SED Drives : How To ?
Posted 28 May 2013 - 08:14 AM
@moderators : sorry, but didn't find any dedicated category for this topic.
I started this topic because I have made a lot researchs without any interesting found information...
Indeed, I just want to use a SED drive in order to benefit of a real full encryption and gained performance.
While opting for hardware encryption, it seemed me obvious that setup didn't need more than plug and play hard drive...
But.... i can't find any article about these SED drives ?? Why ?
Just some advertising articles...
Just found about Enigma SED product, nothing more...
Can, please, anyone tell me his feedback / experience about it ?
By the way, as I understood, at least :
There's a pre-boot part associated with the SED drive. Is it already in SED drives or...does it need some third-party as Enigma SED ?
Has anyone tested Yubikeys ? I was thinking about a pre-boot password : one part typed by user and the other part inserted by Yubikey...
Thank you very much for any answer, article, link, etc.
Posted 31 May 2013 - 04:30 AM
Posted 31 May 2013 - 03:33 PM
SED Products like Samsung 840, 840 Pro or Intel 520 are using ATA-Securtiy feature set. This requires the SED SSD and a PC or notebook which supports this. PCs are very seldom, but many business notebook are supporting this via BIOS password, which is needed to unlock the SSD to boot the OS.
Thank you very much.
By the way, i've found this article that completes your statement.
Posted 01 August 2013 - 12:58 PM
Posted 05 August 2013 - 09:29 AM
We're also working on a piece with Micron right now around SED and practical application for IT admins.
Twitter - @StorageReview
Posted 15 September 2013 - 02:58 PM
Thank you for contacting Seagate Support.
I understand you have questions about our ISE, SED and SED with FIPS drives. I have included definitions and a link to help differentiate the products.
Self-Encrypting Drive (SED): user can take ownership and manage security of the data on the drive. The drive can also function without user management. all SED drives can cryptographically erase data using ISE.
SED with FIPS: These offer the same features as the SED, plus the cryptographically module of the drive is validated by the National Institute of Standards and Technology (NIST).
Instant Secure Erase: User cannot take ownership of the security of the drive. They can only cryptographically erase or reset to factory settings.
Link included on the ISE:
For additional assistance, feel free to contact us at: www.seagate.com/about/contact-us/technical-support/
I just want to take advantage of the full-speed encryption and longevity of these enterprise drives to run a NAS, but it is raising all sorts of problems:
-Does anyone offer a Mini-ITX or Micro-ATX Motherboard for Socket 1150 that supports ATA passwords?
-If they do, does it support ATA passwords for more than one drive (supposedly some desktop MBs only support ATA passwords for the first SATA connection)?
-If I can get a MB that supports multiple ATA passwords, will Linux and a software RAID filesystem have any troubles with this?
-If all of that is possible, is this something I should be worried about - (UTexas findings on the weakness of ATA Password security?
-If I do need to do something about that, is there an open-source or even a commercial product that will allow me to manage the encryption keys of an SED drive on my Linux-run NAS?
A decent amount of web searches has only really raised these questions. I haven't found any of these answers.
How do Linux-run enterprise systems manage their SED encryption keys?
Does anyone know a good resource that I'm missing?
Posted 16 September 2013 - 05:39 AM
It seems like SED just hasn't gotten the attention it deserves.
You're right about that, it is a confusing topic. That said, you're missing some bits.
There is "pre-boot encryption":
SED generally refers to a drive which can encrypt all data ever written to it. Together with your SED drive you must have a motherboard with a TPM chip (Trusted Platform Module, Wikipedia it). The TPM chip is a crytographic co-processor and key storage device.
So your motherboard TPM stores the encryption key, and your SED drive encrypts everything ever written to it with the key.
This functionality is generally disabled by default, and enabled by turning on BIOS passwords. So when the PC boots from cold (from a full power off), the BIOS will ask for a password. Entering this correctly makes the TPM unlock the encryption key, and send the right key to the SED. The boot process continues. This works with all operating systems, because the operating system doesn't even know that encryption is used.
For details on how to set the right BIOS passwords, you must see your motherboard/system manual.
When the computer is turned off, TPMs + SED are tamper-resistant. They won't stop someone with a budget in the millions from reading your files. But they will stop a common thief or someone who can only spend tens of thousands from reading your SED drive. The Texas U article you linked to was somewhat misleading in that regard; what it claims does not hold true for modern SED drives, and certainly not for any FIPS certified SED drives.
TPM + SED brings some issues of its own. If your motherboard dies, then everything on SED disks become un-readable.
Business-class laptops generally have TPMs. Most desktop motherboards do not. There are some business-oriented desktop motherboards that have TPMs, but they're getting scarce. Your best bet might be a business-class desktop system from somone like Dell, Lenovo, HP, etc.
There is also post-boot disk encryption, i.e. where the operating system or an application encrypts data in software. How this works will depend your operating system/software.
It can be a good idea to combine SED and OS encryption. For example, use a TPM + SED for your boot drive, so that you're booting the OS from a SED drive. Then use OS-level software encryption for your data drives. The benefit is key backup -- Windows and other good OS's make it easy to back up the keys. Thus if your motherboard or SED drive dies, you can buy a new one, reinstall the OS, reload keys for the datadisks from backups, and everything is there.
NB: Using encryption increases the risk of data loss. Be sure to have good backups, which are un-encrypted, or encrypted with a different system and with multiple backups of the keys used.
Edited by 270673, 16 September 2013 - 06:08 AM.
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users