I run a large (inhouse consolidated infrastructure) storage array which uses several hundred of the cheapest consumer 3TB disks. SMART gives an indication for about 50% of disk failures (we run it automated every 5 minutes for each disk).
Things to look for particularly are suddenly growing Reallocated_Sector_Ct, Current_Pending_Sector and Offline_Uncorrectable. All these indicate a dying platter surface.
Non-SMART indicated failures are usually problems with the controller electronics. (These are normally sudden deaths).
I think it was an electronic issue, it's still ok - I did extensive surface testing and it's part of a mirrored pair so I can take a failure if and when it happens.
I'd probably replace with 3Tb and size up the array size. Which is another great thing about the RAID implementation in these boxes.
Anyone have any experience with the Synology DS713+ series? Was thinking about getting one of these bad boys (WD red drives, of course) and using a NUC (Or equivalent) as a frontend for a MMPC at the homestead...
Not to totally derail the topic, but have you considered using a SED (Self-Encrypting Drive)? I've been kicking the idea around and we've been chatting about using them at work; pretty interesting concept and (Supposedly) much faster than using the OS to do all the heavy lifting. It won't help much if you backup your files as the files will be unencrypted, but it will help if someone pinches your PC.
What OS are you using for it and what's the performance hit?
We've looked at hardware encrypted-disks but right now they don't work with the endpoint encryption product we're using.
If I consider the chipsets we're using and that SSDs are really now the norm, performance hit is extremely low in my opinion.....so what is left?
Wiping capabilities - a no-brainer if you consider that you should NEVER lay data on an unencrypted SSD. So destruction/wipe/e-discovery should not be a problem.....
Boot protection.....no benefits over our PBA.
In addition, the hardware encryption suffers the same issue insofar that the keys are in RAM when power is on (and password or whatever entered). Looking at our PCs, everyone who uses our machines (all laptops) puts the machine in standby....so an attacker who steals the laptop, keeps power to it and exploits DMA "features" *could* gain access to data (that is not further encrypted on the machine).
So full disk encryption is essential but how it's done in modern computing terms means little to performance if you plan right.
Colour me strange, but I though it didn't matter what EP you were using; it's all on-chip on the disk, no? At worst, you'd be re-encrypting it twice -- not optimal, but I thought that they would still get along. Unless you're talking about the actual TPM/boot disk shiv, itself?
Good point, that, on SSD vs platters; I just didn't know if you had any solid numbers around benchmarks of EP encryption vs. on-chip.
One can of compressed air -- check! I'll have to dig up the material, but I do recall talking to a vendor that had a workaround for this; I'll see if I can find it. Let me know if you're interested and, if it's true, I'll forward you the details.
Firstly, an endpoint encryption solution must be managed centrally. So we need management capabilities....and that must be leveraged into an existing endpoint security solution.
For home use, just do it. Why not?
And the DMA hack is far simpler than freezing the chips, it is about exploiting functionality available in most operating systems - Direct Memory Access.
Yup, the vendor I was speaking with had centralised management; they leveraged PBA with it. Tough, though, because the PBA bit doesn't have a stack, so no network-based auth.. booooo... the disk shipped with a static password and then, after boot, there was an agent that would run, slurp down the credentials, hash it and store it on the PBA, so the user could use their AD password on next boot for auth. Now, whether I think it's smart to do that is another issue, but not sure for workarounds as the stack isn't active.
Agreed.
I'll have to read up on that, but thought that bit was hard due to needing to actually get back into the computer which, if it was locked, would be a non-trivial task, standby or not, hence freezing the RAM.
Anyways, sorry, OP. Hope you found a good solution. Everyone else, sorry for hijacking the thread!
DMA attacks just need the PC to be on and running. Try plugging a USB device into a locked Windows or OSX machine - it'll mount. The machine is alive.
Just a point with regards to encryption. Make sure you have your method of accessing your data carefully and safely stored. Because you loose the key you're using and you could be locked out.....not something to rush into.
I looked at it, but most SEDs are not documented and so it is hard to tell whether they are really secure and effective. I very much doubt that the manufacturers managed to do a secure implementation - even before you consider the possibilities of a back door.
I would replace your "secure" with "resilient". Yes, secure can mean available but I think normal people would better understand that RAID means that you can lose one disk (or more, depending on the configuration) and not lose any data.
For anyone who has simple RAID on these things, if a disk is reported as lost, I would get a new disk immediately and consider turning off the system until it's installed. And still be backing up...! And be very careful about identifying and replacing the faulty drive
If people want a simple, non-technical solution where it just works, consider Cloud Storage. It will not fit every use case, however.