  1. #1
    2 Star Lounger

    SED or Self-encrypting-drives.

    Here is a subject that could use a little more public technical information.
    I've been looking for alternate ways to protect user data and systems.
    One item that has my attention is hardware drive encryption.
    SED or Self-encrypting-drives.
    How do you install setup and use a SED drive?
    Most new drives come with a chip that encrypts the data.
    All data written or read passes through this chip.
    These are known as drives with SED.
    In order for the system to take advantage of this feature the BIOS/UEFI must have support for it.
    The drive has a key it uses to encrypt the data and decrypt it.
    If you never set a key into the BIOS/UEFI the drive is normal and considered unencrypted,
    as you can move it from system to system and still read the data.
    If you put a key code into the BIOS/UEFI the drive uses the BIOS code to modify its own key
    and you now have an encrypted drive.
    I think that if you put a new drive into a system and set the key code before installation, everything should work.
    I assume that an encrypted drive will be unreadable on another system unless you set the BIOS/UEFI key?
    I also assume that if you forget or lose your key, you’re SOL on getting your data back.
    Most information I'm finding on the internet just tells you what it is but nothing on actually using it.

    Here are some questions I'm having trouble getting answers to.
    1. What happens to a drive's data if you enable encrypting after the system or data is already on the drive?
    2. If you have more than one drive are both drives encrypted or can you control which drive?
    3. Will the Microsoft BitLocker support this feature in the future?
    4. Is there any software that can do the job of the BIOS/UEFI key for an external USB drive?
    5. Are there any known compatibility issues between different system and drive makers for using this feature?
    6. Are all HDD vendors using the OPAL and Enterprise standards developed by the Trusted Computing Group?

    Anyone know of any really good write ups on this subject, please post them.
    Last edited by RonB-TX; 2016-07-14 at 23:46.

  2. #2
    WS Lounge VIP
    1. Depends on the drive and software.
    2. Depends.... BitLocker supports individual drive encryption.
    3. BitLocker uses the internal disk encryption hardware if possible, otherwise encryption is done in Windows.
    4. BitLocker supports external drives. Not sure about Opal.
    5. Don't know.
    6. They should support Opal, but who knows.

    More info in the Lounge.
    http://windowssecrets.com/forums/sho...ata-in-Windows

    cheers, Paul

  3. #3
    2 Star Lounger
    Paul T - Thanks for your reply, but I'm not sure we are on the same page.
    1. There is no software involved; SED is a hardware feature. So the question is: if you have placed data (an OS or just files) on a drive with SED not in use, what happens when the BIOS key is set and SED goes into use? Is the data toast or readable?
    2. I know BitLocker supports TPM hardware encryption, but I have not found anywhere that it supports the drives by using their SED feature.
    3 & 4. We know that BitLocker will support any drive that is attached to a system, but as far as I know only with TPM or software, not the SED BIOS/drive feature.
    By the way TPM only stores encryption keys and is not a hardware encrypt/decryption device.
    Last edited by RonB-TX; 2016-07-15 at 21:27.

  4. #4
    WS Lounge VIP
    1. SED is hardware, enabling it is software / firmware. It's up to the drive manufacturer how they handle SED enable with existing data.
    2. https://helgeklein.com/blog/2015/01/...tion-with-ssd/
    3 & 4. Bitlocker can use USB to store the encryption keys, you don't need TPM.

    cheers, Paul

  5. #5
    Silver Lounger RolandJS's Avatar
    "...One item that has my attention is hardware drive encryption.
    SED or Self-encrypting-drives.
    How do you install setup and use a SED drive?
    Most new drives come with a chip that encrypts the data.
    All data written or read passes through this chip.
    These are known as drives with SED. .."
    The above is the part I'm commenting upon.

