Hardware-based full disk encryption

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Rhtcmu (talk | contribs) at 17:57, 5 May 2010 (Feature - Benefits). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Hardware-based full disk encryption is available from all of the hard disk drive (HDD) vendors, including Seagate Technology, Hitachi, Ltd., Samsung and Toshiba, and also from solid state drive vendors such as Samsung. The symmetric encryption key is maintained independently of the CPU, which removes computer memory as a potential attack vector.

There are currently two varieties of hardware FDE being discussed:

  1. Hard Disk Drive (HDD) FDE
  2. Bridge and Chipset (BC) FDE

Hard Disk Drive FDE

HDD FDE is available from all HDD vendors using the OPAL and Enterprise standards from the Trusted Computing Group.[1] Key management takes place within the hard disk controller, and the encryption keys are 256-bit Advanced Encryption Standard keys. Authentication on power-up of the drive must still take place within the CPU, via either a software pre-boot authentication environment or a BIOS password.

Hitachi, Seagate, Samsung, Toshiba and Western Digital are the disk drive manufacturers offering TCG OPAL SATA drives as well as the older, and less secure, PATA Security command standard. All drive makers have suggested that the appropriate term for this new class of device and new type of functionality be "self-encrypting drives".

Chipset FDE

An example of a speciality vendor adding BC-based self-encryption to commercial drives is Stonewood with its Flagstone drives.[2]

Intel announced the release of the Danbury chipset[3] but has since abandoned this approach.

Feature - Benefits

Hardware-based encryption, when built into the drive or the drive enclosure, is transparent to the user. Apart from boot-up authentication, the drive operates like any other drive, with no degradation in performance. Unlike software FDE, it adds no complication for the operating system, since all of the encryption is invisible to it.

The two main use cases are data-at-rest protection and cryptographic disk erasure.

In data-at-rest protection, a laptop is simply closed, which powers down the disk. The disk now self-protects all the data on it: because everything, even the OS, is encrypted with a secure mode of AES and locked against reading and writing, the data is safe. The drive requires an authentication code, which can be as strong as 32 binary bytes (2^256), to unlock.

With cryptographic disk erasure, the drive is commanded, with proper authentication credentials, to self-generate a new media encryption key and go into a 'new drive' state. Unlike other forms of sanitization, this action takes a few milliseconds at most, so a drive can be safely repurposed very quickly.
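The two use cases above, data-at-rest locking and cryptographic erase, modelled as an added example that is not from the article or any drive vendor. It assumes a toy drive with a media encryption key (MEK) that only ever exists unwrapped while the drive is unlocked, and it substitutes an HMAC-SHA256 counter-mode keystream for AES because the Python standard library has no AES; the key-management logic is the point, not the cipher.

```python
import hashlib, hmac, os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES (stdlib has none): HMAC-SHA256 keystream in counter mode."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = keystream_xor(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a wrong key fails closed."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return keystream_xor(key, nonce, ct)

class SED:
    """Toy self-encrypting drive: sectors are encrypted under a media encryption key
    (MEK) kept in the controller; at rest the MEK exists only wrapped under a KEK."""
    def __init__(self, cred: str):
        self.media = {}  # LBA -> sealed sector (the simulated platter)
        self._provision(cred)
    def _kek(self, cred: str) -> bytes:  # key-encryption key derived from the credential
        return hashlib.pbkdf2_hmac("sha256", cred.encode(), self.salt, 100_000)
    def _provision(self, cred: str) -> None:  # fresh MEK, wrapped under the KEK
        self.salt, self.mek = os.urandom(16), os.urandom(32)
        self.wrapped_mek = seal(self._kek(cred), self.mek)
    def lock(self) -> None:  # power-down: the plaintext MEK is discarded
        self.mek = None
    def unlock(self, cred: str) -> None:  # pre-boot authentication unwraps the MEK
        self.mek = unseal(self._kek(cred), self.wrapped_mek)
    def write(self, lba: int, data: bytes) -> None:
        if self.mek is None:
            raise PermissionError("drive locked")
        self.media[lba] = seal(self.mek, data)
    def read(self, lba: int) -> bytes:
        if self.mek is None:
            raise PermissionError("drive locked")
        return unseal(self.mek, self.media[lba])
    def crypto_erase(self, cred: str) -> None:  # new MEK: every old sector unreadable
        self.unlock(cred)  # requires valid credentials, as the article describes
        self._provision(cred)
```

After crypto_erase the old ciphertext is still in `media`, but no key that can decrypt it exists anywhere, which is why the operation takes milliseconds rather than a full overwrite.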
