I'm afraid you're going to find my answers pretty useless. To wit - >However, I am wondering if the FIPS validated cryptographic module is a inline on-drive chip OR is it >external to the drive (i.e. built in to the drive enclosure)? > >If it is inline then it makes it almost impossible to release newer drives in a timely fashion - Stonewood >would have to go through the lengthy re-certification process each time they release newer drive hardware.
I wouldn't know. I've never taken one apart. They come in enclosures obviously and well designed to disourage tampering. I will, however, observe that the available drives have always been of far smaller capacity than I'd expect and their new drive introductions seem to come quite slowly. >If the cryptographic module is external to the drive, then cold-boot attacks and other attacks are possible. >From what I've read of cold-boot attacks, they are not practical on these drives. You couldn't get to the components quickly enough or without damage. >Also, can you please provides details on centralized management of these drive in a large institution? How >are the password/keys managed? Sorry, no, I can't. My experience was initially with a stand-alone application (a prototype system for transporting evidence) for which any sort of centralized management (or even a network connection, for that matter) would not be allowed. Stonewood did provide a download (I can no longer find it on their site) with various management scenarios when passwords were forgotten. They centered around bringing the drive back to the security function who would type in a recovery password. The notion of "centralized management" to me conjures up scenes of forgetful users calling a help desk and getting a drive unlocked; that's not the way these things work if I understand them correctly. Keep in mind that my experience has been with just a handful of drives, all intended for use in a disconnected environment where "management issues" are of no concern at all. >What about password recovery? It's relatively straightforward, even if the docs that come with the drives are not written as clearly and consistently as I'd like to see. Two passwords are set in the beginning. If the user forgets, the drive can be unlocked by the admin who types in their password. Very basic, very hands-on, and exactly what I needed when I bought my first one. BTW - The prototype that I put together with the first of these drives was shot down by my management. An all-software solution was adopted. Since then, I've purchased from Stonewood only for home use. Thus, I'm probably not the best person to ask about the product in a large, centrally-managed environment since I have no experience with that. However, I hope I've provided you some useful info. One last thing - While I assume and sincerely hope that the situation has changed for the better, some years ago when I first made a purchase I found the North American resellers to be a dismal lot, essentially unable to find their own backsides with both hands. Stonewood obviously encouraged me to deal with them but I eventually had had enough with unanswered emails, emails that spouted marketing nonsense in response to technical questions, and phone calls from salesmen reading from scripts who seemed to have absolutely no knowledge what they were selling. I complained directly to Stonewood that I couldn't do business with them and Stonewood then dealt directly with me. That surprised me; I had originally found Stonewood by poking around in the .mil domain for RFPs for encryption so I assumed they were accustomed to dealing exclusively with big orders from military and government types. I need not have worried. Despite the fact that I was merely buying a single drive here and there, they were willing to treat me like a valued customer. I found every person at Stonewood with whom I had contact to be highly professional, competent, courteous, and helpful. Dealing with them was an unalloyed joy. Bernard Owens USTreas/CompSpec _______________________________________________ FDE mailing list [email protected] http://www.xml-dev.com/mailman/listinfo/fde
