storage encryption disk modify
Modify self-encrypting disk parameters
Description
The storage encryption disk modify command changes the data and FIPS-compliance protection parameters of self-encrypting disks (SEDs). The current data AK and FIPS AK of the SED are required to effect changes to the respective AKs and FIPS compliance, and must also be available from the key servers.
The command releases the cluster shell after launching the operation. Monitor the output of the storage encryption disk show-status command for command completion.
Parameters
- -disk <disk path name> - Disk Name
  - This parameter specifies the name of the SED that you want to modify.
- { [-data-key-id <text>] - Key ID of the New Data Authentication Key
  - This parameter specifies the key ID associated with the data AK that you want the SED to use for future authentications. When the provided key ID is the MSID, data at rest on the SED is not protected from unauthorized access. Setting this parameter to a non-MSID value automatically engages the power-on-lock protection of the device, so that after the device is power-cycled the system must authenticate to it with the AK before I/O operations are re-enabled. You cannot specify the null default key; use the MSID instead.
- | [-fips-key-id <text>] } - Key ID of the New Authentication Key for FIPS Compliance
  - This parameter specifies the key ID associated with the FIPS AK that you want the SED to apply to SED credentials other than the one that protects the data. When the value is not the MSID, these credentials are changed to the indicated AK, and other security-related items are set to conform to the FIPS certification requirements ("FIPS compliance mode") of the device. You may set -fips-key-id to any one of the key IDs known to the system. The FIPS key ID may, but does not have to, be the same as the data key ID. Setting -fips-key-id to the MSID key ID disables FIPS compliance mode and restores the FIPS-related authorities and other components (other than data) to their default settings as required. The MSID is required when reverting to a version of Data ONTAP that does not manipulate the FIPS-compliance device components.
Examples
The following command changes both the AK and the power-cycle protection to values that protect the data at rest on the disk. Note that the -data-key-id and -fips-key-id parameters require one of the key IDs that appear in the output of the security key-manager query command.
cluster1::> storage encryption disk modify -data-key-id 6A1E21D8000000000100000000000000F5A1EB48EF26FD6A8E76549C019F2350 -disk 2.10.*
Info: Starting modify on 14 disks.
View the status of the operation by using the
storage encryption disk show-status command.
The following command changes the FIPS AK and sets the device into FIPS-compliance mode. Note that the -fips-key-id parameter requires one of the key IDs that appear in the output of the security key-manager query command.
cluster1::> storage encryption disk modify -fips-key-id 6A1E21D80000000001000000000000005A1FB4EE8F62FD6D8AE6754C9019F35A 2.10.*
Info: Starting modify on 14 disks.
View the status of the operation by using the
storage encryption disk show-status command.
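The examples above depend on the key ID already being known to the key manager; the following pre-flight script, added here and not part of ONTAP or this man page, checks a candidate key ID against a constructed copy of security key-manager query output before composing the modify command. It assumes the MSID key ID is 0x0, that query output lists the key ID in the first column with a Restored column third, and that key-manager key IDs are 64 uppercase hex digits as in the examples; verify these against your own cluster's output.

```shell
#!/bin/sh
# Pre-flight guard for "storage encryption disk modify" (added example, not ONTAP code).
# Assumptions (not from the man page): MSID key ID is "0x0"; query output has the key ID
# in column 1 and the Restored flag in column 3; key IDs are 64 uppercase hex digits.

# Constructed sample of "security key-manager query" output (column layout assumed).
KM_QUERY='Key ID                                                           Key Type Restored
---------------------------------------------------------------- -------- --------
6A1E21D8000000000100000000000000F5A1EB48EF26FD6A8E76549C019F2350 NSE-AK   yes
6A1E21D80000000001000000000000005A1FB4EE8F62FD6D8AE6754C9019F35A NSE-AK   no'

# key_available KEY_ID: succeeds only if KEY_ID is listed and restored from the key servers,
# which the man page requires before the SED can be re-keyed to it.
key_available() {
    printf '%s\n' "$KM_QUERY" |
        awk -v id="$1" '$1 == id && $3 == "yes" { found = 1 } END { exit !found }'
}

# build_modify_cmd KIND KEY_ID DISK: prints the modify command for KIND ("data" or "fips"),
# or fails with a reason. Only one of -data-key-id / -fips-key-id is built, matching the
# {...|...} syntax in the Parameters section.
build_modify_cmd() {
    kind=$1; key=$2; disk=$3
    case "$kind" in
        data|fips) ;;
        *) echo "unknown key kind: $kind (use data or fips)" >&2; return 1 ;;
    esac
    if [ "$key" = "0x0" ]; then
        # MSID is accepted but leaves data unprotected (data) or leaves FIPS mode (fips).
        echo "warning: MSID selected; SED will not be protected by a managed key" >&2
    elif ! printf '%s' "$key" | grep -Eq '^[0-9A-F]{64}$'; then
        echo "key ID does not look like a key-manager key ID: $key" >&2
        return 1
    elif ! key_available "$key"; then
        echo "key ID $key is not restored from the key servers; check: security key-manager query" >&2
        return 1
    fi
    printf 'storage encryption disk modify -%s-key-id %s -disk %s\n' "$kind" "$key" "$disk"
}
```

After running the printed command, poll storage encryption disk show-status until the operation reports completion.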