So apparently it's 2019 and @Lenovodc *still* insists on having a broken in-warranty enterprise HDD returned (even though that would be a massive data protection violation) or else they charge for the replacement.
I am not amused.
Of course you can't rely on SED drives, because drive manufacturers don't know squat about security and you cannot trust the firmware; several implementations have already been proven hopelessly insecure.
Yep, that's what I do for my WD Red drives because it's a one-to-one exchange for in-warranty drives. I just use plain dm-crypt on the drives and send them in without wiping. For the root drive I have a dracut module that derives a LUKS key from dmidecode.

I keep my decryption key on several USB pendrives - should one of them fail, it's easy to destroy, and they're cheap enough to not matter.
My dad has a cure for that. An old central heating pump. It has a glorious rotating magnetic field that would frighten the living daylights out of an audio cassette at 12 METRIC INCHES!
If the keys are burned into UEFI vars and the board dies, you're kinda stuck in the same situation. Text file on a USB stick. Don't overthink it.
If the board dies you change the keys when the new board arrives (presuming you have a backup of the key in a safe place) so that the HDDs can still be safely replaced if needed.
Are TPM modules not common on DC equipment or just prohibitively difficult to use/administer?
They're just an added cost option. TPMs are basically useless for unattended boot because if you *really* want the key you just hook up a logic analyzer and sniff it out. I've done that with BitLocker.
I have used a small (~4 MB) partition on a flash drive as the file containing the key to automatically decrypt the system partition. If said key is missing or corrupt, the system prompts for the LUKS pass{word,phrase}. It worked really well.
The flash drive was connected to the dock at my office. So (while docked) inside of a secure building, the notebook would boot to login prompt. Outside it would pause for my pass{word,phrase}.
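The "small partition on a flash drive as the key, passphrase prompt if it is missing" setup described in the two posts above, written as an /etc/crypttab entry for systemd-cryptsetup. This is an added example, not configuration posted in the thread; the volume name cryptroot, the all-zero UUID, the partition label bootkey and the 4 MiB size are placeholders.

```conf
# /etc/crypttab  (added example; cryptroot, the UUID and the label bootkey are placeholders)
#
# field 3 is the raw key partition itself: its first keyfile-size bytes are the
# key material, so the partition needs no filesystem
# keyfile-size=4194304   read only the first 4 MiB of the partition
# keyfile-timeout=10s    wait up to 10 s for the partition to appear (e.g. the
#                        flash drive in the office dock); if it does not show up
#                        or cannot be read, systemd-cryptsetup falls back to
#                        prompting for a passphrase instead of failing the boot
cryptroot  UUID=00000000-0000-0000-0000-000000000000  /dev/disk/by-partlabel/bootkey  luks,keyfile-size=4194304,keyfile-timeout=10s
```

The partition is filled from /dev/urandom and enrolled as an extra keyslot (cryptsetup luksAddKey with the same --new-keyfile-size limit), while a passphrase stays in another slot; that passphrase is what the fallback prompt unlocks, and it is what you still need if the flash drive is lost. The key bytes sit in plaintext on the flash drive, so the protection comes entirely from keeping that drive physically separate from the laptop when away from the dock, not from the drive itself.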