Managing Encrypted Drives

The following procedures explain what you need to do to return encrypted drives to an operational state in the event of power failures, blade replacements, upgrades, and failover operations. This section also covers two periodic maintenance tasks: backing up the keystore and rotating the keys.

Warning: If you lose your encryption keys, you need to open a case with Yellowbrick Customer Support and run an "emergency unlock" command. Although this procedure will bring your encryption setup back to a clean state, your data will be lost.
After a power failure (total system)
If there is a power failure on the whole appliance, follow these steps to recover access to the drives:
  1. Restart the system. (Not everything will be operational.)
  2. Start the ybcli.
  3. Respond to the prompt to unlock the keystore and enter the authentication key.
  4. Power on the blades: blade poweron all
  5. Run the encryption unlock command.
After a power failure (manager nodes only)
If power fails only on the manager nodes, run the first three steps from the previous section.
After a power failure (blades only)
If power fails only on the compute blades, follow these steps:
  1. Power on the blades: blade poweron all
  2. Run the encryption unlock command.
  3. Respond to the prompt to unlock the keystore and enter the authentication key.
During an upgrade
During an upgrade on a system with encrypted drives, the Yellowbrick Installer will prompt you to unlock the keystore and run the encryption unlock command.
Replacing a blade
The steps for replacing a compute blade depend on whether you are going to use the same blade or a new one:
  • If you are replacing a failed blade with the same blade (after fixing the problem), run the encryption unlock command. If the command fails for some reason, you will probably need to replace the blade with another blade.
  • If you are replacing a failed blade with a new blade, run the encryption enable command and respond to the prompts to unlock the keystore and authenticate.
Adding one or more blades (expansion)
You can add one or more new blades to expand the capacity of the system. On a system that uses encryption:
  1. Make sure the new blade is a supported SED blade before inserting it into the chassis.
  2. Power on the new blade, using the blade poweron command.
  3. Run the encryption enable command and respond to the prompts.
  4. Run the blade add command.
After a manager node failover (or a reboot of the manager nodes)
The keystore is replicated on both manager nodes, so failing over does not require any user intervention. Encryption continues to work as normal.

If you need to run any encryption commands, you will see a prompt to unlock the keystore.

Key rotation
As an additional security measure, you can periodically generate new encryption keys for the drives. See the encryption rotate command. You can do the same thing with the unlock keys and authentication key by using the keystore rotate command.
Backup and restore operations
Whenever the keystore is modified in response to encryption enable and encryption rotate operations, a keystore backup happens automatically. Backup files are saved to the ybcli user's home directory. The files are very small and have a timestamped name.
Note: Always move new backup files to a remote system for secure storage.

You can back up the keystore manually at any time by using the keystore backup command.