Why are enterprise self encrypting drives hard to find?


zachj

Active Member
Apr 17, 2019
I’ve been looking for enterprise NVMe drives supporting the TCG OPAL spec, and while I do find a few (ex: Intel P4510), it seems like every single manufacturer has elected to make both SED and non-SED versions of the same drive, so you end up having to find a very specific SKU.

When looking on eBay it’s nearly impossible to find the SED-enabled variants.

whhhyyy?

I am reasonably confident most enterprises skipped the SED versions and just used software encryption because they didn’t want to deal with key management and passwords at boot time at the device level across 24 drives per server. And I’d guess that means few of them were sold and therefore few of them are being e-wasted.

Is that the answer to my question or is it something else?

To me a self-encrypting drive is fabulous because it means if I have a hardware failure I don’t have to give a shit what was on the drive. And it means I can easily double encrypt my data (SED + software encryption) with no performance penalty compared to using exclusively software encryption, which protects me from any possible TCG OPAL exploits (of which I currently only know one).

I know I can get what I want from consumer drives, but I can’t get SR-IOV or namespace support from consumer drives.
 

i386

Well-Known Member
Mar 18, 2016
If you care about keeping data "safe", isn't it very likely that these devices will be "safely" disposed of?
I know that at our company HDDs & SSDs get shredded to bits when they get replaced or retired.
 

zachj

Active Member
Apr 17, 2019
Homelab. These won’t get shredded.

Surely if they’re still functional at retirement I’ll wipe them, but if they just break suddenly before I can wipe them, I want the data to be safely inaccessible to somebody trying to read the flash.
 

nexox

Well-Known Member
May 3, 2023
I believe i386 was referring to the organizations that originally bought SED drives; they had a reason to go for encryption, so they probably destroy the things when done rather than hand them over to a recycler who dumps them on eBay.
 

CyklonDX

Well-Known Member
Nov 8, 2022
Look at Micron/Crucial... I think almost all disks from them come with SED TCG.
(The cheapest I think is the Micron 7300 on eBay; all of them support TCG Opal 2.0.)
Same goes for Toshiba.


In regard to safety: imagine that parts of the US government, like the SEC, accept SED as a form of data protection at rest (instead of actually encrypted data in databases). It only protects them from physical theft, i.e. only if the disks themselves are stolen, but many big corpos treat them as encrypted data.
 
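The two points made above, that an SED only helps when the disk itself walks off (CyklonDX) and that what matters after a sudden failure is whether the data is actually inaccessible (zachj's first post), both come down to whether locking was ever enabled on the drive: an Opal drive that was never provisioned still encrypts the media with its internal key, but it hands plaintext to any host it is plugged into. The following is an added Python example for this thread, not code from sedutil, any vendor, or any poster here. It parses the Level 0 Discovery flags in the form sedutil-cli --query prints them and states what the drive protects against. The sample output is constructed to resemble sedutil's "Locking function" block; the device names, model strings and the exact line layout are assumptions.

```python
"""Classify what protection a TCG Opal drive actually provides, from the
Level 0 Discovery flags that `sedutil-cli --query <device>` prints.

Added example, not code from sedutil or any vendor. The samples below are
constructed to resemble sedutil's "Locking function" block; the flag names
(Locked, LockingEnabled, LockingSupported, MBRDone, MBREnabled, MediaEncrypt)
are those of the Opal locking feature descriptor.
"""
import re

# Constructed sample: an Opal 2.0 drive fresh from eBay that was never
# provisioned. MediaEncrypt = Y (it always encrypts with its internal DEK),
# but LockingEnabled = N, so it serves plaintext to whatever host powers it.
SAMPLE_UNPROVISIONED = """\
/dev/nvme0 NVMe EXAMPLE-VENDOR EXAMPLE-MODEL FWREV0 SERIAL0000
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
"""

# Constructed sample: the same drive after the owner set a credential and
# enabled locking. It now powers up locked until that credential is supplied.
SAMPLE_PROVISIONED = SAMPLE_UNPROVISIONED.replace(
    "Locked = N, LockingEnabled = N", "Locked = Y, LockingEnabled = Y")

# Constructed sample: a drive with no Opal locking feature at all.
SAMPLE_NO_OPAL = "/dev/sda ATA EXAMPLE-HDD FWREV0 SERIAL0001\n"


def parse_locking_features(query_output: str) -> dict:
    """Return the Y/N flags of the 'Locking function' block as booleans.

    An empty dict means the drive advertises no Opal locking feature.
    """
    block = re.search(r"Locking function \(0x0002\)\n\s*(.+)", query_output)
    if not block:
        return {}
    return {key: (val == "Y")
            for key, val in re.findall(r"(\w+)\s*=\s*([YN])", block.group(1))}


def classify_protection(query_output: str) -> str:
    """Map the flags onto what a defender can rely on.

    'none'            : no Opal locking feature (not a TCG SED)
    'encrypting-only' : media is encrypted but locking is off; any host that
                        powers the drive reads plaintext, so a lost or failed
                        drive is exposed (a crypto-erase is still quick)
    'locked-at-rest'  : locking enabled; unreadable without the credential,
                        plaintext again to the OS once unlocked
    """
    flags = parse_locking_features(query_output)
    if not flags.get("LockingSupported"):
        return "none"
    if not flags.get("LockingEnabled"):
        return "encrypting-only"
    return "locked-at-rest"


def covered_threats(classification: str) -> set:
    """Threats each state actually addresses. Note that no SED state covers a
    compromised host while the drive is unlocked; that is the job of the
    software layer (or application-level encryption) on top."""
    table = {
        "none": set(),
        "encrypting-only": {"fast_crypto_erase"},
        "locked-at-rest": {"fast_crypto_erase", "drive_removed_powered_off"},
    }
    return set(table[classification])


if __name__ == "__main__":
    for name, sample in (("unprovisioned", SAMPLE_UNPROVISIONED),
                         ("provisioned", SAMPLE_PROVISIONED),
                         ("no-opal", SAMPLE_NO_OPAL)):
        state = classify_protection(sample)
        print(f"{name:13s} -> {state:16s} covers {sorted(covered_threats(state))}")
```

Run against a real drive by piping `sedutil-cli --query /dev/nvmeX` into `parse_locking_features`; the state to look for before trusting a drive with the "it broke before I could wipe it" scenario is `locked-at-rest`, and even then the host still sees plaintext once the drive is unlocked, which is why the thread's SED-plus-software layering is not redundant.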

zachj

Active Member
Apr 17, 2019
nexox said: I believe i386 was referring to the organizations that originally bought SED drives; they had a reason to go for encryption, so they probably destroy the things when done rather than hand them over to a recycler who dumps them on eBay.
Ah yes, this makes sense.