Hardware-based full disk encryption (FDE) is available from many hard disk drive (HDD/SSD) vendors, including: Hitachi, Integral Memory, iStorage Limited, Micron, Seagate Technology, Samsung, Toshiba, Viasat UK, Western Digital. The symmetric encryption key is maintained independently from the computer's CPU, thus allowing the complete data store to be encrypted and removing computer memory as a potential attack vector.

Hardware-FDE has two major components: the hardware encryptor and the data store. There are currently four varieties of hardware-FDE in common use:

- Hard disk drive (HDD) FDE (self-encrypting drive)
- Enclosed hard disk drive FDE
- Removable hard disk drive FDE
- Bridge and Chipset (BC) FDE

Hardware designed for a particular purpose can often achieve better performance than disk encryption software, and disk encryption hardware can be made more transparent to software than encryption done in software. As soon as the key has been initialised, the hardware should in principle be completely transparent to the OS and thus work with any OS. If the disk encryption hardware is integrated with the media itself, the media may be designed for better integration. One example of such design would be through the use of physical sectors slightly larger than the logical sectors.

Hardware-based full disk encryption types

Hard disk drive FDE

Usually referred to as self-encrypting drive (SED). HDD FDE is made by HDD vendors using the OPAL and Enterprise standards developed by the Trusted Computing Group. Key management takes place within the hard disk controller and encryption keys are 128 or 256 bit Advanced Encryption Standard (AES) keys. Authentication on power up of the drive must still take place within the CPU via either a software pre-boot authentication environment (i.e., with a software-based full disk encryption component - hybrid full disk encryption) or with a BIOS password.

Hitachi, Micron, Seagate, Samsung, and Toshiba are the disk drive manufacturers offering Trusted Computing Group Opal Storage Specification Serial ATA drives. HDDs have become a commodity, so SEDs allow drive manufacturers to maintain revenue. Older technologies include the proprietary Seagate DriveTrust, and the older, and less secure, PATA Security command standard shipped by all drive makers including Western Digital. Enterprise SAS versions of the TCG standard are called "TCG Enterprise" drives.

Enclosed hard disk drive FDE

Within a standard hard drive form factor case the encryptor (BC), key store and a smaller form factor, commercially available, hard disk drive is enclosed.

- The enclosed hard disk drive's case can be tamper-evident, so when inspected the user can be assured that the data has not been compromised.
- The encryptor's electronics, including the key store and integral hard drive (if it is solid-state), can be protected by other tamper respondent measures.
- The key can be purged, allowing a user to prevent his authentication parameters being used without destroying the encrypted data. Later the same key can be re-loaded into the enclosed hard disk drive FDE to retrieve this data.
- Tampering is not an issue for SEDs as they cannot be read without the decryption key, regardless of access to the internal electronics.

For example: Viasat UK (formerly Stonewood Electronics) with their FlagStone, Eclypt and DARC-ssd drives or GuardDisk with an RFID token.

Removable hard drive FDE

The inserted hard drive FDE allows a standard form factor hard disk drive to be inserted into it. The concept can be seen on

- This is an improvement on removing hard drives from a computer and storing them in a safe when not in use.
- This design can be used to encrypt multiple drives using the same key.
- Generally they are not securely locked so the drive's interface is open to attack.

Chipset FDE

The encryptor bridge and chipset (BC) is placed between the computer and the standard hard disk drive, encrypting every sector written to it.

Intel announced the release of the Danbury chipset but has since abandoned this approach.

Characteristics

Hardware-based encryption when built into the drive or within the drive enclosure is notably transparent to the user. The drive, except for bootup authentication, operates just like any drive, with no degradation in performance. There is no complication or performance overhead, unlike disk encryption software, since all the encryption is invisible to the operating system and the host computer's processor.

The two main use cases are Data at Rest protection, and Cryptographic Disk Erasure.

For Data at Rest protection a computer or laptop is simply powered off. The disk now self-protects all the data on it. The data is safe because all of it, even the OS, is now encrypted, with a secure mode of AES, and locked from reading and writing. The drive requires an authentication code which can be as strong as 32 bytes (2^256) to unlock.

Disk sanitisation

Crypto-shredding is the practice of 'deleting' data by (only) deleting or overwriting the encryption keys. When a cryptographic disk erasure (or crypto erase) command is given (with proper authentication credentials), the drive self-generates a new media encryption key and goes into a 'new drive' state. Without the old key, the old data becomes irretrievable and therefore an efficient means of providing disk sanitisation which can be a lengthy (and costly) process. For example, an unencrypted and unclassified computer hard drive that requires sanitising to conform with Department of Defense Standards must be overwritten 3+ times; a one Terabyte Enterprise SATA3 disk would take many hours to complete this process. Although the use of faster solid-state drives (SSD) technologies improves this situation, the take up by enterprise has so far been slow. The problem will worsen as disk sizes increase every year. With encrypted drives a complete and secure data erasure action takes just a few milliseconds with a simple key change, so a drive can be safely repurposed very quickly. This sanitisation activity is protected in SEDs by the drive's own key management system built into the firmware in order to prevent accidental data erasure with confirmation passwords and secure authentications related to the original key required.

When keys are self-generated randomly, generally there is no method to store a copy to allow data recovery. In this case protecting this data from accidental loss or theft is achieved through a consistent and comprehensive data backup policy. The other method is for user-defined keys, for some enclosed hard disk drive FDE, to be generated externally and then loaded into the FDE.

Protection from alternative boot methods

Recent hardware models circumvent booting from other devices and allowing access by using a dual Master Boot Record (MBR) system whereby the MBR for the operating system and data files is all encrypted along with a special MBR which is required to boot the operating system. In SEDs, all data requests are intercepted by their firmware, that does not allow decryption to take place unless the system has been booted from the special SED operating system which then loads the MBR of the encrypted part of the drive. This works by having a separate partition, hidden from view, which contains the proprietary operating system for the encryption management system. This means no other boot methods will allow access to the drive.

Vulnerabilities

Typically FDE, once unlocked, will remain unlocked as long as power is provided. Researchers at Universität Erlangen-Nürnberg have demonstrated a number of attacks based on moving the drive to another computer without cutting power. Additionally, it may be possible to reboot the computer into an attacker-controlled operating system without cutting power to the drive.

When a computer with a self-encrypting drive is put into sleep mode, the drive is powered down, but the encryption password is retained in memory so that the drive can be quickly resumed without requesting the password. An attacker can take advantage of this to gain easier physical access to the drive, for instance, by inserting extension cables.

The firmware of the drive may be compromised and so any data that is sent to it may be at risk. Even if the data is encrypted on the physical medium of the drive, the fact that the firmware is controlled by a malicious third-party means that it can be decrypted by that third-party. If data is encrypted by the operating system, and it is sent in a scrambled form to the drive, then it would not matter if the firmware is malicious or not.

Criticism

Hardware solutions have also been criticised for being poorly documented. Many aspects of how the encryption is done are not published by the vendor. This leaves the user with little possibility to judge the security of the product and potential attack methods. It also increases the risk of a vendor lock-in.

In addition, implementing system wide hardware-based full disk encryption is prohibitive for many companies due to the high cost of replacing existing hardware. This makes migrating to hardware encryption technologies more difficult and would generally require a clear migration and central management solution for both hardware- and software-based full disk encryption solutions. However, enclosed hard disk drive FDE and removable hard drive FDE are often installed on a single drive basis.

See also

- Disk encryption hardware
- Disk encryption software
- Crypto-shredding
- Opal Storage Specification
- Yubikey
- Full disk encryption
- IBM Secure Blue
Text is available under the Creative Commons Attribution-ShareAlike License. Additional terms may apply.