[CentOS] self-encrypting drives
Paul Heinlein
heinlein at madboa.com
Wed Sep 19 16:37:11 UTC 2012
On Tue, 18 Sep 2012, John R Pierce wrote:

> What's the state of support for self-encrypting drives in CentOS 6?
> these are becoming increasingly common on both laptops and for
> enterprise storage (particularly nearline), with features like
> instant-erase via key destruction.

Management of Full Disk Encryption (FDE) drives is usually handled in
BIOS or via a central Windows application.

I've never installed FDE drives in servers, but they work well in
laptops running Linux. We use BIOS-level passphrases (centrally
escrowed, just in case), but we're a small shop. Performance seems
within the realm of acceptable.

The encryption is always-on. That is, data is always encrypted when
written to disk. Whether that data is readily readable depends on
whether the drive's encryption key has been encrypted. Once the key is
encrypted, a passphrase must be presented to unlock it.

Once the key has been encrypted, the drive cannot be accessed unless
connected directly to, say, the system's SATA bus. I haven't seen any
mechanisms by which the key can be unlocked via things like external
USB adapters.

--
Paul Heinlein
heinlein at madboa.com
45°38' N, 122°6' W