
Article Number: 000055170


Dell EMC Unity: Enabling Data-at-rest Encryption. (User Correctable)

Summary: Unity: Enabling Data-at-rest Encryption

Article Content


Symptoms



Data-at-rest Encryption not enabled on Unity Storage.

Cause

D@RE was not enabled during initial installation.

Resolution

To determine whether the license file is D@RE-entitled, check the SO (Sales Order), which lists all enabled licenses. You can also open the license file with a text editor such as Windows Notepad to display all licenses contained within the file.


Sample Unity license bundle file D@RE license text:
 
INCREMENT DATA_AT_REST_ENCRYPTION EMCLM 1.0 30-sep-2016 uncounted \
     HOSTID=ANY ISSUER=EMC ISSUED=08-sep-2006 SIGN="00D4 DA62 C066 \
     C0CC C4B8 2C88 CCBE D100 F990 9081 A7B4 EA75 1A73 2398 BC81"
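
Because installing the license is the point of no return for D@RE, the check described above can be scripted and run before the file is uploaded. The following is an added example, not Dell EMC code: it parses the INCREMENT entries of a license bundle and reports whether DATA_AT_REST_ENCRYPTION is present. The sample bundle, its second feature name and the SIGN values are constructed, and the field names are assumptions based on the layout of the sample entry.

```python
import re
import sys

DARE_FEATURE = "DATA_AT_REST_ENCRYPTION"

# Constructed sample bundle: entry layout copied from the page's sample,
# second feature name and both SIGN values are made up for illustration.
SAMPLE_BUNDLE = r'''
INCREMENT DATA_AT_REST_ENCRYPTION EMCLM 1.0 30-sep-2016 uncounted \
     HOSTID=ANY ISSUER=EMC ISSUED=08-sep-2006 SIGN="0000 0000 \
     0000 0000"
INCREMENT EXAMPLE_FEATURE EMCLM 1.0 30-sep-2016 uncounted \
     HOSTID=ANY ISSUER=EMC ISSUED=08-sep-2006 SIGN="1111 1111"
'''


def join_continuations(text):
    """Fold lines ending in a backslash into the line that follows."""
    return re.sub(r"\\[ \t]*\r?\n[ \t]*", " ", text)


def parse_increments(text):
    """Return one dict per INCREMENT entry in a license bundle."""
    entries = []
    for line in join_continuations(text).splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "INCREMENT":
            continue  # comments, blank lines, other record types
        # Key names are assumptions taken from the field order in the sample.
        entry = dict(zip(("feature", "vendor", "version", "date", "count"),
                         fields[1:6]))
        entry["options"] = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        entries.append(entry)
    return entries


def dare_entitled(text):
    """True only if the bundle carries a D@RE INCREMENT entry."""
    return any(e["feature"] == DARE_FEATURE for e in parse_increments(text))


if __name__ == "__main__":
    # Pass the license file path, or run with no argument for the sample.
    bundle = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    for e in parse_increments(bundle):
        print(e["feature"], e["date"], e["options"].get("ISSUER", "-"))
    print("D@RE entitled:", dare_entitled(bundle))
```

A result of `D@RE entitled: False` means the bundle should be compared against the Sales Order before it is installed.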



ENABLING D@RE
D@RE is included by default on Unity arrays and included in the Unity license file unless otherwise requested during ordering. Therefore, all that is needed to activate D@RE is to install the D@RE enabled license file. The license installation process is not specific to D@RE, and is required to be performed before using the array. When logging into Unisphere for the first time, license installation appears as a step of the Unisphere Configuration Wizard, prompting the administrator to install the license file obtained from EMC. If this license file includes D@RE functionality, D@RE will be enabled once the license file is installed successfully. Encryption is either completely enabled or completely disabled at a system level; there is no ability to partially encrypt the system, such as specific disks, pools, or LUNs. Once the encryption enabled license is installed, the entire system will be encrypted.


Figure 1 - Installing License

It is important to note that installing the license on the array is the point of no return with regard to D@RE activation. If the license file includes D@RE, D@RE will be permanently enabled on the system and cannot be disabled in the future. Similarly, if the license file does not include D@RE, D@RE will be permanently disabled on the system and cannot be enabled in the future. Unity D@RE can only be enabled at the time of initial installation, and does not support data-in-place upgrades on existing non-D@RE enabled systems. Once the license has been installed successfully, the D@RE feature will appear as licensed, which can be verified from within the Unisphere Configuration Wizard or from the Licenses page. If a license file without D@RE functionality was installed, D@RE will be permanently disabled and will not appear on the Licenses page.

Figure 2 - Data at Rest Encryption License

Once D@RE is activated, the Scrubbing process will initiate and begin to overwrite all addressable space on the Unity drives. All drives will be overwritten with zeroes in order to sanitize any potential residual data on the drives, for example, if the drives have previously been used in another array. This is essentially a background zeroing process which completes when all drives have been zeroed; this may take a long time depending on the capacity and speed of the drives in the array. When the scrubbing process is complete, the encryption status on the Encryption page in Unisphere will change to "Encrypted". Note that for SAS Flash 2 drives, unmap is used to scrub the drives rather than zeroing.

Figure 3 - Data at Rest Encryption Page

Note that the scrubbing process is only concerned with sanitizing preexisting unencrypted addressable space on the drives, and any user data written to the storage array will still be encrypted inline while this process is ongoing. The array is protected and available to create pools and store data securely as soon as the D@RE feature is enabled. Also note that the scrubbing process does not sanitize non-addressable drive space, which may contain hidden residual data if the drives were used previously. This data is not readily retrievable through standard interfaces, but may be accessible through advanced laboratory techniques. If potential access to data remnants from previous use of a drive violates your company's security policy, the drive must be independently sanitized prior to being used in an encrypted Unity storage system. Scrubbing also does not perform multiple overwrites of residual data. If this is a requirement, drives must be independently sanitized prior to being used in an encrypted Unity storage system.
 

Note:

If the Unity Storage Array is in pre-production and D@RE was not enabled during initialization, then the storage system will have to be reinitialized. The procedure for this can be found at the following link:
KB 485393 Reinitializing the Unity Operating Environment (OE)

Reinitializing the Unity OE is destructive, as it completely removes all data and configuration that may already exist. Therefore, this procedure is not intended to be used on a "Production" system, as it will reset the system to a 'back to factory' state based on the same OE version that was last in use.

Once reinitialized, follow the above procedure for enabling D@RE.

Additional Information

More information about Unity and D@RE can be found within the following white paper:

http://www.emc.com/collateral/white-papers/h15090-emc-unity-data-at-rest-encryption.pdf

Article Properties


Affected Product

Dell EMC Unity Family

Product

Dell Unity 300, Dell EMC Unity 300F, Dell EMC Unity 400, Dell EMC Unity 400F, Dell EMC Unity 500, Dell EMC Unity 500F, Dell EMC Unity 600, Dell EMC Unity 600F, Dell EMC Unity Family

Last Published Date

20 Nov 2020

Version

2

Article Type

Solution