On select models of FMADIO capture systems full disk encryption is available. When available it uses the SSD drivers controller firmware to provide AES256 encryption with the OPAL interface standard.
States of the system is as follows
Power Off:
All data is encrypted accessing requires a password
First Power On:
Drives are accessible but data remains encrypted
First Power On Unlock:
Each drive in the system is unlocked by a shared password. This allows the drives media to be written/read from
Warm Reboot:
After Unlock the drives remain unlocked
Power Off:
On power loss to the disks, all data becomes un-accessible and fully encrypted
Data is encrypted using AESS256 and a random key generated by the SSD Controller. The Password specified encrypts/decrypts this AES256 key allowing the controller to read/write from the media. This encryption key is only kept in volatile RAM, thus when power to the drive is removed, the encryption key is lost. Once the encryption key is gone all data on the storage media can not be read.
Drives can never be "bricked" as the drives can be reset by creating a new AES256 key. This reset however will remove all data previously written to the drive.
Disk state flow chart
Drive Encryption Status
fmadiocli "show disk status"
This Operation displays the drive encryption state, documentation found here
This sets a new encryption password on all the disks. It will also WIPE ALL DATA ON THE CURRENT DISK. Please ensure there is no critical data on the system before running this command. After the operation the disks are in an UNLOCKED state.
Drives always have a password set, either a default password or a custom password the following command sets the disk password used for unlocking
Locking Disk
By default disks are not a locked state. e.g. they do not require a password to be usable. This setting puts the disks into a locked state which when ever it loses power requires a password to unlock and make usable
Disable Locking
There are cases where disabling the Locking function without destoying the data is helpful, note this is different from unlocking the disks.
This function disables requring a password to access the disks persistently.
Unlockingly the disks allows disk access but is not persistant
The functions are similar but quite different, documentation on how to perform this is
Command will unlock and verify correct functionality of the disks. Starts by unlocking each disk using the supplied password, then reloading all storage components of the FMADIO system which reference the disks.
Reference documentation is
Automatic Unlock
Generally entering passwords manually is fairly cumbersome / time intensive. The system has the ability to unlock the disks on boot.
The general purpose boot setup file /opt/fmadio/etc/boot.lua can be used to fetch the password from a key server, e.g. via CURL or copy a password file from the local disk
Below is an example boot.lua file to automatically unlock the disks at boot time, using the saved password in /opt/fmadio/etc/disk-password
-- unlock the disks
print(os.date() .. " : unlocking sed disks")
io.stdout:flush()
-- fetch password local
os.execute('cp /mnt/store0/etc/disk-password /tmp/disk-password')
-- fetch password remote
--os.execute('curl -s https://192.168.1.1/disk-password > /tmp/disk-password')
-- unlock
os.execute('/opt/fmadio/bin/fmadiocli "config disk unlock"')
os.execute('/opt/fmadio/bin/fmadiocli "show disk status"')
io.stdout:flush()
print(os.date() .. " : unlocking sed disks... done")
io.stdout:flush()
