Score:0

On Windows, how to restrict access to a Self-Encrypting-Disk partition to a specific service


I am setting up a server in an industrial environment that will have a service that injects security assets into a PCB. I want the server to store these assets on a self encrypting disk where one encrypted partition can only be accessed by the injection service. I want the SED keys to be sealed to the service by a TPM. Any suggestions on how to set this up or where to look for answers?

Score:0

Encryption provides physical data protection. Out-of-the-box your options here are either BitLocker Drive Encryption or Encrypting File System (EFS). In your case, BitLocker might be an easier and more secure option to implement.

Logical data access protection can only be achieved using NTFS permissions. You must run a service under a dedicated user account and only allow this account access to the files you want to protect from other users or processes. Further security hardening can be done to the service account to protect it.

hkc94501:
Jevgenij, thanks for your answer. I think it's halfway there. My customer requires a FIPS 140 level 2 solution, so BitLocker is out. That is why I specified the self-encrypting disk. This would be an Opal FIPS 140-2 level 2 certified device. The device can have encrypted and unencrypted partitions. What I really want to know is how Windows manages the disk authentication keys. Can I bind a disk authentication key to a specific service account?
Jevgenij Martynenko:
Sorry, it wasn't obvious to me that you are speaking about a third-party product. Sadly, I lack experience with the mentioned self-encrypting drive. Certificate management might depend on the vendor, so the best source of truth would be the vendor's support site or customer service. In theory, each service has a Personal store in certificate storage, so you could place the certificate there and it wouldn't be accessible by other users/services. The private key could be protected by the TPM if the cert is issued locally. But I am not sure how that's implemented in practice. I'd recommend contacting the vendor's support.
hkc94501:
Thanks. Device operations are pretty clearly spelled out in the Opal standard. I think it is more an issue of how the operating system manages the device. Windows will recognize the device automatically and configure BitLocker to manage it, but that doesn't answer my specific question about the management of authorization keys. BitLocker may manage the whole disk under a single authentication band and then depend on NTFS to manage access to whatever volumes you define on the disk. That wouldn't quite meet my requirements.
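The NTFS part of the answer above, as an added example that is not from the answer or the question: it locks a folder on the encrypted partition down to a dedicated service account and runs the service under that account. This works the same whether the volume is protected by BitLocker or sits on an Opal SED, because the ACL is enforced by the file system, not by the disk. The drive letter `E:`, folder `E:\Assets`, account `svc-inject` and service name `AssetInjector` are assumed names.

```powershell
# Added example: restrict a data folder to one service account via NTFS ACLs.
# Assumed names: E:\Assets on the encrypted partition, local account
# "svc-inject" and service "AssetInjector". Run from an elevated PowerShell.
$Path        = 'E:\Assets'
$ServiceAcct = "$env:COMPUTERNAME\svc-inject"   # assumed dedicated local account
$ServiceName = 'AssetInjector'                   # assumed service name

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Start from the current ACL, then cut the inheritance chain so permissions
# granted higher up the volume (e.g. BUILTIN\Users read access) stop here.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # protect, and do not copy inherited rules

# Remove any explicit rules that remain so the full set is defined below.
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

# Only the service account and SYSTEM are granted access. Administrators are
# deliberately left out: an interactive admin would have to take ownership
# first, which leaves an auditable trace instead of silent read access.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $ServiceAcct, 'Modify', $inherit, $prop, $allow))
$acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    'NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $prop, $allow))
Set-Acl -Path $Path -AclObject $acl

# Run the injection service under that account. The account needs the
# "Log on as a service" right (Local Security Policy or Group Policy);
# the password is prompted for rather than stored in the script.
$cred = Get-Credential -UserName $ServiceAcct -Message 'Service account password'
sc.exe config $ServiceName obj= $ServiceAcct password= $cred.GetNetworkCredential().Password

# Verify: list the explicit rules now in force on the folder.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

The verification step should show exactly two non-inherited entries; any other identity listed means inheritance was not cut or a rule was left behind.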
