
Administration Guide

Self-encrypting drives

Self-encrypting drives (SED) are supported for the following models:

  • FortiAnalyzer-810G

  • FortiAnalyzer-1000G

  • FortiAnalyzer-3100G

  • FortiAnalyzer-3510G

The following type of key is supported for SED in FortiAnalyzer:

  • Encryption key: This key can only be created or changed by the user. Exercise caution when changing the encryption key: all data previously written to the drive will from then on be read and decrypted using the new key, so it becomes unrecoverable if the user forgets the new key during restoration. This is, however, an effective technique for rendering the data on the disk unusable and unreadable. It is referred to as the auto-lock feature, and it is useful when a drive has to be repurposed (used in a different application where the data is neither required nor wanted) or scrapped.

The SED features are only available using the CLI, not the GUI.

Auto-lock feature

To protect the disk's contents, assign the SED encryption key after RAID has been set up. If the disk is then plugged into another system, its contents remain protected unless the encryption key is known and that system has a compatible RAID controller.

To use the auto-lock feature:
  1. After RAID setup, enter the following command in the FortiAnalyzer CLI:

    diagnose system disk sed {sed-key}

    The key must be 8-32 characters long and must include an upper case letter, a lower case letter, a number, and a special character (excluding ' and \).
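Because applying the key is irreversible once the data depends on it, it is worth checking a candidate key against the stated rules before typing it into the CLI. The following validator is an added example, not FortiAnalyzer code; it assumes that "(excluding '\)" means both the apostrophe and the backslash are forbidden, and that any non-alphanumeric character counts as "special".

```python
# Pre-check for a FortiAnalyzer SED key, written against the rules stated on
# this page: 8-32 characters, at least one upper case letter, one lower case
# letter, one digit and one special character; the characters ' and \ are
# excluded (assumption: the guide's "(excluding '\)" means both characters).
FORBIDDEN = set("'\\")


def check_sed_key(key):
    """Return a list of rule violations; an empty list means the key passes."""
    problems = []
    if not 8 <= len(key) <= 32:
        problems.append("length must be 8-32 characters")
    if not any(c.isupper() for c in key):
        problems.append("missing upper case letter")
    if not any(c.islower() for c in key):
        problems.append("missing lower case letter")
    if not any(c.isdigit() for c in key):
        problems.append("missing digit")
    # Assumption: "special character" means any character that is not a letter or digit.
    if not any(not c.isalnum() for c in key):
        problems.append("missing special character")
    bad = sorted(FORBIDDEN & set(key))
    if bad:
        problems.append("contains forbidden character(s): " + " ".join(bad))
    return problems


if __name__ == "__main__":
    # Constructed sample keys; none of these is a real key.
    for candidate in ("Sed-Key2024!", "sedkey", "Sed\\Key2024!"):
        print(repr(candidate), "->", check_sed_key(candidate) or "OK")
```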

Note

If a foreign SED disk is installed, it will be unavailable because of the auto-lock feature.

Cryptographic erase

To quickly and securely dispose of disks, you can format the drives from the CLI and then use the auto-lock feature.

To complete a cryptographic erase:
  1. In the FortiAnalyzer CLI, enter the following command:

    execute format disks {raid-level}

  2. In the FortiAnalyzer CLI, apply the auto-lock by entering the following command:

    diagnose system disk sed {sed-key}

Examples

SED feature disabled

diagnose system raid status

Storcli RAID:
RAID Level: Raid-50
RAID Status: OK
RAID Size: 52156GB
File System: ext4 51337GB
SED Encryption: Disabled
Groups: 2
Disk 1: OK 3724GB Group-1
Disk 2: OK 3724GB Group-1
Disk 3: OK 3724GB Group-1

If there are non-SED disks, they are displayed in the output. For example:

diagnose system raid status

Storcli RAID:
RAID Level: Raid-50
RAID Status: OK
RAID Size: 52156GB
File System: ext4 51337GB
SED Encryption: Disabled
Groups: 2
Disk 1: OK 3724GB Group-1
Disk 2: OK 3724GB Group-1 non-SED
Disk 3: OK 3724GB Group-1

SED feature enabled
  1. Use the following command to provide the SED key:

    diagnose system raid sed {sed-key}

    Variable    Description
    sed-key     SED encryption key. 8-32 characters; must include upper case, lower case, number, and special characters (excluding ' and \).
  2. Use the following command to verify SED encryption status:

    diagnose system raid status

    Storcli RAID:
    RAID Level: Raid-50
    RAID Status: OK
    RAID Size: 22353GB
    File System: ext4 22001GB
    SED Encryption: Enabled
    Groups: 2
    Disk 1: OK 3724GB Group-1
    Disk 2: OK 3724GB Group-1
    Disk 3: OK 3724GB Group-1
    Disk 4: OK 3724GB Group-1
    Disk 5: OK 3724GB Group-2
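The status output above (both the "SED feature disabled" example with a non-SED disk and the "SED feature enabled" verification step) is easy to check by hand on one unit, but an operator with a fleet will want to audit it automatically. The parser below is an added example, not Fortinet code; it reads the `diagnose system raid status` text in the format shown on this page and reports arrays that are not encrypted, disks that cannot be encrypted, and disks or arrays that are not in the OK state. The sample output is constructed from the page's format, not a real capture.

```python
import re

# Constructed sample in the format this page shows (not a real capture).
SAMPLE_STATUS = """\
Storcli RAID:
RAID Level: Raid-50
RAID Status: OK
RAID Size: 52156GB
File System: ext4 51337GB
SED Encryption: Disabled
Groups: 2
Disk 1: OK 3724GB Group-1
Disk 2: OK 3724GB Group-1 non-SED
Disk 3: OK 3724GB Group-1
"""

# "Disk N: <state> <size>GB [Group-N] [non-SED]"; the group is optional because
# the page shows an unused disk with no group assignment.
DISK_RE = re.compile(r"^Disk (\d+): (\S+) (\d+)GB(?: (Group-\d+))?( non-SED)?$")


def parse_raid_status(text):
    """Split the status output into top-level fields and a per-disk list."""
    status = {"fields": {}, "disks": []}
    for line in text.splitlines():
        line = line.strip()
        m = DISK_RE.match(line)
        if m:
            status["disks"].append({
                "id": int(m.group(1)), "state": m.group(2),
                "size_gb": int(m.group(3)), "group": m.group(4),
                "sed": m.group(5) is None})
        elif ": " in line:
            key, value = line.split(": ", 1)
            status["fields"][key] = value
    return status


def audit(status):
    """Return human-readable findings; an empty list means nothing to act on."""
    findings = []
    fields = status["fields"]
    if fields.get("RAID Status") != "OK":
        findings.append("RAID status is %s" % fields.get("RAID Status"))
    if fields.get("SED Encryption") != "Enabled":
        findings.append("SED encryption is not enabled; data at rest is not protected by the auto-lock")
    for disk in status["disks"]:
        if not disk["sed"]:
            findings.append("disk %d is non-SED and cannot be encrypted" % disk["id"])
        if disk["state"] != "OK":
            findings.append("disk %d state is %s" % (disk["id"], disk["state"]))
    return findings
```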

Working with SED-based systems

To replace an SED disk:

You can replace disks that support the SED feature regardless of brand; however, it is best to use drives of the same specification as those already in the array. The system rebuilds the new disk automatically and it receives the SED key already in use on the system. This is transparent to the user.

To reformat after an SED-enabled RAID failure:

If an SED-enabled RAID fails, formatting the drives clears the SED key, after which the user can assign an SED key again. For example:

FMG-410G # diagnose system raid status
Storcli RAID:
RAID Level: Raid-50
RAID Status: Failed
RAID Size: 22353GB
File System: ext4 22001GB
SED Encryption: Enabled
Groups: 2
Disk 1: OK 3724GB Group-1
Disk 2: OK 3724GB Group-1
Disk 3: OK 3724GB Group-1
Disk 4: OK 3724GB Group-1
Disk 5: OK 3724GB Group-2
Disk 6: OK 3724GB Group-2
Disk 7: Unused 3724GB
Disk 8: Unused 3724GB Group-2

FMG-410G # execute format disk 50
This operation will format hard disk to ext4 filesystem.
Do you want to continue? (y/n)y
Resetting ...

login as: admin
Keyboard-interactive authentication prompts from server:
| Password:
End of keyboard-interactive prompts from server

FMG-410G # diagnose system raid status
Storcli RAID:
RAID Level: Raid-50
RAID Status: OK
RAID Size: 22353GB
File System: ext4 22001GB
SED Encryption: Disabled
Groups: 2
Disk 1: OK 3724GB Group-1
Disk 2: OK 3724GB Group-1
Disk 3: OK 3724GB Group-1
Disk 4: OK 3724GB Group-1
Disk 5: OK 3724GB Group-2
Disk 6: OK 3724GB Group-2
Disk 7: OK 3724GB Group-2
Disk 8: OK 3724GB Group-2

To move SED-enabled disks to a new physical chassis:

In situations where SED-enabled disks need to be moved (re-homed) to a new physical chassis, the process will require additional steps. See below.

  1. On the target unit, install the same build as on the source unit. Install SED-capable drives, set up the RAID to match the source unit, and then enable SED using the same key as on the source unit.

  2. Shut down both units and remove the drives from their respective chassis.

  3. Move the source drives and install them into the target chassis.
