I am not sure if I am reaching out to the correct team.
I am involved in a project where we use UCS C-series and by security compliance, we need to protect data at rest.
We thought about options like using DM-Crypt with LUKS to encrypt the full disk but I crossed a document talking about Cisco IMC supports self-encrypting drives (SED).
For us, it’s always better to use our solution and for this can anyone help with some details about this feature in UCS:
o Level of encryption on the disk?
o Used Cyphers, algorithm?
o Key management: should the key reside on the server or called from external location?
o Is the key needed for each reboot?
o What is the key lifecycle overview?
It’s urgent and any help will be appreciated.
Nice chatting with you the other day. As discussed, we have been supporting SEDs on our standalone C-Series servers for quite some time. Up until recently, the key management for these drives was a manual process. However, with our most recent 3.0(2) Cisco IMC FW, we now support both local and remote key management, specifically SafeNet and Vormetric key managers. This makes deploying SEDs at scale much more secure, and eliminates the need for remembering unique cryptographic keys for each drive.
I am working on getting answers to some of the more pinpointed questions, but please reach out should you need additional info.
Regarding your other queries:
Level of Encryption on the Disk: We use full disk encryption (FDE)
Used Cyphers/Algorithms: These are internal to the SED drives, they are not handled vy external software, MegaRAID, nor the Cisco IMC.
Key Management: for local key management, the key resides on the server/controller. For KMIP, the key resides on the key management server as well as the controller.
Key needed for each reboot: Not for MegaRAID. There is a "password" needed at every boot, if enabled, but we do not support this today.
Lifecycle: Today - once created, keys reside until they are changed. Most users will perform a re-key operation periodically as they do for passwords, etc.
Great help thanks Gregory