Partitioning with Software Full Disk Encryption
October 01, 2018 | BY: Paul Davis
Most modern unmanned vehicles, ISR aircraft and mobile ground vehicles are built around a network-centric architecture that enables connected storage (NAS) to communicate with multiple systems and:
- Provide mission maps
- Collect mission data during the mission
- Provide boot files to network clients (see whitepaper) upon startup using the PXE protocol
- Collect or record Ethernet traffic using PCAP
- Act as an iSCSI target for iSCSI initiators on the network
This NAS data is often of a sensitive nature and requires AES-256 encryption while keeping the data and files separate with different access rights. This is achievable by setting up separate partitions for each function and then applying software full disk encryption (SWFDE) to each partition. Curtiss-Wright has developed a clever approach to ensuring the data on the DTS1 is protected with AES-256 encryption while maintaining the device's separate files and functionality, uniquely accessible by different personas.
DTS1: 1-slot Rugged Network Attached File Server
With a removable solid state drive (SSD) of up to 4 TB, the DTS1 provides enough storage for data-intensive ISR applications. All data going to the SSD is encrypted with in-line FIPS certified encryption using AES-256, and software encryption is additionally supported through the Linux operating system and its Linux Unified Key Setup (LUKS) feature. After logging in and authenticating, the administrator can set up different partitions on the SSD. A LUKS container with a unique passphrase is then applied to each partition. This enables the system architect to set up different partitions with their own SWFDE, thus controlling access.
An example of such a partition is shown in Table 1:
| 2 | Boot files for clients | ‘boot_files_789’ | PXE |
| 4 | Ethernet packet capture for Ethernet port 1 | ‘eth_port_1’ | PCAP |
This approach enables the use of a single device for multiple functions while still providing access control:
- Network attached storage during the mission
  - Clients can save data on the DTS1 in files
  - Large mission maps can be accessed when needed during the mission
- Netbooting of clients
  - Upon startup, clients with local disks identify themselves and receive boot files
- Serving as an iSCSI target drive
  - iSCSI initiators can control block-level access to data on the iSCSI partition
- Capture of all Ethernet traffic
  - Troubleshoot problems
  - Look for anomalies
This approach to protecting each partition with AES-256 encryption ensures each person has a different passphrase and cannot access partitions they don’t have the passphrase for, providing a separation of responsibilities and additional security. The DTS1 provides this encryption partitioning as well as hardware encryption, ensuring sensitive data is secure and only accessible by the right people.
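One way to audit the per-partition LUKS setup described above, as an added example that is not Curtiss-Wright's code: it parses the LUKS header of each partition and flags any that is not AES-256 or that has more than one active passphrase slot. It assumes the LUKS1 on-disk format (the page does not say which LUKS version the DTS1 uses) and a policy of one passphrase per partition; the function names and the sample headers are constructed for illustration.

```python
import struct
# LUKS1 header, big-endian: magic, version, cipher name, cipher mode, hash spec,
# payload offset, key bytes, MK digest, salt, iterations, UUID; then 8 key slots.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")  # state, iterations, salt, key offset, stripes
MAGIC, SLOT_ACTIVE, SLOT_DISABLED = b"LUKS\xba\xbe", 0x00AC71F3, 0x0000DEAD

def _text(raw):
    return raw.split(b"\0", 1)[0].decode("ascii")

def parse_luks1(header):
    """Return cipher, mode, AES key size, UUID and active key slots."""
    magic, version, name, mode, _, _, key_bytes, _, _, _, uuid = PHDR.unpack_from(header)
    if magic != MAGIC or version != 1:
        raise ValueError("not a LUKS1 header")
    mode = _text(mode)
    # XTS splits the volume key into two halves, so 64 key bytes mean AES-256.
    aes_bits = key_bytes * 8 // (2 if mode.startswith("xts") else 1)
    active = [i for i in range(8)
              if SLOT.unpack_from(header, PHDR.size + i * SLOT.size)[0] == SLOT_ACTIVE]
    return {"cipher": _text(name), "mode": mode, "aes_bits": aes_bits,
            "uuid": _text(uuid), "active_slots": active}

def audit(partitions):
    """Map partition label -> list of findings (an empty list means it passes)."""
    report = {}
    for label, header in partitions.items():
        info = parse_luks1(header)
        findings = []
        if info["cipher"] != "aes" or info["aes_bits"] != 256:
            findings.append(f"{info['cipher']}-{info['aes_bits']} is not AES-256")
        if len(info["active_slots"]) != 1:  # assumed policy: one passphrase each
            findings.append(f"{len(info['active_slots'])} active key slots, expected 1")
        report[label] = findings
    return report

def make_header(mode, key_bytes, uuid, active):  # constructed sample, no real keys
    head = PHDR.pack(MAGIC, 1, b"aes", mode.encode(), b"sha256", 4096, key_bytes,
                     bytes(20), bytes(32), 1000, uuid.encode())
    return head + b"".join(
        SLOT.pack(SLOT_ACTIVE if i in active else SLOT_DISABLED, 1000, bytes(32),
                  8 + i * 512, 4000) for i in range(8))

SAMPLE = {  # constructed headers; the two labels are the ones shown in Table 1
    "boot_files_789": make_header("xts-plain64", 64, "constructed-uuid-0001", {0}),
    "eth_port_1": make_header("xts-plain64", 32, "constructed-uuid-0002", {0, 1}),
}
if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a real system the first 592 bytes of each partition would be passed in place of the constructed headers. The second sample partition is deliberately misconfigured: a 256-bit XTS volume key yields only AES-128, and it carries two active passphrase slots.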
Read our white paper, “COTS Encryption for Data-at-Rest”, or read "Getting Up to Speed on NSA-approved Two-layer Commercial Encryption" to learn more about COTS data at rest encryption.