[Discuss] NAS: encryption

[warlord at MIT.EDU (Derek Atkins)]

"Edward Ned Harvey (blu)" <blu at nedharvey.com> writes:

>> From: Discuss [mailto:discuss-bounces+blu=nedharvey.com at blu.org] On
>> Behalf Of Tom Metro
>> 
>> I imagine it would be challenging to pull off encryption well with
>> appliance hardware. The first problem is getting the software to do it.
>> (Plus all the automation you've previously discussed to set up the keys
>> on boot.) The second challenge is having the horsepower to perform the
>> encryption. Not impossible if they chose their embedded CPU well, but
>> unlikely to be optimized for that.
>
> You seem to think there's an obstacle which isn't really real -
> Encryption is very cheap computationally, so cheap indeed it can be
> done by the disks themselves. Yes, it's absolutely possible for
> appliances to utilize disk encryption, either by using its own CPU, or
> by offloading to the disks. I cannot speak to the specifics of any
> particular appliance actually doing it though, as I don't use any of
> them.

I don't trust my disks to do the encryption, mostly because there's
really no way to verify that it's doing it correctly, and the key
management gets a lot harder.  I'd rather use dm-crypt (or the
equivalent).  In either case you still need to figure out how your keys
are going to get provided when the system boots.

-derek
-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord at MIT.EDU                        PGP key available