How do self-encrypting drives fit into an open source storage server? Well, before we dive into the premise of this blog, for those of you not familiar with SED drives, here’s a quick overview:
Circuitry on each drive encrypts data as it is written to the disk and decrypts it on its way back out; this is transparent to the operating system (OS). The OS and the central processing unit (CPU) don’t have to worry about encryption because the drives do it themselves. This process is called encryption at rest.
First, if someone physically steals your hard drives, they wouldn’t be able to power them on and see what’s on the drive. Even if they can access the drive and read the bits—it’s encrypted (which means it is locked without a specific key), so they won’t know what any of it means. Finally, when drives die and you send them back for warranty or dispose of them, encryption ensures that any sensitive data cannot be recovered from the underlying platters.
With software-based encryption, the system’s software encrypts the data that is written to the drive. This type of encryption is handled by the computer instead of by the drives themselves.
Like all software solutions, it offers flexibility. Software-defined solutions offer many general benefits today, because tasks traditionally performed by dedicated hardware no longer significantly impact performance when the CPU performs them instead. This is also true for encryption.
In addition, you are not tied to a single manufacturer’s product. Self-encrypting drives (SEDs) are supposed to follow a specification, but not all manufacturers’ drives are guaranteed to operate the same.
Also, self-encrypting drives (SEDs) are often harder to acquire, as you usually have to order from the factory. However, with a software-defined solution, you can use standard commodity hard drives or solid-state drives, and the software layer will do the magic, whether disk encryption with dm-crypt or pool encryption with ZFS. Ceph does not have native encryption as of yet but does have official support for using software-encrypted drives via dm-crypt.
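One way to confirm which disks in a server actually sit behind a dm-crypt layer, as an added example rather than 45Drives’ own code: it parses the JSON printed by `lsblk -J -o NAME,TYPE,FSTYPE`. The sample input is constructed, and `audit` and its status labels are hypothetical names.

```python
import json

# Constructed sample shaped like `lsblk -J -o NAME,TYPE,FSTYPE` output (not from a real host).
SAMPLE = json.dumps({"blockdevices": [
    # Whole-disk LUKS, unlocked, with XFS inside.
    {"name": "sdb", "type": "disk", "fstype": "crypto_LUKS", "children": [
        {"name": "luks-sdb", "type": "crypt", "fstype": "xfs"}]},
    # LUKS header present but volume locked: no mapped child.
    {"name": "sdc", "type": "disk", "fstype": "crypto_LUKS"},
    # LVM volume with dm-crypt on top (assumed layout for an encrypted Ceph OSD).
    {"name": "sdd", "type": "disk", "fstype": "LVM2_member", "children": [
        {"name": "vg0-osd0", "type": "lvm", "fstype": "crypto_LUKS", "children": [
            {"name": "osd0-dmcrypt", "type": "crypt", "fstype": "ceph_bluestore"}]}]},
    # Same LVM layout with no crypt layer.
    {"name": "sde", "type": "disk", "fstype": "LVM2_member", "children": [
        {"name": "vg1-osd1", "type": "lvm", "fstype": "ceph_bluestore"}]},
    # ZFS vdev: pool-level encryption is invisible to lsblk.
    {"name": "sdf", "type": "disk", "fstype": None, "children": [
        {"name": "sdf1", "type": "part", "fstype": "zfs_member"}]},
    {"name": "sdg", "type": "disk", "fstype": None},
]})

CONTAINERS = {"LVM2_member", "linux_raid_member"}  # hold other layers, not data

def _walk(node, under_crypt, found):
    """Record what kind of data each layer holds, tracking crypt ancestry."""
    fstype = node.get("fstype")
    encrypted = under_crypt or node.get("type") == "crypt" or fstype == "crypto_LUKS"
    if fstype == "zfs_member" and not encrypted:
        found.add("check-zfs")
    elif fstype and fstype not in CONTAINERS:
        found.add("encrypted" if encrypted else "plaintext")
    for child in node.get("children", []):
        _walk(child, encrypted, found)

def audit(lsblk_json):
    """Map each physical disk to plaintext / check-zfs / encrypted / empty."""
    report = {}
    for dev in json.loads(lsblk_json)["blockdevices"]:
        if dev.get("type") != "disk":
            continue
        found = set()
        _walk(dev, False, found)
        # Worst finding wins: one plaintext filesystem marks the whole disk.
        report[dev["name"]] = next(
            (s for s in ("plaintext", "check-zfs", "encrypted") if s in found), "empty")
    return report

if __name__ == "__main__":
    for disk, status in audit(SAMPLE).items():
        print(f"{disk}: {status}")
```

A `check-zfs` result means the disk belongs to a ZFS pool, whose encryption has to be confirmed separately with `zfs get encryption`.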
At the end of the day, both hardware-defined encryption and software-defined encryption will protect your data in the case of theft. Software-defined encryption, however, will be cheaper and offer more flexibility for things like pool vs. drive-level encryption. If you do require self-encrypting drives, don’t worry: you have options.
So, that’s your overview. Now let’s get into self-encrypting drives in an open source storage solution.
Here at 45Drives, we love all things open, and software is a part of that. This is because we love the flexibility and freedom of open source software. That’s why we lean towards the software side when people ask about hardware-defined encryption versus software-defined.
However, there are instances where self-encrypting drives (SEDs) are required, for example because of regulations placed on your organization.
So, does that mean you’re bound to legacy vendors, proprietary hardware, licensing fees and strict contracts? Unfortunately, that’s what many want you to think.
A quick Google search for information on SED drives might have you convinced there’s only one way—as proprietary vendors often push them as part of a whole system. That’s why many people are under the impression that you can’t use self-encrypting drives (SED) with an open source storage solution, which is not the case. You can use self-encrypting drives in an open source storage server.
We even have a little demo you can watch if you’re curious about how all this magic happens. So, if you’re more of a visual learner, check it out here.
In summary, self-encrypting drives are hardware-defined encryption. Software-defined encryption, however, has many benefits across the different aspects of your storage systems and generally offers greater flexibility. In addition, both software and hardware encryption have the benefit of an extra layer of security. Also, with software encryption, you can use less expensive, regular drives and achieve the same protection.
But when it comes to self-encrypting drives (SEDs), they can be a requirement under different regulations. Although encryption can be handled on the software layer (recommended), it is still possible to use SED drives within open source storage servers.
When it comes to our customers and potential customers, every use case requires a different solution, and we’re here to give you a choice. So whether you require SED drives or opt for software-defined encryption like encrypted LVM—we’ll set you up with the solution you need to help you sleep better at night.
Reach out to us with any questions. Our team is always here to help!