
Drive encryption capabilities inclusion

Description

The aim of this merge request is to address issues related to encryption on drives without the encryption capability enabled.

More specifically:

  • It introduces a vendor-specific way of identifying if the drive has encryption capability enabled
    • IBM: Through the SPIN index SCSI page
    • Oracle: Through the general INQUIRY SCSI page
  • If the data to be written are to be encrypted, an additional check of the encryption capability of the drive is made. In case of encrypted data, but no encryption capability, the session fails.

In essence, all encryption-related operations are made modulo the encryption capability of the drive.

Last, in case of unencrypted I/O, we clear the keys of the drive (if encryption capable) to avoid encrypted data with previous keys on CASTOR's system failure.

Testing

Before the merge request's submission, the following tests were passed:

On drives with encryption capability enabled:

  • Label session
  • Label with previously set encryption key
  • Write without encryption
  • Read without encryption
  • Write with encryption
  • Read with encryption
  • Write with previously set encryption key
  • Read with previously set encryption key

On drives with encryption capability disabled:

  • Label session
  • Write without encryption
  • Read without encryption
  • Write with encryption - session should fail
  • Read with encryption - session should fail
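The session-setup rules in the description above, modelled on a mock drive. This is an added example, not code from the merge request or from CASTOR: `MockDrive`, `prepareSession`, `runSession` and the key strings are hypothetical, and the capability flag stands in for the result of the vendor-specific SCSI query.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for a tape drive; not a CASTOR class.
struct MockDrive {
    bool encryptionCapable;  // result of the vendor-specific SCSI query
    std::string loadedKey;   // empty = no key loaded in the drive

    void setKey(const std::string& k) {
        if (!encryptionCapable) throw std::runtime_error("no encryption capability");
        loadedKey = k;
    }
    void clearKey() { loadedKey.clear(); }
    // Key the written data ends up encrypted with ("" = clear text).
    std::string write() const { return loadedKey; }
};

enum class Setup { Plain, Encrypted, Failed };
struct Outcome { Setup setup; std::string keyOnTape; };

// requestedKey empty = the session asks for unencrypted I/O.
Setup prepareSession(MockDrive& d, const std::string& requestedKey) {
    if (!requestedKey.empty()) {
        if (!d.encryptionCapable) return Setup::Failed;  // encrypted data, no capability
        d.setKey(requestedKey);
        return Setup::Encrypted;
    }
    if (d.encryptionCapable) d.clearKey();  // drop any key left by an earlier session
    return Setup::Plain;
}

// Runs one write session on a drive that may still hold staleKey (constructed input).
Outcome runSession(bool capable, const std::string& staleKey, const std::string& requestedKey) {
    MockDrive d{capable, staleKey};
    Setup s = prepareSession(d, requestedKey);
    return {s, s == Setup::Failed ? std::string() : d.write()};
}

int main() {
    Outcome o = runSession(true, "old-key", "");
    std::cout << "plain session after stale key writes with key: '" << o.keyOnTape << "'\n";
    return runSession(false, "", "new-key").setup == Setup::Failed ? 0 : 1;
}
```

Removing the `clearKey()` call makes the first case in `main` write with `old-key`, which is the stale-key situation the unencrypted-I/O rule is there to prevent.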
