Enable iDRAC Local Key Management iLKM on Dell PowerEdge Servers Instructions

June 4, 2024
Dell

Enable iDRAC Local Key Management (iLKM) on Dell PowerEdge Servers
This Configuration and Deployment Guide describes the process of enabling the iLKM feature on PowerEdge servers. Key tips and troubleshooting techniques for using iLKM are also discussed.

Revisions

Date          Description
April 2022    Initial release

Acknowledgments

This Configuration and Deployment Guide was produced by the following members of the Dell Enterprise Server Solutions team:
Author—Sanjeev Dambal, Texas Roemer, Xavier Conley, Aaron Colichia and Craig Phelps.
Support—Sheshadri PR Rao

The information in this publication is provided “as is.” Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.
Use, copying, and distribution of any software described in this publication requires an applicable software license.
© 2022 Dell Inc. or its subsidiaries. All Rights Reserved. Dell and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.
Dell believes the information in this document is accurate as of its publication date. The information is subject to change without notice.

Executive summary
iDRAC Local Key Management (iLKM) is intended for users who do not plan to deploy Secure Enterprise Key Management (SEKM) immediately but want to secure drives through iDRAC now and migrate to SEKM later. In this solution, iDRAC acts as the key manager: it generates the authentication keys that secure supported storage devices and stores them in its own credential vault. When users decide to move to SEKM, they can transition from iLKM to the iDRAC-based SEKM solution.

Setting up iLKM on iDRAC

Requirements
Licensing
iLKM is a licensed feature: it requires the SEKM license, which in turn requires an iDRAC Datacenter or Enterprise license. No additional iDRAC firmware update is required after installing the SEKM license to enable iLKM.
Supported devices

iLKM currently supports only direct-attached NVMe SEDs that implement TCG Opal 2.0 or later.
Note: In this release, iLKM and PERC LKM are independent features. LKM for drives behind a PERC controller is enabled with the existing PERC LKM feature regardless of whether iLKM is enabled, and vice versa. iLKM cannot be enabled on an iDRAC where SEKM is already enabled.

Configure iLKM by using the iDRAC GUI

  1. Log in to iDRAC by using any supported browser.

  2. Click iDRAC Settings > Services.

  3. Expand the iDRAC Key Management menu and select iLKM for Key Management Service.
    Figure 1 Enable iLKM using the iDRAC GUI
    Note: iLKM uses the iDRAC password strength requirements feature to validate the user-provided passphrase. Both the key ID and the passphrase are limited to 255 characters. Record the passphrase securely: it is required later for a rekey, for the iLKM to SEKM transition, and to unlock a drive that has been moved to another system.
    Note: If the Auto Secure option is enabled (the default) when iLKM is enabled, iDRAC automatically secures all supported NVMe SEDs.

  4. Click Apply. A message is displayed indicating that a job ID has been created.

  5. Go to the Job Queue page and ensure that the job is marked as successfully completed.
    Figure 3 iLKM is successfully configured.

  6. View the Lifecycle (LC) log entries to confirm that iDRAC successfully secured each supported NVMe drive.
    Figure 4 LC log entries after enabling iLKM with the Auto Secure option enabled
    iLKM configuration is now complete.

Ensure that supported NVMe drives are secured

  1. In the iDRAC GUI, click Storage > Overview > Physical Disks.
  2. Select Filter Drives, then select Secured for Security Status to list all drives currently secured by iDRAC.
    Figure 5 Ensure that supported NVMe drives are secured.

Configure iLKM solution by using iDRAC RACADM CLI

In the following workflow example, iDRAC RACADM is used to enable iLKM.
The get command displays the current values of the idrac.sekm attribute group before and after each change; the iLKM subcommand performs the change and returns a job ID that can be tracked in the job queue.

Note: The examples here use the default iDRAC username and password (root/calvin). Replace them with the appropriate iDRAC username and password set up on the PowerEdge server.

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn get idrac.sekm
    [Key=idrac.Embedded.1#SEKM.1]
    AutoSecure=Enabled
    iLKMStatus=Disabled
    IPAddressInCertificate=Disabled
    KeyAlgorithm=AES-256
    KeyCreationPolicy=Key per iDRAC
    KeyIdentifierN=
    KeyIdentifierNMinusOne=
    KMSKeyPurgePolicy=Keep All Keys
    SecurityMode=None
    SEKMStatus=Disabled
    SupportStatus=LicenseOnly

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn iLKM enable -keyid original_key_id -passphrase Dell123!
    SEKM0212: The operation is successfully started. To view the status of a job, run the "racadm jobqueue view -i JID_448784146122" command at the Command Line Interface (CLI).

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn jobqueue view -i JID_448784146122
    ---------------------------- JOB -------------------------
    [Job ID=JID_448784146122]
    Job Name=iLKM Status Change
    Status=Completed
    Scheduled Start Time=[Not Applicable]
    Expiration Time=[Not Applicable]
    Actual Start Time=[Mon, 14 Feb 2022 16:40:14]
    Actual Completion Time=[Mon, 14 Feb 2022 16:40:21]
    Message=[SEKM069: iLKM was enabled successfully on iDRAC.]
    Percent Complete=[100]

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn get idrac.sekm.iLKMStatus
    [Key=idrac.Embedded.1#SEKM.1]
    iLKMStatus=Enabled

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn get idrac.sekm
    [Key=idrac.Embedded.1#SEKM.1]
    AutoSecure=Enabled
    iLKMStatus=Enabled
    IPAddressInCertificate=Disabled
    KeyAlgorithm=AES-256
    KeyCreationPolicy=Key per iDRAC
    KeyIdentifierN=original_key_id
    KeyIdentifierNMinusOne=
    KMSKeyPurgePolicy=Keep All Keys
    SecurityMode=iLKM
    SEKMStatus=Disabled
    SupportStatus=LicenseOnly

Rekey operation
iDRAC maintains two authentication keys: the current key (KeyIdentifierN) and the previous key (KeyIdentifierNMinusOne). When iLKM is first enabled, iDRAC marks the generated authentication key as the current key and leaves the previous key empty.

On every rekey, iDRAC rotates the keys: the previous key is discarded, the current key becomes the previous key, and the newly generated key becomes the current key. The previous key is retained so that, if the rekey fails for a particular device, iDRAC still holds the key that unlocks it. Because only one previous key is kept, resolve any device that failed to rekey before starting another rekey; otherwise its key is discarded on the next rotation and the drive can then only be recovered by a PSID revert, which destroys the data.
    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn iLKM rekey -oldpassphrase Dell123! -newkeyid new_key_id -newpassphrase Dell1234!
    SEKM0212: The operation is successfully started. To view the status of a job, run the "racadm jobqueue view -i JID_448791538898" command at the Command Line Interface (CLI).

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn jobqueue view -i JID_448791538898
    ---------------------------- JOB -------------------------
    [Job ID=JID_448791538898]
    Job Name=iLKM Configuration
    Status=Completed
    Scheduled Start Time=[Not Applicable]
    Expiration Time=[Not Applicable]
    Actual Start Time=[Mon, 14 Feb 2022 16:52:33]
    Actual Completion Time=[Mon, 14 Feb 2022 16:52:40]
    Message=[SEKM021: A request to rekey all devices was received successfully on the iDRAC.]
    Percent Complete=[100]

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn get idrac.sekm
    [Key=idrac.Embedded.1#SEKM.1]
    AutoSecure=Enabled
    iLKMStatus=Enabled
    IPAddressInCertificate=Disabled
    KeyAlgorithm=AES-256
    KeyCreationPolicy=Key per iDRAC
    KeyIdentifierN=new_key_id
    KeyIdentifierNMinusOne=original_key_id
    KMSKeyPurgePolicy=Keep All Keys
    SecurityMode=iLKM
    SEKMStatus=Disabled
    SupportStatus=LicenseOnly
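The enable and rekey workflows above are shown as interactive commands whose output has to be read by eye. The script below is an added example written for this guide, not Dell's own tooling: it wraps the same racadm calls in POSIX shell functions that check the preconditions the guide states (SEKM disabled, iLKM not yet enabled, SEKM license present), wait for the job to reach a terminal state instead of assuming success, and verify the resulting idrac.sekm attributes, including the KeyIdentifierN / KeyIdentifierNMinusOne rotation after a rekey. It assumes racadm is on PATH, that the connection options held in RACADM may be replaced by a stub command for offline testing, and that the job Status and SupportStatus values it recognises are the ones that appear in this guide.

```shell
#!/bin/sh
# Added example, not Dell's code: wraps the racadm iLKM enable/rekey workflow
# with precondition checks, job polling and post-checks.
# Assumptions: racadm is on PATH; RACADM carries the connection options and can
# be pointed at a stub for offline testing; the SupportStatus values accepted
# below (LicenseOnly, Installed) are the two shown in this guide.
RACADM="${RACADM:-racadm -r 192.168.0.120 -u root -p calvin --nocertwarn}"

# Print the value of one "Name=value" attribute from racadm output
# (works for "get idrac.sekm" and for "jobqueue view"). CRs are stripped.
# Usage: attr_value "<output>" <AttributeName>
attr_value() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# Pull the JID out of the SEKM0212 "run racadm jobqueue view -i JID_..." message.
job_id_from_msg() {
    printf '%s\n' "$1" | grep -o 'JID_[0-9]*' | head -n 1
}

# Poll a job until it is Completed or Failed; print the final state.
# Usage: wait_for_job <JID> [max_polls] [seconds_between_polls]
wait_for_job() {
    jid=$1; max=${2:-60}; delay=${3:-5}; i=0
    while [ "$i" -lt "$max" ]; do
        status=$(attr_value "$($RACADM jobqueue view -i "$jid")" Status)
        case "$status" in
            Completed|Failed) printf '%s\n' "$status"; return 0 ;;
        esac
        i=$((i + 1)); sleep "$delay"
    done
    printf 'Timeout\n'; return 1
}

# Refuse to enable iLKM unless iDRAC is in the state the guide requires.
ilkm_preflight() {
    cfg=$($RACADM get idrac.sekm)
    [ "$(attr_value "$cfg" SEKMStatus)" = Disabled ] ||
        { echo "SEKM is enabled; iLKM cannot be enabled alongside it" >&2; return 1; }
    [ "$(attr_value "$cfg" iLKMStatus)" = Disabled ] ||
        { echo "iLKM is already enabled" >&2; return 1; }
    case "$(attr_value "$cfg" SupportStatus)" in
        LicenseOnly|Installed) return 0 ;;
        *) echo "SEKM license not present (SupportStatus)" >&2; return 1 ;;
    esac
}

# Enable iLKM, wait for the job, then confirm SecurityMode and the key ID.
# Usage: ilkm_enable_checked <key_id> <passphrase>
ilkm_enable_checked() {
    ilkm_preflight || return 1
    msg=$($RACADM iLKM enable -keyid "$1" -passphrase "$2") || return 1
    jid=$(job_id_from_msg "$msg")
    [ -n "$jid" ] || { echo "no job ID in: $msg" >&2; return 1; }
    [ "$(wait_for_job "$jid")" = Completed ] || return 1
    cfg=$($RACADM get idrac.sekm)
    [ "$(attr_value "$cfg" SecurityMode)" = iLKM ] &&
        [ "$(attr_value "$cfg" KeyIdentifierN)" = "$1" ]
}

# Rekey and verify the rotation the guide describes: the old ID moves to
# KeyIdentifierNMinusOne and the new ID becomes KeyIdentifierN.
# Usage: ilkm_rekey_checked <old_passphrase> <new_key_id> <new_passphrase>
ilkm_rekey_checked() {
    old_id=$(attr_value "$($RACADM get idrac.sekm)" KeyIdentifierN)
    [ -n "$old_id" ] || { echo "iLKM is not enabled; nothing to rekey" >&2; return 1; }
    msg=$($RACADM iLKM rekey -oldpassphrase "$1" -newkeyid "$2" -newpassphrase "$3") || return 1
    jid=$(job_id_from_msg "$msg")
    [ -n "$jid" ] || { echo "no job ID in: $msg" >&2; return 1; }
    [ "$(wait_for_job "$jid")" = Completed ] || return 1
    cfg=$($RACADM get idrac.sekm)
    [ "$(attr_value "$cfg" KeyIdentifierN)" = "$2" ] &&
        [ "$(attr_value "$cfg" KeyIdentifierNMinusOne)" = "$old_id" ]
}
```

Call ilkm_enable_checked <key_id> <passphrase>, and later ilkm_rekey_checked <old_passphrase> <new_key_id> <new_passphrase>; each returns non-zero if any step or post-check fails. As in the racadm examples, the iDRAC password and the iLKM passphrase are passed on the command line and therefore land in shell history and process listings, so run this from a controlled administrative session rather than a shared host.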

Disable iLKM operation

Note: All supported NVMe drives must be cryptographically erased before the disable operation can be attempted. Examples of how to erase these drives are in the sections below.

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn iLKM disable
    SEKM0212: The operation is successfully started. To view the status of a job, run the "racadm jobqueue view -i JID_448811199202" command at the Command Line Interface (CLI).

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn jobqueue view -i JID_448811199202
    ---------------------------- JOB -------------------------
    [Job ID=JID_448811199202]
    Job Name=iLKM Status Change
    Status=Completed
    Scheduled Start Time=[Not Applicable]
    Expiration Time=[Not Applicable]
    Actual Start Time=[Mon, 14 Feb 2022 17:25:19]
    Actual Completion Time=[Mon, 14 Feb 2022 17:25:20]
    Message=[JCP000: New]
    Percent Complete=[100]

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn get idrac.sekm
    [Key=idrac.Embedded.1#SEKM.1]
    AutoSecure=Disabled
    iLKMStatus=Disabled
    IPAddressInCertificate=Disabled
    KeyAlgorithm=AES-256
    KeyCreationPolicy=Key per iDRAC
    KeyIdentifierN=
    KeyIdentifierNMinusOne=
    KMSKeyPurgePolicy=Keep All Keys
    SecurityMode=None
    SEKMStatus=Disabled
    SupportStatus=LicenseOnly

Cryptographic Erase SED

Cryptographic erase permanently erases all data on an encryption-capable drive and resets the security attributes on the drive. It is supported for SEDs behind PERC and HBA controllers and for direct-attached NVMe SEDs.

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn storage cryptographicerase:{SED FQDD}

Note: Drives are secured again on the next system boot if Auto Secure is enabled. To prevent this, disable the Auto Secure option before performing a cryptographic erase on a SED.

PSID revert a SED
PSID revert is supported only on SAS SEDs connected to a SAS HBA and on direct-attached NVMe SEDs. It is not supported for PERC-attached NVMe SEDs; for those, the cryptographic erase command above is sufficient.
PSID revert is required when a drive is secured by an authentication key that iDRAC does not hold, so iDRAC cannot unlock the drive. The operation permanently erases all user data; once the data has been erased, the drive can be secured again. If the data on the drive is still needed, do not revert it: install the drive back in the original system, which holds the key, to unlock it.
To PSID revert an individual SED, run the command below. The PSID is printed on the physical label of the drive and is not displayed in the iDRAC drive inventory.
    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn storage cryptographicerase:{SED FQDD} -psid {PSID}

Manually enable security on NVMe SEDs
    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn storage encryptpd:Disk.Bay.15:Enclosure.Internal.0-1

Note: This is a real-time operation, therefore a host reboot is not required.

The workflow below demonstrates how to enable security on a direct-attached NVMe SED when Auto Secure is disabled.
It first confirms the Auto Secure setting, because with Auto Secure enabled iDRAC secures supported drives itself.

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn get idrac.sekm.AutoSecure
    [Key=idrac.Embedded.1#SEKM.1]
    AutoSecure=Disabled

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn storage encryptpd:Disk.Bay.15:Enclosure.Internal.0-1
    STOR094 : The storage configuration operation is successfully completed and the change is in pending state. To apply the configuration operation immediately, create a configuration job using the --realtime option. To apply the configuration after restarting the server, create a configuration job using the -r option. To create the necessary real-time and restart jobs, run the jobqueue command. For more information about jobqueue command, run the 'racadm help jobqueue' command.

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn jobqueue create Disk.Bay.15:Enclosure.Internal.0-1 --realtime -s TIME_NOW
    RAC1024: Successfully scheduled a job.
    Verify the job status using "racadm jobqueue view -i JID_xxxxx" command.
    Commit JID = JID_384841257680

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn jobqueue view -i JID_384818826920
    ---------------------------- JOB -------------------------
    [Job ID=JID_384818826920]
    Job Name=Configure: Disk.Bay.15:Enclosure.Internal.0-1
    Status=Running
    Scheduled Start Time=[Now]
    Expiration Time=[Not Applicable]
    Actual Start Time=[Thu, 02 Dec 2021 15:57:50]
    Actual Completion Time=[Not Applicable]
    Message=[PR20: Job in progress.]
    Percent Complete=[1]

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn jobqueue view -i JID_384818826920
    ---------------------------- JOB -------------------------
    [Job ID=JID_384818826920]
    Job Name=Configure: Disk.Bay.15:Enclosure.Internal.0-1
    Status=Completed
    Scheduled Start Time=[Now]
    Expiration Time=[Not Applicable]
    Actual Start Time=[Thu, 02 Dec 2021 15:57:50]
    Actual Completion Time=[Thu, 02 Dec 2021 16:02:17]
    Message=[PR19: Job completed successfully.]
    Percent Complete=[100]

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn storage get pdisks -o -p securitystatus
    Disk.Bay.15:Enclosure.Internal.0-1
       SecurityStatus = Secured
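The GUI section earlier filters Physical Disks by Security Status, and the workflow above secures one drive by hand. The script below is an added example written for this guide, not Dell's own tooling: it is the CLI counterpart of that filter, parsing the output of racadm storage get pdisks -o -p securitystatus into a per-drive table, and it then stages encryptpd plus a real-time job for every drive that is SED-capable but still unsecured. It is meant for systems where Auto Secure is disabled; with Auto Secure on, iDRAC does this itself. It assumes racadm is on PATH, that RACADM may be replaced with a stub command for offline testing, that the listing has the two-line-per-drive shape shown above, and that the status values other than Secured and Locked used in the sample ("Not Capable", "Unsecured") are representative; a Locked drive is deliberately left alone because it needs a storage unlock or a PSID revert, not encryptpd.

```shell
#!/bin/sh
# Added example, not Dell's code: CLI equivalent of the GUI "Filter Drives by
# Security Status" check, plus a loop that enables security on each capable but
# unsecured drive. Assumptions: racadm on PATH; RACADM holds the connection
# options (overridable with a stub for offline tests); the listing format is
# the two-line-per-drive shape shown in this guide; the status values
# "Not Capable" and "Unsecured" are assumed, Secured and Locked are from the guide.
RACADM="${RACADM:-racadm -r 192.168.0.120 -u root -p calvin --nocertwarn}"

# Flatten "racadm storage get pdisks -o -p securitystatus" output into one
# "FQDD<TAB>status" line per drive.
pdisk_security_table() {
    printf '%s\n' "$1" | tr -d '\r' | awk '
        /^[[:space:]]*Disk\./ { fqdd = $1; next }
        /SecurityStatus/      { sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "");
                                print fqdd "\t" $0 }'
}

# FQDDs whose status equals the given value (Secured, Locked, ...).
pdisks_with_status() {
    pdisk_security_table "$1" | awk -F '\t' -v want="$2" '$2 == want { print $1 }'
}

# Drives that are neither secured, locked by a key iDRAC does not hold, nor
# non-SED. Locked drives need "storage unlock" or a PSID revert, not encryptpd.
pdisks_needing_security() {
    pdisk_security_table "$1" |
        awk -F '\t' '$2 != "Secured" && $2 != "Locked" && $2 != "Not Capable" { print $1 }'
}

# Stage encryptpd for each unsecured drive and commit it as a real-time job.
# Prints "FQDD JID" per drive so the caller can watch the jobs in the queue.
secure_unsecured_pdisks() {
    listing=$($RACADM storage get pdisks -o -p securitystatus)
    for fqdd in $(pdisks_needing_security "$listing"); do
        $RACADM storage encryptpd:"$fqdd" >/dev/null ||
            { echo "encryptpd failed for $fqdd" >&2; continue; }
        out=$($RACADM jobqueue create "$fqdd" --realtime -s TIME_NOW)
        jid=$(printf '%s\n' "$out" | grep -o 'JID_[0-9]*' | head -n 1)
        printf '%s %s\n' "$fqdd" "${jid:-NO_JOB}"
    done
}
```

Run pdisks_with_status "$listing" Secured to reproduce the GUI filter, pdisks_with_status "$listing" Locked to find drives carried over from another system, and secure_unsecured_pdisks to queue the encryptpd jobs; follow each printed JID with racadm jobqueue view -i as in the workflow above.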

Configure iLKM using Server Configuration Profile (SCP)

In this workflow example, the Server Configuration Profile (SCP) feature is used to set up iLKM on iDRAC. The SCP file has been trimmed to show only the attribute values required to enable iLKM:

  • Enabled
  • iLKM
  • my_key_id
  • my_passphrase
  1. Run the RACADM set command to import this SCP file from an HTTP share.
  2. Ensure that the SCP import job is marked as completed.
  3. Check that iLKM is enabled.
    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn get idrac.sekm.ilkmstatus
    [Key=idrac.Embedded.1#SEKM.1]
    iLKMStatus=Enabled
    Note: The SCP file carries the iLKM passphrase in clear text. Restrict access to the share that hosts it and remove the file once the import has completed.

iLKM to SEKM transition

This section provides an overview of the iLKM to SEKM transition, which moves an iDRAC that is already securing drives with iLKM to an external key management server.
You must provide the iLKM passphrase to authenticate the transition, along with the SEKM configuration details.
Note: For details on how to set up the SEKM configuration, refer to the SEKM whitepaper:
OpenManage Secure Enterprise Key Manager on PowerEdge Servers (dell.com)

The following happens if the authentication succeeds:

  • iDRAC generates a new authentication key on the external KMS and rekeys all secured devices with that key.
  • iDRAC then deletes the current and previous iLKM key IDs and keys from its credential vault and disables iLKM.

If either the iLKM authentication fails or the SEKM enablement fails (for example, because of an invalid KMS IP address), iDRAC fails the transition and leaves the security mode as iLKM. All devices remain secured by the iLKM key.
If the transition succeeds, iDRAC sets the SecurityMode attribute to SEKM, the iLKMStatus attribute to Disabled, and the SEKMStatus attribute to Enabled.

The workflow below demonstrates how to transition from iLKM to SEKM.

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn get idrac.sekm
    [Key=idrac.Embedded.1#SEKM.1]
    AutoSecure=Enabled
    iLKMStatus=Enabled
    IPAddressInCertificate=Disabled
    KeyAlgorithm=AES-256
    KeyCreationPolicy=Key per iDRAC
    KeyIdentifierN=test_key_id
    KeyIdentifierNMinusOne=
    KMSKeyPurgePolicy=Keep All Keys
    SecurityMode=iLKM
    SEKMStatus=Disabled
    SupportStatus=Installed

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn sekm enable -passphrase Dell123!
    SEKM0212: The operation is successfully started. To view the status of a job, run the "racadm jobqueue view -i JID_448927023736" command at the Command Line Interface (CLI).

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn jobqueue view -i JID_448927023736
    ---------------------------- JOB -------------------------
    [Job ID=JID_448927023736]
    Job Name=SEKM Status Change
    Status=Running
    Scheduled Start Time=[Now]
    Expiration Time=[Not Applicable]
    Actual Start Time=[Mon, 14 Feb 2022 20:38:24]
    Actual Completion Time=[Not Applicable]
    Message=[PR20: Job in progress.]
    Percent Complete=[1]

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn jobqueue view -i JID_448927023736
    ---------------------------- JOB -------------------------
    [Job ID=JID_448927023736]
    Job Name=SEKM Status Change
    Status=Completed
    Scheduled Start Time=[Now]
    Expiration Time=[Not Applicable]
    Actual Start Time=[Mon, 14 Feb 2022 20:38:24]
    Actual Completion Time=[Mon, 14 Feb 2022 20:38:34]
    Message=[SEKM020: The SEKM feature on the iDRAC is enabled.]
    Percent Complete=[100]

    C:>racadm -r 192.168.0.120 -u root -p calvin --nocertwarn get idrac.sekm
    [Key=idrac.Embedded.1#SEKM.1]
    AutoSecure=Enabled
    iLKMStatus=Disabled
    IPAddressInCertificate=Disabled
    KeyAlgorithm=AES-256
    KeyCreationPolicy=Key per iDRAC
    KeyIdentifierN=9612f2f3945240a8b769147632081702316cf5779b15460f9e8d4705dc16edf3
    KeyIdentifierNMinusOne=test_key_id
    KMSKeyPurgePolicy=Keep All Keys
    SecurityMode=SEKM
    SEKMStatus=Enabled
    SupportStatus=Installed

Configure iLKM solution using Redfish

This section demonstrates how to configure iLKM solution on iDRAC using Redfish interface.
Enable iLKM
POST
/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DelliDRACCardService/Actions/DelliDRACCardService.EnableiLKM

Example request body:

Disable iLKM
POST
/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DelliDRACCardService/Actions/DelliDRACCardService.DisableiLKM

Request body is not required.

Rekey

POST
/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DelliDRACCardService/Actions/DelliDRACCardService.Rekey

Example request body:


iLKM to SEKM transition

POST
/redfish/v1/Managers/iDRAC.Embedded.1/Oem/Dell/DelliDRACCardService/Actions/DelliDRACCardService.iLKMToSEKMTransition

Example request body:

Troubleshoot issues while setting up iLKM on iDRAC

This section addresses some of the common issues that are encountered while using iLKM.
I moved a SED from one iLKM enabled system to another iLKM enabled system and now my drive shows up as Locked. How do I unlock the drive?
Run the storage unlock command from RACADM, supplying the key ID and passphrase that the source system used to secure the drive.
Example:
racadm storage unlock:{NVMe drive FQDD} -key {key_id} -passwd {passphrase}

Technical support and resources
Dell.com/support is focused on meeting customer needs with proven services and support.
