
I have a server running Debian stable with two 100GB Intel DC S 3700 drives in a Linux MD RAID 1. According to Intel, these drives support 256-bit AES encryption and I would like to encrypt the data written to these drives in order to tick a new box on the company data protection policy.

I know I can re-install Debian with Linux's own encryption but I would prefer to offload the encryption to the drives if they support it. Is this possible and how do I do it?

Thanks in advance,

Matt.

StaringSkyward
    If you ever find out, please let us know. I've done plenty of research into self-encrypting drives, and the one thing I have never been able to find is the technical documentation on how to actually use the functionality! – Michael Hampton Jan 06 '14 at 18:43

1 Answer

Agreed, the lack of documentation on these crucial security features is rather frustrating.

My understanding (not verified in practice) is that in order to enable encryption on SED drives, you need to set a password at the BIOS level. This post suggests that setting an ATA passwd using hdparm on an S3700 should do it. But I have yet to test it...

What would be interesting is to understand how this works in practice in non-interactive scenarios (i.e. a server sitting in a DC rather than a laptop with interactive passwd entry at boot). It looks like some RAID controllers support storing the passwd inside the controller itself. I suppose this wouldn't prevent a physical attack where the controller is stolen at the same time as the disk...

Edit: Q2/2017: wow two years have passed and whilst no de-facto solution has surfaced, there have been a few noteworthy developments:

sxc731
    It looks like an answer to me. It may not be a _good_ answer, but given the subject matter I'm not sure if such a thing is yet possible. – Michael Hampton Feb 15 '15 at 13:56
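
An added example, not part of the answer or comments above: before trying the hdparm ATA password route the answer mentions, it is worth reading the drive's ATA Security state, because a drive the firmware has put in the "frozen" state rejects security commands until it is power cycled. The function names are illustrative and the sample text is constructed to follow the layout of the "Security:" section of `hdparm -I`.

```shell
#!/bin/sh
# Added example. Function names are illustrative, not from hdparm or the post.

# Constructed sample in the layout of `hdparm -I` output.
sample_hdparm_output() {
cat <<'EOF'
ATA device, with non-removable media
        Model Number:       EXAMPLE SSD (constructed)
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
Checksum: correct
EOF
}

# Reads `hdparm -I` text on stdin and prints one summary line, e.g.
#   supported=yes enabled=no locked=no frozen=yes
# Returns 2 when the drive reports no "Security:" section at all.
ata_security_state() {
    awk '
        /^Security:/       { insec = 1; found = 1; next }
        insec && /^[^ \t]/ { insec = 0 }   # next unindented heading ends the section
        insec {
            val = "yes"; f = 1
            if ($1 == "not") { val = "no"; f = 2 }
            # Only bare keywords count; "supported: enhanced erase" is skipped.
            if (NF == f && $f ~ /^(supported|enabled|locked|frozen)$/)
                state[$f] = val
        }
        END {
            if (!found) exit 2
            n = split("supported enabled locked frozen", keys, " ")
            for (i = 1; i <= n; i++) {
                k = keys[i]
                out = out (i > 1 ? " " : "") k "=" ((k in state) ? state[k] : "unknown")
            }
            print out
        }'
}

# Offline demo on the constructed sample.
# On a real host, as root: hdparm -I /dev/sdX | ata_security_state
sample_hdparm_output | ata_security_state
```

`enabled=yes` means an ATA user password is currently set on the drive; it does not by itself show whether that password protects the drive's encryption key.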