


NOTE: NSE must be ALL or NONE per HA-Pair. Authentication Keys (AK) and changes to them do not affect the disk encryption keys.

When a system is first brought up, the NSE disks are openly available to the system without need for authentication. The disks themselves automatically encrypt data written to them and decrypt it when read, and they maintain these disk encryption keys (also known as media encryption keys) within themselves. The controls are not yet set to protect a disk that leaves the system. The system may be operated in this unprotected mode indefinitely; the NSE disks simply act like other disks.

When the KMIP servers are made available and the required SSL/TLS certificates are properly installed, the connections between the KMIP servers and the cluster are set up. Thereafter, authentication keys can be created and the controls in the disks set to protect the data. Then, if the disks are power-cycled, as would happen if a disk is removed and placed on another system, that system cannot supply the required AK (kept safely on an SSL-protected key server) to unlock access to the data.

Modifying authentication keys does not affect the encryption keys. Data that was written to the disks in the period before KMIP server setup and AK changes is still present. Once the controls are set, all data on the disks is protected, whether it was written before or after the protections were applied. The disks come with a default key, called the Manufacturer Secure ID (MSID), that is unique to each disk.
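The behaviour described above can be traced in a small model, added here as an illustration (it is not NetApp code or drive firmware). It shows that changing the AK leaves the data at rest untouched and that a power-cycled disk stays locked until the AK is supplied. The `NseDisk` class, its method names and the toy keystream cipher are assumptions made for this example.

```python
import hashlib
import hmac
import secrets


class NseDisk:
    """Hypothetical model of one self-encrypting disk, not drive firmware."""

    def __init__(self):
        self.msid = secrets.token_bytes(32)  # default key, unique to this disk
        self._ak = self.msid                 # authentication key currently set
        self._mek = secrets.token_bytes(32)  # media encryption key, kept in the disk
        self.media = {}                      # block number -> ciphertext at rest
        self.locked = False

    def _crypt(self, block, data):  # toy keystream XOR, stand-in for the hardware cipher
        stream = hashlib.shake_256(self._mek + block.to_bytes(8, "big")).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, stream))

    def write(self, block, data):
        if self.locked:
            raise PermissionError("disk is locked; authentication key required")
        self.media[block] = self._crypt(block, data)

    def read(self, block):
        if self.locked:
            raise PermissionError("disk is locked; authentication key required")
        return self._crypt(block, self.media[block])

    def set_ak(self, current_ak, new_ak):
        if not hmac.compare_digest(current_ak, self._ak):
            raise PermissionError("current authentication key rejected")
        self._ak = new_ak  # only the AK changes; MEK and ciphertext are untouched

    def power_cycle(self):
        self.locked = not hmac.compare_digest(self._ak, self.msid)  # MSID only: stays open

    def unlock(self, ak):
        self.locked = self.locked and not hmac.compare_digest(ak, self._ak)
        return not self.locked


def scenario():
    disk, ak = NseDisk(), secrets.token_bytes(32)  # ak is constructed sample data
    disk.write(0, b"written before KMIP setup")
    at_rest = dict(disk.media)
    disk.set_ak(disk.msid, ak)           # protections applied
    disk.power_cycle()                   # e.g. disk moved to another system
    results = [disk.unlock(disk.msid), disk.unlock(ak)]  # without the AK, then with it
    return results + [disk.media == at_rest, disk.read(0)]
```

`scenario()` returns whether the unlock succeeded without and with the AK, whether the ciphertext at rest was unchanged by the AK change, and the plaintext read back afterwards.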
