
Re: self-encrypting drives (SED)



On 2015-11-21 03:59, David Christensen wrote:
> On 11/20/2015 01:04 AM, Pascal Hambourg wrote:
>> Anyone with physical access can do whatever they want. You can set up
>> restrictions in the BIOS or set restrictions in the boot loader, but
>> they still can take the disk out and read or modify it with another
>> machine.
>>
>> To protect against this you can use encryption or set up a password
>> on the disk (ATA security functions). Note that encryption alone does
>> not protect against tampering, as the boot part cannot be encrypted.
> 
> As I understand it, self-encrypting drives (SED) encrypt everything
> (including the boot partition).  To use this feature, you need a
> computer with BIOS/ UEFI that supports it -- e.g. the BIOS will prompt
> you for the password during POST; if you don't enter the correct
> password, the drive remains locked and its contents are inaccessible;
> doing a secure erase will wipe the contents and then unlock the drive:
> 
>     https://en.wikipedia.org/wiki/Opal_Storage_Specification
> 
> 
> I recently bought a Samsung EVO 850 that I'd like to benchmark in
> various configurations -- raw/ ext4/ btrfs, with/ without SED, with/
> without LUKS, with/ without AES-NI, etc.  I've used "bonnie++" and
> "dbench" in the past.  What other HDD/ SSD benchmarking tools should I
> consider?

Well, the last couple of months there have been multiple reports of
weaknesses in disks that apply encryption themselves. Western Digital
comes to mind, but there were more. In our company we have chosen to not
trust these "secure" features and do the encryption ourselves. Things
like LUKS etc. seem to be trustworthy enough and are very easy to set
up. I'd think it might even be a cheaper solution too (if you don't have
to put in too much time for configuration and maintenance).

Just my $0.02

Grx HdV


