Pragmatic Full Disk Encryption with Controller Based Encryption adapter SmartRAID 3162-8i /e !?

[jx662607015]

Hi all,

after having seen the video "Self-encrypting deception weaknesses in the encryption of solid state drives (SSDs)" (Can't add the link, search for on google) I lost all trust in the current available Self Encrypting Devices. So I switched back to software based full disk encryption. But this was also not very satisfying. For example I don't want to handle encrypted ZFS boot with RAIDZ3, encrypted Ceph and all the other things. It just would be nicer or more pragmatic to keep this topic independent from my Proxmox VE installation.

In general I have the following requierements for Full Disk Encryption:

1. When I pull out a HDD/SDD from my server the data has to be immediately unreadabel for anyone else
2. Every HDD/SDD has to be full disk encrypted in my server cluster
3. The full disk encryption should be hardware based
4. The key management shoud be completely independent from the installed OS

After a lot of research an testing I think that Controller Based Encryption would be the best solution for a complete full disk encryption of my whole system.

So, does anyone have experience with the Controller Based Encryption adapter "Microsemi Adaptec SmartRAID 3162-8i /e"?

Here some links:

• Microsemi Adaptec SmartRAID 3162-8i /e (Can't add the link, search for it on google)
• Video Microsemi Adaptec SmartRAID 3162-8i /e with maxCrypto™(Can't add the link, search for it on youtube)

Thanks

 

[LnxBil]

Honestly, I would not have a higher trust in a hardware raid controller than in a self encrypting device.

 

[jx662607015]

It's a reasonable thought!

But at least we can check in detail if the controller has encrypted the data on the HDD/SDD. An self encrypting device, as seen in the mentioned video from the CCC, is a closed system and you don't realy know what is happening in depth.

On the other side a software based full disk encryption is more flexible and independent from any hardware.

I think I'm going to test the controller.

 

[LnxBil]

An self encrypting device, as seen in the mentioned video from the CCC, is a closed system and you don't realy know what is happening in depth.

A controller is open? No, it's also a closed system and you have no idea what happens inside. You also don't know what backdoor is in there etc. Therefore I had and still have my doubts about any hardware encrypted system.

If you use Linux's LUKS, it's OpenSource and you can just look what it is doing.

 

[jx662607015]

No i didn't said it's an open system, but at least the HDD/SDDs attached are independent. There should be a way to verfiy what the controller is writing to the disk. But I also don't trust 100% to the hardware encryption.

I'm using dm-crypt/LUKS since 5 years in productive systems and it's working fine.

Currently I'm preparing to use ZFS raidz2 as boot and ceph for the data and still struggling with the software based full disk encryption for the whole system.

 

[LnxBil]

Currently I'm preparing to use ZFS raidz2 as boot and ceph for the data and still struggling with the software based full disk encryption for the whole system.

What is your problem here? You need at least the bootloader unencrypted and have to provide the passphrase manually via console. You can do that with SSH, but you have to patch the initrd, because it does not include SSH by default.