RAID controllers and hardware encryption


archangel.dmitry

I have a question regarding hardware encryption. Some of the newer RAID controllers come with an on-board encryption mechanism. Does anybody know if it can be bypassed or backdoored? Currently, I am using TrueCrypt and it works great; even performance is good. But I am considering switching to hardware encryption if it is beneficial.
 

vanfawx

Usually the encryption is done by the drive itself, but the drives need to support encryption. With LSI it looks like it's an add-on feature (LSI SafeStore). This is more to provide data encryption at rest.

I haven't heard yet of Self Encrypting Drives having back doors or being bypassed, but that doesn't mean it hasn't happened.

Hopefully someone with more experience with SED and Encryption at Rest will speak up :)
 

archangel.dmitry

I know for a fact that HDDs with an ATA password set can be bypassed.

Areca has a line of RAID controllers that scramble data before passing it to the drives. That means any HDD would work.

Thank you for the reply!
 

archangel.dmitry

After some reading, I have come to the conclusion that there are at least 2 different ways to encrypt data at the RAID level. First, there is the more "poor people's" solution sold by Areca. It implements encryption at the RAID controller level and allows the use of any disks. Second, there is what seems to be the more mature but expensive version sold by LSI. RAID controllers leverage FDE implemented at the disk level (vanfawx mentioned it but I ignored it). RAID stores keys and manages the drives, but encryption happens at the drive level. The question now: can you see a drive detached from an LSI encrypted RAID on a different computer, or does it have to be unlocked first?
 

EffrafaxOfWug

Yup, the second version is basically the more common; there are RAID controllers out there that have support for SED drives in that the controller is able to store/manage the keys needed to unlock the drives (seeing as they can't be passed through to the OS). The only method I'm familiar with for SED FDE is TCG-Opal and the only card I've come across with people using it in anger is the Dell H800 - but as that's an LSI underneath I expect support is much broader than I'm aware of.

A little more reading shows that LSI call this technology "safestore" and it looks like one of those "How Much?!?!!!" add-ons. Compatible controllers listed on the specifications page.

Details on key management and recovery however seem... scant. Can't find any mention of how to back up the little key store, so if the controller went foom you'd find yourself in Excrement Brook without adequate manual propulsion techniques.
 

archangel.dmitry

I actually managed to find some info regarding managing keys. There are 2 types sold. First, a software key that you can add to the card through the controller interface. Second, a hardware key, which is a type of dongle that can be recognized by attached controllers. That basically answers the questions regarding backing up and restoring keys.

I couldn't find a price tag from the manufacturer for safestore. But you can get it on eBay for $25 (IBM) for RAID6 and RAID60 update (not sure what "update" implies here).