
I'm buying servers lately and all of them have disks that support TCG Opal full-disk encryption (aka SED). What I'd like to do is:

  • Store data encrypted-at-rest on the disks (NVMe & SAS).
  • Not be required to enter a password/passphrase at server boot.
  • Have encryption keys be stored in the server's TPM 2.0 module.

To simplify, the goal is to "lock" the data to the server, ensuring that if a disk is removed and inserted in another machine the data is inaccessible. I've seen sedutil but haven't yet played with it as it looks like it requires entering a passphrase at every boot. I have hundreds of servers I'd like to enable this on, so having to enter a passphrase (is it per-disk?) at reboot is not an option. TPM seems like a natural place to store this kind of thing, so I'm wondering if anyone's done anything like this. The only reference I can find to anything like this is in this Micron white paper. The servers are all running Ubuntu 16.04 (Xenial). There's more than one disk per server, if that matters.

Evan
  • Did you ever find a solution for this? I find myself in a similar situation now. – Dominic P Jan 11 '19 at 18:05
  • Unfortunately, no. Ended up using LUKS at the filesystem level and just eating the performance hit. – Evan Feb 28 '19 at 15:35
  • Thanks for the confirmation. I appreciate it. SED seems like such a great idea in theory, but the practical tools for interacting with it leave a lot to be desired in my opinion. – Dominic P Feb 28 '19 at 20:42
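
As an added example of the direction the question sketches (sealing the Opal admin password in the server's TPM 2.0 so that nothing is typed at boot, and so that a disk moved to another machine cannot be unlocked), written for this page and not code from the question, its comments or the answer below, the script uses tpm2-tools (4.x+ syntax) and sedutil-cli. The directory /etc/opal-seal, the PCR selection sha256:0,7, the script name opal-tpm.sh and the device paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the question or any answer on this page.
# Seals a TCG Opal admin password in the TPM 2.0 (tpm2-tools 4.x+ syntax),
# bound to PCR values, and unseals it after boot to unlock data disks with
# sedutil-cli. Device paths, directory and PCR selection are assumptions.
set -eu

SEAL_DIR=${SEAL_DIR:-/etc/opal-seal}   # assumed location for the sealed blobs
PCRS=${PCRS:-sha256:0,7}               # firmware code + Secure Boot state (assumption)

# Parse one "Name = Y/N" field from `sedutil-cli --query` output on stdin.
# Prints Y or N, or nothing if the field is absent.
opal_field() {
    grep -o "$1 = [YN]" | head -n 1 | cut -d' ' -f3
}

# One-time setup: read the Opal admin password on stdin and seal it to the
# TPM under a PCR policy. Re-run after firmware or Secure Boot changes,
# because the PCR values move and the unseal will then fail.
seal_password() {
    umask 077
    mkdir -p "$SEAL_DIR"
    tmp=$(mktemp)
    cat > "$tmp"
    tpm2_createprimary -C o -g sha256 -G rsa -c "$SEAL_DIR/primary.ctx" >/dev/null
    tpm2_createpolicy --policy-pcr -l "$PCRS" -L "$SEAL_DIR/pcr.policy" >/dev/null
    tpm2_create -C "$SEAL_DIR/primary.ctx" -g sha256 -L "$SEAL_DIR/pcr.policy" \
        -i "$tmp" -u "$SEAL_DIR/seal.pub" -r "$SEAL_DIR/seal.priv" >/dev/null
    shred -u "$tmp"
}

# At boot: unseal the password. The TPM refuses if the PCRs differ from the
# sealing-time values, so the blob is useless on another machine.
unseal_password() {
    tpm2_load -C "$SEAL_DIR/primary.ctx" -u "$SEAL_DIR/seal.pub" \
        -r "$SEAL_DIR/seal.priv" -c "$SEAL_DIR/seal.ctx" >/dev/null
    tpm2_unseal -c "$SEAL_DIR/seal.ctx" -p "pcr:$PCRS"
}

# Unlock the global locking range of one Opal drive and confirm via --query.
# SATA drives additionally need the libata.allow_tpm=1 kernel parameter.
unlock_disk() {
    dev=$1
    pw=$(unseal_password)
    sedutil-cli --setLockingRange 0 RW "$pw" "$dev" >/dev/null
    # Only drives with the MBR shadow enabled need MBRDone set to expose the real LBA 0.
    if [ "$(sedutil-cli --query "$dev" | opal_field MBREnabled)" = "Y" ]; then
        sedutil-cli --setMBRDone on "$pw" "$dev" >/dev/null
    fi
    unset pw
    [ "$(sedutil-cli --query "$dev" | opal_field Locked)" = "N" ] || {
        echo "$dev is still locked" >&2
        return 1
    }
}

case "${1:-}" in
    seal)   seal_password ;;                  # printf '%s' "$PASSWORD" | opal-tpm.sh seal
    unlock) shift; for d in "$@"; do unlock_disk "$d"; done ;;
    *)      echo "usage: $0 seal | unlock /dev/nvme0 [/dev/sdb ...]" ;;
esac
```

Two caveats a practitioner would weigh before rolling this out to hundreds of servers. Opal drives re-lock on every power loss, so the unlock step has to run on each boot from something that is already readable; this covers data disks unlocked once the OS is up (or from an initramfs on an unlocked volume), while a root filesystem on an Opal drive still needs a pre-boot authority such as sedutil's PBA image. And sealing to PCRs defends against the scenario the question names, a disk pulled and read elsewhere, not against theft of the whole server, which still boots and unseals normally.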

1 Answer


A few years too late, but depending on your server configuration, a Broadcom RAID controller with SafeStore, such as the 9540-8i or 9560-8i, should be a solution for you. Instead of storing the keys in the TPM, it provides its own security module. But your requirements of password-less startup and an unreadable disk if it is removed should be satisfied.

Note: if the attacker also removes the controller card, it may be possible to access the data. I have not verified this.

Stev0