Self-Encrypting Drives: The Evolution of Encryption

Self-encrypting drives (SEDs) have garnered little attention from those outside the information security industry. Although SEDs address real problems, chiefly data exposure when a drive is lost or stolen and the performance cost of software encryption, many organizations neither use nor understand the technology. What is a self-encrypting hard drive? The drive itself protects the data with AES, using a 128-bit or 256-bit key that is generated inside the drive's controller and stored there. Because the data encryption key is created within the drive and never leaves it, there is no key material for the host or an administrator to lose or leak.

Two keys are involved. The media encryption key (MEK) encrypts the data on the platters or flash. The authentication key (AK), derived from the credential you set, is used to unlock the drive by decrypting the MEK. The MEK is held only in encrypted (wrapped) form under the AK, so without the correct credential the plaintext MEK exists nowhere on the drive and cannot be reconstructed. Once you set the password, the only way back onto the drive, and to the data on it, is with the password (or passwords) you configured; the drive itself offers no recovery path.

The three main benefits of self-encrypting drives are:

  1. They replace software-based encryption, which can be expensive to license and deploy and which slows the device. Authorized users and authentication methods are managed and controlled on the drive itself.
  2. They significantly reduce the time IT spends on configuration, maintenance, and encryption key management, since the data encryption key never leaves the drive and never has to be escrowed by the host.
  3. There is no added complexity or performance overhead on the host, unlike disk encryption software: the encryption runs in the drive controller at line rate and is invisible to the operating system and the host computer's processor.

Hard drives and solid state drives (SSDs) based on the Trusted Computing Group's (TCG) Opal specification offer self-encryption built in. The key difference with these drives is that the encryption engine is integrated into the drive's own controller chip, so data is encrypted and decrypted inside the drive rather than on the host.

Securing stored data is especially important for small businesses, because legal requirements oblige companies to report breaches and to retain data for long periods for accountability purposes.

When it comes to hardware full disk encryption (FDE), there are two main use cases: data-at-rest protection and cryptographic disk erasure.

In data-at-rest protection, the laptop is shut down or hibernated, which removes power from the disk. The disk now self-protects all the data on it. Because all data, including the operating system, is encrypted with a secure mode of AES, and the drive refuses reads and writes until it is unlocked, the data is safe. Unlocking requires an authentication credential that can be as long as 32 bytes, a 2^256 search space for an attacker who holds nothing but the drive.

When a cryptographic disk erasure command is issued (with the proper authentication credentials), the drive generates a new media encryption key and returns to a 'new drive' state. The old ciphertext is still physically present but, without the old key, is irretrievable. Unlike overwrite-based sanitization, which has to touch every sector, this takes at most a few milliseconds, so a drive can be safely repurposed very quickly. The assurance rests entirely on the drive firmware genuinely discarding the old key, which is not something the host can observe, so the drive's implementation deserves the same scrutiny as any other cryptographic component.


Hardware FDE also has limitations that a deployment has to plan around:

  1. Pure hardware-based FDE has no strong authentication component of its own. The drive only checks the credential presented to it at pre-boot; multi-factor or certificate-based authentication has to come from a separate pre-boot environment or management layer.
  2. It lacks scalable management. There is no central management component in the drive itself, so credential rotation, recovery, and policy across a fleet of machines need third-party management software.
  3. Hardware FDE is only safe when the computer is off or hibernated. If the computer is stolen while turned on or merely suspended, the drive is still powered and still unlocked; a restart that boots from a USB stick or CD may then reveal the data without any password prompt, because the drive was never power-cycled and so never re-locked. Some specific hardware configurations have additional protection mechanisms to limit this exposure.
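The key hierarchy, lock-on-power-loss behaviour and cryptographic erase described above, as an added worked model in Go. This is illustration code written for this page, not vendor firmware or a TCG Opal implementation; the `Drive` type and its method names, the choice of AES-256-GCM both for wrapping the MEK and for the data, the HKDF-style credential derivation and the single-block media are all assumptions made so the example runs on the Go standard library alone. It shows the media encryption key being generated inside the drive and stored only in wrapped form, unlock failing on a wrong credential, reads and writes refused while locked, and crypto erase leaving ciphertext on the media that no remaining key can open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Drive models an SED's key hierarchy (illustration only, not vendor firmware).
type Drive struct {
	salt       []byte // per-drive salt for the credential-derived KEK
	wrappedMEK []byte // nonce || AES-256-GCM_KEK(MEK): the only persisted copy
	media      []byte // nonce || AES-256-GCM_MEK(user data) on the platters
	mek        []byte // plaintext MEK in volatile memory; nil while locked
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // an RNG failure inside the drive is unrecoverable
	}
	return b
}

// deriveKEK is HKDF-Extract (RFC 5869), adequate for a random 32-byte credential;
// a human-chosen password would also need a slow KDF such as PBKDF2 or Argon2.
func deriveKEK(credential, salt []byte) []byte {
	mac := hmac.New(sha256.New, salt)
	mac.Write(credential)
	return mac.Sum(nil)
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key in this model is 32 bytes
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// seal returns nonce || ciphertext || tag; unseal reverses it and fails on a wrong key.
func seal(key, plaintext []byte) []byte {
	gcm := gcmFor(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
func unseal(key, blob []byte) ([]byte, error) {
	gcm := gcmFor(key)
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// NewDrive takes ownership: the MEK is generated in-drive, never exported, only wrapped.
func NewDrive(credential []byte) *Drive {
	d := &Drive{salt: randomBytes(16)}
	d.wrappedMEK = seal(deriveKEK(credential, d.salt), randomBytes(32))
	return d // starts locked: mek stays nil until Unlock succeeds
}

// Unlock is pre-boot authentication; a wrong credential cannot unwrap the MEK.
func (d *Drive) Unlock(credential []byte) error {
	mek, err := unseal(deriveKEK(credential, d.salt), d.wrappedMEK)
	if err != nil {
		return errors.New("authentication failed: MEK not recoverable")
	}
	d.mek = mek
	return nil
}

// Lock models power-off; a warm reboot or suspend never calls it (the exposure).
func (d *Drive) Lock() { d.mek = nil } // real firmware also zeroizes the RAM

// Write and Read refuse to touch the media while locked.
func (d *Drive) Write(plaintext []byte) error {
	if d.mek == nil {
		return errors.New("drive locked")
	}
	d.media = seal(d.mek, plaintext)
	return nil
}
func (d *Drive) Read() ([]byte, error) {
	if d.mek == nil || d.media == nil {
		return nil, errors.New("drive locked or media blank")
	}
	return unseal(d.mek, d.media)
}

// CryptoErase authenticates, then replaces the MEK; old ciphertext stays but is unreadable.
func (d *Drive) CryptoErase(credential []byte) error {
	if err := d.Unlock(credential); err != nil {
		return err
	}
	d.mek = randomBytes(32)
	d.wrappedMEK = seal(deriveKEK(credential, d.salt), d.mek)
	return nil
}
```

The only method that clears the plaintext MEK is `Lock`, which stands for loss of power; a host reboot or suspend that leaves the drive powered never reaches it, which is exactly the exposure of a machine stolen while running or suspended. `CryptoErase` deliberately leaves `media` in place: a real drive likewise keeps the old ciphertext and simply returns unreadable data, whereas this model surfaces the failure as a GCM authentication error.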



About SCB Enterprises
System Solutions and Integration
