
I've been buying servers lately and all of them have disks that support TCG Opal full-disk encryption (aka SED). What I'd like to do is:

  • Store data encrypted-at-rest on the disks (NVMe & SAS).
  • Not be required to enter a password/passphrase at server boot.
  • Have encryption keys be stored in the server's TPM 2.0 module.

To simplify, the goal is to "lock" the data to the server, ensuring that if a disk is removed and inserted in another machine the data is inaccessible. I've seen sedutil but haven't yet played with it as it looks like it requires entering a passphrase at every boot. I have hundreds of servers I'd like to enable this on, so having to enter a passphrase (is it per-disk?) at reboot is not an option. TPM seems like a natural place to store this kind of thing, so I'm wondering if anyone's done anything like this. The only reference I can find to anything like this is in this Micron white paper. The servers are all running Ubuntu 16.04 (Xenial). There's more than one disk per server, if that matters.

Evan
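As an added example that is not part of the question or the answer, here is one way to get what the question asks for with open tooling: a random Opal passphrase is sealed to the TPM 2.0 under a PCR policy, and an early-boot script unseals it and unlocks every Opal 2.0 disk with sedutil-cli. Set-up is per disk, but one sealed passphrase can serve all disks in a server. Assumptions (mine, not from the post): the command syntax is that of tpm2-tools 4.x/5.x, which is newer than what Ubuntu 16.04 shipped; the script runs from a disk that is not itself locked (for example an initramfs hook); persistent handle 0x81010001, the PCR selection sha256:0,7, and the sample scan output are choices made for the example.

```shell
#!/bin/sh
# Added example, not code from the question or answer: unlock TCG Opal SEDs at
# boot with one passphrase sealed to the TPM 2.0 under a PCR policy.
# Tools: tpm2-tools (4.x/5.x CLI syntax) and sedutil-cli.
# Assumptions: runs early in boot from a disk that is itself not locked (e.g.
# an initramfs hook); persistent handle and PCR selection are choices.
set -eu

SEAL_HANDLE=0x81010001   # persistent handle for the sealed passphrase (chosen here)
PCRS="sha256:0,7"        # PCR 0: platform firmware; PCR 7: Secure Boot state

# Parse `sedutil-cli --scan` output: column 2 is "2" for Opal 2.0 capable disks.
opal_devices() {
  printf '%s\n' "$1" | awk '$1 ~ /^\/dev\// && $2 == "2" { print $1 }'
}

# Constructed sample of `sedutil-cli --scan` output, used for offline testing.
SAMPLE_SCAN='Scanning for Opal compliant disks
/dev/nvme0   2  Samsung SSD 970 EVO 500GB   2B2QEXE7
/dev/nvme1   2  Samsung SSD 970 EVO 500GB   2B2QEXE7
/dev/sda    No  WDC WD10EZEX-08WN4A0    01.01A01
No more disks present ending scan'

# Seal the passphrase in $1 so the TPM releases it only while PCRs 0 and 7
# match the values recorded now. Re-run after a firmware or Secure Boot change
# (unseal first, while the old PCR values still hold), or the disks stay locked.
seal_key() {
  work=$(mktemp -d)
  tpm2_createprimary -C o -c "$work/primary.ctx"
  # A trial session computes the policy digest without needing matching PCRs.
  tpm2_startauthsession -S "$work/session.ctx"
  tpm2_policypcr -S "$work/session.ctx" -l "$PCRS" -L "$work/pcr.policy"
  tpm2_flushcontext "$work/session.ctx"
  # No "userwithauth": the empty object password cannot bypass the PCR policy.
  tpm2_create -C "$work/primary.ctx" -i "$1" -L "$work/pcr.policy" \
    -a "fixedtpm|fixedparent|noda" -u "$work/seal.pub" -r "$work/seal.priv"
  tpm2_load -C "$work/primary.ctx" -u "$work/seal.pub" -r "$work/seal.priv" \
    -c "$work/seal.ctx"
  tpm2_evictcontrol -C o -c "$SEAL_HANDLE" 2>/dev/null || true  # drop old object
  tpm2_evictcontrol -C o -c "$work/seal.ctx" "$SEAL_HANDLE"
  rm -rf "$work"
}

# One-time enrolment per server: generate a passphrase, seal it, and take
# ownership of every Opal disk with it. The same passphrase is used on all
# disks; the sedutil set-up itself is per disk.
enroll() {
  keyfile=$(mktemp)
  tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32 >"$keyfile"
  seal_key "$keyfile"
  key=$(cat "$keyfile")
  for dev in $(opal_devices "$(sedutil-cli --scan)"); do
    sedutil-cli --initialsetup "$key" "$dev"
    sedutil-cli --setMBREnable off "$key" "$dev"       # no PBA image; OS unlocks after unseal
    sedutil-cli --enableLockingRange 0 "$key" "$dev"   # whole disk locks on power loss
  done
  rm -f "$keyfile"   # passphrase now lives only in the TPM and on the disks
}

# Every boot: unseal (only succeeds on this server in its recorded firmware
# state) and unlock each disk. A disk moved to another machine has no TPM
# holding its passphrase, so it stays locked.
unlock() {
  work=$(mktemp -d)
  tpm2_startauthsession --policy-session -S "$work/session.ctx"
  tpm2_policypcr -S "$work/session.ctx" -l "$PCRS"
  key=$(tpm2_unseal -c "$SEAL_HANDLE" -p "session:$work/session.ctx")
  tpm2_flushcontext "$work/session.ctx"
  rm -rf "$work"
  for dev in $(opal_devices "$(sedutil-cli --scan)"); do
    sedutil-cli --setLockingRange 0 RW "$key" "$dev"
  done
}

case "${1:-}" in
  enroll) enroll ;;
  unlock) unlock ;;
esac
```

Run `sh opal-tpm.sh enroll` once per server and `sh opal-tpm.sh unlock` from early boot. Keep the passphrase in escrow (or keep the PSID printed on each drive for a destructive revert) before relying on this, since a TPM replacement, a motherboard swap or an unplanned PCR change makes the sealed copy unrecoverable.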

1 Answer


A few years too late, but depending on your server configuration, a Broadcom RAID controller with SafeStore, such as the 9540-8i or 9560-8i, should be a solution for you. Instead of storing the keys in the TPM, it provides its own security module. But your requirements of password-less startup and an unreadable disk if a disk is removed should be satisfied.

Note: if the attacker also removes the controller card, it may be possible to access the data. I have not verified this.

Stev0