Skip to main content

Manage the Self Encryption Drive Authentication Key (SED AK)

For ThinkEdge SE360 V2 with self-encrypted drives (SED) installed, the SED AK can be managed in Lenovo XClarity Controller. After setting up the server or making changes to the configuration, backing up the SED AK is essential to prevent data loss in the hardware failure case.

SED Authentication Key (AK) Manager

Log in to Lenovo XClarity Controller web interface, and go to BMC Configuration > Security > SED Authentication Key (AK) Manager to manage the SED AK.

Note
The operation of SED AK Manager is not allowed in the following conditions:
  • System Lockdown Mode is in Active state. SED AK is locked until the system is activated or unlocked. See Activate or unlock the system to activate or unlock the system.

  • Current user does not have the authority to manage SED AK.

    • To generate, backup, and recover the SED AK with passphrase or backup file, the role of XCC user should be Administrator.
    • To recover the SED AK from automatic backup, the role of XCC user should be Administrator+.

SED encryption

The status of SED encryption can be changed from Disabled to Enabled. Complete the following process to enable SED encryption.

  1. Press Enabled button.

  2. Select the SED AK generation method:

    • Generate key using Passphrase: Set the password and re-enter it for the confirmation.

    • Generate key randomly: A Random SED AK will be generated.

  3. Press Apply button.

Attention
  • Once SED encryption is Enabled, it cannot be changed back to Disabled.
  • When SED encryption is enabled, rebooting the system is required after installing a drive; without rebooting, the drive will not be recognized by the host OS.
  • When SED encryption is enabled, if emergency XCC password reset is performed, the SED AK stored in the server will be cleared as the default action. Data stored on the SED will no longer be accessible unless the SED AK is restored. Backing up the SED AK is strongly advised to reduce the risk of data loss. See Emergency XCC Password Reset for more information.

Change the SED AK

  • Generate key using Passphrase: Set the password and re-enter it for the confirmation. Click Re-generate to get the new SED AK.

  • Generate key randomly: Click Re-generate to get a Random SED AK.

Backup the SED AK

Set the password and re-enter it for the confirmation. Click Start Backup to backup the SED AK; then, download the SED AK file and store it safely for future use.

Note

If you use the backup SED AK file to restore a configuration, the system will ask for the password that you set here.

Recover the SED AK

  • Recover SED AK using Passphrase: Use the password that was set in Generate key using Passphrase to recover the SED AK.

  • Recover SED AK from Backup file: Upload the backup file generated in Backup the SED AK mode and enter the corresponding backup file password to recover the SED AK.

  • Recover SED AK from Automatic backup: After system board replacement, use automatic backup to recover the SED AK for the installed SED.

    Note
    To recover the SED AK from automatic backup, the role of XCC user should be Administrator+.