Self-Encrypting Drives: A Win for Data Security at Rest?
Protecting Data At Rest – Full Disk Encryption
In addition to the ability to encrypt files and databases, there is technology that allows the full drive to be encrypted so that data is always protected from unauthorized access. There are a few different options for Full Disk Encryption: TrueCrypt, BitLocker and Self-Encrypting Drives. The fastest option is to utilize Self-Encrypting Drives. These drives have an embedded encryption module that encrypts and decrypts all data on the fly. The drives use either the AES-128 or the AES-256 symmetric encryption algorithm. The Trusted Computing Group set a standard for self-encrypting drives named Opal that most manufacturers follow. While there is a pretty extensive ecosystem for managing Full Disk Encryption on workstations and storage systems, the management and support for Full Disk Encryption on servers (especially single servers) is almost non-existent.
Self-Encrypting Drives: How Do They Work?
At time of manufacture, each Self-Encrypting Drive has a Data Encryption Key created and saved in its firmware. This is the key that encrypts and decrypts all data on read or write. Any data written to the drive goes through the encryption module and is saved as ciphertext. An optional feature of a Self-Encrypting Drive is the use of an authentication key. There can be one or several authentication keys, depending on how the drive is configured. The authentication key “locks” the drive. The hash of the authentication key is used to encrypt the Data Encryption Key, and the result is saved in the encryption firmware. When the drive is powered on and prepared for use, the authentication key is hashed and provided to the Self-Encrypting Drive. If the hash matches the one saved in the drive, the Data Encryption Key is decrypted and normal operations begin.
Self-Encrypting Drives can be “instantly erased”. The data is not actually erased; instead the Data Encryption Key is changed, effectively making any data saved on the drive unrecoverable. This is orders of magnitude faster than wiping a drive using a software utility or hardware tool. The drive can then be sold, repurposed or recycled without any fear of someone stealing the data.
When you set an authentication key, the drive becomes unusable without that key. If the drive is removed from the server that is configured to unlock it, no one else can access it without the authentication key. This is the feature desired by industries that cannot afford data loss through physical loss, such as financial institutions, insurers, or members of the defense industrial complex.
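The three preceding paragraphs describe one key lifecycle: a Data Encryption Key (DEK) generated inside the drive, an authentication key whose hash wraps that DEK and locks the drive, an unlock that re-derives the hash, and a crypto-erase that simply replaces the DEK. The model below is an added example written for this post, not code from any drive vendor or from the Opal specification. It assumes a hash-based counter-mode keystream as a stand-in for the drive's AES engine so that it runs with only the Python standard library, and a PBKDF2 derivation as the "hash of the authentication key"; the class and method names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed model of Self-Encrypting Drive key handling. A real drive runs AES
# in its controller and follows the TCG Opal wrapping format; here a SHA-256
# counter keystream stands in for AES so the example needs no third-party package.


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data` (XOR is its own inverse) with a SHA-256 counter
    keystream bound to `key` and `nonce`. Stand-in for the drive's AES engine.
    Caveat: a stream cipher keyed per sector leaks the XOR of old and new data
    when a sector is rewritten, which is why real drives use AES-XTS instead."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block_key = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block_key))
    return bytes(out)


class SelfEncryptingDrive:
    """Persistent state (survives power_cycle): sectors, salt, wrapped DEK, tag.
    Volatile state: the plaintext DEK, present only while the drive is unlocked."""

    def __init__(self) -> None:
        # "At time of manufacture" a random DEK is generated inside the drive.
        self._dek = secrets.token_bytes(32)
        self._sectors: dict[int, bytes] = {}
        self._salt = None          # set once an authentication key exists
        self._wrapped_dek = None   # DEK encrypted under the derived key
        self._wrap_tag = None      # MAC so unlock() can reject a wrong key

    @property
    def is_locked(self) -> bool:
        return self._dek is None

    def _kek(self, auth_key: bytes) -> bytes:
        # The post's "hash of the authentication key"; salted and iterated
        # (PBKDF2) so that each guess at the key is costly to test.
        return hashlib.pbkdf2_hmac("sha256", auth_key, self._salt, 200_000)

    def set_authentication_key(self, auth_key: bytes) -> None:
        if self.is_locked:
            raise PermissionError("unlock before changing the authentication key")
        self._salt = secrets.token_bytes(16)
        kek = self._kek(auth_key)
        self._wrapped_dek = keystream_xor(kek, b"DEK-WRAP", self._dek)
        self._wrap_tag = hmac.new(kek, self._wrapped_dek, "sha256").digest()

    def power_cycle(self) -> None:
        # Power loss drops the plaintext DEK. With an authentication key set the
        # drive comes back locked; without one it stays transparently usable.
        if self._wrapped_dek is not None:
            self._dek = None

    def unlock(self, auth_key: bytes) -> bool:
        if not self.is_locked:
            return True
        kek = self._kek(auth_key)
        expected = hmac.new(kek, self._wrapped_dek, "sha256").digest()
        if not hmac.compare_digest(expected, self._wrap_tag):
            return False  # wrong key: the DEK stays wrapped, drive stays locked
        self._dek = keystream_xor(kek, b"DEK-WRAP", self._wrapped_dek)
        return True

    def write(self, lba: int, data: bytes) -> None:
        if self.is_locked:
            raise PermissionError("drive is locked")
        self._sectors[lba] = keystream_xor(self._dek, lba.to_bytes(8, "big"), data)

    def read(self, lba: int) -> bytes:
        if self.is_locked:
            raise PermissionError("drive is locked")
        return keystream_xor(self._dek, lba.to_bytes(8, "big"), self._sectors[lba])

    def raw_sector(self, lba: int) -> bytes:
        """What someone reading the media directly, bypassing the controller, sees."""
        return self._sectors[lba]

    def crypto_erase(self) -> None:
        # "Instant erase": sectors are untouched, only the DEK is replaced, so
        # every existing sector now decrypts to noise. Authentication is reset.
        self._dek = secrets.token_bytes(32)
        self._salt = self._wrapped_dek = self._wrap_tag = None


def demo() -> dict:
    """Walk through manufacture, locking, unlock and crypto-erase; return observations."""
    drive = SelfEncryptingDrive()
    secret = b"quarterly payroll export"  # constructed sample data
    drive.write(7, secret)
    obs = {"roundtrip": drive.read(7),
           "ciphertext_on_media": drive.raw_sector(7) != secret}
    drive.set_authentication_key(b"correct horse battery staple")
    drive.power_cycle()
    obs["locked_after_power_cycle"] = drive.is_locked
    obs["wrong_key_unlocks"] = drive.unlock(b"wrong key")
    obs["right_key_unlocks"] = drive.unlock(b"correct horse battery staple")
    obs["readable_after_unlock"] = drive.read(7)
    drive.crypto_erase()
    obs["readable_after_erase"] = drive.read(7) == secret
    return obs


if __name__ == "__main__":
    print(demo())
```

The model makes the operational point of the post visible: the sectors themselves never change during locking or erasure; only the drive's ability to turn them back into plaintext does, and that ability lives entirely in the wrapped DEK and whoever holds the authentication key.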
If you are using these in a server as single disks, you will have to manage each disk separately. If you have a compatible RAID controller, such as certain LSI MegaRAID controllers, you can set the authentication key in the controller and use the controller to unlock drives and create encrypted virtual disks. If you are using these disks in certain drive arrays, such as NetApp, EMC or Dell storage arrays, you can leverage devices such as SafeNet’s KeySecure appliance. Most of these devices use OASIS’ Key Management Interoperability Protocol (KMIP).
With the push to hyper-converged architectures and “cloud” storage solutions where local storage is shared across a cluster, such as VMware’s vSAN, Ceph or OpenStack’s storage, these disks are added to servers that may not have the capability to leverage an enterprise-level key management solution.
Where this matters
These drives are a great option if you are deploying them to workstations that are at high risk of being stolen, or on enterprise storage systems where disks are likely to fail and need to be replaced on a semi-regular basis. These drives become an operational and security nightmare if they are deployed to individual servers with auto-locking enabled. Human nature would be to set all the drives to the same authentication key to ease management. This weakens the protection of the drives in the same way a shared password weakens access control.
Currently, there is no native ability to encrypt virtual storage such as vSAN. Therefore administrators must either encrypt at the hardware level (better performance but more complex operationally) or in software at the Virtual Machine or Operating System level (slower but more enterprise management options). At this point, I’d recommend encrypting at the software level unless you are leveraging a KMIP-compliant RAID controller.
What is your experience with Self-Encrypting Drives? How widely have you implemented them on your servers? Have you configured auto-locking?