This covers how to use LSI's SafeStore controller option along with Seagate Self-Encrypting Drives (SED). This provides protection of drive contents at rest and enables instant secure erase (ISE). This allows for the rapid and irreversible destruction of all data on the array(s) in seconds.

Keys

The first step is to purchase a SafeStore license (hardware or software key). If your controller supports hardware keys, follow the key's installation instructions. Once connected, the feature will immediately become available.

If you are using the software license, the steps are slightly more involved. These steps will be documented in the next section.

Software Key

You will need each controller's serial number and SafeID in order to activate the purchased license.

Getting the Serial Number and SafeID via WebBIOS

Reboot the computer and press ctrl + h when prompted during the boot sequence.

• Click on Advanced Software Options from the main page.
• The SafeID and Serial Number will be shown below the existing license box. Note these down carefully as they are long strings.

Getting the Serial Number and SafeID via MegaCli64

MegaCli64 AdpAllInfo a0 | grep "Serial No" && MegaCli64 ELF GetSafeId a0 | grep "Safe ID"

Serial No       : xxxxxxxxxxxxxxxx
Safe ID is yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

Getting the License from LSI

After purchasing the software key, you will get a License Authentication Code (LAC). This will be used in a moment.

Create (or log into) LSI's Advanced Software License Management Portal.

If you don't have an account, you will need to enter an LAC to start the account creation process.

Note: For this tutorial, we are using the Fujitsu D3116C controller, which is based on the LSI 9260-8i.

On the next window, you will be asked to enter the controller description.

• LAC or SCN #: <enter the LAC key given to you when you purchased SafeStore
• RAID Controller or Nytro Card Name: <enter a unique name to identify the controller, the host name is useful>

Once entered, press "Activate".

If you are a new user, a pop-up will ask you to enter your last name and your email address. Do so. Next you will be asked more information about you and your company, provide the information.

If you are an existing user, you will enter your registered email address and password.

Once logged in, you will be presented with the entitlement and a form to enter the controller's "Serial Number" and "Safe ID". To get this information, you can either look at the controller's information it the controller's BIOS or you can retrieve it via "MegaCli64".

• Enter the Serial Number and Safe ID into the form and the press Next.
• Read and agree to the EULA, enter the email address you want the key(s) sent to, enter a note if you wish and then click "Finish".
• You will see the new activation key on the screen, and a copy will also be emailed to you. You will enter this key to enable SafeStore on your controller.

Entering the SafeStore Activation Key in the WebBIOS

You need to be in the "Advanced Software Options" screen. If you were there already to gather the serial number and Safe ID, you are already in the right place.

• Click on Advanced Software Options from the main page.
• At the bottom of the screen, carefully type in the Activation Key that was sent to you (or that you recorded from the LSI website). When entered, click Activate.
• The new license(s) will be displayed in the review window. Confirm that this is what you expect and then click Finish.
• You are warned that you must restart the server for the changes to take effect. Click on OK.

Exit and reboot your server now. Re-enter the WebBIOS with ctrl + h when prompted to begin encryption configuration.

Entering the SafeStore Activation Key via MegaCli64

You will get an email with the activation key. This is what we will enter into the controller to enable the SafeStore option. You can either manually enter this key into the controller via the controller's BIOS, or you can enter it using the MegaCli64 tool, which we will do.

MegaCli64 -elf applykey key zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz -a0

Successfully applied the Activation key. Please restart the system for the changes to take effect.

FW error description: 
 To complete the requested operation, please reboot the system.  

Exit Code: 0x59

Done! You will now need to reboot to configure encryption.

Note: Your data is *NOT* encrypted at this stage.

Warning: In order to encrypt data, existing virtual disks will need to be destroyed and recreated. Make sure your data is backed up!

Using Encryption

Until now, we covered enabling the SafeStore function. Now we'll cover it's use.

Enabling Encryption

Reboot into the LSI WebBIOS by pressing ctrl + h during the boot sequence.

Click on Advanced Software Options.

Confirm that the SafeStore option is enabled, then click Back.

Now we can setup encryption.

First, we need to enable drive encryption.

