2

Windows Server using an IEEE-1667 drive allows hardware-based encryption on the fly.

What are our options when using two disks with a RAID controller, in order to achieve redundancy and parity (T10-DIF)? Is it possible for the booting RAID controller to support IEEE-1667 so that, together with UEFI Secure Boot and the TPM, hardware encryption can be enabled? If not, can the RAID controller perform a UEFI boot along with a TPM handshake to ensure that everything is normal before decrypting the SED disks and loading the OS?

I found out about eNova's X-Wall, which is a transparent IEEE-1667 device between the HDD and the OS, but I haven't seen anything at the RAID level.

1 Answer

0

Please have a look at the article Windows 10’s BitLocker Encryption No Longer Trusts Your SSD. While you can still make Windows trust the drive's hardware encryption, it may be preferable security-wise to do that on the software side. That would remove your need for a RAID controller supporting IEEE-1667, and would also increase your recovery chances if a disk failed.

Ángel
  • Thank you Angel for this heads-up. I was aware of specific drives that were bypassed, but didn't know about this specific policy. However, on server systems (where RAID is mostly used), is there a way we can secure the unlocking of SED drives by the controller with the TPM? In case someone steals an edge server at a branch, to make it impossible to access the data by dual-booting the machine. – Nikos Papandreou Oct 30 '19 at 05:48
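The following PowerShell is an added example illustrating the answer's point (it is not code from the question, the answer or any vendor): it reports whether Windows is currently letting the SED do the encryption or encrypting in software, shows which of the "Configure use of hardware-based encryption" policy values are set, and, for a not-yet-encrypted OS volume, turns on software BitLocker bound to the TPM. The drive letter `D:` used for the call at the end is assumed; the registry value names and the `Hardware` encryption-method value are the ones the BitLocker policy and module use as far as I know, so verify against `manage-bde -status` on your own build before relying on the report.

```powershell
# Added example, not from the original Q&A. Run as Administrator on Windows 10 /
# Windows Server with the BitLocker and TrustedPlatformModule modules installed.
# Drive letters passed in below are assumptions, not from the question.

# The "Configure use of hardware-based encryption for ..." group policies write
# these DWORDs. 1 = hardware (SED) encryption allowed, 0 = disallowed. When the
# value is absent, recent Windows 10 builds default NEW volumes to software
# encryption, which is the behaviour the linked article describes.
$fvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$hwPolicyValues = @{
    'OSHardwareEncryption'  = 'Operating system drives'
    'FDVHardwareEncryption' = 'Fixed data drives'
    'RDVHardwareEncryption' = 'Removable data drives'
}

function Get-HardwareEncryptionPolicy {
    # One row per drive class, saying whether an admin has re-enabled SED trust.
    foreach ($name in $hwPolicyValues.Keys) {
        $value = (Get-ItemProperty -Path $fvePolicyKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            DriveClass  = $hwPolicyValues[$name]
            PolicyValue = $name
            Setting     = $(if ($null -eq $value) { 'Not configured (software encryption for new volumes)' }
                            elseif ($value -eq 1)  { 'Hardware encryption allowed' }
                            else                   { 'Hardware encryption disallowed' })
        }
    }
}

function Get-VolumeEncryptionReport {
    # 'Hardware' as EncryptionMethod means the SED itself encrypts (IEEE-1667/OPAL
    # path); XtsAes128/256 or Aes128/256 means Windows encrypts in software.
    Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            EncryptionMethod = $_.EncryptionMethod
            UsesSedHardware  = ($_.EncryptionMethod -eq 'Hardware')
            ProtectionStatus = $_.ProtectionStatus
            KeyProtectors    = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }
}

function Enable-SoftwareBitLockerWithTpm {
    # Encrypt an OS volume in software (XTS-AES-256) with the key sealed to the
    # TPM, then add an escrowable recovery password so a failed disk in the RAID
    # set (or a failed board) does not take the only key with it.
    param(
        [Parameter(Mandatory)] [string] $MountPoint
    )

    $tpm = Get-Tpm
    if (-not $tpm.TpmReady) {
        throw "TPM on this host is not ready (present=$($tpm.TpmPresent), enabled=$($tpm.TpmEnabled)); cannot seal the key."
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        throw "$MountPoint is already $($vol.VolumeStatus); refusing to change its encryption method in place."
    }

    # -TpmProtector is only valid for the OS volume; -SkipHardwareTest avoids the
    # extra reboot-and-verify cycle. Remove it if you want Windows to prove the
    # TPM can unseal before committing.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null

    # Recovery password: print it once here; in a domain, follow with
    # Backup-BitLockerKeyProtector to store it in AD instead of on paper.
    $rp = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object KeyProtectorId, RecoveryPassword
}

# Usage (drive letter assumed):
Get-HardwareEncryptionPolicy | Format-Table -AutoSize
Get-VolumeEncryptionReport   | Format-Table -AutoSize
# Enable-SoftwareBitLockerWithTpm -MountPoint 'C:'
```

The report is the check to run before trusting a "hardware encrypted" status light on the controller: if a volume shows `Hardware`, the OS is delegating to the drive's own engine and the caveats from the linked article apply; if it shows `XtsAes256`, the RAID controller never needs to speak IEEE-1667 at all, because the logical RAID volume is what BitLocker encrypts. A TPM protector on the OS volume also answers the stolen-edge-server case in the comment: the key is sealed to the measured boot state, so booting another OS on the same box does not release it.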