FreeBSD and self encrypting drives

tcn · Mar 29, 2013

Hi,

I would like to know if it is possible to use a self encrypting drive with FreeBSD. I have done some research and the biggest issue is key management. I know Seagate and Toshiba have some but key management software seems to be done by third party software companies. Anyone has experience with those drives (I know they are fairly recent)?

Thanks,

tcn

ondra_knezour · Mar 29, 2013

Not really answer to your question, but you may be interested in these videos waiting for on topic response

wblock@ · Apr 5, 2013

I've been thinking about this as an alternative to geli(8). It should be faster, maybe with no noticeable speed decrease at all. As far as I understand, just setting the hard drive password in the BIOS should enable this. My expectation was that data already on the drive would become unreadable, not being encrypted. But when I tried this on a Samsung 840 in a Dell Inspiron E1505, after entering the password on boot, all the existing data is there.

It's possible that the drive only encrypts on write, and all the data would have to be written to get everything encrypted.

But for me, it doesn't really matter. I don't anticipate someone desoldering the flash chips from that drive to access the raw data. The password is on the drive, so moving it to another machine won't work. That's really all I need to make sure that someone stealing that notebook won't have access to my information.

I'm curious if anyone knows how to enable this on a desktop. Can't recall seeing hard drive passwords in any desktop BIOS.

HarryE · Apr 5, 2013

Password protected drives (at least Toshiba ATA drives) can be read using the same password on different computer. Not sure about SATA models. The problem is that different BIOSes translate differently the typed-in password into sent-to-drive password.
Once the drive is password protected, the data on the drive is not encrypted. The ATA controller just does not respond to regular read-write commands. The drive seems to be defective for a computer which is not aware of the protection.
There is a linux tool to lock/unlock ATA HDD using the proper ATA commands and password. It's being used for unlocking Xbox HDD.
Would be nice to have it ported to FreeBSD.
Self-encrypting drives are in another league.
HTH

wblock@ · Apr 5, 2013

There's not a lot of end-user information on it, but what I found suggested that SED was enabled by setting the drive password. The difference was that data on the drive itself was encrypted. More information is welcome.

tcn · Apr 6, 2013

The only way I found to enable SED is through expensive RAID adapters. These cards will manage the passwords and allow change or erasure of the key (which will destroy the data on the disk itself).

protocelt · Apr 6, 2013

While I haven't found any technical documents, I found this link. I'm not sure if this applies to other manufacturer models or not.

tcn · Apr 7, 2013

Looking around, I have found some companies that are making hardware encryptors. There are USB plugs, PCIe boards or SATA "man in the middle" boards. I also have seen laptop adaptations of encryptors but I fear they won't fit into all laptops. In mine, it wouldn't. They accept magnetic cards, USB keys; not sure about passwords. Downside is that they are not as fast as the SED option.