I'm buying servers lately and all of them have disks that support TCG Opal full-disk encryption (aka SED). What I'd like to do is:
- Store data encrypted-at-rest on the disks (NVMe & SAS).
- Not be required to enter a password/passphrase at server boot.
- Have encryption keys be stored in the server's TPM 2.0 module.
To simplify, the goal is to "lock" the data to the server, ensuring that if a disk is removed and inserted in another machine the data is inaccessible. I've seen sedutil but haven't yet played with it as it looks like it requires entering a passphrase at every boot. I have hundreds of servers I'd like to enable this on, so having to enter a passphrase (is it per-disk?) at reboot is not an option. TPM seems like a natural place to store this kind of thing, so I'm wondering if anyone's done anything like this. The only reference I can find to anything like this is in this Micron white paper. The servers are all running Ubuntu 16.04 (Xenial). There's more than one disk per server, if that matters.
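The pattern the question is asking about, as an added example that is not part of the question or of sedutil or tpm2-tools: a master secret is sealed once into the TPM 2.0 under a PCR policy, and a boot-time hook unseals it and unlocks every Opal disk without any interactive passphrase. Assumptions (not from the question): tpm2-tools 4.x or later (`tpm2_unseal`, `tpm2_create`, `tpm2_createpolicy`), `sedutil-cli` and `openssl` are installed, the secret was sealed to PCRs 0 and 7 at the persistent handle shown, the device list is illustrative, and per-disk passwords are derived from the single sealed secret with HMAC over the disk serial so that no two disks share a password.

```shell
#!/bin/sh
# Added example: unlock TCG Opal SEDs at boot with a master secret sealed to
# the TPM 2.0 (no interactive passphrase). Not from the question or either tool.
# One-time provisioning, assumed to have been done already (tpm2-tools 4.x+):
#   tpm2_createprimary -C o -G ecc -c primary.ctx
#   tpm2_createpolicy --policy-pcr -l sha256:0,7 -L pcr.policy
#   tpm2_create -C primary.ctx -i master.key -L pcr.policy -u seal.pub -r seal.priv
#   tpm2_load -C primary.ctx -u seal.pub -r seal.priv -c seal.ctx
#   tpm2_evictcontrol -C o -c seal.ctx 0x81010001
set -eu

SEALED_HANDLE="0x81010001"   # persistent handle chosen at provisioning (assumption)
PCR_POLICY="pcr:sha256:0,7"  # firmware + Secure Boot state; must match the seal policy

# Derive one Opal password per disk from the single sealed master secret and the
# disk's serial number (HMAC-SHA256), so disks never share a password and the
# master secret itself is never passed to sedutil-cli.
derive_disk_password() {
    master="$1"; serial="$2"
    printf '%s' "$serial" | openssl dgst -sha256 -hmac "$master" | awk '{print $NF}'
}

# Read a block device's serial: NVMe exposes it in sysfs, SAS/SATA disks are
# read through lsblk (udev). Fails if no serial is available.
disk_serial() {
    dev="$1"; name="${dev#/dev/}"
    if [ -r "/sys/block/$name/device/serial" ]; then
        tr -d ' \n' < "/sys/block/$name/device/serial"
    else
        lsblk -dno SERIAL "$dev" | tr -d ' \n'
    fi
}

# The TPM releases the master secret only while the current PCR values satisfy
# the policy it was sealed under; in another chassis or after a firmware change
# this command fails and the disks simply stay locked.
unseal_master() {
    tpm2_unseal -c "$SEALED_HANDLE" -p "$PCR_POLICY"
}

# Unlock locking range 0 (the whole disk) read/write on each listed device and
# mark the shadow MBR done so the real partition table becomes visible.
unlock_disks() {
    master="$(unseal_master)"
    for dev in "$@"; do
        serial="$(disk_serial "$dev")" || { echo "no serial for $dev" >&2; continue; }
        pw="$(derive_disk_password "$master" "$serial")"
        sedutil-cli --setLockingRange 0 RW "$pw" "$dev"
        sedutil-cli --setMBRDone on "$pw" "$dev"
    done
    unset master pw
}

# Run the unlock only when invoked under this name, so the functions can also
# be sourced; the device list is a placeholder (assumption).
case "${0##*/}" in
    unlock-sed.sh) unlock_disks /dev/nvme0n1 /dev/nvme1n1 /dev/sda ;;
esac
```

Run it from the initramfs or from a systemd unit ordered before `local-fs.target`, because Opal disks lock on power loss and nothing can be mounted until they are unlocked; a disk the OS itself boots from needs a pre-boot authentication image instead, or must be left outside the locked set. Any firmware or Secure Boot change alters PCR 0/7 and the unseal will fail until the secret is re-sealed under the new values, so keep an escrowed copy of the master secret outside the TPM: without it, a failed TPM or a mis-sealed policy makes every disk on that server unreadable, which is the intended behaviour for a stolen disk but a disaster for a planned upgrade.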
0 Answers