• Click on Controller Properties
• Click Next through the first three pages.
• On the fourth page, on the bottom-left, you see Drive Security. Click on Enable.
• A dialogue box will tell you about the encryption process. Read it and, when ready, click Next.
• The controller will next suggest a Security key identifier. You can use it as-is or replace it with your own string. When ready, click Next.
• Next, enter (or click Suggest to generate) a key to encrypt and decrypt the data with. Once entered, click Next.

Warning: If you set a Pass Phrase in the next section, you will need to enter it on every reboot.

Warning: If you do NOT set a Pass Phrase in the next section, the data will not be protected if an attacker gains physical access to the server (or at least the controller). In this case, the benefit of the encrypted configuration is that drives alone can not be read and ISE (instant secure erase) can be used.

• Next, if you want to require that a pass phrase be used to unlock the controller on boot, enter it on this window. If you want the server to be able to boot autonomously, do not set a pass phrase here.
• You will now see a dialogue explaining you configuration. Read it, understand it and then click Yes.

Proceed to the next section to create the encrypted partition.

Encrypting the Data

Note: Any existing virtual disks that you wish to encrypt will need to be recreated, causing their data to be lost.

• Click on Configuration Wizard.
• Click on New Configuration.
• Read the warning, understand that your existing data will be lost, and then click on Yes.
• Make sure that Manual Configuration is selected and then clock Next.

Note: If you plan to configure Hot-Spare drives, so not select them in the next step. They will be configured later.

Selecting Drives for the Virtual Disk:

• Ensure that Encryption is set to Full Disk Encryption.
• Click on the first drive under the Drives column. With the first drive highlighted, press and hold the ctrl key and click to select the rest of the drives.
• With the desired drives highlights, click Add to Array.
• The right Drive Group will now show the selected drives. Confirm that this is correct and then click Accept DG.
• The screen will reload, but the Accept DG button will now be gone. Click on Next to proceed.
• On the left column will be a drop-down select box showing the new drive group. If you have multiple drive groups, be sure the new one is selected. Click on Add to Span.
• The drive group will now be listed under the right Span column. Click on Next.

Configuring the virtual disk

• Choose the RAID level you wish to use. The default is RAID level 6.
• Assuming you have a BBU or FBU option and cache on your controller, change Write Policy to Write Back with BBU
• The Select Size option will be black. You can auto-fill it by clicking on Update Size. Alternatively, manually enter the array size based on the sizes listed under the empty Virtual Drives window.
• Click on Accept to create the virtual drive.
• A dialogue box explaining the Write Back with BBU implication will be shown. Read it, understand it and the click Yes.
• You will return to the virtual drive configuration screen, but now your new virtual drive will be shown. Click Next to proceed.
• The virtual drive will now be shown in the right Virtual Drives column. Click on Accept to proceed.
• You will be asked to save the configuration. Click on Yes.
• You will be warned that any existing data on the drive will be lost. Click Yes to confirm and proceed.

Note: In some occasions, you will get a warning that the Initialization process failed to start. This is OK, but it does mean that you will have to wait until the initialization of the drive has completed. You can track the progress by clicking in Virtual Drives from the main menu.

• If you didn't get the warning mentioned above, you will see a summary of the new virtual disk. The last radio button will show Set Boot Drive (current=NONE). Click to select this option and then click on Go.

Note: In some occasions, you will get a warning that you 'must wait for the current operation to complete'. This is OK, but it does mean that you will have to wait until the initialization of the drive has completed. You can track the progress by clicking in Virtual Drives from the main menu.

• The last radio button show now show Set Boot Drive (Current=0).

If you had to wait for the initialization to complete, you can come back and set the boot drive by clicking on Virtual Drives from the main page.

Using the Encryption

If you configured the system to require a pass phrase, you will need to manually enter it during the system boot in order to unlock the drives.

If you didn't use a pass phrase, then there is nothing more to do on a day to day bases. If you remove a drive (be it because it was defective or what have you), the contents of that data will not be recoverable by anyone unless they have the key you entered when you setup the encryption.

Self-Destruct - aka; Instant Secure Erase

Warning: This process is irreversible (that's kind of the point...)!

A major benefit of the encryption setup is the ability to very rapidly destroy the data. There are many reasons this feature might be needed, but those reasons are outside the scope of this document.

To destroy the data, you need to: