
SED - Self Encrypted Drives and support

LDGrinn

Hello, my motherboard is TUF Z370-PRO GAMING.

I plan to add some storage space with one of the following 6 choices:

 

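| | Seagate Exos X20 20TB | Seagate IronWolf Pro 20TB | Western Digital WD Gold 20TB | Western Digital Ultrastar HC560 |
|---|---|---|---|---|
| Model and SED functionality | ST20000NM007D, ST20000NM000D (SED) | ST20000NE000 | WD201KRYZ | WUH722020ALE6L1 (SED), WUH722020ALE6L4 |
| Recording Technology | Conventional Magnetic Recording (CMR) | Conventional Magnetic Recording (CMR) | Conventional Magnetic Recording with Energy-Assist (CMR / EAMR) | Conventional Magnetic Recording with Energy-Assist (CMR / EAMR) |
| RPM | 7200 RPM | 7200 RPM | 7200 RPM | 7200 RPM |
| DRAM Cache | 256 MB | 256 MB | 512 MB | 512 MB |
| Helium-Filling | Yes | Yes | Yes | Yes |
| Sequential Data Transfer Rate (MBps) | 285 MB/s | 285 MB/s | 269 MB/s | 269 MB/s |
| MTBF | 2.5 M | 1.2 M | 2.5 M | 2.5 M |
| Rated Annual Workload | 550 TB | 300 TB | 550 TB | 550 TB |
| Acoustics, Idle | 28 dB | 28 dB | 20 dB | 20 dB |
| Acoustics, Seek | 30 dB | 32 dB | 36 dB | 36 dB |
| Power Consumption, Random read/write | 9.4 W / 8.9 W (100R/100W @ QD16) | 9.4 W / 8.9 W (100R/100W @ QD16) | 7 W (50R/50W @ QD1) | 7 W (50R/50W @ QD1) |
| Power Consumption, Idle | 5.5 W | 5.4 W | 6 W | 6 W |
| Warranty | 5 Years | 5 Years (3 years DRS) | 5 Years | 5 Years |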


The problem is the SED functionality of the disks. According to some posts at the ROG.ASUS forums, this mobo model, TUF Z370-PRO GAMING, has no support for SED.
But what about now? How can I check, without testing, if the motherboard supports SED functionality now?
Other side questions:

Can you unlock a locked SED after several wrong passwords, and how?
It is a known fact that manufacturers can unlock and decrypt the SED if you provide them with the serial number of the disk and the model number of the motherboard (and some other similar information). Does that mean this exists as an official backdoor for governments to raid your home / datacenter and read your personal or confidential data whenever they please?
Can a thief who grabbed the whole rig from home use the same information to unlock and decrypt the disks?
Third-party software such as VeraCrypt can't encrypt the SED as of now. It's not known if support will be added in the future.
Did VeraCrypt patch the RAM exploit introduced by Elcomsoft Cracks?
Nobody uses BitLocker. Nobody would ever trust Microsoft with their data, ever! So why is BitLocker the only third-party software capable of managing SEDs? Is there other software?


Yeah... tough choices.
Also, if somebody has those disks, please share your opinion about them, especially how noisy they are and what is recommended.




 


What is your end goal? Even Elcomsoft admits they need physical access to the machine while the encrypted drive is mounted, as they need to dump the RAM to obtain the encryption key to get what they need to crack the encryption. Which should not be a likely scenario. The key needs to be stored somewhere. I'm not sure how you mitigate that risk?

TrueCrypt did at least get audited. That is what VeraCrypt is based on. VeraCrypt is open source as well. That would be what I would trust.


54 minutes ago, LDGrinn said:

Nobody uses BitLocker

Lol riiiiight. BitLocker is one of the reasons why most companies buy Pro versions of Windows. It has been mandatory on every single Windows device for every company I worked for so far. If your data is so sensitive that you can't trust anyone, what makes you think you can trust these SEDs?


1 hour ago, OhioYJ said:

What is your end goal? Even Elcomsoft admits they need physical access to the machine while the encrypted drive is mounted, as they need to dump the RAM to obtain the encryption key to get what they need to crack the encryption. Which should not be a likely scenario. The key needs to be stored somewhere. I'm not sure how you mitigate that risk?

TrueCrypt did at least get audited. That is what VeraCrypt is based on. VeraCrypt is open source as well. That would be what I would trust.

The goal is to obtain and make a database disk that I and only I can access. And nobody should be able to recover it in case the whole computer gets stolen.
 

 

48 minutes ago, Levent said:

Lol riiiiight. BitLocker is one of the reasons why most companies buy Pro versions of Windows. It has been mandatory on every single Windows device for every company I worked for so far. If your data is so sensitive that you can't trust anyone, what makes you think you can trust these SEDs?

I am sorry, but with the Admin Control Panel I actually SEE the very keywords used to decrypt a device on the other end of the planet. And the laptop was not even in a domain; Office 365 and SharePoint are the only services we administered, and obviously enough of a backdoor to show us the encryption key of BitLocker.

Companies have to buy Pro because we can't even create a local account on Windows 10 Home, forget about Group Policies and Domain.


 


20 minutes ago, LDGrinn said:

The goal is to obtain and make a database disk that I and only I can access. And nobody to be able to recover it in case the whole computer gets stolen.

I mean nothing is foolproof. Everything has vulnerabilities. I still think your best bet is TrueCrypt / VeraCrypt, using a hidden partition, and a keyfile.

As with most vulnerabilities, physical access to the machine will be a problem. So leaving the drive mounted while unattended is a bad idea.

This is cross-platform too, so it works in Windows, Linux, and Mac. I know BitLocker works in Linux, however I don't think there is any support for Mac users.


10 hours ago, OhioYJ said:

I mean nothing is foolproof. Everything has vulnerabilities. I still think your best bet is TrueCrypt / VeraCrypt, using a hidden partition, and a keyfile.

As with most vulnerabilities, physical access to the machine will be a problem. So leaving the drive mounted while unattended is a bad idea.

This is cross-platform too, so it works in Windows, Linux, and Mac. I know BitLocker works in Linux, however I don't think there is any support for Mac users.

Ok, but if I choose to go with VeraCrypt, do I need an ordinary disk, or will an SED work too?
That's really important to know before buying.
