On Mon, Mar 21, 2022 at 12:17 PM Laurence Perkins <lperk...@openeye.net> wrote:
>
> There was the ORWL project a few years ago. Self-encrypting SSD drive with a
> TPM that would unlock it only in the presence of an encrypted RFID tag plus
> tapping in a code on the keypad, with all the sensitive bits wrapped in an
> active mesh system that would destroy the data if it detected any tampering.
While I can see this being useful if for some reason you don't have support
for encryption on the software side, something like this seems like it
wouldn't actually solve the unattended boot problem, since you have to enter a
PIN. If you don't require the PIN and leave the RFID tag sitting next to the
drive all the time, then anybody can walk in and take the drive and the tag
and then read the data off the drive, bypassing the OS.

So it offers at best the same protection as a LUKS passphrase entered at boot,
and at worst no protection at all. It would have the advantage that you
wouldn't be able to attack the passphrase itself, as no doubt the PIN only
offers limited attempts and would be very difficult to bypass.

The advantage of the TPM in the computer is that you can do unattended
verified boot, so the disk can only be decrypted if the OS boots normally
without tampering. Obviously you're still open to OS vulnerabilities, but the
drive itself cannot be accessed except via the OS. The TPM chip can actually
supervise the boot process.

Still an interesting product though. I could see it being useful if you had to
run some specific OS that doesn't support disk encryption natively.

--
Rich
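The mechanism Rich describes (the TPM releasing the disk key only when the boot chain measured into its PCRs matches what the key was sealed against) can be modelled in a few lines. The following is an added illustration, not code from the thread or from any TPM or LUKS implementation: `ToyTPM`, the boot component byte strings and the volume key are all constructed here, the "storage root secret" stands in for a chip-resident key that never leaves real hardware, and the XOR-with-HMAC "blob" is a simplification of real TPM sealing. What it does reproduce faithfully is the PCR extend rule (new = SHA-256(old || SHA-256(measurement))), which makes the final PCR value depend on every component and on their order, so a modified bootloader or kernel yields a different value and the key is not released.

```python
import hashlib
import hmac

PCR_LEN = 32  # SHA-256 PCR bank


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the new PCR value is SHA-256(old || SHA-256(measurement)).
    A PCR can only be extended, never set, so the history of measurements is what counts."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Simulate firmware measuring each boot stage into a single PCR, starting from zero."""
    pcr = bytes(PCR_LEN)
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr


class ToyTPM:
    """Minimal model of seal/unseal bound to a PCR value (constructed for this example)."""

    def __init__(self, storage_root_secret: bytes):
        self._srk = storage_root_secret  # in real hardware this never leaves the chip

    def _mask(self, policy_pcr: bytes) -> bytes:
        return hmac.new(self._srk, policy_pcr, hashlib.sha256).digest()

    def seal(self, key: bytes, policy_pcr: bytes) -> dict:
        # The blob is useless without the chip secret AND the exact policy PCR value.
        blob = bytes(a ^ b for a, b in zip(key, self._mask(policy_pcr)))
        return {"policy_pcr": policy_pcr, "blob": blob}

    def unseal(self, sealed: dict, current_pcr: bytes):
        # Policy check: release the key only if the boot measured exactly as at seal time.
        if not hmac.compare_digest(current_pcr, sealed["policy_pcr"]):
            return None  # a real TPM returns an authorization failure here
        return bytes(a ^ b for a, b in zip(sealed["blob"], self._mask(current_pcr)))


# Constructed sample boot chains; the strings stand in for the measured binaries.
GOOD_BOOT = [b"firmware v1", b"bootloader 2.06", b"vmlinuz-5.15", b"initramfs"]
TAMPERED_BOOT = [b"firmware v1", b"bootloader 2.06 (modified)", b"vmlinuz-5.15", b"initramfs"]

# Constructed 32-byte volume key and chip secret; enrolment seals the key to the good chain.
LUKS_KEY = hashlib.sha256(b"constructed demo volume key").digest()
TPM = ToyTPM(storage_root_secret=b"constructed chip-unique secret")
SEALED = TPM.seal(LUKS_KEY, measure_boot(GOOD_BOOT))


def try_unlock(components):
    """What the initramfs would do at unattended boot: ask the TPM for the key."""
    return TPM.unseal(SEALED, measure_boot(components))


if __name__ == "__main__":
    print("normal boot unlocks:", try_unlock(GOOD_BOOT) == LUKS_KEY)
    print("tampered boot unlocks:", try_unlock(TAMPERED_BOOT) is not None)
```

Note that the model also shows the limitation Rich points out: the check protects the key against the drive being pulled and read elsewhere, but once the measured OS is running the drive is open to whatever that OS exposes.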