Is there such thing as hardware encrypted raid disk?

raid disk-encryption
14,576

Solution 1

Yes. You can encrypt a RAID volume, using TrueCrypt or any other whole-disk encryption software. The contents of the volume will be unreadable without the encryption key, regardless of who powers up the machine.

The traditional "benefit" of hardware encryption is added performance, not added security. Because many of today's high-end processors include support for hardware-assisted AES encryption, you are likely to experience similar (or perhaps even better) performance using software encryption.

Solution 2

Don't do this.

I'm in the process of trying to recover data from an encrypted RAID array that failed, and it's already cost my employer more than the data's worth. If you must encrypt, either encrypt individual disks, or create an encrypted partition for the important stuff.

Solution 3

Already one great answer but I'll toss in my answer as well.

As with all security it always comes down to what is acceptable to you. How much security does your system actually need? Everything you are talking about could be fixed with better physical security, in example a much better door, a better lock, and a guard.

Once the system IS booted (I'm guessing it will actually be booted sometimes) the SYSTEM account on Windows and Root Account on Linux will generally have full access to the contents of the disk regardless of encryption, if someone actually hacks the system and gets one of these accounts they will have access to data. What you are really going to prevent is someone pulling a drive and physically taking it.

If after having as much security as you can possibly afford physically, your data requires (BY company policy, law, or contract) encryption then you again need to ask, how much?

  • Should I use Self Encrypted Hard drives? Password Protected?

  • Should I use a TPM to encrypt the data coming into the RAID controller?

  • Should I encrypt the whole disk using TrueCrypt or BitLocker?

  • Do I just need to encrypt a few files?

  • DO I need to turn off memory cache on the raid controller?

    If you encrypt both the logical disk (With TrueCrypt) and the RAID itself you prevent someone being able to just swap in a non-encrypted HDD & from being able to recover Keys from Windows/Linux repository on the software side. They would require both.

Share:
14,576

Related videos on Youtube

Dumitrescu Bogdan
Author by

Dumitrescu Bogdan

Updated on September 18, 2022

Comments

  • Dumitrescu Bogdan
    Dumitrescu Bogdan almost 2 years

    I have a server for which I want to protect the content. The server is located on a clients premises.

    Is there a way to encrypt the content of a RAID DISK (at hardware level) ? What I need is that the server will not be able to start as long as the required password is not provided (the encryption key)

    I will give the best answer to Miles, though the answer was not exactly to my question. But from all the comments, it seems that it cannot be done hardware or .. it cannot be done as I would like to.

    • gparent
      gparent over 11 years
      I don't understand what you mean. Hardware encryption also requires booting the machine if you ever want to see what's on the disk.
    • Hennes
      Hennes over 11 years
      to further clarify gparents point: You only have to choices. 1) manually enter a password, regardless of HW or SW. 2) Enter a password in a script on an unencrypted part (which would not be safe, just security by obscurity).
    • Dumitrescu Bogdan
      Dumitrescu Bogdan over 11 years
      Agreed. I do not know if it is possible what I want. But the idea is that if I do not key in the password, the bios should not recognize the disk. The raid should be able to form if and only if the encryption key is correct. (again I do not know if it even exists)
    • gparent
      gparent over 11 years
      You can't not have to enter a password and still have things secure by complete magic. Software or hardware will not change this.
    • Dan
      Dan over 11 years
      @DumitrescuBogdan That doesn't make sense. RAID is all about presentation - it doesn't (and shouldn't) care about the data.
    • Bonsi Scott
      Bonsi Scott over 11 years
      "What I need is that the server will not be able to start as long as the required password is not provided (the encryption key)" - For example: What about a power outage at your client... who will enter the password, if the system is restarted?
    • Dumitrescu Bogdan
      Dumitrescu Bogdan over 11 years
      We can start it, that is not a problem ..
    • Bonsi Scott
      Bonsi Scott over 11 years
      Ok. How's the password being input into the system?
  • Dumitrescu Bogdan
    Dumitrescu Bogdan over 11 years
    Yes, true. But this is not the point of the question. If the "intruder" somehow guesses a password of the OS, then all the settings on the machine are vulnerable to export. This is not a question on security, is more a hardware related question, as I did not find data on raids capable to do this
  • Dan
    Dan over 11 years
    @DumitrescuBogdan How is guessing the keyphrase of the encryption in softwar any different to guessing the keyphrase of the encryption in hardware? Also, the OS password is a different thing altogether
  • Dumitrescu Bogdan
    Dumitrescu Bogdan over 11 years
    One course in my university (a long time ago), stated that if you have physical access to data, then you can find any password. I do not know if that is still correct, but if it is so, if then an unprotected disk can reveal all the data that it contains. So an OS password can be bypassed. What I wanted is that the RAID cannot be formed as long as the correct encryption password was not present.
  • Hecter
    Hecter over 11 years
    The information that you received in your course is obsolete. Today you need physical access to data and access to unlimited computing resources in order to crack something like a 30-character passphrase. The current conventional wisdom is that a strong TrueCrypt passphrase cannot be cracked by even a determined attacker, unless that attacker has access to supercomputers.
  • gparent
    gparent over 11 years
    Well if everything can be bypassed, don't run a server at all. That can't be hacked. Obviously if you're using a password system, then the correct password will work, no matter how you acquired it.
  • Dan
    Dan over 11 years
    There is another dimension here, you're forgetting that the RAID controller is separate from the disks. What happens when I take my disk out and plug it into a normal controller?
  • Hecter
    Hecter over 11 years
    Encryption always complicates data recovery. However, if you are in the process of attempting to recover data from a failed RAID array, encrypted or not, your employer has bigger problems than the one immediately at hand. Why wasn't there a backup? Surely your employer knows that RAID is no substitute for backups.
  • HopelessN00b
    HopelessN00b over 11 years
    @MilesErickson Encryption on a RAID volume complicates things much more than on a normal disk, believe me. Not only do you have to worry about getting the data off without being able to read it while you're recovering it, you now have to worry about your stripe size and block size the encryption algorithm works on, disk order and whatever vendor-specific fun the RAID card's done as well. Without being able to read the data raw to see if you're on the right track. As to my employer, well... job security or something, sigh .
  • MadHatter
    MadHatter about 8 years
    At the moment, this answer reads like a snake-oil-encryption rant. If I were you, I would try to trim this down from two illegible pages to one or two informative paragraphs.
  • Nick Young
    Nick Young about 8 years
    In my opinion using hardware raid increases your attack surface not decreases it. You are saying that the person has physical access to your closet, at this point you have failed at a fundamental level, physical security. But lets say you are at this point, say you use encrypting HDD where the encryption is built into the HDD not the controller or other hardware. It prevents someone from taking that drive away because they could grab it and run, but If i replace the drive with a non-encrypting one and its RAID 1... I'm going to get an encrypted drive. Its time consuming, but possible.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Run smartctl on all disks of a server
Adding a new device to a btrfs volume, but the available size is hardly growing
How do I monitor the status of a RAID array on an Intel controller from a Windows application?
Why is RAID not recommended for Hadoop HDFS setups?
Remove drive from soft RAID
What should the total space be for 4 3TB Drives in RAID10 configuration?
/dev/disk/by-uuid/XXXXX does not exist dropping to a shell
Installing Ubuntu with Software RAID 10
How to mount a disk from destroyed raid system?
How to modify/fix incorrectly detected dmraid (FakeRaid) RAID 10 array