
TCG OPAL Security Ready - Secure NVMe Storage Investments with HighPoint SafeStorage

Updated: Aug 1, 2023

NVMe storage and connectivity solutions are frequently deployed to satisfy the stringent performance and reliability requirements of industrial, media and AI applications designed to process large volumes of sensitive data. Securing this data from prying eyes, while protecting the privacy of end users and corporate customers alike, is of critical importance. As such, disk encryption technology is quickly becoming an essential component of storage solutions designed to address these workflows.


HighPoint’s SafeStorage solution was developed to work in conjunction with the state-of-the-art SED technology employed by all classes (Client, Datacenter and Enterprise) of modern NVMe media, and is based on the OPAL SSC TCG specifications. It is designed to protect data assets when physical drives are misplaced or stolen by preventing unauthorized access to stored data.


First introduced with our PCIe Gen4 SSD7580C 8-Channel U.2/U.3 NVMe RAID HBA, SafeStorage can be applied to both single-disk and RAID configurations, and is activated via a service known as Disk Security, which can be administered via our software management and monitoring suites.


Designed for RAID or Independent Drive Configurations

Unlike many competing solutions, HighPoint SafeStorage was developed to accommodate storage configurations comprised of both large-scale RAID arrays and individually configured drives. Disk Security for RAID volumes is enabled at the time of creation, and will automatically activate each disk member’s self-encryption capabilities.


Securely Lock Down Crucial Data from Unauthorized Access

When Disk Security is enabled, your data is automatically locked down whenever the disk media is removed from the HighPoint storage or connectivity device.

HighPoint SafeStorage assigns unique identifiers, known as “Keys”, in the form of Passwords, to the HighPoint device and each hosted disk. The Keys are automatically created when the Disk Security feature is activated and can be configured/modified by the administrator as required. This system ensures your data cannot be accessed unless the keys match.

Keys/Passwords are securely stored by the HighPoint device and can be managed using the WebGUI and CLI management suites (and in the near future, our UEFI RAID utility). Unless an Administrator changes a Key, disks/arrays can be accessed normally. However, Lockdown mode is enabled as soon as the disk is removed.

Stolen disks cannot be simply moved to a separate HighPoint/Non-HighPoint Adapter or Enclosure for access. The “thief” would need to link the disk/array to the new HighPoint device, and would need to enter the original Keys to do so.


Cryptographic Erasure

Changing or deleting encryption keys for SED capable disks will render all encrypted data indecipherable and, thus, unrecoverable. SafeStorage allows administrators to delete and regenerate Keys (aka Passwords) as needed to ensure your encrypted data is always under lock and key. A few simple commands enable authorized administrators to immediately prep storage for resale, retirement or reuse.

The Cryptographic Erase command replaces the encryption Key inside each drive; this makes it impossible to ever decrypt data stored on these devices. When executed, data is rendered inaccessible and considered cryptographically erased. The drives can then be reset to an unowned state and reused once a new encryption key is generated.

In addition, upon disabling the Disk Security feature, SafeStorage will automatically initiate the cryptographic erase command. The process is automated and takes only seconds to complete. Disk Security can be easily disabled at any time, using HighPoint’s WebGUI and CLI utilities.


Server Integration / Hot-Swap & Hot-Plug Workflows: SSD7580C

The SSD7580C is HighPoint’s 3rd generation Hot-Plug/Hot-Swap capable PCIe 4.0 U.2/U.3 NVMe RAID AIC. It can host up to eight 2.5” form factor NVMe SSDs of any capacity and performance level, via a range of cabling options for industry standard rackmount and mobile rack chassis.

The integrated Hot-Swap/Hot-Plug technology is ideal for field service and upgrade workflows, and enables administrators to add or remove individual NVMe SSDs, or even an entire RAID array, on the fly, without having to power down the host platform or reboot the operating system.

SafeStorage is ideal for workflows that depend on Hot-Swap capability. Customers can rest assured that their data assets will be automatically locked down anytime a drive is physically removed from the host platform, for whatever reason.


Server Integrated & Compact Form Factor: SSD7749E/M

HighPoint’s revolutionary SSD7749 series of Dual-Width PCIe 4.0 x16 8-Channel NVMe controllers were designed for demanding Industrial and AI applications that require a high-density NVMe storage solution with blazing fast PCIe Gen4 x16 performance and Datacenter class reliability.

SSD7749 series AICs are ideal for compact platforms that do not have space for internal drive bays. The AICs directly host the NVMe media within a fully enclosed aluminum casing, which incorporates a tool-less SSD loading system and powerful NVMe cooling system capable of accommodating E1.S or M.2 SSDs of any form factor and thickness, including high-density dual-sided models equipped with heatsinks or heat spreaders.


This rugged, all-in-one design makes moving NVMe storage a snap. Though the double-width form factor makes them a bit larger than standard NVMe controller cards, SSD7749 series AICs are roughly the same size and shape as a high-end GPU, and can be just as readily moved from system to system – just unplug the card from one platform and install it into another. No additional cooling or cabling apparatus is needed.

SafeStorage is an ideal match for this type of solution. Your data will remain under lock and key, even if the card is misplaced or stolen. Unless you have the required Security Keys, the data can never be accessed.


Learn More:

SSD7580C 8-port U.2/U.3 Gen4 NVMe RAID Controller (Coming Soon)


2 Comments


Alright, gotta hand it to you, SafeStorage sounds pretty solid for locking down NVMe storage, especially with all the hot-swap features. But here’s a thought—sometimes you just need that standalone security without diving into a full RAID setup. Ever considered something like the iStorage diskAshur³ at https://www.datawaysecurity.com/encrypted-ssds-hdds/134-istorage-diskashur3.html ? It’s encrypted straight out the gate, with PIN protection. Perfect for quick, secure storage without all the extra layers. Simplicity can be just as powerful, you know?


Our business had a big shipment coming in, and I needed help getting it from the port to our warehouse. I came across container drayage at PNW Warehousing, and it was exactly what we needed. They handled the whole process seamlessly, taking care of pick-up and delivery without any extra hassle. What’s great is they also offer flexible scheduling and real-time updates.
