Seagate to ship self-encrypting hard drives

[danrok]

See front page:
AOA - Seagate to ship self-encrypting hard drives

Comments?

[Áedán]

Err, they've been shipping full disk encryption (IE, self-encrypting) disks for a while now. They've been talking about their enterprise disks for quite some time, and I thought that some lines were already shipping?

[Daniel ~]

Can one back them up to other drives? Can one copy them for use in another machine? What are the draw backs...if any?

[Gizmo]

The benefits are two-fold:

• Data are stored on the platter encrypted
• The encryption is performed in hardware

This means that you have to have the encryption key in order to use the drive. Without the key, even if you take the drive to a data recovery outfit, it's just so much scrambled garbage as far as they are concerned. This means that even if the Bad Guys manage to steal the drive, they can't get anything useful off it. Before you can even access the drive, you need a password to decrypt the data.

Of course, you can do this now, using encrypting file systems and whole-disk software-encrypted bootloaders. Which brings us to the second benefit; this is all done in hardware. Since there's no software running on the client PC, getting around the encryption is much harder, plus you don't have the software slowing down your PC. And, since it's in hardware, it doesn't really matter what OS or file-system you are using, so long as the OS or BIOS has support for the drive: you could even use this drive with an encrypting file system if you so chose.

That brings us to the down-side: to the best of my knowledge, you need BIOS support to boot from one of these, or OS support if you aren't booting from it. As far as I know, BIOS support is non-existent. I would assume that OS support exists in at least Windows, and probably *nix (since most big-iron storage arrays are running on some kind of *nix OS).

@Áedán: They announced back in April I believe, that they were going to do this. To the best of my knowledge, though, these are the first products they've shipped.

[Áedán]

For standard PCs without RAID, no special BIOS support appears to be needed. With some software (Wave Embassy Suite) the disks support different views depending on if the password is entered or not. If the disk is not unlocked, then a special boot program is visible, which allows you to unlock the disk regardless of the BIOS. Additionally, this boot program can only be over-written once the drive has been unlocked. This helps to avoid the problem with pure software encryption, where it's possible to trojan the encryption software itself.

The drives support different visible areas, so some parts can be only be made visible with the correct password.

The laptop drives work pretty well too. (Can you tell I'm using one?) Works beautifully in whatever OS you fancy booting into.

For RAID arrays, you need a storage controller that can handle unlocking the drives. LSI have implemented this.

[Daniel ~]

How long before someone cracks it? You see Aedan I have been listening! ":O}

[Áedán]

The advantage of this form of crypto is that all the crypto happens on-board the drive, and the OS doesn't need to know anything about it.

The encryption is based around AES-128, which is pretty robust and well proven. It is unlikely that this will be the weakpoint - if it is, consider just about every SSL web site you visit broken!

The encryption engine needs a key however, to decrypt the data. This is stored on the drive, and doesn't leave the drive. Software (including malware) running on the PC doesn't have access to it. Additionally, a number of other attacks against software encryption (such as firewire and extracting RAM contents) are not possible. How it works is like this:

• The user enters a password before the machine boots.
• This password is then used as the secret material to unencrypt the real encryption key. If you put the wrong password in, the real encryption key isn't decrypted correctly, and the data can't be accessed.
• If the real key is decrypted properly (which can only be found out by attempting to decrypt something with it!), then the drive is unlocked.
• If the real key isn't decrypted properly, no access to the encrypted drive is possible

[dsio]

$100 says the password for Áedán's is swordfish.

[Áedán]

Is that AU$100 or US$100? Either way, I'm looking to collect it!

[Gizmo]

Quote:

Originally Posted by dsio

$100 says the password for Áedán's is swordfish.

That was a seriously cool movie....

[dsio]

When programming languages eventually get to the stage where you do in fact use a 9 monitor system and write it like you're playing with a rubik's cube, I'll put down my snootiness and become a code monkey.

[Daniel ~]

Why wait! unhand that snootiness now! ":O}