FUTURA Cyber is developing an encryption management client platform called the FUTURA Cyber – Crypto Management Platform (FC-CMP) to enable the management of encryption keys for storage devices as well as other types of devices within the Internet of Things (IoT). This technology will help fill the gap in the market and aid storage enclosure manufacturers in locking and managing Self-Encrypting Drives (SED) and Federal Information Processing Standard 140-2 certified SED drives. The need for this is self-evident as cyber security compliance requires that all stored information be protected (i.e. data at rest be encrypted).
Almost all Hard Disk Drives (HDDs) and Solid-State Drives (SSDs) are built using the Trusted Computing Group’s (TCG) OPAL 2.0 technology. Part of this technology describes circuitry for encrypting all data stored on SSD or HDD devices. In fact, virtually any modern storage device, including SATA, SAS, NVMe, M.2 and other storage device formats, uses TCG OPAL encryption hardware to encrypt the media as data is stored. While data is encrypted on the storage media, information is NOT actually protected unless the storage device is locked with a password.
The problem FUTURA Cyber’s FC-CMP addresses is enterprise storage in the cloud or data center environment (Figure 1). Few manufacturers of drive enclosures such as Just a Bunch of Disks (JBOD), Storage Area Networks (SAN) and/or Network Attached Storage (NAS) have developed the software to provide bulk password generation and locking mechanisms for SED drives or their FIPS 140-2 certified variations.
Customers buy SED or, in more security-conscious situations, FIPS certified SED drives to check a security or regulatory compliance box. However, the drives are rarely actually locked because of the complexity of managing passwords to lock/unlock dozens, hundreds or thousands of drives in a data center setting. The appropriate way to utilize the encryption capabilities of TCG OPAL 2.0 drives in a data center setting is to place a 32-byte password on each drive and, over time, change those passwords on a regular, policy-driven basis.
All variations of TCG OPAL 2.0 storage devices offer a set of steps that allow those devices to be locked using a password. To manage such devices in a higher volume setting such as a data center, the best way to lock and unlock the drives (i.e. via a password) is to use an encryption key management server to generate and retrieve an AES-256 (32-byte) encryption key for each drive, to be used as the password for that device. When the drive needs to be unlocked, typically when the device is initially activated, software calls the key manager to provide the key (i.e. as the password) and unlocks the device.
FUTURA Cyber’s FC-CMP is an embedded cryptographic key management client platform which talks to ANY Key Management Interoperability Protocol (KMIP) Key Management Server, as well as any TCG OPAL 2.0 SED or FIPS 140-2 compliant drive, and/or drive controller, in order to retrieve keys and unlock the target drives. FC-CMP, currently under development, is designed as both a stand-alone tool as well as a toolkit which can be used to quickly implement client-side encryption key support for any JBOD, SAN or NAS enclosure.
Understanding encryption management via KMIP, mastering that software and understanding the complexities of talking to SED and FIPS TCG OPAL 2.0 drive variants requires knowledge and experience that most storage enclosure manufacturers rarely have on hand. Consequently, most manufacturers have been waiting to implement these capabilities until customer demand drives them to do so.
FC-CMP is built on a Python, C and C++ application infrastructure and can be embedded as command line scripts, accessed via a REST API or run as a stand-alone solution. It will interoperate with any OASIS KMIP 1.0-1.4 compliant Key Management solution and any TCG OPAL 2.0 storage device. FC-CMP supports Red Hat 7, CentOS 7, SUSE Enterprise 12+, Ubuntu 16.04+ and Windows 10/Windows Server 2016.
In answer to growing demand for such drive management, FUTURA Cyber has developed a cost-effective product that OEMs and enclosure makers can buy as a Commercial-Off-the-Shelf (COTS) offering. FC-CMP is easy to implement, requires little to no specialized knowledge, and will be evolved and supported by FUTURA Cyber over time, obviating the need for specialized skill sets. It enables locking of SED and FIPS compliant drives and raises the bar for delivering embedded cyber security solutions for Data at Rest (DAR) at a reasonable price.
What About Desktop/Laptop Storage?
For desktop, laptop and end-user local devices, Microsoft offers BitLocker, which will lock a drive using built-in Basic Input/Output System (BIOS) level capabilities or the capabilities of the Trusted Platform Module (TPM) for that desktop or laptop computing device.
Why Lock the Drive If It’s Always Encrypted?
SED and FIPS 140-2 variations are encrypting drives and have a crypto processor built into the drive. As data is written to the drive, the crypto chip encrypts the information using the Data Encryption Key (DEK) as it’s written to each sector of the disk, and decrypts it as it’s read from the drive. However, to secure a SED or FIPS drive you need to use a password to lock the device. Otherwise, when the data is read it is automatically decrypted. Placing a password on the device encrypts the DEK for the drive, which means that the data can’t be decrypted without the use of the password. The drive password is run through an algorithm and becomes the Key Encryption Key (KEK) for that drive. If the key for the drive is lost or destroyed, the drive is unreadable and has to be factory reset, resulting in the loss of all data and a new DEK being created.
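As an added example (not FUTURA Cyber's code or part of FC-CMP), the following Python models the lock/unlock flow described above together with the data-center workflow described earlier, where a key manager hands out a 32-byte key as the drive password: the DEK never leaves the drive in the clear, locking wraps it under a KEK derived from the password, a wrong password fails to unwrap it, and a factory reset produces a new DEK that leaves the old sectors unreadable. The key manager is a plain dict, the drive serial is constructed, PBKDF2 stands in for the drive vendor's password-to-KEK algorithm, and a SHAKE-256 keystream with an HMAC tag stands in for the drive's AES engine.

```python
import hashlib, hmac, os

def _xor_stream(key, nonce, data):
    # Stand-in for the drive's AES engine (not in the stdlib): SHAKE-256 keystream XOR data
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, data):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, data)
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key")  # wrong password => KEK mismatch => DEK stays sealed
    return _xor_stream(key, nonce, ct)

class SelfEncryptingDrive:
    def __init__(self, serial):
        self.serial, self.salt = serial, os.urandom(16)
        self.dek = os.urandom(32)          # Data Encryption Key, generated inside the drive
        self.wrapped_dek, self.locked = None, False
        self.media = {}                    # sector -> ciphertext; never holds plaintext
    def _kek(self, password):
        # Password -> Key Encryption Key (PBKDF2 assumed; real drives use a vendor algorithm)
        return hashlib.pbkdf2_hmac("sha256", password, self.salt, 100_000)
    def write(self, sector, plaintext):
        if self.locked: raise PermissionError("drive is locked")
        self.media[sector] = seal(self.dek, plaintext)
    def read(self, sector):
        if self.locked: raise PermissionError("drive is locked")
        return unseal(self.dek, self.media[sector])   # transparent decryption
    def lock(self, password):
        self.wrapped_dek = seal(self._kek(password), self.dek)
        self.dek, self.locked = None, True             # plaintext DEK discarded
    def unlock(self, password):
        self.dek = unseal(self._kek(password), self.wrapped_dek)  # raises on wrong password
        self.locked = False
    def factory_reset(self):
        # Fresh DEK, no wrap: old sectors remain on the media but can never be decrypted
        self.dek, self.wrapped_dek, self.locked = os.urandom(32), None, False

def demo():
    kms, drive = {}, SelfEncryptingDrive("SN-0001")          # constructed serial
    password = kms.setdefault(drive.serial, os.urandom(32))  # 32-byte key as the password
    drive.write(0, b"payroll.db")
    drive.lock(password)
    drive.unlock(kms[drive.serial])                          # key fetched from the "KMS"
    return drive.read(0)
```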
About FUTURA Cyber Inc
FUTURA Cyber was formed in 2019 to help organizations seeking an edge in cyber security. FUTURA Cyber provides intelligent, scalable cyber security solutions that reduce the cost of security and compliance management by helping organizations implement a cyber security strategy as initially envisioned, and more effectively realize the value of existing cyber investments.
FUTURA Cyber focuses on the cyber security needs of government and private sector clients who require enterprise-class, innovative, tightly integrated solutions for data-at-rest protection, encryption and key management, and cyber security architecture, policy and analytics.
Please contact FUTURA Cyber for your cyber security, complex encryption management and cyber automation integration needs.