Self-encrypting drives
Self-encrypting drives (SED) are supported for the following models:
- FortiManager-410G
- FortiManager-1000G
- FortiManager-3100G
The following type of key is supported for SED in FortiManager:
- Encryption key: This key can only be created or changed by the user. Exercise caution when changing the encryption key, because all data previously written to the drive will from then on be read and decrypted using the new key; if the user forgets the new key, that data becomes unrecoverable during restoration. This behaviour is also an effective technique for rendering the data on a disk unusable and unreadable. It is referred to as the auto-lock feature, and it is useful when a drive has to be repurposed (used in a different application where the data is neither required nor wanted) or scrapped.
The SED features are only available using the CLI, not the GUI.
Auto-lock feature
To protect the disk's contents, assign the SED encryption key after RAID has been set up. If the disk is then plugged into another system, its contents remain protected unless the encryption key is known and that system has a compatible RAID controller.
To use the auto-lock feature:
- After RAID setup, enter the following command in the FortiManager CLI:
diagnose system disk sed {sed-key}
The key requires 8-32 characters and must include an upper case letter, a lower case letter, a number, and a special character (excluding '\').
If a foreign SED disk is installed, that disk will be unavailable because of the auto-lock feature.
Cryptographic erase
To quickly and securely dispose of disks, you can format the drives from the CLI and then use the auto-lock feature.
To complete a cryptographic erase:
- In the FortiManager CLI, enter the following command:
execute format disks {raid-level}
- In the FortiManager CLI, apply the auto-lock by entering the following command:
diagnose system disk sed {sed-key}
Examples
SED feature disabled
diagnose system raid status
Storcli RAID:
RAID Level: Raid-50
RAID Status: OK
RAID Size: 52156GB
File System: ext4 51337GB
SED Encryption: Disabled
Groups: 2
Disk 1: OK 3724GB Group-1
Disk 2: OK 3724GB Group-1
Disk 3: OK 3724GB Group-1
If there are non-SED disks, they are displayed in the output. For example:
diagnose system raid status
Storcli RAID:
RAID Level: Raid-50
RAID Status: OK
RAID Size: 52156GB
File System: ext4 51337GB
SED Encryption: Disabled
Groups: 2
Disk 1: OK 3724GB Group-1
Disk 2: OK 3724GB Group-1 non-SED
Disk 3: OK 3724GB Group-1
SED feature enabled
- Use the following command to provide the SED key:
diagnose system raid sed {sed-key}
Variable    Description
sed-key     SED encryption key. 8-32 characters; must include upper case, lower case, number and special characters (excluding '\').
- Use the following command to verify SED encryption status:
diagnose system raid status
Storcli RAID:
RAID Level: Raid-50
RAID Status: OK
RAID Size: 22353GB
File System: ext4 22001GB
SED Encryption: Enabled
Groups: 2
Disk 1: OK 3724GB Group-1
Disk 2: OK 3724GB Group-1
Disk 3: OK 3724GB Group-1
Disk 4: OK 3724GB Group-1
Disk 5: OK 3724GB Group-2
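The key policy stated above (8-32 characters, upper case, lower case, number, special character, no backslash) and the status listings in this section are easy to check offline before a change window. The following is an added example, not FortiManager code: it validates a candidate sed-key against the stated rules and audits a saved copy of the `diagnose system raid status` output for an array where SED is disabled or a non-SED disk is present. The sample listing is constructed from the format shown on this page, and the set of accepted special characters is an assumption (the page only says which one is excluded).

```python
import re

# Constructed sample listing (not captured from a real unit), shaped like the
# "diagnose system raid status" output shown on this page.
SAMPLE_STATUS = """\
RAID Level: Raid-50
RAID Status: OK
SED Encryption: Disabled
Disk 1: OK 3724GB Group-1
Disk 2: OK 3724GB Group-1 non-SED
Disk 3: Unused 3724GB
"""

# Assumed accepted set: printable ASCII punctuation minus the backslash, which the page excludes.
SPECIAL = set("!\"#$%&'()*+,-./:;<=>?@[]^_`{|}~")

def check_sed_key(key):
    """Return the policy rules a candidate sed-key violates (empty list == acceptable)."""
    rules = [
        (8 <= len(key) <= 32, "length must be 8-32 characters"),
        (any(c.isupper() for c in key), "missing upper case letter"),
        (any(c.islower() for c in key), "missing lower case letter"),
        (any(c.isdigit() for c in key), "missing number"),
        (any(c in SPECIAL for c in key), "missing special character"),
        ("\\" not in key, "backslash is not allowed"),
    ]
    return [msg for ok, msg in rules if not ok]

# Disk rows look like: "Disk N: <state> <size> [Group-N] [non-SED]"
DISK_RE = re.compile(r"^Disk (\d+):\s+(\S+)\s+(\S+)(?:\s+(Group-\d+))?(?:\s+(non-SED))?\s*$")

def parse_raid_status(text):
    """Extract the array-wide SED state and one record per disk row."""
    info = {"sed_enabled": None, "disks": []}
    for line in text.splitlines():
        if line.startswith("SED Encryption:"):
            info["sed_enabled"] = line.split(":", 1)[1].strip() == "Enabled"
        elif (m := DISK_RE.match(line)):
            info["disks"].append({"id": int(m.group(1)), "state": m.group(2),
                                  "group": m.group(4), "non_sed": m.group(5) is not None})
    return info

def audit(text):
    """Findings that mean data at rest on this array is not covered by SED."""
    info = parse_raid_status(text)
    findings = [] if info["sed_enabled"] else ["SED encryption is disabled on the array"]
    findings += [f"Disk {d['id']} is non-SED; its contents are not encrypted"
                 for d in info["disks"] if d["non_sed"]]
    return findings
```

Run `audit()` over the listing saved from each unit; an empty result means SED reports Enabled and no disk row carries the non-SED marker.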
Working with SED-based systems
To replace an SED disk:
You can replace disks with any drive that supports the SED feature, regardless of brand; however, it is optimal to use a drive with the same specification as the existing array. The system rebuilds the new disk automatically, and the disk receives the same SED key used by the existing system. This is transparent to the user.
To reformat after an SED-enabled RAID failure:
If an SED-enabled RAID failure occurs, formatting the drives effectively clears the SED key, after which the user can assign a new SED key. For example:
FMG-410G # diagnose system raid status
Storcli RAID:
RAID Level: Raid-50
RAID Status: Failed
RAID Size: 22353GB
File System: ext4 22001GB
SED Encryption: Enabled
Groups: 2
Disk 1: OK 3724GB Group-1
Disk 2: OK 3724GB Group-1
Disk 3: OK 3724GB Group-1
Disk 4: OK 3724GB Group-1
Disk 5: OK 3724GB Group-2
Disk 6: OK 3724GB Group-2
Disk 7: Unused 3724GB
Disk 8: Unused 3724GB Group-2
FMG-410G # execute format disk 50
This operation will format hard disk to ext4 filesystem.
Do you want to continue? (y/n)y
Resetting ...
login as: admin
Keyboard-interactive authentication prompts from server:
Password:
End of keyboard-interactive prompts from server
FMG-410G # diagnose system raid status
Storcli RAID:
RAID Level: Raid-50
RAID Status: OK
RAID Size: 22353GB
File System: ext4 22001GB
SED Encryption: Disabled
Groups: 2
Disk 1: OK 3724GB Group-1
Disk 2: OK 3724GB Group-1
Disk 3: OK 3724GB Group-1
Disk 4: OK 3724GB Group-1
Disk 5: OK 3724GB Group-2
Disk 6: OK 3724GB Group-2
Disk 7: OK 3724GB Group-2
Disk 8: OK 3724GB Group-2
To move SED-enabled disks to a new physical chassis:
When SED-enabled disks need to be moved (re-homed) to a new physical chassis, the process requires additional steps:
- On the target unit, install the same build as the source unit. Install SED-capable drives, set up RAID similar to that of the source unit, and then enable SED using the same key as the source unit.
- Shut down both units and remove the drives from their respective chassis.
- Move the source drives to the target chassis and install them.