ONTAP 9.14.1 commands

storage encryption disk show

Display self-encrypting disk attributes

Availability: This command is available to cluster administrators at the admin privilege level.

Description

The storage encryption disk show command displays information about encrypting drives. When no parameters are specified, the command displays the following information about all encrypting drives:

  • Disk name

  • The protection mode of the device

  • The key ID associated with the data authentication key ("data AK")

In MetroCluster systems, the information is valid from the cluster that owns the drive, or from the DR cluster when in switchover mode. If information is not available, perform the show command from the cluster partner.

You can use the following parameters together with the -disk parameter to narrow the selection of displayed drives or the information displayed about them.

Parameters

{ [-fields <fieldname>,…]

If you specify the -fields <fieldname>,… parameter, the command output also includes the specified field or fields. You can use '-fields ?' to display the fields to specify.

| [-fips ]

If you specify this parameter, the command displays the key ID associated with the FIPS-compliance authentication key ("FIPS AK") instead of the data key ID.

| [-instance ] }

If you specify this parameter, the command displays detailed disk information about all disks, or only those specified by a -disk parameter.

[-disk <disk path name>] - Disk Name

If you specify this parameter, the command displays information about the specified disks. If you specify a single disk path name, the output is the same as when you use the -instance parameter. See the man page for the storage disk modify command for information about disk-naming conventions. Default is all self-encrypting disks.

[-container-name <text>] - Container Name

This parameter specifies the container name associated with an encrypting drive. If you specify an aggregate name or other container name, only the encrypting drives in that container are displayed. See the man page for the storage disk show command for a description of the container name. Use the storage aggregate show-status and storage disk show commands to determine which aggregates the drives are in.

[-container-type {aggregate | broken | foreign | labelmaint | maintenance | mediator | remote | shared | spare | unassigned | unknown | unsupported}] - Container Type

This parameter specifies the container type associated with an encrypting drive. If you specify a container type, only the drives with that container type are displayed. See the man page for the storage disk show command for a description of the container type.

[-data-key-id <text>] - Key ID of the Current Data Authentication Key

This parameter specifies the key ID associated with the data AK that the encrypting drive requires for authentication with its data-protection authorities. The special key ID 0x0 indicates that the current data AK of the drive is the default manufacture secure ID (MSID) that is not secret. Some devices employ an initial null default AK that appears as a blank data-key-id; you cannot specify a null data-key-id value. To properly protect data at rest on the device, modify the data AK using a key ID that is not a default value (MSID or null). When you modify the data AK with a non-MSID key ID, the system automatically sets the device’s power-on lock enable control so that authentication with the data AK is required after a device power-cycle. Use storage encryption disk modify-data-key-id key-id to protect the data. Use storage encryption disk modify-fips-key-id key-id to place the drives into FIPS-compliance mode.

[-fips-key-id <text>] - Key ID of the Current FIPS Authentication Key

This parameter specifies the key ID associated with the FIPS authentication key ("FIPS AK") that the system must use to authenticate with FIPS-compliance authorities in FIPS-certified drives. This parameter may not be set to a non-MSID value in drives that are not FIPS-certified.

[-is-power-on-lock-enabled {true|false}] - Is Power-On Lock Protection Enabled?

This parameter specifies the state of the control that determines whether the encrypting drive requires authentication with the data AK after a power-cycle. The system enables this control parameter automatically when you use the storage encryption disk modify-data-key-id command to set the data AK to a value other than the default AK. Data is protected only when this parameter is true and the data AK is not a default. Compare with the values of the -protection-mode parameter below.

[-protection-mode <text>] - Mode of SED Data and FIPS-Compliance Protection

The protection mode that the drive is in:

  • open - data is unprotected; drive is not in FIPS-compliance mode

  • data - data is protected; drive is not in FIPS-compliance mode

  • part - data is unprotected; drive is otherwise in FIPS-compliance mode

  • full - data is protected; drive is in FIPS-compliance mode

  • miss - protection mode information is not available

[-type {ATA | BSAS | FCAL | FSAS | LUN | MSATA | SAS | SSD | VMDISK | SSD-NVM | SSD-CAP | SSD-ZNS | VMLUN | VMLUN-SSD}] - Disk Type

This parameter selects the drive type to include in the output.

[-control-standard <text>] - Control Standard

This parameter specifies the industry standard for control of encrypting drives that the drive implements.

[-compliance-standard <text>] - Compliance Standard

This parameter specifies the industry compliance standard, if any, that the drive is certified as adhering to.

[-overall-security <text>] - Overall Security

This parameter specifies the drive’s certified security level as defined in the compliance-standard, if the drive is certified to a compliance standard.

Examples

The following command displays information about all encrypting drives:

cluster1::> storage encryption disk show
Disk    Mode Data Key ID
------- ---- -----------------------------------------------------------------
0.0.0   open 0x0
0.0.1   part 0x0
0.0.2   data 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
1.10.0  open 0A53ED2A000000000100000000000000BEDC1B27AD3F0DB8891375AED2F34D0B
1.10.1  part 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
1.10.2  full 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
[...]

Note in the example that only disk 1.10.2 is fully protected: it is in FIPS-compliance mode, power-on lock is enabled, and its data AK is neither the default MSID nor a null key.
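The following script is an added example, not part of the ONTAP command reference or NetApp's own tooling. It parses the tabular output shown above (embedded here as a constructed sample copied from that output) and reports every drive that is not fully protected, applying the rules given in the parameter descriptions: a protection mode other than "full" leaves data unprotected or outside FIPS-compliance mode, and a data AK key ID of 0x0 (the MSID) or a blank key ID (null) is a default that protects nothing. Function and variable names are the example's own.

```python
"""Audit the tabular output of `storage encryption disk show`.

Added example, not part of the ONTAP command reference. The rules come from
the parameter descriptions on this page: a drive counts as fully protected
only when its protection mode is "full" (data protected and in FIPS-compliance
mode) and its data AK key ID is neither the MSID (0x0) nor null (blank).
"""
from dataclasses import dataclass

# Constructed sample: the page's own example output, including the prompt,
# header, separator and the trailing "[...]" continuation marker.
SAMPLE_OUTPUT = """\
cluster1::> storage encryption disk show
Disk    Mode Data Key ID
------- ---- -----------------------------------------------------------------
0.0.0   open 0x0
0.0.1   part 0x0
0.0.2   data 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
1.10.0  open 0A53ED2A000000000100000000000000BEDC1B27AD3F0DB8891375AED2F34D0B
1.10.1  part 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
1.10.2  full 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
[...]
"""

MSID_KEY_ID = "0x0"          # default manufacture secure ID; it is not secret
PROTECTION_MODES = {"open", "data", "part", "full", "miss"}


@dataclass
class DiskRecord:
    disk: str
    mode: str
    key_id: str              # "" when the drive reports a null (blank) data AK


def parse_show_output(text):
    """Turn the command output into DiskRecord objects, skipping every line
    that is not a drive row (prompt, column header, separator, "[...]")."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[1] not in PROTECTION_MODES:
            continue
        key_id = parts[2] if len(parts) >= 3 else ""   # blank column = null AK
        records.append(DiskRecord(parts[0], parts[1], key_id))
    return records


def audit(records):
    """Return {disk: [reasons]} for every drive that is not fully protected.
    Drives absent from the result are in mode "full" with a non-default AK."""
    findings = {}
    for r in records:
        reasons = []
        if r.mode in ("open", "part"):
            reasons.append(f"data unprotected (mode {r.mode})")
        elif r.mode == "data":
            reasons.append("data protected but drive not in FIPS-compliance mode")
        elif r.mode == "miss":
            reasons.append("protection mode unavailable; run from the owning cluster")
        if r.key_id == MSID_KEY_ID:
            reasons.append("data AK is the default MSID (key ID 0x0)")
        elif r.key_id == "":
            reasons.append("data AK is null (blank key ID)")
        if reasons:
            findings[r.disk] = reasons
    return findings


if __name__ == "__main__":
    for disk, reasons in sorted(audit(parse_show_output(SAMPLE_OUTPUT)).items()):
        print(disk, "->", "; ".join(reasons))
```

On the sample, only 1.10.2 passes; 1.10.0 is reported even though its data AK is not the MSID, because mode "open" means the drive still does not require that AK (for instance when power-on lock is not enabled). Run the same parser over the output captured from each cluster, since in MetroCluster systems the information is only valid from the owning cluster or from the DR cluster in switchover mode.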

The following command displays information about the protection mode and FIPS key ID for all encrypting drives:

cluster1::> storage encryption disk show -fips
Disk    Mode FIPS-Compliance Key ID
------- ---- -----------------------------------------------------------------
0.0.0   open 0x0
0.0.1   part 0A53ED2A000000000100000000000000C1B27AD3F0DB8891375AED2F34D0BBED
0.0.2   data 0x0
1.10.0  open 0A53ED2A000000000100000000000000BEDC1B27AD3F0DB8891375AED2F34D0B
1.10.1  part 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
1.10.2  full 0A9C9CFC000000000100000000000000BEDC1B27AD3F0DB8891375AED2F34D0B
[...]

Note again that only disk 1.10.2 is fully protected with FIPS-compliance mode set, power-on-lock enabled, and a data AK that is not the default MSID or a null key.

The following command displays the individual fields for disk 1.10.2:

cluster1::> storage encryption disk show -disk 1.10.2
                                     Disk Name: 1.10.2
                                Container Name: aggr0
                                Container Type: shared
                      Is Drive FIPS-certified?: true
 Key ID of the Current Data Authentication Key: 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
 Key ID of the Current FIPS Authentication Key: 0A9C9CFC000000000100000000000000BEDC1B27AD3F0DB8891375AED2F34D0B
          Is Power-On Lock Protection Enabled?: true
   Mode of Data and FIPS-Compliance Protection: full
                                    Drive Type: SSD
                              Control Standard: TCG Enterprise
                           Compliance Standard: FIPS 140-2
                              Overall Security: Level 2
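The following script is an added example and not part of the ONTAP command reference. It parses the detailed (-disk or -instance) output shown above, embedded here as a constructed sample copied from that output, and applies the rule stated for -is-power-on-lock-enabled: data is protected only when that control is true and the data AK is not a default (MSID 0x0 or null). It also derives the open/data/part/full label and compares it with the protection mode the drive reports. One assumption is made here that the page only implies: FIPS-compliance mode is taken to mean a FIPS-certified drive whose FIPS AK is not a default. All function names are the example's own.

```python
"""Check one drive's detailed record from `storage encryption disk show -disk`.

Added example, not part of the ONTAP command reference. Data is treated as
protected only when power-on lock is enabled AND the data AK is not a default
(MSID 0x0 or null). FIPS-compliance mode is inferred (an assumption made
here) from a FIPS-certified drive holding a non-default FIPS AK.
"""

# Constructed sample: the page's own output for disk 1.10.2.
SAMPLE_INSTANCE = """\
cluster1::> storage encryption disk show -disk 1.10.2
                                     Disk Name: 1.10.2
                                Container Name: aggr0
                                Container Type: shared
                      Is Drive FIPS-certified?: true
 Key ID of the Current Data Authentication Key: 0A9C9CFC000000000100000000000000345CFD1BAD310CA8EDB377D439FB5C9A
 Key ID of the Current FIPS Authentication Key: 0A9C9CFC000000000100000000000000BEDC1B27AD3F0DB8891375AED2F34D0B
          Is Power-On Lock Protection Enabled?: true
   Mode of Data and FIPS-Compliance Protection: full
                                    Drive Type: SSD
                              Control Standard: TCG Enterprise
                           Compliance Standard: FIPS 140-2
                              Overall Security: Level 2
"""

DEFAULT_KEY_IDS = {"0x0", ""}    # MSID and null: neither one protects data


def parse_instance_output(text):
    """Parse 'Label: value' lines into a dict; the ONTAP prompt line is skipped."""
    fields = {}
    for line in text.splitlines():
        if "::>" in line or ":" not in line:
            continue
        label, _, value = line.partition(":")
        fields[label.strip()] = value.strip()
    return fields


def data_protected(fields):
    """Rule from the -is-power-on-lock-enabled description."""
    lock_on = fields.get("Is Power-On Lock Protection Enabled?", "").lower() == "true"
    data_ak = fields.get("Key ID of the Current Data Authentication Key", "")
    return lock_on and data_ak not in DEFAULT_KEY_IDS


def fips_mode(fields):
    """Assumption: FIPS-certified drive with a non-default FIPS AK."""
    certified = fields.get("Is Drive FIPS-certified?", "").lower() == "true"
    fips_ak = fields.get("Key ID of the Current FIPS Authentication Key", "")
    return certified and fips_ak not in DEFAULT_KEY_IDS


def derived_mode(fields):
    """Map the two checks onto the page's open/data/part/full labels."""
    table = {(True, True): "full", (True, False): "data",
             (False, True): "part", (False, False): "open"}
    return table[(data_protected(fields), fips_mode(fields))]


def mode_consistent(fields):
    """True when the reported protection mode matches the derived label."""
    return fields.get("Mode of Data and FIPS-Compliance Protection") == derived_mode(fields)


if __name__ == "__main__":
    f = parse_instance_output(SAMPLE_INSTANCE)
    print(f["Disk Name"], "reported:", f["Mode of Data and FIPS-Compliance Protection"],
          "derived:", derived_mode(f), "consistent:", mode_consistent(f))
```

A mismatch between the reported and derived mode is worth investigating rather than silently accepting: either the assumption about FIPS-compliance mode does not hold for that drive model, or the drive's state changed between the two fields being read.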