Returning SEDs to unprotected mode

If your storage system is configured to use Storage Encryption but you decide to stop using this feature, you can do so by returning the SEDs to unprotected mode. You cannot disable Storage Encryption altogether because SEDs always encrypt data for storage. However, you can return them to unprotected mode where they no longer use secret authentication keys, and use the default MSID instead.

Steps

  1. Access the nodeshell by entering the following command: system node run -node node_name
  2. To change the authentication key for all SEDs on the storage system back to the default MSID, enter the following command: disk encrypt rekey * 0x0
  3. If you expect to operate the storage system in unprotected mode permanently, you should also remove all key management servers by entering the following command for each one: key_manager remove -key_server key_server_ip_address
    -key_server key_server_ip_address specifies the IP address of the key management server you want to remove.
    The storage system displays two kmip_init errors during every bootup after you remove all key management servers. These errors are normal in this situation and you can disregard them.
  4. If you expect to operate the storage system in unprotected mode permanently and you removed all key management servers in the preceding step, you should view the list of installed Storage Encryption related SSL certificates, and then remove all key management server SSL certificates:
    keymgr cert list
    keymgr delete cert client.pem
    keymgr delete cert client_private.pem
    keymgr delete cert key_management_server_ipaddress_CA.pem
    If you had multiple key management servers linked to the storage system, repeat the last command for each public certificate of each key management server.
  5. Exit the nodeshell and return to the clustershell by entering the following command: exit
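
A check to run after step 2, added here as an example and not part of the original procedure or the vendor's code: it reads a saved copy of the nodeshell disk encrypt show output and lists every SED that is not back on the default MSID. The three-column layout (disk, key ID, locked state), the audit function name, and the sample rows are assumptions constructed for illustration.

```python
# Added example: audit saved nodeshell "disk encrypt show" output after the rekey.
# Assumed layout (not shown on this page): a header row, then one row per SED
# with three whitespace-separated columns: disk, key ID, locked state.

# Constructed sample, not captured from a real system. The last row is cut short
# on purpose to show how incomplete lines are reported.
SAMPLE_OUTPUT = """\
Disk       Key ID                                                           Locked?
0c.00.0    0x0                                                              No
0c.00.1    0x0                                                              No
0c.00.2    0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF Yes
0c.00.3    0x0
"""


def audit(text):
    """Return (protected, unparsed).

    protected: (disk, key_id, locked) rows whose key ID is not 0x0 or that are
               still locked, i.e. SEDs not returned to the default MSID.
    unparsed:  lines that did not match the assumed layout; review these by hand
               instead of treating them as clean.
    """
    protected, unparsed = [], []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Disk":
            continue  # blank line or column header
        if len(fields) != 3 or fields[2].lower() not in ("yes", "no"):
            unparsed.append(line.strip())
            continue
        disk, key_id, locked = fields
        try:
            on_msid = int(key_id, 16) == 0  # accepts "0x0" and bare hex digits
        except ValueError:
            unparsed.append(line.strip())
            continue
        if not on_msid or locked.lower() == "yes":
            protected.append((disk, key_id, locked))
    return protected, unparsed


if __name__ == "__main__":
    protected, unparsed = audit(SAMPLE_OUTPUT)
    for disk, key_id, locked in protected:
        print(f"{disk}: key ID {key_id[:16]}, locked={locked} -> still protected")
    for line in unparsed:
        print(f"could not parse, check manually: {line}")
```

An empty protected list together with an empty unparsed list means every listed SED reports key ID 0x0 and is unlocked.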