mmvdisk sed command

Manages IBM Spectrum Scale RAID self-encrypting drives (SED).

Synopsis

mmvdisk sed enroll --recovery-group RgName --rkmid RKMid --key-uuid KeyId [--confirm]
or
mmvdisk sed rekey  --recovery-group RgName --rkmid RKMid --key-uuid KeyId [--confirm]
or
mmvdisk sed list  {--all | --recovery-group RgName[,RgName...] |
                     --recovery-group RgName [--pdisk pdiskname] |
                     --pdisk-path pdisk-path} [-Y]
or
mmvdisk sed verify  {--all | --recovery-group RgName[,RgName...] |
                       --recovery-group RgName [--pdisk pdiskname] |
                       --pdisk-path pdisk-path} [-Y]

Availability

Available on all IBM Spectrum Scale editions.

Description

Use the mmvdisk sed command to manage SEDs. The command sets a new authentication key (master encryption key, MEK), changes the MEK to a new key, manages the encryption of the data on SEDs, and locks the drives automatically after a power recycle.

The mmvdisk sed command can be run from any ESS I/O node in an IBM Spectrum Scale cluster. The RKM server, such as a GKLM server, must be set up before you issue these commands. The GNR I/O nodes must have direct network access to the RKM server.
Note: The MEK is critical information. If it is lost, access to the encrypted data is also lost permanently. It is recommended that you back up the keys by following the remote key manager (RKM) backup procedures.

Parameters

enroll
Uses a master encryption key (MEK) from the RKM server and configures all the SEDs to enable encryption.
--rkmid RKMid
Specifies a new RKM ID.
--key-uuid KeyId
Specifies an MEK key ID that is created by using the mmkeyserv command and whose key is used as an MEK. For more information about the mmkeyserv command, see IBM Spectrum Scale documentation.
--confirm
Confirmation by the user to enroll all recovery groups of the node class of the specified recovery group.
The mmvdisk sed enroll command completes the following tasks:
  • Stores the new RKM ID and the new MEK in the sedKeyId config variable.
  • Updates the MEK key from the default MSID to the specified new key.
  • Enables the drives to get locked when the drives are power recycled.

An error message is displayed if the command does not enroll all the SEDs. If the command fails, it can be rerun to configure all the SEDs by using the same key.

rekey

Uses a new MEK from the RKM server and configures all the SEDs to use a new key as MEK.

--rkmid RKMid
Specifies a new RKM ID.
--key-uuid KeyId
Updates an MEK key from an old MEK to the specified new key for all SEDs of a recovery group.
--confirm
Confirmation by the user to rekey all recovery groups of the node class of the specified recovery group.
The mmvdisk sed rekey command completes the following tasks:
  • Updates sedKeyId config variable with the new RKM ID and the new MEK.
  • Updates the MEK key from an old MEK to a new key specified for all SEDs of a recovery group.

An error message is displayed if the command does not rekey all the SEDs successfully. If the command fails, it can be rerun to rekey all the SEDs by using the same new key. All the drives must be enrolled before you run rekey.

list
Displays the SED configuration status of the SEDs of recovery groups. With the pdisk option, the SED configuration status for the given pdisk is displayed. The pdisk can be in states such as Enrolled with sedKeyId, Unenrolled, or info unavailable. It also displays whether the pdisk is locked or unlocked.
--all
Selects all recovery groups.
--recovery-group RgName[,RgName...]
Specifies recovery group names.
--pdisk pdiskname
Specifies the pdisk name of the specified recovery group name.
--pdisk-path pdisk-path
Specifies the pdisk full path in the //<server_name>/dev/<drive_name> format.
-Y
Displays the output in a machine-readable format.

verify
Verifies whether the drives of a recovery group are SEDs. With the pdisk option, the command reports whether the specified pdisk is an SED.
--all
Selects all recovery groups.
--recovery-group RgName[,RgName...]
Specifies recovery group names.
--pdisk pdiskname
Specifies the pdisk name of the specified recovery group name.
--pdisk-path pdisk-path
Specifies the pdisk full path in the //<server_name>/dev/<drive_name> format.
-Y
Displays the output in a machine-readable format.

Exit status

0
Successful completion.
nonzero
A failure has occurred.

Security

You must have root authority to run the mmvdisk sed command.

The node on which the command is issued must be able to run remote shell commands on any other node in the cluster without the use of a password and without producing any extraneous messages.

Example

  1. Enroll a recovery group.
    # mmvdisk sed enroll --recovery-group rg1_3500_P12N --rkmid rkm_sedKeyId --key-uuid KEY-86a24d4-13894496-36b6-4688-b638-bfb2698bde39 --confirm
    A sample output is as follows:
    mmvdisk: Enrolling disks in recoverygroup rg1_3500_P12N  with new key from default MSID
    mmvdisk: Verifying the disks of RG rg1_3500_P12N for SED support.
    mmvdisk: Successfully enrolled e1s01 with sedKeyId
    mmvdisk: Successfully enrolled e1s02 with sedKeyId
    mmvdisk: Successfully enrolled e1s03 with sedKeyId
    mmvdisk: Successfully enrolled e1s04 with sedKeyId
    mmvdisk: Successfully enrolled e1s05 with sedKeyId
    mmvdisk: Successfully enrolled e1s06 with sedKeyId
    mmvdisk: Successfully enrolled e1s13 with sedKeyId
    mmvdisk: Successfully enrolled e1s14 with sedKeyId
    mmvdisk: Successfully enrolled e1s15 with sedKeyId
    mmvdisk: Successfully enrolled e1s16 with sedKeyId
    mmvdisk: Successfully enrolled e1s17 with sedKeyId
    mmvdisk: Successfully enrolled e1s18 with sedKeyId
  2. Change the MEK on the SEDs to use a new MEK.
    # mmvdisk sed rekey --recovery-group rg1_3500_P12N --rkmid rkm_sedKeyId --key-uuid KEY-86a24d4-66b6f796-b178-4778-b45e-2745765d6886
    A sample output is as follows:
    mmvdisk: Reenrolling disks in recoverygroup rg1_3500_P12N with new key
    mmvdisk: Successfully enrolled e1s01 with sedNewKeyId
    mmvdisk: Successfully enrolled e1s02 with sedNewKeyId
    mmvdisk: Successfully enrolled e1s03 with sedNewKeyId
    mmvdisk: Successfully enrolled e1s04 with sedNewKeyId
    mmvdisk: Successfully enrolled e1s05 with sedNewKeyId
    mmvdisk: Successfully enrolled e1s06 with sedNewKeyId
    mmvdisk: Successfully enrolled e1s13 with sedNewKeyId
    mmvdisk: Successfully enrolled e1s14 with sedNewKeyId
    mmvdisk: Successfully enrolled e1s15 with sedNewKeyId
    mmvdisk: Successfully enrolled e1s16 with sedNewKeyId
    mmvdisk: Successfully enrolled e1s17 with sedNewKeyId
    mmvdisk: Successfully enrolled e1s18 with sedNewKeyId
    
  3. Check the status of drives.
    # mmvdisk sed list --recovery-group BB01L

    A sample output is as follows:

    In nodeclass nc2  SED Configured: True
    Disk name      Recovery group     EnrolledStatus/LockedStatus
    ---------      --------------     ---------------------------
    e1s001         BB01L              Enrolled with sedKeyId/Unlocked
    e1s002         BB01L              Enrolled with sedKeyId/Unlocked
    e1s003         BB01L              Enrolled with sedKeyId/Unlocked
    e1s004         BB01L              Enrolled with sedKeyId/Unlocked
    e1s005         BB01L              Enrolled with sedKeyId/Unlocked
    e1s006         BB01L              Enrolled with sedKeyId/Unlocked
    e1s013         BB01L              Enrolled with sedKeyId/Unlocked
    e1s014         BB01L              Enrolled with sedKeyId/Unlocked
    e1s015         BB01L              Enrolled with sedKeyId/Unlocked
    e1s016         BB01L              Enrolled with sedKeyId/Unlocked
    e1s017         BB01L              Enrolled with sedKeyId/Unlocked
    e1s018         BB01L              Enrolled with sedKeyId/Unlocked
    e1s025         BB01L              Enrolled with sedKeyId/Unlocked
    e1s026         BB01L              Enrolled with sedKeyId/Unlocked
    e1s027         BB01L              Enrolled with sedKeyId/Unlocked
    e1s028         BB01L              Enrolled with sedKeyId/Unlocked
    e1s029         BB01L              Enrolled with sedKeyId/Unlocked
    e1s037         BB01L              Enrolled with sedKeyId/Unlocked
    e1s038         BB01L              Enrolled with sedKeyId/Unlocked
    e1s039         BB01L              Enrolled with sedKeyId/Unlocked
    e1s040         BB01L              Enrolled with sedKeyId/Unlocked
    e1s042         BB01L              Enrolled with sedKeyId/Unlocked
    e1s049         BB01L              Enrolled with sedKeyId/Unlocked
  4. Verify whether the drives of recovery groups are SEDs.
    # mmvdisk sed verify --recovery-group BB01L

    A sample output is as follows:

    Disk name      Recovery group     SED Drive
    ---------      --------------     ---------
    e1s001         BB01L              Yes
    e1s002         BB01L              Yes
    e1s003         BB01L              Yes
    e1s004         BB01L              Yes
    e1s005         BB01L              Yes
    e1s006         BB01L              Yes
    e1s013         BB01L              Yes
    e1s014         BB01L              Yes
    e1s015         BB01L              Yes
    e1s016         BB01L              Yes
    e1s017         BB01L              Yes
    e1s018         BB01L              Yes
    e1s025         BB01L              Yes
    e1s026         BB01L              Yes
    e1s027         BB01L              Yes
    e1s028         BB01L              Yes
    e1s029         BB01L              Yes
    e1s037         BB01L              Yes
    e1s038         BB01L              Yes
    e1s039         BB01L              Yes
    e1s040         BB01L              Yes
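
Added example, not part of the IBM documentation: a POSIX shell function that reads the table printed by mmvdisk sed list (example 3) and reports every drive that is not both enrolled and unlocked. The function names, the sample table, and the exact text of the Locked, Unenrolled and info unavailable rows are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed sample in the layout of example 3. The "Locked", "Unenrolled"
# and "info unavailable" rows use assumed spellings, not captured output.
sample_sed_list() {
cat <<'EOF'
    In nodeclass nc2  SED Configured: True
    Disk name      Recovery group     EnrolledStatus/LockedStatus
    ---------      --------------     ---------------------------
    e1s001         BB01L              Enrolled with sedKeyId/Unlocked
    e1s002         BB01L              Enrolled with sedKeyId/Locked
    e1s003         BB01L              Unenrolled/Unlocked
    e1s004         BB01L              info unavailable
EOF
}

# Reads the table on stdin, prints "disk rg reason" for each drive that is
# not "Enrolled with <key>/Unlocked", and returns 1 if any drive is flagged.
sed_list_exceptions() {
    awk '
        # Skip blank lines, the nodeclass banner, the header and the rule.
        /^[ \t]*$/ || /SED Configured:/ || /^[ \t]*Disk name/ || /^[ \t]*---/ { next }
        {
            if (NF < 3) { print $1, $2, "no status column"; bad++; next }
            disk = $1; rg = $2
            # The status column contains spaces, so cut it from the raw line.
            status = $0
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", status)
            sub(/[ \t]+$/, "", status)
            # Split "EnrolledStatus/LockedStatus" on the last slash.
            n = split(status, part, "/")
            lock = (n >= 2) ? part[n] : "unknown"
            enrolled = status
            if (n >= 2) sub("/[^/]*$", "", enrolled)
            reason = ""
            if (enrolled !~ /^Enrolled with /) reason = "enrollment=" enrolled
            if (lock != "Unlocked") reason = reason (reason ? "; " : "") "lock=" lock
            if (reason != "") { print disk, rg, reason; bad++ }
        }
        END { exit (bad > 0) }
    '
}

# Stand-alone run against the constructed sample.
sample_sed_list | sed_list_exceptions || echo "drives need attention"
```

On an I/O node, pipe the real command into the function instead of the sample, for example mmvdisk sed list --all | sed_list_exceptions.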

Location

/usr/lpp/mmfs/bin