Disk Encryption


FMADIO systems support SED (Self Encrypting Disk) under full FIPS 140-3 certification from our SSD vendors.

Verified using FW: 10687 (2025/3/2) on FMADIO100Gp3 (FMADIO-5403)

The process for securing storage using a traditional manual password approach is as follows.

Assumptions are:

  • all capture drives are partitioned

  • the parity disk is partitioned

  • all scratch disks are partitioned

In disk.lua that translates to:

  • CacheDisk having a “:1” after the serial number (partition 1)

  • ParDisk having a “:1” after the serial number (partition 1)

  • ScratchDisk having a “:2” after the serial number (partition 2)

    • Ensure that ScratchDisk has 10 entries (including the PAR disk serial number)

The reference disk.lua file is shown below.

Remove default password

Ensure the default disk password file is not present in

/opt/fmadio/etc/disk-password

Rename the file or delete it. Usually it contains the factory-set default password.

A copy of it is also made on system boot to the system ramdisk at the location below. Delete this file as well, or reboot the system.

/tmp/disk-password

If either file exists it will cause problems with the lock and unlock procedures, because fmadiocli reads the password from this file instead of requesting input on the console.
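The pre-flight script below is an added example and is not FMADIO's own tooling. It checks the conditions listed above before step 1 is started: that neither default password file is present, that disk.lua follows the partition conventions (CacheDisk and ParDisk entries ending in “:1”, ScratchDisk entries ending in “:2”, with 10 scratch entries), and, for step 4, that nvme1n1 through nvme10n1 each expose partitions p1 and p2 according to `lsblk`. The disk.lua layout it parses (`Name = { "SERIAL:1", ... }` tables) is an assumption, since the reference file is not reproduced here, and the disk.lua path is a placeholder; `DISK_LUA` and `DISK_PASSWORD_FILES` can be overridden from the environment.

```shell
#!/bin/sh
# sed_preflight.sh - added example, not FMADIO's own tooling.
# Checks the page's preconditions: no default password file, disk.lua
# partition suffixes, and p1/p2 present on nvme1n1..nvme10n1.
# ASSUMPTION: disk.lua is laid out as `Name = { "SERIAL:1", ... }`, and
# its path below is a placeholder (the page does not give it).

DISK_PASSWORD_FILES="${DISK_PASSWORD_FILES:-/opt/fmadio/etc/disk-password /tmp/disk-password}"
DISK_LUA="${DISK_LUA:-/opt/fmadio/etc/disk.lua}"   # ASSUMED location

# Succeed only if none of the given files exist; a present file makes
# fmadiocli read the password from it instead of prompting.
check_no_default_password() {
    rc=0
    for f in "$@"; do
        if [ -e "$f" ]; then
            echo "default password file present: $f (rename or delete it)" >&2
            rc=1
        fi
    done
    return $rc
}

# Print "<total> <matching>" for the quoted entries of Lua table $2 in
# file $1: how many entries there are, and how many end in ":$3".
# The table is assumed to begin at `Name =` and end at the next `}`.
count_partition_entries() {
    awk -v tbl="$2" -v part="$3" '
        $0 ~ ("^[[:space:]]*" tbl "[[:space:]]*=") { inside = 1 }
        inside {
            s = $0
            while (match(s, /"[^"]*"/)) {
                e = substr(s, RSTART + 1, RLENGTH - 2)
                total++
                if (e ~ (":" part "$")) ok++
                s = substr(s, RSTART + RLENGTH)
            }
            if ($0 ~ /}/) inside = 0
        }
        END { printf "%d %d\n", total + 0, ok + 0 }
    ' "$1" 2>/dev/null
}

# Every entry of table $2 in $1 must carry ":$3"; when $4 is given the
# table must have exactly $4 entries (10 for ScratchDisk on this page).
check_table_suffix() {
    file=$1; table=$2; part=$3; expected=${4:-}
    set -- $(count_partition_entries "$file" "$table" "$part")
    total=${1:-0}; ok=${2:-0}
    if [ "$total" -eq 0 ]; then
        echo "$table: no entries found in $file" >&2
        return 1
    fi
    if [ "$ok" -ne "$total" ]; then
        echo "$table: $((total - ok)) of $total entries lack the :$part suffix" >&2
        return 1
    fi
    if [ -n "$expected" ] && [ "$total" -ne "$expected" ]; then
        echo "$table: expected $expected entries, found $total" >&2
        return 1
    fi
    return 0
}

# Read `lsblk -nr -o NAME,TYPE` output on stdin and confirm that each of
# nvme1n1..nvme10n1 has p1 (capture/parity) and p2 (scratch), step 4.
check_nvme_partitions() {
    lsblk_out=$(cat)
    rc=0
    i=1
    while [ "$i" -le 10 ]; do
        for p in 1 2; do
            if ! printf '%s\n' "$lsblk_out" | grep -q "^nvme${i}n1p${p} part$"; then
                echo "missing partition nvme${i}n1p${p}" >&2
                rc=1
            fi
        done
        i=$((i + 1))
    done
    return $rc
}

main() {
    status=0
    check_no_default_password $DISK_PASSWORD_FILES      || status=1
    check_table_suffix "$DISK_LUA" CacheDisk 1          || status=1
    check_table_suffix "$DISK_LUA" ParDisk 1            || status=1
    check_table_suffix "$DISK_LUA" ScratchDisk 2 10     || status=1
    lsblk -nr -o NAME,TYPE | check_nvme_partitions      || status=1
    if [ "$status" -eq 0 ]; then echo "preflight OK"; else echo "preflight FAILED" >&2; fi
    return $status
}

# Usage on the appliance: sudo sh sed_preflight.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it once before step 1 and again after step 4, when format_scratch.lua has re-created the partition tables; a non-zero exit means one of the page's assumptions does not hold and the reason is printed on stderr.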

Configuration

The following steps fully reset a new set of disks, or reset a previously used set of disks.

1) Power on the system

At most this will take about 3-4 minutes.

2) Confirm the disk status

Once the system has booted, run the disk utility to confirm SED disk encryption is enabled:

fmadiocli "show disk status"

Example output looks as follows. Confirm that only the OS disk does not have SED enabled.

Confirm that SED, PSID and SED Enable are Yes on all capture (ssd*), scratch (scr*) and parity (par0) disks, as in the screenshot above.

3) Run sanitize to reset the password to default

NOTE: this will delete all contents of the capture disks (the OS disk will remain intact).

This uses the PSID of the drive; no knowledge of the previous disk password is required.

fmadiocli "config disk sanitize"

The output looks similar to the below.

This will take only 1-3 minutes.

When completed it returns to the shell prompt.

After completion, run

fmadiocli "show disk status"

Example output looks like the below. Note that SED Lock is set to N, while SED, PSID and SED Enb are Y.

4) Format the scratch disks

As Step 3) deleted all data on the disks (including the partition tables), the scratch disks need to be re-created.

Run

sudo format_scratch.lua --partition

The process is quick; example output is shown below.

Initially it will stop with a Y/N question; the expected disk count and names are shown below.

NOTE: nvme1n1 → nvme10n1

Select Y (upper case).

After completion run

lsblk

The expected output is shown below

5) Quick format the disk

As the disks have been sanitized and all data removed, a quick format is required to set up the capture array metadata / FMADIO custom file system.

This is different from Step 3) Sanitize. The sanitize step deletes all data on the drives through a secure erase (i.e. the encryption keys are permanently deleted); “config disk format” configures the FMADIO custom filesystem.

fmadiocli "config disk format"

The system will reboot twice as it goes through the formatting process. The process takes about 5 minutes.

6) Wait for system to complete the quick format

It is possible to ssh into the system while the quick format operation is in progress. In that case the fmadiocli function does not operate. Please wait for the system to finish its reboot cycles before proceeding.

Output shown below indicates the system is in “safe mode” and currently formatting the array. It will reboot itself after a few minutes.

Once the reboot has completed, check that the filesystem has been formatted correctly using

stream_dump

Correct output looks like the below.

7) Set a password

Set a new password using

fmadiocli "config disk password"

Press ENTER when prompted for the current password (the first prompt); step 3) above reset it to the default password. Contact support@fmad.io if you require the default password.

Then type a new password on the console / shell.

Full output shown below

8) Enable disk locking

This step enables disk locking, i.e. when the disks lose power, all contents of the disks are unreadable until the password has been entered to unlock them.

NOTE: the disks will self-lock after 5 invalid password attempts. If this happens, power cycle the system to clear the error.

Run the command

fmadiocli "config disk lock"

It will prompt for the password set in step 7) above.

Output looks similar to this

9) Confirm locking is enabled

Run the command

fmadiocli "show disk status"

It shows SED Lock on all drives except the OS disk.

10) Power cycle the system

Disconnect power to the system manually, via KVM, or using ipmitool. The purpose of this is to simulate a power cycle and confirm that the unlock process works.

The easiest approach is to use

sudo ipmitool power cycle

This will power cycle it from the prompt as shown below.

11) Wait for the system to boot

This takes at most 5 minutes, usually less.

12) Confirm all disks are locked

As a new password was set, the system is unable to unlock the disks automatically (using the default password).

Confirm disks are locked with

fmadiocli "show disk status"

All disks should be locked.

13) Unlock the disks

Unlock the disks using

fmadiocli "config disk unlock"

entering the password from step 7).

After running the unlock, confirm the disks are unlocked:

fmadiocli "show disk status"

14) Warm reboot the system

Do a warm reboot of the system. Warm reboots do not clear the lock setting of the disks, i.e. the disks remain unlocked across a warm reboot.

Reboot command

sudo reboot

15) On reboot

Confirm the disks are all still unlocked:

fmadiocli "show disk status"

16) Finished

The system is now ready for capture.

Operating

After the disks are initially set up, only steps 11) to 16) are required to unlock the disks and start capturing.