Self Encrypting Drive (SED) Support and Functionality

You can configure SED functionality and enable locking on your Quantum F-Series (F2200) product.

To fully take advantage of SED, your hardware and software configuration must meet the following requirements:

  • The version of the BIOS on both of your controllers must be ATP2.02.09 or later.

What is a Self-Encrypting Drive (SED)?

A Self-Encrypting Drive (SED) is a type of storage device, which can be either a hard disk drive (HDD) or a solid-state drive (SSD).

SEDs are designed to automatically encrypt and decrypt drive data without requiring any user input or additional disk encryption software. Essentially, they act as built-in security guards for your data, protecting it from unauthorized access.

How Do Self-Encrypting Drives Work?

SEDs use advanced encryption algorithms to automatically encrypt all data written to the drive. The encryption keys used for this process are securely stored on the drive itself, ensuring that they cannot be accessed by unauthorized parties.

Advantages of Self-Encrypting Drives:

  • Efficiency: Encryption is performed at the hardware level, making it faster and more efficient than software-based encryption.

  • Automatic Protection: SEDs continuously encrypt data as it's written and decrypt it during reads, without any user intervention.

  • Security: By encrypting data at rest, SEDs enhance data security, especially for sensitive information.

Levels of Compliance and Standards

  • AES-Compliant: SEDs adhere to the Advanced Encryption Standard (AES).

  • FIPS 140-2-Compliant: SEDs meet the requirements set by the Federal Information Processing Standards (FIPS) 140-2.

  • Opal-Compliant: Opal is an industry standard for self-encrypting drives.

  • FIPS 140-2 SEDs: These drives achieve compliance and avoid pitfalls related to data security.

This section provides information on how to configure SED functionality on your Quantum F-Series (F2200).

  1. Before you configure SED functionality on your Quantum F-Series (F2200), you might require a BIOS firmware update on both controllers. Use the QBSP shell interface and execute the following command to verify the current SED status, which helps you to determine if you require a BIOS firmware update:

    sed_mgmt status

    Example of output

    SED Capable : False

    SED Type : Opal2

    SED Enabled : False

  2. If the SED Capable entry displays False, execute the following command to display the version of the BIOS:

    show_fw_ver

    Example of output

    BIOS : ATP2.02.08

    BMC : 2.20.00

    SES : 0452

    The version of the BIOS must be at ATP2.02.09 or later; if your system is running a previous version of the BIOS, then you must perform a BIOS firmware update on both controllers, one at a time.

  3. Verify there are no active users logged into the BMC web interface, and there are no open BMC KVM sessions open. If any BMC sessions are open, you might encounter the BIOS update failure described in the Troubleshooting section.

  4. Execute the following command to perform a BIOS firmware update on your primary controller:

    Caution: The storage services are stopped before the BIOS update commences, and the controller reboots after the BIOS flashing procedure is complete. The BIOS firmware update process results in a failover/failback of storage services between controllers; Quantum strongly recommends you perform the BIOS firmware update during a maintenance window. Since you are only updating one controller at a time, there is no storage I/O outage; however, during failover/failback the normal I/O pause occurs briefly.

    bios_update

    Example of output

    Current BIOS Version: ATP2.02.08

    DMIDecode information logged in '/mnt/data/FW_upgrade/dmidecode/2024-03-14_13-09-54.json'

    Updating BIOS Firmware using /opt/quantum/firmware/BIOS/ATP2.02.09.bin

    This may take a few minutes ...

    **************************************************************

    WARNING!

    Cluster services will stop on this controller

    Controller will reboot after update

    **************************************************************

    Continue with upgrade (yes/No)? yes

    ### Getting service "rc.pydlmd" status on client "10.17.21.197"...

    ### Stopping "rc.pydlmd" on client "10.17.21.197"...

    ### Getting service "rc.pacemaker" status on client "10.17.21.197"...

    ### Stopping "rc.pacemaker" on client "10.17.21.197"...

    ### Getting service "rc.corosync" status on client "10.17.21.197"...

    ### Stopping "rc.corosync" on client "10.17.21.197"...

    ### Getting service "rc.sbd" status on client "10.17.21.197"...

    ### Stopping "rc.sbd" on client "10.17.21.197"...

    Flashing the BIOS update...

    Successfully updated BIOS

    System reboot required for BIOS upgrade to take effect.

    Reboot system now (yes/No)? yes

    Rebooting system in 10 seconds ...

  5. Allow your primary controller to reboot. When the primary controller boots in to the operating system and the cluster has started, execute the following command to perform a BIOS firmware update on your secondary controller:

    Caution: The storage services are stopped before the BIOS update commences, and the controller reboots after the BIOS flashing procedure is complete. The BIOS firmware update process results in a failover/failback of storage services between controllers; Quantum strongly recommends you perform the BIOS firmware update during a maintenance window. Since you are only updating one controller at a time, there is no storage I/O.

    bios_update

    Example of output

    Current BIOS Version: ATP2.02.08

    DMIDecode information logged in '/mnt/data/FW_upgrade/dmidecode/2024-03-14_13-36-34.json'

    Updating BIOS Firmware using /opt/quantum/firmware/BIOS/ATP2.02.09.bin

    This may take a few minutes ...

    **************************************************************

    WARNING!

