Is there such thing as hardware encrypted raid disk?
Solution 1
Yes. You can encrypt a RAID volume, using TrueCrypt or any other whole-disk encryption software. The contents of the volume will be unreadable without the encryption key, regardless of who powers up the machine.
The traditional "benefit" of hardware encryption is added performance, not added security. Because many of today's high-end processors include support for hardware-assisted AES encryption, you are likely to experience similar (or perhaps even better) performance using software encryption.
Solution 2
Don't do this.
I'm in the process of trying to recover data from an encrypted RAID array that failed, and it's already cost my employer more than the data's worth. If you must encrypt, either encrypt individual disks, or create an encrypted partition for the important stuff.
Solution 3
Already one great answer but I'll toss in my answer as well.
As with all security it always comes down to what is acceptable to you. How much security does your system actually need? Everything you are talking about could be fixed with better physical security, in example a much better door, a better lock, and a guard.
Once the system IS booted (I'm guessing it will actually be booted sometimes) the SYSTEM account on Windows and Root Account on Linux will generally have full access to the contents of the disk regardless of encryption, if someone actually hacks the system and gets one of these accounts they will have access to data. What you are really going to prevent is someone pulling a drive and physically taking it.
If after having as much security as you can possibly afford physically, your data requires (BY company policy, law, or contract) encryption then you again need to ask, how much?
-
Should I use Self Encrypted Hard drives? Password Protected?
-
Should I use a TPM to encrypt the data coming into the RAID controller?
-
Should I encrypt the whole disk using TrueCrypt or BitLocker?
-
Do I just need to encrypt a few files?
-
DO I need to turn off memory cache on the raid controller?
If you encrypt both the logical disk (With TrueCrypt) and the RAID itself you prevent someone being able to just swap in a non-encrypted HDD & from being able to recover Keys from Windows/Linux repository on the software side. They would require both.
Related videos on Youtube
Dumitrescu Bogdan
Updated on September 18, 2022Comments
-
Dumitrescu Bogdan almost 2 years
I have a server for which I want to protect the content. The server is located on a clients premises.
Is there a way to encrypt the content of a RAID DISK (at hardware level) ? What I need is that the server will not be able to start as long as the required password is not provided (the encryption key)
I will give the best answer to Miles, though the answer was not exactly to my question. But from all the comments, it seems that it cannot be done hardware or .. it cannot be done as I would like to.
-
gparent over 11 yearsI don't understand what you mean. Hardware encryption also requires booting the machine if you ever want to see what's on the disk.
-
Hennes over 11 yearsto further clarify gparents point: You only have to choices. 1) manually enter a password, regardless of HW or SW. 2) Enter a password in a script on an unencrypted part (which would not be safe, just security by obscurity).
-
Dumitrescu Bogdan over 11 yearsAgreed. I do not know if it is possible what I want. But the idea is that if I do not key in the password, the bios should not recognize the disk. The raid should be able to form if and only if the encryption key is correct. (again I do not know if it even exists)
-
gparent over 11 yearsYou can't not have to enter a password and still have things secure by complete magic. Software or hardware will not change this.
-
Dan over 11 years@DumitrescuBogdan That doesn't make sense. RAID is all about presentation - it doesn't (and shouldn't) care about the data.
-
Bonsi Scott over 11 years"What I need is that the server will not be able to start as long as the required password is not provided (the encryption key)" - For example: What about a power outage at your client... who will enter the password, if the system is restarted?
-
Dumitrescu Bogdan over 11 yearsWe can start it, that is not a problem ..
-
Bonsi Scott over 11 yearsOk. How's the password being input into the system?
-
-
Dumitrescu Bogdan over 11 yearsYes, true. But this is not the point of the question. If the "intruder" somehow guesses a password of the OS, then all the settings on the machine are vulnerable to export. This is not a question on security, is more a hardware related question, as I did not find data on raids capable to do this
-
Dan over 11 years@DumitrescuBogdan How is guessing the keyphrase of the encryption in softwar any different to guessing the keyphrase of the encryption in hardware? Also, the OS password is a different thing altogether
-
Dumitrescu Bogdan over 11 yearsOne course in my university (a long time ago), stated that if you have physical access to data, then you can find any password. I do not know if that is still correct, but if it is so, if then an unprotected disk can reveal all the data that it contains. So an OS password can be bypassed. What I wanted is that the RAID cannot be formed as long as the correct encryption password was not present.
-
Hecter over 11 yearsThe information that you received in your course is obsolete. Today you need physical access to data and access to unlimited computing resources in order to crack something like a 30-character passphrase. The current conventional wisdom is that a strong TrueCrypt passphrase cannot be cracked by even a determined attacker, unless that attacker has access to supercomputers.
-
gparent over 11 yearsWell if everything can be bypassed, don't run a server at all. That can't be hacked. Obviously if you're using a password system, then the correct password will work, no matter how you acquired it.
-
Dan over 11 yearsThere is another dimension here, you're forgetting that the RAID controller is separate from the disks. What happens when I take my disk out and plug it into a normal controller?
-
Hecter over 11 yearsEncryption always complicates data recovery. However, if you are in the process of attempting to recover data from a failed RAID array, encrypted or not, your employer has bigger problems than the one immediately at hand. Why wasn't there a backup? Surely your employer knows that RAID is no substitute for backups.
-
HopelessN00b over 11 years@MilesErickson Encryption on a RAID volume complicates things much more than on a normal disk, believe me. Not only do you have to worry about getting the data off without being able to read it while you're recovering it, you now have to worry about your stripe size and block size the encryption algorithm works on, disk order and whatever vendor-specific fun the RAID card's done as well. Without being able to read the data raw to see if you're on the right track. As to my employer, well... job security or something, sigh .
-
MadHatter about 8 yearsAt the moment, this answer reads like a snake-oil-encryption rant. If I were you, I would try to trim this down from two illegible pages to one or two informative paragraphs.
-
Nick Young about 8 yearsIn my opinion using hardware raid increases your attack surface not decreases it. You are saying that the person has physical access to your closet, at this point you have failed at a fundamental level, physical security. But lets say you are at this point, say you use encrypting HDD where the encryption is built into the HDD not the controller or other hardware. It prevents someone from taking that drive away because they could grab it and run, but If i replace the drive with a non-encrypting one and its RAID 1... I'm going to get an encrypted drive. Its time consuming, but possible.