
Administration Guide

Self-encrypting drives

Self-encrypting drives (SED) are supported for the following models:

  • FortiAnalyzer-810G

  • FortiAnalyzer-3510G

The following type of key is supported for SED in FortiAnalyzer:

  • Encryption key: This key can only be created or changed by the user. Exercise caution when changing the encryption key: all data previously written to the drive will from then on be read and decrypted using the new key, so that data becomes unrecoverable if the user forgets the new key during restoration. This is, however, an effective technique for rendering the data on the disk unusable and unreadable. It is referred to as the auto-lock feature, and it is useful when a drive has to be repurposed (used in a different application where the data is neither required nor wanted) or scrapped.

The SED features are only available using the CLI, not the GUI.

Auto-lock feature

To protect the disk's contents, assign the SED encryption key after RAID has been set up. If the disk is then plugged into another system, its contents remain protected unless the encryption key is known and that system has a similar RAID controller.

To use the auto-lock feature:
  1. After RAID setup, enter the following command in the FortiAnalyzer CLI:

    diagnose system disk sed {sed-key}

    The key must be 8 to 32 characters long and must include an upper case letter, a lower case letter, a number, and a special character (the characters '\ are excluded).

Note

If a foreign SED disk is installed, that disk will be unavailable because of the auto-lock feature.
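As an added example (not part of the guide and not Fortinet code), the following Python function checks a candidate key against the policy stated above before the key is typed into the CLI. It assumes that "(excluding '\)" means the quote and backslash characters are not allowed, and that "special character" means ASCII punctuation; both readings are assumptions, as is the rejection of whitespace and non-ASCII characters.

```python
import string

# Key policy from the guide: 8-32 characters, at least one upper case letter,
# one lower case letter, one digit and one special character. The guide's
# "(excluding '\)" is read here as: the quote and backslash characters are not
# allowed (assumption).
KEY_MIN_LEN = 8
KEY_MAX_LEN = 32
EXCLUDED_CHARS = frozenset("'\\")


def check_sed_key(key: str) -> list:
    """Return the list of policy violations for a candidate SED key.

    An empty list means the key satisfies every rule above. Checking the key
    locally before typing it into the CLI avoids a rejected command and lets
    you record the exact key that will be applied, since a forgotten key makes
    the drive contents unrecoverable.
    """
    problems = []
    if not KEY_MIN_LEN <= len(key) <= KEY_MAX_LEN:
        problems.append(f"length {len(key)} is outside {KEY_MIN_LEN}-{KEY_MAX_LEN}")
    if not any(c.isupper() for c in key):
        problems.append("missing an upper case letter")
    if not any(c.islower() for c in key):
        problems.append("missing a lower case letter")
    if not any(c.isdigit() for c in key):
        problems.append("missing a digit")
    # Special characters are taken to be ASCII punctuation other than the
    # excluded ones (assumption; the guide does not enumerate them).
    allowed_special = set(string.punctuation) - EXCLUDED_CHARS
    if not any(c in allowed_special for c in key):
        problems.append("missing a special character")
    found_excluded = sorted(EXCLUDED_CHARS.intersection(key))
    if found_excluded:
        problems.append("contains excluded character(s): " + " ".join(found_excluded))
    # The key is passed as a CLI argument, so whitespace would split it into
    # separate arguments; non-ASCII characters are rejected as well to be safe
    # (assumption, not a rule stated by the guide).
    if any(c.isspace() or not (c.isascii() and c.isprintable()) for c in key):
        problems.append("contains whitespace or non-printable/non-ASCII characters")
    return problems


if __name__ == "__main__":
    # Candidates constructed for illustration; the first two are the keys the
    # guide uses in its own examples.
    for candidate in ("Qq1!Qq1!", "Ee3#Ee3#", "qq1!qq1!", "Short1!", "Qq1'Qq1\\"):
        verdict = check_sed_key(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Run the check on the intended key, store that exact value in your key escrow, and only then apply it with the CLI command above.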

Cryptographic erase

To quickly and securely dispose of disks, format the drives from the CLI and then apply the auto-lock feature.

To complete a cryptographic erase:
  1. In the FortiAnalyzer CLI, enter the following command:

    execute format disks {raid-level}

  2. In the FortiAnalyzer CLI, apply the auto-lock by entering the following command:

    diagnose system disk sed {sed-key}

To change the SED key:
  1. Once the SED key has been set, it can be changed by entering the following command in the FortiAnalyzer CLI:

    diagnose system disk sed {new-sed-key} {old-sed-key}

Examples

SED feature disabled

diagnose system raid status
Storcli RAID:
RAID Level: Raid-50
RAID Status: OK
RAID Size: 52156GB
File System: ext4 51337GB
SED Encryption: Disabled
Groups: 2
 
Disk  1:           OK     3724GB    Group-1
Disk  2:           OK     3724GB    Group-1
Disk  3:           OK     3724GB    Group-1

If there are non-SED disks, they are displayed in the output. For example:

diagnose system raid status
Storcli RAID:
RAID Level: Raid-50
RAID Status: OK
RAID Size: 52156GB
File System: ext4 51337GB
SED Encryption: Disabled
Groups: 2
 
Disk  1:           OK     3724GB    Group-1
Disk  2:           OK     3724GB    Group-1   non-SED
Disk  3:           OK     3724GB    Group-1

SED feature enabled
  1. Use the following command to provide the SED key:

    diagnose system raid sed {sed-key}

    Variable    Description
    sed-key     SED encryption key. 8-32 characters; must include an upper case letter, a lower case letter, a number, and a special character (the characters '\ are excluded).
  2. Use the following command to verify SED encryption status:

    diagnose system raid status
    Storcli RAID:
    RAID Level: Raid-50
    RAID Status: OK
    RAID Size: 22353GB
    File System: ext4 22001GB
    SED Encryption: Enabled
    Groups: 2
     
    Disk  1:           OK     3724GB    Group-1
    Disk  2:           OK     3724GB    Group-1
    Disk  3:           OK     3724GB    Group-1
    Disk  4:           OK     3724GB    Group-1
    Disk  5:           OK     3724GB    Group-2
    
Changing the SED key
  1. In this example, the SED key is initially set to Qq1!Qq1! using the following command:

    diagnose system raid sed {sed-key}

    For example:

    diagnose system raid sed Qq1!Qq1!
    OK
     
    diagnose system raid status
    Storcli RAID:
    RAID Level: Raid-50
    RAID Status: OK
    RAID Size: 21.83T
    File System: ext4 21.49T
    SED Encryption: Enabled
  2. The SED key is later changed to Ee3#Ee3# using the following command:

    diagnose system raid sed {new-sed-key} {old-sed-key}

    For example:

    diagnose system raid sed Ee3#Ee3# Qq1!Qq1!
    OK
     
    diagnose system raid status
    Storcli RAID:
    RAID Level: Raid-50
    RAID Status: OK
    RAID Size: 21.83T
    File System: ext4 21.49T
    SED Encryption: Enabled

Working with SED-based systems

To replace an SED disk:

You can replace disks that support the SED feature regardless of brand; however, it is best to use a hard drive with the same specification as the others in the existing array. The new disk is rebuilt automatically by the system and uses the same SED key as the existing system. This is transparent to the user.

To reformat after an SED-enabled RAID failure:

If an SED-enabled RAID failure occurs, formatting the drives effectively clears the SED key, after which the user can assign a new SED key. For example:

FMG-410G # diagnose system raid status
Storcli RAID:
RAID Level: Raid-50
RAID Status: Failed
RAID Size: 22353GB
File System: ext4 22001GB
SED Encryption: Enabled
Groups: 2
 
Disk  1:           OK     3724GB    Group-1
Disk  2:           OK     3724GB    Group-1
Disk  3:           OK     3724GB    Group-1
Disk  4:           OK     3724GB    Group-1
Disk  5:           OK     3724GB    Group-2
Disk  6:           OK     3724GB    Group-2
Disk  7:       Unused     3724GB
Disk  8:       Unused     3724GB    Group-2
 
FMG-410G # execute format disk 50
This operation will format hard disk to ext4 filesystem.
Do you want to continue? (y/n)y
 
Resetting ...
 
login as: admin
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server
 
FMG-410G # diagnose system raid status
Storcli RAID:
RAID Level: Raid-50
RAID Status: OK
RAID Size: 22353GB
File System: ext4 22001GB
SED Encryption: Disabled
Groups: 2
 
Disk  1:           OK     3724GB    Group-1
Disk  2:           OK     3724GB    Group-1
Disk  3:           OK     3724GB    Group-1
Disk  4:           OK     3724GB    Group-1
Disk  5:           OK     3724GB    Group-2
Disk  6:           OK     3724GB    Group-2
Disk  7:           OK     3724GB    Group-2
Disk  8:           OK     3724GB    Group-2
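As an added example (not part of the guide and not Fortinet code), the following Python parses the text of diagnose system raid status as shown in the Examples section and in the failure case above, and lists the conditions an operator should act on: SED encryption not enabled, a non-SED member disk, a RAID status other than OK, and disks that are not in the OK state. The two sample outputs are constructed from the guide's examples, and the regular expression assumes the column layout shown on this page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Matches one disk row of the status output, e.g.
#   "Disk  2:           OK     3724GB    Group-1   non-SED"
# The group and the non-SED marker are both optional (an unused disk may have
# neither). The layout is assumed from the output shown on this page.
DISK_LINE = re.compile(
    r"^\s*Disk\s+(?P<num>\d+):\s+(?P<state>\S+)\s+(?P<size>\S+)"
    r"(?:\s+(?P<group>Group-\d+))?(?:\s+(?P<marker>non-SED))?\s*$"
)


@dataclass
class Disk:
    number: int
    state: str
    size: str
    group: Optional[str]
    non_sed: bool


@dataclass
class RaidStatus:
    fields: dict = field(default_factory=dict)   # e.g. "SED Encryption" -> "Enabled"
    disks: list = field(default_factory=list)    # Disk rows in output order


def parse_raid_status(text: str) -> RaidStatus:
    """Parse the text of 'diagnose system raid status' into fields and disks."""
    status = RaidStatus()
    for line in text.splitlines():
        m = DISK_LINE.match(line)
        if m:
            status.disks.append(Disk(
                number=int(m["num"]), state=m["state"], size=m["size"],
                group=m["group"], non_sed=m["marker"] is not None,
            ))
            continue
        # Remaining "Key: value" lines; headings with no value ("Storcli RAID:")
        # and blank lines are skipped.
        key, sep, value = line.partition(":")
        if sep and value.strip():
            status.fields[key.strip()] = value.strip()
    return status


def sed_findings(status: RaidStatus) -> list:
    """Return the conditions an operator should act on before trusting the array."""
    findings = []
    if status.fields.get("SED Encryption") != "Enabled":
        findings.append("SED encryption is not enabled: data at rest is not protected by the drive key")
    raid_state = status.fields.get("RAID Status")
    if raid_state != "OK":
        findings.append(f"RAID status is {raid_state!r}, not OK")
    for d in status.disks:
        if d.non_sed:
            findings.append(f"disk {d.number} is non-SED and cannot be protected by auto-lock")
        if d.state != "OK":
            findings.append(f"disk {d.number} state is {d.state!r}")
    return findings


# Constructed sample, modelled on the guide's output with one non-SED disk.
SAMPLE_NON_SED = """\
Storcli RAID:
RAID Level: Raid-50
RAID Status: OK
RAID Size: 52156GB
File System: ext4 51337GB
SED Encryption: Disabled
Groups: 2
 
Disk  1:           OK     3724GB    Group-1
Disk  2:           OK     3724GB    Group-1   non-SED
Disk  3:           OK     3724GB    Group-1
"""

# Constructed sample, modelled on the guide's failed-array output.
SAMPLE_FAILED = """\
Storcli RAID:
RAID Level: Raid-50
RAID Status: Failed
RAID Size: 22353GB
File System: ext4 22001GB
SED Encryption: Enabled
Groups: 2
 
Disk  1:           OK     3724GB    Group-1
Disk  2:           OK     3724GB    Group-2
Disk  7:       Unused     3724GB
Disk  8:       Unused     3724GB    Group-2
"""

if __name__ == "__main__":
    for name, sample in (("non-SED disk", SAMPLE_NON_SED), ("failed array", SAMPLE_FAILED)):
        print(f"== {name} ==")
        for finding in sed_findings(parse_raid_status(sample)):
            print(" -", finding)
```

Feeding the saved output of the command into parse_raid_status after a disk replacement or a format gives a quick check that SED Encryption is back to Enabled and that no non-SED disk has crept into the array.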

To move SED-enabled disks to a new physical chassis:

When SED-enabled disks need to be moved (re-homed) to a new physical chassis, the following additional steps are required:

  1. On the target unit, install the same build as on the source unit. Install SED-capable drives, set up the RAID similarly to that of the source unit, and then enable SED using the same key as on the source unit.

  2. Shut down both units and remove the drives from their respective chassis.

  3. Move the source drives to the target chassis and install them there.
