whats the state of support for self-encrypting drives in CentOS 6 ? these are becoming increasingly common on both laptops and for enterprise storage (particularlly nearline), with features like instant-erase via key destruction. -- john r pierce N 37, W 122 santa cruz ca mid-left coast
Hello John, On Tue, 2012-09-18 at 18:12 -0700, John R Pierce wrote:> whats the state of support for self-encrypting drives in CentOS 6 ? > these are becoming increasingly common on both laptops and for > enterprise storage (particularlly nearline),>From what I read onhttp://www.trustedcomputinggroup.org/resources/commonly_asked_questions_and_answers_on_selfencrypting_drives the key is randomly generated on board and gets encrypted with the "authorization key" when it's set, which I suppose is either or both of the master and user ATA drive passwords. On normal drives (non SEDs) these are used to lock and unlock the drive. Since the key is stored (and generated) on the drive I/O should be transparent. I assume you just need to prime the SED by setting an "authorization key" with hdparm and unlock the drive on use. Although I've implemented most of the ATA security commands in hdparm I've never attempted to boot from a locked drive. You'd have to do a hdparm call in rc.sysinit and get the drive password before / is mounted.> with features like > instant-erase via key destruction.Would that be done using the security erase ATA command? Does it regenerate the key? Smart reuse of a command :) . An ATA option to set the drive key - not just reset and regenerate it - would be desirable. (Master and user key commands could be repurposed to implement this. When implemented as a new ATA command there's an issue with syncing the master and user key x drive key crypts when updating the drive key.) Please share any experiences and rc.sysinit patches when implementing this. Regards, Leonard. -- mount -t life -o ro /dev/dna /genetic/research
On Tue, 18 Sep 2012, John R Pierce wrote:> whats the state of support for self-encrypting drives in CentOS 6 ? > these are becoming increasingly common on both laptops and for > enterprise storage (particularlly nearline), with features like > instant-erase via key destruction.Management of Full Disk Encryption (FDE) drives is usually handled in BIOS or via central Windows application. I've never installed FDE drives in servers, but they work well in laptops running Linux. We use BIOS-level passphrases (centrally escrowed, just in case), but we're a small shop. Performance seems within the realm of acceptable. The encryption is always-on. That is, data is always encrypted when written to disk. Whether that data is readily readable depends on whether the drive's encryption key has been encrypted. Once the key is encrypted, a passphase must be presented to unlock it. Once the key has been encrypted, the drive cannot be accessed unless connected directly to, say, the system's SATA bus. I haven't seen any mechanisms by which the key can be unlocked via things like external USB adapters. -- Paul Heinlein heinlein at madboa.com 45?38' N, 122?6' W