I am setting up a server in an industrial environment that will have a service that injects security assets into a PCB. I want the server to store these assets on a self encrypting disk where one encrypted partition can only be accessed by the injection service. I want the SED keys to be sealed to the service by a TPM. Any suggestions on how to set this up or where to look for answers?

hkc94501

1 Answer

Encryption provides physical data protection. Out-of-the-box your options here are either BitLocker Drive Encryption or Encrypting File System (EFS). In your case, BitLocker might be an easier and more secure option to implement.

Logical data access protection can only be achieved using NTFS permissions. You must run a service under a dedicated user account and only allow this account access to the files you want to protect from other users or processes. Further security hardening can be done to the service account to protect it.

J-M
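One way to implement the dedicated-service-account and NTFS-permission part of this answer, as an added PowerShell example that is not from the original thread. It uses a per-service virtual account (`NT SERVICE\<name>`) rather than a user account with a stored password; the service name, the binary path and the `D:\Assets` folder are assumptions.

```powershell
# Added example, not from the original answer. Assumptions: the injection
# service binary is C:\AssetInjector\inject.exe (hypothetical), the protected
# data lives in D:\Assets, and the service runs as its virtual account
# NT SERVICE\AssetInjector (created by the SCM, cannot log on interactively).
$ServiceName = 'AssetInjector'
$ServiceSid  = "NT SERVICE\$ServiceName"
$AssetDir    = 'D:\Assets'

# 1. Register the service, then switch it to its virtual account. The
#    NT SERVICE\<name> principal only resolves once the service exists.
New-Service -Name $ServiceName -BinaryPathName 'C:\AssetInjector\inject.exe' -StartupType Automatic | Out-Null
& sc.exe config $ServiceName obj= $ServiceSid | Out-Null

# 2. Build a DACL that lists only the service account. Breaking inheritance
#    drops the Users/Authenticated Users entries inherited from the volume root.
New-Item -ItemType Directory -Path $AssetDir -Force | Out-Null
$acl = Get-Acl -Path $AssetDir
$acl.SetAccessRuleProtection($true, $false)          # protect DACL, discard inherited ACEs
foreach ($rule in $acl.Access) { $null = $acl.RemoveAccessRule($rule) }   # drop any explicit ACEs
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $ServiceSid,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $AssetDir -AclObject $acl

# 3. Verify: the DACL must be protected and name no principal other than the
#    service account. This is logical protection only: a local administrator can
#    still take ownership (SeTakeOwnershipPrivilege), which is why the answer
#    pairs it with disk encryption for physical protection.
function Test-AssetDirAcl {
    param([string]$Path, [string]$AllowedPrincipal)
    $current = Get-Acl -Path $Path
    $others  = @($current.Access | Where-Object { $_.IdentityReference.Value -ne $AllowedPrincipal })
    return ($current.AreAccessRulesProtected -and $others.Count -eq 0)
}
Test-AssetDirAcl -Path $AssetDir -AllowedPrincipal $ServiceSid
```

Run from an elevated PowerShell session on the server itself; the final call returns `$True` when only the service account appears in the folder's DACL.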
  • Jevgenij, thanks for your answer. I think it's halfway there. My customer requires a FIPS 140 level 2 solution, so BitLocker is out. That is why I specified the self-encrypting disk. This would be an Opal FIPS 140-2 level 2 certified device. The device can have encrypted and unencrypted partitions. What I really want to know is how Windows manages the disk authentication keys. Can I bind a disk authentication key to a specific service account? – hkc94501 Sep 15 '21 at 08:55
  • Sorry, it wasn't obvious to me that you are speaking about a third-party product. Sadly, I lack experience with the mentioned self-encrypting drive. Certificate management might depend on the vendor, so the best source of truth would be the vendor's support site or customer service. In theory, each service has a Personal store in certificate storage, so you could place the certificate there and it wouldn't be accessible to other users/services. The private key could be protected by the TPM if the cert is issued locally, but I am not sure how that's implemented in practice. I'd recommend contacting the vendor's support. – J-M Sep 15 '21 at 14:30
  • Thanks. Device operations are pretty clearly spelled out in the Opal standard. I think it is more an issue of how the operating system manages the device. Windows will recognize the device automatically and configure BitLocker to manage it, but that doesn't answer my specific question about the management of authorization keys. BitLocker may manage the whole disk under a single authentication band and then depend on NTFS to manage access to whatever volumes you define on the disk. That wouldn't quite meet my requirements. – hkc94501 Sep 16 '21 at 03:01