Wikipedia

Hardware-based full disk encryption: Difference between revisions

Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
WikiCleanerBot (talk | contribs)
Bots
1,007,735 edits
m v2.04b - Bot T20 CW#61 - WP:WCW project (Reference before punctuation)
RobThinks (talk | contribs)
88 edits
m Fixed Research and Markets + Viasat links
Line 49:
==={{anchor|Crypto erase}}Disk sanitisation===
[[Crypto-shredding]] is the practice of 'deleting' data by (only) deleting or overwriting the encryption keys.
When a cryptographic disk erasure (or crypto erase) command is given (with proper authentication credentials), the drive self-generates a new media encryption key and goes into a 'new drive' state.<ref>{{cite web |title=10 Reasons to Buy Self-Encrypting Drives |author=Trusted Computing Group |url=https://www.trustedcomputinggroup.org/wp-content/uploads/10-Reasons-to-Buy-SEDs_Sept.2010.pdf |year=2010 |publisher=Trusted Computing Group |accessdate=2018-06-06}}</ref> Without the old key, the old data becomes irretrievable and therefore an efficient means of providing [[Data erasure|disk sanitisation]] which can be a lengthy (and costly) process. For example, an unencrypted and unclassified computer hard drive that requires sanitising to conform with [[United States Department of Defense|Department of Defense]] Standards must be overwritten 3+ times;<ref>http://www-03.ibm.com/systems/resources/IBM_Certified_Secure_Data_Overwrite_Service_SB.pdf</ref> a one Terabyte Enterprise SATA3 disk would take many hours to complete this process. Although the use of faster [[solid-state drive]]s (SSD) technologies improves this situation, the take up by enterprise has so far been slow.<ref>http{{cite web |title=Slow on the Uptake |url=https://wwwdocplayer.researchandmarkets.comnet/reports/683004/ssd_story_slow_on_the_uptake30164112-Ssd-story-slow-on-the-uptake.pdfhtml |access-date=18 February 2021}}</ref> The problem will worsen as disk sizes increase every year. With encrypted drives a complete and secure data erasure action takes just a few milliseconds with a simple key change, so a drive can be safely repurposed very quickly. This sanitisation activity is protected in SEDs by the drive's own key management system built into the firmware in order to prevent accidental data erasure with confirmation passwords and secure authentications related to the original key required.
 
When [[Cryptographic key|keys]] are self generated randomly, generally there is no method to store a copy to allow [[data recovery]]. In this case protecting this data from accidental loss or theft is achieved through a consistent and comprehensive data backup policy. The other method is for user-defined keys, for some Enclosed hard disk drive FDE,<ref>{{cite web |title=Eclypt Core Encrypted Internal Hard Drive |url=https://www.viasat.com/products/encryptioncybersecurity/data-eclyptat-corerest-encryption/ |website=Viasat.com |publisher=Viasat |accessdate=20202021-0502-2217 |date=2020}}</ref> to be generated externally and then loaded into the FDE.
 
===Protection from alternative boot methods===
Retrieved from "https://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption"