SED/FIPS Drives - Hardware Encryption
Gregory Pepus
Partner at BOKA Group (Growth Stage) Private Equity in Global National Security and Defense/AUKUS focused (Space, Quantum, AI/ML, Advanced Cyber, Materials, Energy).
One of the best kept secrets in the storage world is the availability of self-encrypting storage devices (SATA, SAS, NVMe/M.2 or NVMe/PCIe formats). These devices allow data at rest (DAR) to be stored in encrypted form at hardware speeds using the Trusted Computing Group (TCG) Storage standards, which have been adopted by every major storage manufacturer in the world, including Seagate, Micron and Western Digital, to name a few. Self-Encrypting Drives (SEDs) and their FIPS 140-2 validated variants have TCG OPAL 2.0 cryptographic firmware built into the hardware, so the data on an SED is ALWAYS encrypted when stored. There are two principal implementations of the TCG Storage Core Specification: OPAL 2.0, which targets desktop, laptop and boot-drive devices, and Enterprise, which targets enterprise-scale data storage devices.
Encrypted doesn't mean protected or safe. An SED needs a 32-byte PASSWORD set on it to protect the encrypted contents of the drive. The need to set one or more passwords on each device is a barrier to broad adoption of SED and FIPS SED in a server, data center or cloud setting. While Windows, Linux and Mac operating systems allow a user to manually enter and manage a password for TCG OPAL drives, there is no widely adopted COTS approach to this, and very limited automated enterprise-level software for managing TCG Enterprise SED and FIPS devices, which require many unique passwords.
Administrators in data centers will never manually set passwords on the tens, hundreds or thousands of storage devices they run, because they would have to maintain those passwords and supply them every time a system is rebooted. The process is too labor intensive and operationally risky to ever be done by hand. Consequently, SED and/or FIPS drives are sold as part of a solution but often are not actually operated in SED or FIPS mode, which means that your DAR is NOT actually protected.
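As an added illustration of that last point (example code, not FUTURA Cyber's software and not part of the original article), the audit below parses the output of the open-source `sedutil-cli --query` tool and flags drives that advertise TCG locking but were never provisioned, so their media encryption key is unprotected. The sample output is constructed in that tool's format, not captured from real hardware.

```python
import re

# Constructed sample in the style of `sedutil-cli --query` for two drives
# (not real hardware): one provisioned and locked, one shipped as an SED
# but never set up, so it still encrypts but protects nothing.
SAMPLE_QUERY = """\
/dev/sda ATA EXAMPLE-SED-A 1.0 SERIAL0001
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = Y, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = Y, MediaEncrypt = Y
OPAL 2.0 function (0x0203)
    Base comID = 0x1004, Initial PIN = 0x00, Reverted PIN = 0x00, comIDs = 8, Locking Admins = 4, Locking Users = 9, Range Crossing = N
/dev/sdb ATA EXAMPLE-SED-B 1.0 SERIAL0002
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = N, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
"""

DEVICE_RE = re.compile(r"^(/dev/\S+)\s")      # a device header line
FLAG_RE = re.compile(r"(\w+)\s*=\s*([YN])")    # "Name = Y" pairs


def parse_query(text):
    """Return {device: {flag: bool}} from each drive's 'Locking function' line."""
    drives, current = {}, None
    for line in text.splitlines():
        m = DEVICE_RE.match(line)
        if m:
            current = m.group(1)
            drives[current] = {}          # no locking line yet: treat as non-SED
            continue
        if current and "LockingEnabled" in line and "LockingSupported" in line:
            drives[current] = {k: v == "Y" for k, v in FLAG_RE.findall(line)}
    return drives


def classify(flags):
    """Map a drive's locking flags to an audit verdict."""
    if not flags.get("LockingSupported"):
        return "not-an-sed"
    if not flags.get("LockingEnabled"):
        return "sed-not-provisioned"      # encrypts, but nothing guards the media key
    return "protected"


def audit(text):
    """Verdict per device for one `sedutil-cli --query` output."""
    return {dev: classify(flags) for dev, flags in parse_query(text).items()}


if __name__ == "__main__":
    for dev, verdict in audit(SAMPLE_QUERY).items():
        print(f"{dev}: {verdict}")
```

On a real host, feed the script the concatenated `sedutil-cli --query <device>` output for each drive; any "sed-not-provisioned" result is a drive whose data at rest is encrypted but not actually protected.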
FUTURA Cyber has developed a COTS software package called the Cryptographic Management Platform (FC-CMP) that integrates with servers, drive enclosures, just-a-bunch-of-disks (JBOD) arrays and other storage targets (think containers, servers or anything to do with storage). This software communicates with the drives and with a Key Management Server (KMS) over the Key Management Interoperability Protocol (KMIP). Instead of passwords being created manually, the KMS generates an AES-256 (32-byte) key for each drive and FC-CMP uses that key as the password on the target drive. If a drive requires a separate password for each authority, multiple keys are issued so that each PIN is unique. There is no limit to the number of drives that can be supported, and drive unlocking at boot time is automated.
FC-CMP handles creating the keys, setting the passwords, locking and unlocking the drives at boot or run time, and managing those keys over time. We remove the password barrier by automating the entire process. FC-CMP makes the SED and FIPS capabilities of the drive practical to use and dramatically increases the security of data at rest. It is also designed to integrate with your existing software via a C API, Python API or command-line interface, and it handles both OPAL 2.0 and Enterprise drives.
(4 years ago) Great article, Greg; this is exactly the type of innovation that will keep us safe and prevent data loss. Good show!
Very cool!
Hi Greg, Yes, I saw that AF was sold. Amazing!