Hardware-based full disk encryption

Hardware-based Full Disk Encryption is being pursued by a number of vendors including Intel, Seagate, and Hitachi with the rest of the hard drive industry following. Encryption and the symetric encryption key is maintained independantly from the CPU, thus removing computer memory as a potential attack vector. There are current two varieties of hardware-FDE being discussed:

1) Hard Disk Drive FDE 2) Chip Set FDE

Hard Disk Drive FDE

HDD FDE is being pushed by HDD vendors and a standard is being pursued for greater adoption via the Trusted Computing Group^[1]. Key management takes place within the HDD and encryption keys are protected by the drive firmware. However, some level of authentication must still take place within the CPU via either a software Pre-Boot Authentication^[2] Environment or with a BIOS password.

Currently there are only two software solutions for Pre-Boot Authentication available from Secude^[3] andWave Systems.

Ship Set FDE

Intel has announced the release of the Danbury chip^[4] set series which promises Full Disk Encryption and a TPM in the south bridge. However, as the chip set is not yet release and will not be broadly available until 2009, extensive research is not yet available.

[1] ttps://www.trustedcomputinggroup.org/

[2] ttp://secude.com/htm/707/en/Pre-Boot_Authentication.htm

[3] ttp://secude.com/

[4] ttp://www.theregister.co.uk/2007/09/21/intel_vpro_danbury/

[1]

[2]

[3]

[4]