable drive security, you must first delete the virtual drives on all of the secure drive groups.

Importing or Clearing a Foreign Configuration – Security-Enabled Drives

  1. Enable drive security to allow importation of security-enabled foreign drives.

  2. After you create a security key, navigate to the Controller dashboard, and click Configure, then click Foreign Configuration. If locked drives (security is enabled) exist, the Unlock Foreign Drives dialog appears.

  3. Enter the security key to unlock the configuration. The Foreign Configuration window appears, which lists all of the foreign configurations.

  4. Click one of the following options:

    1. Import: Import the foreign configuration from all the foreign drives.

    2. Clear: Remove the configuration from all the foreign drives.

  5. Click Re-Scan to refresh the window.

  6. Repeat the import process for any remaining drives. Locked drives can use different security keys, so you must verify whether there are any remaining drives to be imported.