Skip to main content

Unlock drives when using internal key management

If you configured internal key management and then later move secure-enabled drives from one storage array to another, you must re-assign the security key to the new storage array to gain access to the encrypted data on the drives.

Before you begin

  • On the source array (the array where you are removing the drives), you have exported volume groups and removed the drives. On the target array, you have re-installed the drives. Note: The Export/Import function is not supported in the System Manager user interface; you must use the Command Line Interface (CLI) to export/import a volume group to a different storage array.
  • The Drive Security feature must be enabled. Otherwise, a Cannot Create Security Key dialog box opens during this task. If necessary, contact your storage vendor for instructions on enabling the Drive Security feature.
  • You must know the security key that is associated with the drives you want to unlock.
  • The security key file is available on the management client (the system with a browser used for accessing System Manager). If you are moving the drives to a storage array that is managed by a different system, you need to move the security key file to that management client.

About this task

When you use internal key management, the security key is stored locally on the storage array. A security key is a string of characters that is shared by the controller and drives for read/write access. When the drives are physically removed from the array and installed in another, they cannot operate until you provide the correct security key.
Note
You can create either an internal key from the controller's persistent memory or an external key from a key management server. This topic describes unlocking data when internal key management is used. If you used external key management, see Unlock drives when using external key management. If you are performing a controller upgrade and are swapping all controllers for the latest hardware, you must follow different steps as described in Upgrading DE Series Controllers, in the "Unlock drives" section.

Once you reinstall secure-enabled drives in another array, that array discovers the drives and displays a "Needs Attention" condition along with a status of "Security Key Needed." To unlock drive data, you select the security key file and enter the pass phrase for the key. (This pass phrase is not the same as the storage array's Administrator password.)

If other secure-enabled drives are installed in the new storage array, they might use a different security key than the one you are importing. During the import process, the old security key is used only to unlock the data for the drives you are installing. When the unlock process is successful, the newly installed drives are re-keyed to the target storage array's security key.

  1. Select Settings > System .
  2. Under Security key management , select Unlock Secure Drives .
    The Unlock Secure Drives dialog box opens. Any drives that require a security key are shown in the table.
  3. Optionally, hover the mouse over a drive number to see the location of the drive (shelf number and bay number).
  4. Click Browse , and then select the security key file that corresponds to the drive you want to unlock.
    The key file you selected appears in the dialog box.
  5. Enter the pass phrase associated with this key file.

    The characters you enter are masked.

  6. Click Unlock .
    If the unlock operation is successful, the dialog box displays: "The associated secure drives have been unlocked."

What happens next?

When all drives are locked and then unlocked, each controller in the storage array will reboot. However, if there are already some unlocked drives in the target storage array, then the controllers will not reboot.

After you finish

On the destination array (the array with the newly installed drives), you can now import volume groups.

Note
The Export/Import function is not supported in the System Manager user interface; you must use the Command Line Interface (CLI) to export/import a volume group to a different storage array.