Encryption is performed within each drive before the data is written to the media. This protects the data on the drive against theft or loss, and against attempts to read the drive directly by physically deconstructing it. The encryption also provides a means to erase information on a drive quickly and securely, ensuring that the information is not recoverable.
Reading encrypted data requires the authentication key for the SED to unlock the drive. Only authenticated SEDs are unlocked and accessible. Once the drive is unlocked, the SED decrypts the encrypted data back to its original form. The lockbox holds the key for each drive in the appliance, and each key is itself encrypted to keep sensitive data safe. We recommend that you download the generated keystore archive file to an external, secure location. Every drive in the PowerStore appliance must be an SED.
PowerStoreOS 3.0 supports external key management applications through the Key Management Interoperability Protocol (KMIP). External key managers for storage arrays provide extra protection if the array is stolen. If the external key server is not present to provide the relevant Key Encryption Key (KEK), the storage system cannot be powered on.
For more information, see the Dell PowerStore Security Configuration Guide.