    Youse guys are way above my paygrade on this subject; however, let me add this to the mix:
    I tried using a WD Passport Ultra ext usb HD for backup/restore purposes, not for simply copyNpaste of data folder/files. Even though WDPU HD has onboard/circuit board encryption that intercepts everything coming and going -- there is the matter of THE KEY, The Key being the software that must reside on the computer somewhere and which springs into action, whether or not there is a password [and if password set up - whether user-entered or auto-passed-through], whenever the WDPU is "sniffed" detected by the computer during boot/startup or later.
    If anything happens to THE KEY [no matter if "logical error," if software clash, if the Cods no longer swim with you], you are toast, you will not be able to "enter" the HD. I think WDPU calls what I call "The Key" Smartware or something like that.
    And, The Key better reside and function on any usb or dvd boot process if trying to access WDPU from any kind of external-to-Windows boot.
    I returned my WDPU hd to my local computer store after my failing attempts to bypass The Key and/or the auto-encryption.
    Last edited by RolandJS; 2016-07-16 at 22:17.
    "Take care of thy backups and thy restores shall take care of thee." Ben Franklin revisited.
    http://collegecafe.fr.yuku.com/forum...-Technologies/

  6. #6
    2 Star Lounger
    To Paul T
    Thanks for setting me straight and the links.
    The links were helpful and answered some of my questions.
    The only thing I'm not clear about is:
    Can you turn on BitLocker on an existing system drive and not lose anything?

  7. #7
    WS Lounge VIP
    Samsung require an empty drive to turn on encryption - just checked on mine. Make an image, turn on encryption, restore - can you restore a backup to an encrypted disk after booting from USB?

    cheers, Paul

  8. #8
    WS Lounge VIP
    You can image / restore Bitlocker done in software. In hardware I suspect Windows wouldn't care about encryption as it's off-loaded, so a straight image / restore would work.

    cheers, Paul

  9. #9
    2 Star Lounger
    Paul T, thanks for all your input. I learned a lot this weekend about encryption & hard drives.
    However it will not fix my customers, as they are a little resistant to change.
    I believe that I will go a different direction.
    The # 1 problem I have is getting clients to remove their backup device after a backup and plug it in again for the next backup.
    One client lost all his files, documents, Quick Books, Turbo Tax and every backup he had made. The Virus was LOCKY ransom ware.
    The other problem is how to hide network storage devices. How to hide a WDMYCLOUD is my number one issue.
    One change I will start is not allowing mapped drives to be used.
    Rather than map a server's folder, it's just as easy to use the network path like \\server\share name.
    I do this with my home. I setup Word, Excel and other apps to use the network path as their default folders.
    This way my desktop, laptop and wife's systems all get & save their documents to/from the server.

    However if you have any good ideas feel free to share them.

    cheers RonB

  10. #10
    WS Lounge VIP
    The only solution I can see to the problem of ransomware is a dedicated backup server. Users would not have access to the server. If a machine is compromised the recent backups would be worthless, but older backups would allow recovery.

    To make this work there are two methods. Both require a server that users do not have access to so can't be infected with malware.
    Linux is a good solution here as it's cheap and relatively safe from malware, so the whole lot would cost around $500 - cheap considering the cost of data loss.

    1. Install server backup software that uses agents to backup all workstations. Users would have no control over backup. This can be done with Zmanda open source backup.
    2. Create a write-only share, or per user shares, on the server. The malware cannot modify files it can't see. Backup software may have issues with this.
    2.a. Create a standard share for backups and have a server process (under Cron / Task Scheduler) move the backup to a non-shared directory. When malware accesses the share it will not see any files. This method has a small window where any backup can be compromised, so multiple backups are required.

    cheers, Paul
    Last edited by Paul T; 2016-07-18 at 03:06.

  11. #11
    2 Star Lounger
    Thanks Paul
    In the case of servers, I have three and I have set them up so they never show on the network.
    My problem is the 4 clients that use a WDMYCLOUD to backup to.
    Your suggestion about having the server move the backups is good, I may set that up as added safety.