    Cluster services will stop on this controller

    Controller will reboot after update

    **************************************************************

    Continue with upgrade (yes/No)? yes

    ### Getting service "rc.pydlmd" status on client "10.17.21.198"...

    ### Stopping "rc.pydlmd" on client "10.17.21.198"...

    ### Getting service "rc.pacemaker" status on client "10.17.21.198"...

    ### Stopping "rc.pacemaker" on client "10.17.21.198"...

    ### Getting service "rc.corosync" status on client "10.17.21.198"...

    ### Stopping "rc.corosync" on client "10.17.21.198"...

    ### Getting service "rc.sbd" status on client "10.17.21.198"...

    ### Stopping "rc.sbd" on client "10.17.21.198"...

    Flashing the BIOS update...

    Successfully updated BIOS

    System reboot required for BIOS upgrade to take effect.

    Reboot system now (yes/No)? yes

    Rebooting system in 10 seconds ...

  6. Allow your secondary controller to reboot. When the secondary controller boots in to the operating system and the storage services are running, execute the following command to verify the SED Capable entry displays True:

    sed_mgmt status

    Example of output

    SED Capable : True

    SED Type : Opal2

    SED Enabled : False

    Note: If the SED Capable entry does not display True, this could be caused by QSA caching and you should allow several minutes before the data is refreshed and displays a True value.

This section provides information on how to enable SED on your Quantum F-Series (F2200).

Before you continue, review the Hardware and Software Requirements.

Note: If the SED functionality in the left navigation of the F-Series UI is disabled after you upgrade to QBSP version 2.3.1 (or later) and update the BIOS on both controllers, click Refresh in the UI.

  1. In the top navigation, click CONFIGURATION.

  2. In the left navigation, click SED.

  3. Click the gray (disabled) Enable Self Encrypting Drives toggle. It turns blue (enabled).

    Note: This option enables SED for the RAID as a whole, not specific chassis, individual drives, or drive packs.

    If your system does not contain SED drives, you will see the following message:

    The system does not support drive encryption.

    If you see this message, you cannot configure the drives as SED, and can skip the rest of this procedure.

  4. Enter the SED Password to use for drive encryption.

  5. Enter the SED password again in the Confirm SED Password field.

  6. Click Apply to confirm the change.

Use the QBSP shell sed_mgmt command to enable or disable SED on all capable drives. For more information, see the QBSP shell sed_mgmt command help page.

During internal testing when running the QBSP shell command bios_update, Quantum observed one transient BIOS update failure, as follows.

Example of BIOS update failure

Current BIOS Version: ATP2.02.08

DMIDecode information logged in '/mnt/data/FW_upgrade/dmidecode/2024-03-22_15-19-15.json'

Updating BIOS Firmware using /opt/quantum/firmware/BIOS/ATP2.02.09.bin

This may take a few minutes ...

**************************************************************

WARNING!

Cluster services will stop on this controller

Controller will reboot after update

**************************************************************

Continue with upgrade (yes/No)? yes

### Getting service "rc.pydlmd" status on client "10.17.21.197"...

### Stopping "rc.pydlmd" on client "10.17.21.197"...

### Getting service "rc.pacemaker" status on client "10.17.21.197"...

### Stopping "rc.pacemaker" on client "10.17.21.197"...

### Getting service "rc.corosync" status on client "10.17.21.197"...

### Stopping "rc.corosync" on client "10.17.21.197"...

### Getting service "rc.sbd" status on client "10.17.21.197"...

### Stopping "rc.sbd" on client "10.17.21.197"...

Flashing the BIOS update...

Error updating BIOS {'cmd': ['/opt/quantum/sbin/CFUFLASH', '-cd', '-pc', '-d', '2', '/opt/quantum/firmware/BIOS/ATP2.02.09.bin'], 'ret_code': 255, 'stdout': 'INFO: CFUFLASH INI Configuration File not found... Default options will not be applied...\nFri Mar 22 15:20:16 2024\n\nCreating IPMI session via USB...Enabling USB Virtual CD,this may take a while\nOpenning usb virtual device cmd code:aa\n../../Common/flashcmds.c-2640:loading driver for kcs\n../../Common/main.c-4830 Enabling USB\n-------------------------------------------------\nOpen IPMI Drivers\n-------------------------------------------------\nUn-Loading ipmi_devintf\nUn-Loading ipmi_si\nUn-Loading ipmi_msghandler\nOpenning usb virtual device cmd code:aa\nAttaching CD-ROM cmd code:cb\n-------------------------------------------------\nOpen IPMI Drivers\n-------------------------------------------------\nLoading Open IPMI Driver:ipmi_devintf\nParsing.RebootFirmware:1,FlashSelected:0\nLoading Open IPMI Driver:ipmi_si\nLoading Open IPMI Driver:ipmi_msghandler\nDone\n\n-------------------------------------------------\nCFUFlash - Firmware Upgrade Utility (Version 4.118.0)\n-------------------------------------------------\n(C)Copyright 2017, Celestica Inc.\nFri Mar 22 15:21:35 2024\nError in identifying the Flash information\n', 'stderr': ''}

('Exception updating BIOS: ', 255)

Quantum believes the BIOS update failure occurs when you have an open BMC HTML5 KVM interface, while the controller operating system is booting up.

If you experience the BIOS update failure and attempt to reboot the controller or power down the controller, you cannot power on the controller using the BMC UI interface.

To workaround this BIOS update failure, do one of the following:

Option 1

  1. Manually remove the failed controller.

  2. Manually reinsert the failed controller.

  3. Restart the failed controller.

Option 2

  1. Power down and unplug both controllers.

  2. Plug in and power up both controllers.