Skip to main content

Configuring hardware-based encryption

Lenovo hardware-based encryption supports full-disk encryption (FDE) of data as it is written. The data cannot be read without an encryption key stored on the firmware. The encryption key, in turn, is accessible only to an authenticated node.

Understanding Lenovo hardware-based encryption

A node authenticates itself to a self-encrypting drive using an authentication key retrieved from an external key management server or Onboard Key Manager:

  • The external key management server is a third-party system in your storage environment that serves keys to nodes using the Key Management Interoperability Protocol (KMIP). It is a best practice to configure external key management servers on a different storage system from your data.

  • The Onboard Key Manager is a built-in tool that serves authentication keys to nodes from the same storage system as your data.

You can use Lenovo Volume Encryption with hardware-based encryption to “double encrypt” data on self-encrypting drives.

Note
Current all flash array (AFA) and Hybrid systems and their later systems store core dumps on their boot device. When self-encrypting drives are enabled on these systems, the core dump is also encrypted.

Supported drive types

Two types of self-encrypting drive are supported:

  • Self-encrypting FIPS-certified SAS or NVMe drives are supported on all Hybrid and AFA systems. These drives, called FIPS drives, conform to the requirements of Federal Information Processing Standard Publication 140-2, level 2. The certified capabilities enable protections in addition to encryption, such as preventing denial-of-service attacks on the drive. FIPS drives cannot be mixed with other types of drives on the same node or HA pair.

  • Self-encrypting NVMe drives that have not undergone FIPS testing, called SEDs, offer the same encryption capabilities as FIPS drives, but can be mixed with non-SEDs on the same node or HA pair.

When to use KMIP servers

Although it is less expensive and typically more convenient to use the onboard key manager, you should set up KMIP servers if any of the following are true:

  • Your encryption key management solution must comply with FIPS 140-2 level 2 or higher.

  • You need a multi-cluster solution, with centralized management of encryption keys.

  • Your business requires the added security of storing authentication keys on a system or in a location different from the data.

Support details

The following table shows important hardware encryption support details. See the Lenovo Storage Interoperation Center (LSIC) for the latest information about supported KMIP servers, storage systems, and disk shelves.

Resource or featureSupport details
Non-homogeneous disk sets

  • FIPS drives cannot be mixed with other types of drives on the same node or

    HA pair. Conforming HA pairs can coexist with non-conforming HA pairs in the same cluster.

  • SEDs can be mixed with non-SEDs on the same node or

    HA pair.
Drive type

  • FIPS drives can be SAS or NVMe drives.

  • SEDs must be NVMe drives.

10 Gb network interfacesKMIP key management configurations support 10 Gb network interfaces for communications with external key management servers.
Ports for communication with the key management serverYou can use any storage controller port for communication with the key management server. Depending on the storage controller model, certain network interfaces might not be available during the boot process for communication with key management servers.
MetroCluster (MCC)

  • NVMe drives support MCC.

  • SAS drives do not support MCC.

  • Hardware-based encryption workflow
    You must configure key management services before the cluster can authenticate itself to the self-encrypting drive. You can use an external key management server or an onboard key manager.
  • Configuring external key management
    You can use one or more external key management servers to secure the keys that the cluster uses to access encrypted data. An external key management server is a third-party system in your storage environment that serves keys to nodes using the Key Management Interoperability Protocol (KMIP).
  • Configuring onboard key management
    You can use the Onboard Key Manager to authenticate cluster nodes to a FIPS drive or SED. The Onboard Key Manager is a built-in tool that serves authentication keys to nodes from the same storage system as your data. The Onboard Key Manager is FIPS-140-2 level 1 compliant.
  • Assigning a FIPS 140-2 authentication key to a FIPS drive
    You can use the storage encryption disk modify command with the -fips-key-id option to assign a FIPS 140-2 authentication key to a FIPS drive. Cluster nodes use this key for drive operations other than data access, such as preventing denial-of-service attacks on the drive.
  • Enabling cluster-wide FIPS-compliant mode for KMIP server connections
    You can use the security config modify command with the -is-fips-enabled option to enable cluster-wide FIPS-compliant mode for data in flight. Doing so forces the cluster to use OpenSSL in FIPS mode when connecting to KMIP servers.