Share this page!

John Nicholson Profile picture
Twitter logo
May 11 9 tweets 2 min read
It's time for a 🧵on Boot devices. No we are not talking about SD cards, instead we are going to talk about encryption and security of boot devices!
One trend lately has been to use PCI-E attached RAID controllers for a pair of M.2 SATA/NVMe devices that boot the server. Example Dell BOSS (Great option!). One challenge is these controllers often lack encryption support.
So first off. Do you even need to worry about this? What is the attack surface of an ESXi device.
1. If you didn't use TPMs for caching vSAN encryption keys, in theory those would be there. (Spend $50 and buy a TPM, and this problem is solved).
2. Make sure someone didn't meddle with the binaries. Secure boot and host attestation require a TPM and cover this. There's noting proprietary unique here (Anyone running their own custom VIBs?) so this doesn't need to be encrypted just verified not tampered with.
3. There also is the host configuration files and the "archive" of the configuration that is used at boot. This is encrypted by default in 7U2. Using a TPM (Again buy a TPM!) this information is sealed in the TPM.
What if I want full drive encryption? Well there are some options. 1. You can use a dedicated full RAID controller that supports this.
2. Some platforms are supporting SEDs with intel VMD. In this case the CPU acts as the controller.

core.vmware.com/blog/using-int…
I've been dubious long term about attaching NVMe drives to a PCI-E attached raid controller (botteneck/complexity) and this from @IntelStorage is looking interesting. Note Intel is not providing encryption here, just key management with their VROC system.
So In summery:
1. you can secure/encrypt everything on the boot device without using full drive encryption.
2. Intel is making a RAID 1 controller native to the CPU and SED key management is becoming table steaks.
3. BUY a TPM. If you don't see a TPM on the quote slap the SE.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with John Nicholson

John Nicholson Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @Lost_Signal

John Nicholson Profile picture
Sep 19, 2019
@valb00 1. Scammers spoof random numbers. They don’t generally actually transmit a DID they own so ANI miscategorizes it.
@valb00 2. They commonly grab out of service numbers. I’m sure some poor sap drafts these but also sometimes they do use ones people own. @mpuckett259 had this happen.
@valb00 @mpuckett259 3. Unlike email where we can filter based on source network, or use SPF to validate legitimate sources or DKIM to prevent spoofing the SS7 protocol (circa 1975) is honestly more trusting than BGP or SMTP.
Read 12 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

:(