Any Risk of SED not using encryption

Hi,
Looking for some advice. I was going to buy a bunch of Seagate SED drives for an old, updated Supermicro 4U for backup and cold storage. I have no real experience with these SED’s (self encrypting drives) and don’t want to bother setting up keys and enabling the encryption.

My question is, is there a risk of not keying them? I was thinking about a hack where a hacker could remote-in and hack my system by keying-up my drives “on me” and thus locking the drives up so I can’t access them, and thereby ransoming me?

Is this a legitimate worry or not based on how this works?

If it matters, 24 slots on a LSI controller onto a 24U SAS backplane.

1 Like

not sure of the cost of SED drives vs non, but to change the keys, any attacker would basically need enough permissions to format / clear the drives anyway, so backup would be more pressing, rather than deepening the encryption.

But, backup should be planned for anyway, so random ransomware should be less of a concern anyway…

Not saying Don’t FDE, just don’t rely on it to restrict the damage done by evil actor on a system.

FDE / SED can reduce the chances of a physical drive pull / swap to steal data

[EDIT] If you don’t use the encryption, or even if you do, a root level attacker can change / remove / install keys, but could also format non SED drives. One can do FDE on non SED drive too.

So, I’d say, Don’t worry, do make backups, and do enable the SED function…

2 Likes

So let me get this straight, the encryption process on a SED by setting an encryption key, will first erase all data before getting encrypted? Meaning they can’t encrypt my drives with data already on them, thus locking up my stored data on me, because it would erase all of it anyway in the process?

1 Like

I apologize; the drives are always encrypted, and changing (or setting) a key will destroy the old (blank by default) key, rendering all data… effectively random/gone.

I don’t think this aspect should hold you back, if you wanted to have encryption at rest. Please just back up the key you set.
The key can be changed, removing all access to the data, but at least they would not be able to get the data. The same way they can format the drives on a live system, just not as quick.

In fact, in drives featuring full-disk encryption, data is always encrypted with the data encryption key when stored to disk, even if there is no password set (e.g. a new drive). Manufacturers do this to make it easier for users who do not wish to enable the security features of the self-encrypting drive. These self-encrypting drives can be thought of as having a zero-length password by default that always transparently encrypts the data (similar to how passwordless SSH keys can provide somewhat secure access without user intervention).

If a user wishes to “enable” encryption at a later stage, they are able to configure an authentication key (such as a passphrase) which encrypts the existing data encryption key. The user will then be prompted for their passphrase when decrypting the data encryption key in the future. Crucially, because the existing data encryption key is not regenerated, setting a passphrase allows for the drive to be locked while preserving existing encrypted data on the disk, avoiding the need for the drive to be re-encrypted.

(ref: ArchWiki, “Self-encrypting drives”)

2 Likes
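The key hierarchy in the ArchWiki passage quoted above, as a toy model (an added example, not part of the thread and not how any particular drive firmware is written). `ToySED`, its method names and the SHA-256 keystream standing in for the drive's AES engine are all assumptions made for illustration.

```python
import contextlib, hashlib, hmac, os

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy cipher (SHA-256 keystream); a stand-in for the drive's AES engine.
    ks = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

class ToySED:
    # Constructed model: media is always encrypted with a DEK; the passphrase only wraps the DEK.
    def __init__(self):
        self.salt, self.dek, self.media = os.urandom(16), os.urandom(32), b""
        self._wrap(b"")                      # factory state: zero-length password

    def _kek(self, passphrase: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase, self.salt, 10_000)

    def _wrap(self, passphrase: bytes) -> None:
        kek = self._kek(passphrase)
        self.wrapped = xor_stream(kek, self.dek)
        self.tag = hmac.new(kek, self.wrapped, "sha256").digest()

    def unlock(self, passphrase: bytes) -> None:
        kek = self._kek(passphrase)
        tag = hmac.new(kek, self.wrapped, "sha256").digest()
        if not hmac.compare_digest(tag, self.tag):
            raise PermissionError("wrong passphrase")
        self.dek = xor_stream(kek, self.wrapped)

    def power_cycle(self) -> None:
        self.dek = None                      # DEK leaves the controller's RAM
        with contextlib.suppress(PermissionError):
            self.unlock(b"")                 # unkeyed drives unlock transparently

    def _key(self) -> bytes:
        if self.dek is None:
            raise PermissionError("drive locked")
        return self.dek

    def write(self, data: bytes) -> None:
        self.media = xor_stream(self._key(), data)

    def read(self) -> bytes:
        return xor_stream(self._key(), self.media)

    def set_passphrase(self, old: bytes, new: bytes) -> None:
        self.unlock(old)                     # authenticate, then re-wrap the same DEK
        self._wrap(new)

    def crypto_erase(self) -> None:
        self.dek = os.urandom(32)            # new DEK: old ciphertext is unrecoverable
        self._wrap(b"")
```

In this model, setting a passphrase keeps existing data readable once unlocked, while regenerating the DEK is what makes it unrecoverable; either way, availability depends on holding the passphrase and a backup.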

Thanks for the Info @Trooper_ish

I think I understand. :open_mouth:

They are cheap, used, 3tb Seagate drives, and must have been reset. I just don’t want to have to mess and deal with setting up encryption keys, and use them as is etc.

Thank you again for your insight! Be well.

1 Like

Whatever drives you have, if a hacker is on your system you could lose all your data.

Prepare appropriately

2 Likes

I’m prolly a particularly odd person, that I never touched 3TB drives, in the wake of the floods back in the day, seemingly causing a bunch of them to perish early…

Just 2 / 4 / 8 and soon, 16…

1 Like

lol, well if you want to push me in the right direction :grinning:

I rebuilt a Supermicro SM846, dual platinum 1200w power supplies, an Epyc Rome Chip on a Gigabyte MZ32-AR0 board. Unfortunately it still has a sas2 dual expander backplane in it which is currently on a LSI 9761-8i controller.

I do have 6 gen4 Nvme(s) in it for fast storage ~10tb, but I understand how old and ancient my cold backup storage is. Running a few different raid arrays with my primary backup volumes as raid6. I’m too cheap to buy nice sas ssd’s for the front and wouldn’t be able to take advantage of the drive speeds anyway with the current controller and backplane etc. Plus I’d rather spend the money on a new threadripper build. I do have a couple of unused U.2 ports on the board? It’s hard to replace all my 3tb’s that I can get for, let’s say $150 for a lot of 19.

Plus I keep hearing Wendell on Youtube saying raid is dead. I love this box though, it’s built like a tank with all the heavy aluminum. :slight_smile:

Maybe I should try and get a newer controller with JBOD capability, a sas3 dual backplane (if it would fit) and keep all the drives as individual drives, and do software raid and storage pools? Dunno.

Thoughts?

1 Like

If you have the storage, then use it. It’s fine.

And I would not worry about the sas2 for spinning rust drives.

You might* even be able to upgrade the backplane later, and controller card.

*not sure, but maybe

Personally, I use software raid, not hardware raid, so I can change my raid controllers any time, or even connect drives direct to motherboard / M.2 adapter, but it is more set-up needed, and less plug-and-play…

1 Like

Well it would be a bit pricey for me to get just from sas2 6gb/sec to sas3 12gb/sec. Yet to only have to deal with the backplane going forward. Also, not sure if it is an urban legend or not but I read (at least with my current controller and/or backplane) that there might be hardware issues with playing with large drives and/or all slots populated.

With regards to plug-and-play, God forbid anything should happen to me even with my hardware based virtual drives, because my wife and/or kids would have absolutely no idea! Best I make copies on a few massive external drives, which is more stupid proof.

1 Like

Nothing wrong with that, just the price is all.

And 6gb/s is the max SATA could go anyway, and SATA can only do half duplex.

SAS2 can do 6gb/s both ways.

So you’re not really losing much.

I don’t know that controller, but you might get a bunch of drives, running near max speed at the same time.

Or, there could be issues / bottlenecks with it.

The raid cards I have (in IT / HBA mode) are only PCIe2 so they are restricted in bandwidth, if I plug them in x4 slots, but it’s still fine for SATA, and HDD’s. It probably holds SATA SSD’s back, but then again, I still get lower latency / seek times, so never worried about any max bandwidth.

Just my 2c.

The only thing is if you wanna sink much money in older stuff.

I would probably get a couple older drives, but maybe higher capacity than 3TB.

2 Likes

There was some research done years ago that found essentially all self-encrypting drives had vulnerabilities that bypassed the encryption, had a master password, etc. (CVE-2018-12037 and CVE-2018-12038). That is why Bitlocker stopped trusting self-encrypting drives to implement encryption and instead began enforcing software-level encryption.

It’s hard to know if these were fixed without a replication study. If you are actually concerned about the encryption (not just checking off a corporate policy), it would be safer to stick with software-based encryption.