To use the Drive Security feature with a key management server, you must create an external key that is shared by the key management server and the secure-capable drives in the storage array.

Before you begin
About this task

In this task, you define the IP address of the key management server and the port number it uses, and then load certificates for external key management.

  1. Select Settings > System.

  2. Under Security key management, select Create External Key.

    If internal key management is currently configured, a dialog box opens and asks you to confirm that you want to switch to external key management.

    The Create External Security Key dialog box opens.

  3. Under Connect to Key Server, enter information in the following fields.

    • Key management server address — Enter the fully qualified domain name or the IP address (IPv4 or IPv6) of the server used for key management.

    • Key management port number — Enter the port number used for KMIP communications. The most common port number used for key management server communications is 5696.

      Optional: If you want to configure a backup key server, click Add Key Server, and then enter that server’s information. The second key server will be used if the primary key server cannot be reached. Make sure that each key server has access to the same database of keys; otherwise, the array will post errors and cannot use the backup server.

      Only a single key server is used at a time. If the storage array cannot reach the primary key server, the array will contact the backup key server. Be aware that you must maintain parity across both servers; failure to do so may result in errors.

    • Select client certificate — Click the first Browse button to select the certificate file for the storage array’s controllers.

    • Select key management server’s server certificate — Click the second Browse button to select the certificate file for the key management server. You can choose a root, intermediate, or server certificate for the key management server.

  4. Click Next.

  5. Under Create/Backup Key, you can create a backup key for security purposes.

    • (Recommended) To create a backup key, keep the checkbox selected, and then enter and confirm a pass phrase. The value can have between 8 and 32 characters, and must include each of the following:

      • An uppercase letter (one or more). Keep in mind that the pass phrase is case sensitive.

      • A number (one or more).

      • A non-alphanumeric character, such as !, *, @ (one or more).

    Be sure to record your entries for later use. If you need to move a secure-enabled drive from the storage array, you must know the pass phrase to unlock drive data.

    • If you do not want to create a backup key, deselect the checkbox.

      Be aware that if you lose access to the external key server and you do not have a backup key, you will lose access to data on the drives if they are migrated to another storage array. This option is the only method for creating a backup key in System Manager.

  6. Click Finish.

    The system connects to the key management server with the credentials you entered. A copy of the security key is then stored on your local system.

    The path for the downloaded file might depend on the default download location of your browser.

  7. Record your pass phrase and the location of the downloaded key file, and then click Close.

    The page displays the following message with additional links for external key management:

    Current key management method: External

  8. Test the connection between the storage array and the key management server by selecting Test Communication.

    Test results display in the dialog box.
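
    The values entered in steps 3 and 5 can be checked before you open the dialog box, for example when they come from a change ticket or a provisioning script. The following Python sketch is an added example, not part of System Manager or the original procedure. The function names are hypothetical, and the treatment of "fully qualified" and "non-alphanumeric" is an assumption noted in the comments.

```python
import ipaddress
import re

KMIP_DEFAULT_PORT = 5696  # most common KMIP port, per step 3

# Hostname label (RFC 1123): letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_server_address(addr):
    """Return 'ipv4', 'ipv6' or 'fqdn' for a usable address, else None."""
    try:
        return "ipv%d" % ipaddress.ip_address(addr).version
    except ValueError:
        pass  # not an IP literal; fall through to the host name check
    labels = addr.rstrip(".").split(".")
    # Assumption: "fully qualified" means two or more labels and a non-numeric
    # last label, so a mistyped IPv4 address is not accepted as a host name.
    if (len(addr) <= 253 and len(labels) >= 2
            and all(_LABEL.match(label) for label in labels)
            and not labels[-1].isdigit()):
        return "fqdn"
    return None


def check_port(port):
    """True for an integer TCP port in the range 1-65535."""
    return isinstance(port, int) and not isinstance(port, bool) and 1 <= port <= 65535


def check_pass_phrase(phrase, confirm):
    """Return the list of violated rules from step 5; empty means acceptable."""
    problems = []
    if phrase != confirm:
        problems.append("entry and confirmation differ (pass phrase is case sensitive)")
    if not 8 <= len(phrase) <= 32:
        problems.append("length must be between 8 and 32 characters")
    if not any(c.isupper() for c in phrase):
        problems.append("needs an uppercase letter")
    if not any(c.isdigit() for c in phrase):
        problems.append("needs a number")
    # Assumption: any character that is not a letter or digit counts here.
    if all(c.isalnum() for c in phrase):
        problems.append("needs a non-alphanumeric character")
    return problems
```

    An empty list from check_pass_phrase means the pass phrase meets every rule listed in step 5; otherwise each entry names one rule to fix.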


When external key management is enabled, you can create secure-enabled volume groups or pools, or you can enable security on existing volume groups and pools.

Whenever power to the drives is turned off and then on again, all the secure-enabled drives change to a Security Locked state. In this state, the data is inaccessible until the controller applies the correct security key during drive initialization. If someone physically removes a locked drive and installs it in another system, the Security Locked state prevents unauthorized access to its data.

After you finish

You should validate the security key to make sure the key file is not corrupted.