NOTE: This topic is part of the Uptime Information Hub.
Self-encrypting drives (SEDs) are hard drives that transparently encrypt all on-disk data using an internal key and a drive access password. Specifications were released by the Trusted Computing Group in January 2009, and the drives became available for purchase in March 2009 from suppliers such as Seagate, Hitachi, and Western Digital.
If a SED drive’s internal key or drive access password is lost, the drive data will be permanently inaccessible and the drive must be reset and reformatted in order to be repurposed. This article provides a general overview of how SED drives work, as well as answers to frequently asked questions about data erasure on SED drives.
SED drives are initially in a factory-fresh state, known as the unowned state. No encryption keys exist on the drive or node, and encryption is not enabled. The first initialization step is to generate a randomized internal drive encryption key by using the drive’s embedded encryption hardware. This key is used by the drive hardware to encrypt all incoming data before writing it to disk, and to decrypt any disk data being read by the node.
The second step is to generate a drive control key or drive access password by using the OneFS key manager process. This password is used each time the drive is accessed by the node. Without the password, the drive is completely inaccessible. Now that encryption has been set up, the drive is in a secure, owned state and is ready to be formatted.
If the SED drive is mishandled, such as interrupting the formatting process or removing the drive from a powered-on node, the node will delete its drive access password from the keystore database where the drive access passwords are stored. If the internal drive key, or the drive access password, or both are lost or deleted, all of the data on the drive becomes permanently inaccessible and unreadable. This process is referred to as cryptographic erasure, as the data still exists, but can’t be decrypted. The drive is subsequently unusable, and it must be manually reverted to the unowned state by using its Physical Security ID (PSID). The PSID is a unique, static, 32-character key that is embedded in each drive at the factory. PSIDs are printed on the drive’s label, and can be retrieved only by physically removing the drive from the node and reading its label. After the PSID is entered in the OneFS command-line interface at the manual reversion prompt, all of the drive data is deleted and the SED drive is returned to an unowned state.
How do I securely erase a functional SED drive?
Smartfail the drive. After the smartfail process completes, the node deletes the drive access password from the keystore and the drive deletes its internal encryption key. As a result, the data is inaccessible and is considered cryptographically erased, and the drive is reset to the unowned state. The drive can then be reused after a new encryption key is generated, or safely returned to EMC, without any risk of EMC or a third party accessing the data. For a step-by-step procedure, see How to erase data on a self-encrypting drive (SED), article 205928 on the EMC Online Support site.
How do I erase a defective SED drive?
As in the previous question, the completion of the smartfail process prompts the node to delete the drive access password from the keystore.
The data on the drive can’t be accessed directly because the internal encryption key from the drive cannot be extracted, and the drive cannot be accessed normally without the drive access password. Therefore, the data on the drive is still permanently inaccessible and is considered cryptographically erased.
How do I erase all SED drives in an entire node or cluster?
To erase all SED drives in a single node that is being removed from a cluster, smartfail the node from the cluster. All drives will be automatically released and cryptographically erased by the node when the smartfail process completes.
To erase all SED drives in an entire cluster, or in a single node configured as a cluster of one, or in an unconfigured node, you can either reimage or reformat the node by running the isi_reformat_node command. Both processes will release the drives and then delete the node keystore. Any drives that fail to release properly will still be cryptographically erased because their drive access passwords are deleted with the rest of the keystore during the process. Any SED drives in nodes that will be redeployed elsewhere and that are currently in an unreleased state must be manually reverted by using their PSID before they can be used again.
For step-by-step procedures, see How to erase data on a self-encrypting drive (SED), article 205928 on the EMC Online Support site.
What if the drive is removed from a running node without smartfailing the drive first?
If a drive is removed from a running node, OneFS will assume that the drive has failed, and will initiate the smartfail process. If the drive is reinserted before the smartfail process completes, you can run the add and stopfail commands to bring the drive back online and return it to a healthy state. However, if the smartfail process is completed before you reinsert the drive, and you run the stopfail command, the drive access password for the removed drive is deleted from the node's keystore. If this occurs, the data on the drive can no longer be accessed and is considered cryptographically erased.
If the drive is reinserted and added back to the cluster after it has been smartfailed, it will be displayed as being in the SED_ERROR state because the drive still contains encrypted data but the drive access password no longer exists in the node's keystore. Although the data on the drive is inaccessible, you can revert the drive itself to an unowned state by using its PSID. You can then reuse the drive.
Why does smartfailing a drive not require you to enter the PSID in order to erase the drive and reset it to a factory-fresh state?
A SED drive can be cryptographically erased and reset to a factory-fresh state in two ways: by sending it the release command, or by sending the revert command. The release command requires the drive password to run, whereas the revert command requires the drive PSID. If the drive password is still known and functional, the node can release the drive after the smartfail process completes, or during a node reimage, without requiring manual intervention. If the drive password is lost or no longer functional, the revert command must be used instead, and the PSID must be entered manually.
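The key lifecycle described in the overview and in the release/revert answer above, as an added toy model in Python (not OneFS or drive firmware code). It assumes the internal key is stored wrapped under a key derived from the drive access password and uses a SHA-256 keystream in place of the drive's AES engine; the PSID and passwords are constructed placeholders.

```python
import hashlib, hmac, secrets

def _xor(data: bytes, key: bytes) -> bytes:
    # Toy SHA-256 counter-mode keystream standing in for the drive's AES engine.
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class SED:
    """unowned -> owned on initialize; release needs the access password, revert the PSID."""
    def __init__(self, psid: str):
        self.psid = psid            # static value printed on the drive label at the factory
        self.state = "unowned"
        self.media = b""            # what physically sits on the platters (always ciphertext)
        self.wrapped_mek = None     # internal key, usable only with the access password
        self.tag = None             # lets the drive reject a wrong password instead of garbage

    def initialize(self, password: bytes) -> None:
        mek = secrets.token_bytes(32)                     # step 1: random key from drive hardware
        kek = hashlib.sha256(password).digest()           # step 2: access password from the node
        self.wrapped_mek = _xor(mek, kek)                 # keystore (model assumption: wraps MEK)
        self.tag = hmac.new(mek, b"unlock", "sha256").digest()
        self.state = "owned"

    def _unlock(self, password: bytes) -> bytes:
        if self.state != "owned":
            raise PermissionError("drive is " + self.state)
        mek = _xor(self.wrapped_mek, hashlib.sha256(password).digest())
        if not hmac.compare_digest(self.tag, hmac.new(mek, b"unlock", "sha256").digest()):
            raise PermissionError("wrong drive access password")  # e.g. keystore entry deleted
        return mek

    def write(self, password: bytes, data: bytes) -> None:
        self.media = _xor(data, self._unlock(password))   # encrypted before reaching the disk

    def read(self, password: bytes) -> bytes:
        return _xor(self.media, self._unlock(password))

    def release(self, password: bytes) -> None:
        # Smartfail path: password still known, so the drive discards its internal key itself.
        self._unlock(password)
        self.wrapped_mek = self.tag = None
        self.state = "unowned"       # ciphertext stays on the media but can never be decrypted

    def revert(self, psid: str) -> None:
        # Manual path for a drive whose password is lost (SED_ERROR): needs the label PSID.
        if not hmac.compare_digest(psid.encode(), self.psid.encode()):
            raise PermissionError("bad PSID")
        self.wrapped_mek = self.tag = None
        self.media = b""
        self.state = "unowned"
```

After release the ciphertext is still on the media but no password can unlock it, which is the cryptographic erasure the article describes; revert additionally wipes the media and needs only the label PSID.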
How can I confirm that a SED has been cryptographically erased?
See How to erase data on a self-encrypting drive (SED), article 205928 on the EMC Online Support site.
How do I recover data from a defective or inaccessible SED drive?
If a SED drive becomes inaccessible for any reason, such as mishandling, malfunction, intentional release/revert, or loss of the drive access password, the drive data cannot be recovered. Traditional data recovery techniques, such as direct media access and platter extraction, cannot be used on a SED drive because the data is encrypted, and the encryption key cannot be extracted from the drive hardware.
Is there a performance difference between a SED drive and a non-SED drive?
There is no difference in read or write performance between SED and non-SED drives. All data encryption and decryption is done at line speed by dedicated AES encryption hardware that is embedded in the drive.
How long does it take to format a SED node, and how do I know the format process is still running?
Format times may vary, but 90 minutes or more is the average for most 4TB SED nodes. The larger the drives, the longer the format process will take to complete. SED nodes take much longer to format than nodes with regular drives, because each drive must be fully overwritten with random data as part of the encryption initialization process. This is an industry-standard step in all full-disk encryption processes that is necessary to help secure the encrypted data against brute-force attacks on the encryption key, and this step cannot be skipped.
If the node is running an older OneFS version that displays format progress by printing dots, the formatting process is still running as long as new dots keep appearing and no other output is displayed. If the node is running a newer OneFS version that reports format progress as a numerical percentage for each drive, the format is still in progress as long as those percentages are still increasing.
Do not allow a format in progress to be interrupted on a SED node. Interrupting it immediately makes all the drives in the node unusable and requires you to manually revert each individual drive by using its PSID before the format process can be restarted; this procedure will take several hours.