CRU has two different “secure” (encrypted data) types of RTX and RAX disk enclosures: one type uses DataPort 10 Secure removable drives and the other uses CRU TrayFree bays. All employ the same encryption engine and require the same physical Encryption Key dongle, which is physically plugged into the unit to encrypt data as it is written to the drive(s) or to read encrypted data stored on the drive(s).
The two-bay RAX Secure and RTX Secure devices use CRU DP10 Secure removable drives to create the encrypted bays. The four-, six- and eight-drive RTX Secure products use TrayFree encrypted bays, similar to those used in non-secure RTX and RAX products. Images of representative RTX and RAX products are shown below.
Where to use the Encryption Key dongle
The Encryption Key dongle can be used in the front of both types of encrypted bays. For the products that have the DP10 Secure bays, a separate key is required for each bay. The key port can be seen under the “lock”, on the left-hand side of the DP10 frame itself. For the Secure TrayFree products, the key port is located at the lower left-hand side of the unit.
Although the physical Encryption Key uses a mini-USB connector for attaching to the device, the key does not use a USB communication protocol. In other words, the Encryption Key cannot be read via a USB interface.
Everything is Encrypted
In the CRU encryption architecture, everything on the disk drive is encrypted (i.e., full-disk encryption), hence the need for a physical key (there is no software-enabled password, with its attendant vulnerabilities). For a single-drive application (no RAID), the File Allocation Table (FAT) of whichever type of file system is used is encrypted. This could be a master boot record or just a basic FAT. For multiple-drive applications, any RAID data contained on an individual drive is encrypted.
The physical Encryption Key is only required during power-up. As the device is powered on, the encryption code is loaded into the encryption engine(s). The Encryption Key can then be removed (and put into a secure place). The unit will continue to operate until power is removed from the device. Once powered down, the physical Encryption Key will be required to power the device back on.
CRU Encryption Key Maps to Stored Data
In all CRU encrypted systems, the encryption code contained in the physical Encryption Key is tied to the data on the drive(s). If something happened to the RTX or RAX enclosure itself, the drive(s) can be removed and used in a different RTX or RAX enclosure, as long as the correct physical Encryption Key is used. In most other hardware-based encrypted devices on the market, the actual encryption code is programmed into the hardware controller. The user then uses some type of “authentication” device – key, PIN, password, thumbprint reader, etc. – to “release” the encryption code. In these situations, a damaged controller would likely mean that the data itself is lost – the user is not able to get the encryption code out of the damaged controller.
CRU’s Secure enclosures can be used to create and use secure data sets for different applications or groups. For example, assume you are using an RTX Secure 430-3QR and have two different physical Encryption Keys. You could place four drives in the device, power up with the first Encryption Key, format the device to whichever file system is being used, and load data onto the RAID array. Those drives could then be removed and replaced with four different drives. This second set of drives could then be formatted with the second Encryption Key. Now the user could use either array (by swapping in/out) as long as they use the same Encryption Key as they used when they originally formatted the drives – Drive Set 1 could not be used with Encryption Key 2 or vice versa.
Bypass and Encrypt Modes
For multi-drive RTX Secure products, users can select either of two operation states via two switches on the front of the RTX enclosure – the state must be set before the enclosure is powered on.
A user can bypass (disable) encryption altogether. Per our example above, a set of drives could be formatted with a specific Encryption Key. A new set of drives could be installed and the switch moved to “Bypass”. Once formatted, this new set of drives would not require an Encryption Key at all. Note that a set of drives that has been formatted with an Encryption Key will not be able to be read if the unit is in “Bypass” mode. Once a set of drives is formatted with an Encryption Key, that Key (same key code) is required to use the data.
Unique and Common Modes
The Encryption Key contains 2048 bits of data. One of our encryption engines requires 256 bits. The user can decide if they want each bay in the enclosure to use the same 256-bit key code (Common) or a different 256-bit key (Unique). In our example, if set to “Unique”, each bay will use a different 256-bit key code, and the key will store all of those key codes. In this situation, if the drives are removed and then placed back in the enclosure, they must be returned to the same bays from which they originated (so they see the proper encryption key code). The advantage of the Unique mode is that it requires more effort to attack each of the encrypted drives in a multiple drive enclosure than it would to attack the drives if they shared the same encryption key code.
In “Common” mode, the drives could be returned to any of the bays and be recognized. It is fun to note that if used in “Unique” mode, with the data RAIDed across the drives, you have effectively created an AES data set of 256 bits times the number of drive bays – for a four-drive enclosure that is 1024-bit AES (10^308 key combinations) and for an eight-drive enclosure, a 2048-bit AES (10^616 key combinations).
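The bay and key behaviour described in the Bypass/Encrypt and Unique/Common sections can be modelled in a short script. This is an added illustration, not CRU firmware or CRU code: the slot layout (bay N takes the Nth 256-bit slice of the 2048-bit key, Common mode uses the first slice for every bay) and the SHA-256 XOR keystream standing in for the AES engine are assumptions, and the key contents are constructed sample values.

```python
import hashlib

KEY_BYTES = 2048 // 8   # the article: the Encryption Key holds 2048 bits
SLOT_BYTES = 256 // 8   # the article: one encryption engine needs 256 bits
MAX_BAYS = KEY_BYTES // SLOT_BYTES  # 8 slots fit in one key
SIGNATURE = b"CONSTRUCTED-FILESYSTEM-HEADER"  # constructed sector-0 plaintext

def make_dongle(label: str) -> bytes:
    """Constructed sample key material, derived from a label so runs repeat."""
    return b"".join(hashlib.sha256(f"{label}/{i}".encode()).digest()
                    for i in range(MAX_BAYS))

def bay_key(dongle, bay, unique=True, bypass=False):
    """Pick the key code for one bay. The slot layout is an assumption."""
    if bypass:
        return None                      # Bypass: data passes through unencrypted
    if dongle is None or len(dongle) != KEY_BYTES:
        raise ValueError("Encrypt mode needs a 2048-bit key at power-up")
    if not 0 <= bay < MAX_BAYS:
        raise ValueError("no such bay")
    slot = bay if unique else 0          # Common: every bay shares slot 0
    return dongle[slot * SLOT_BYTES:(slot + 1) * SLOT_BYTES]

def crypt(key, sector, data):
    """Toy XOR keystream standing in for the AES engine (encrypts and decrypts)."""
    if key is None:
        return data
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + sector.to_bytes(8, "big")
                                 + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def format_drive(dongle, bay, **mode):
    """Return the drive's on-disk sector 0 after formatting in the given bay."""
    return crypt(bay_key(dongle, bay, **mode), 0, SIGNATURE)

def readable(sector0, dongle, bay, **mode):
    """True if the bay's key code turns sector 0 back into the header."""
    return crypt(bay_key(dongle, bay, **mode), 0, sector0) == SIGNATURE

if __name__ == "__main__":
    k1, k2 = make_dongle("key-1"), make_dongle("key-2")
    d = format_drive(k1, 2, unique=True)
    print(readable(d, k1, 2, unique=True), readable(d, k1, 1, unique=True),
          readable(d, k2, 2, unique=True), readable(d, None, 2, bypass=True))
```

In this model a drive formatted in bay 2 under Unique mode is readable only in bay 2 with the same key, which is the operational consequence to plan for when drives are pulled for transport or storage.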