Wikipedia

Hardware-based full disk encryption: Difference between revisions

Browse history interactively
← Previous editNext edit →
Content deleted Content added
VisualWikitext
No edit summary
Citation bot (talk | contribs)
Bots
5,863,278 edits
Alter: template type. Add: magazine. Removed parameters. Some additions/deletions were parameter name changes. | Use this bot. Report bugs. | Suggested by AManWithNoPlan | #UCB_CommandLine
Line 15:
=== Hard disk drive FDE ===
Usually referred to as '''self-encrypting drive''' ('''SED''').
HDD FDE is made by HDD vendors using the [[Opal Storage Specification|OPAL]] and Enterprise standards developed by the [[Trusted Computing Group]].<ref>{{cite web |url=http://www.trustedcomputinggroup.org/solutions/data_protection |title=Trusted Computing Group Data Protection page |publisher=Trustedcomputinggroup.org |date= |access-date=2013-08-06 |url-status=dead |archive-url=https://www.webcitation.org/65fUDqdql?url=http://www.trustedcomputinggroup.org/solutions/data_protection |archive-date=2012-02-23 |df= }}</ref> [[Key management]] takes place within the hard disk controller and encryption keys are 128 or 256 [[bit]] [[Advanced Encryption Standard]] (AES) keys. [[Authentication]] on power up of the drive must still take place within the [[Central processing unit|CPU]] via either a [[software]] [[pre-boot authentication]] environment (i.e., with a [[Disk encryption software|software-based full disk encryption]] component - hybrid full disk encryption) or with a [[BIOS]] password.
 
[[Hitachi]], [[Micron Technology|Micron]], [[Seagate Technology|Seagate]], [[Samsung]], and [[Toshiba]] are the disk drive manufacturers offering [[Trusted Computing Group|TCG]] [[Opal Storage Specification|OPAL]] [[Serial ATA|SATA]] drives. HDDs have become a commodity so SED allow drive manufacturers to maintain revenue.<ref>{{cite web |last1=Skamarock |first1=Anne |title=Is Storage a commodity |url=https://www.itworld.com/article/2799690/is-storage-a-commodity-.html |website=ITWorld.com |publisher=Network World |accessdate=2020-05-22 |date=2020-02-21}}</ref> Older technologies include the proprietary Seagate DriveTrust, and the older, and less secure, [[Parallel ATA|PATA]] Security command standard shipped by all drive makers including [[Western Digital]]. Enterprise SAS versions of the TCG standard are called "TCG Enterprise" drives.
Line 61:
When a computer with a self-encrypting drive is put into [[sleep mode]], the drive is powered down, but the encryption password is retained in memory so that the drive can be quickly resumed without requesting the password. An attacker can take advantage of this to gain easier physical access to the drive, for instance, by inserting extension cables.<ref name="sed-attacks" />
 
The firmware of the drive may be compromised<ref>{{cite webmagazine | url = https://www.wired.com/2015/02/nsa-firmware-hacking/ | title = How the NSA's Firmware Hacking Works and Why It's So Unsettling | first = Kim | last = Zetter | date = 2015-02-22 | workmagazine = Wired }}</ref><ref>{{cite web | url = https://www.theregister.co.uk/2015/02/17/kaspersky_labs_equation_group/ | title = Your hard drives were RIDDLED with NSA SPYWARE for YEARS | first = Darren | last = Pauli | date = 2015-02-17 | work = The Register }}</ref> and so any data that is sent to it may be at risk. Even if the data is encrypted on the physical medium of the drive, the fact that the firmware is controlled by a malicious third-party means that it can be decrypted by that third-party. If data is encrypted by the operating system, and it is sent in a scrambled form to the drive, then it would not matter if the firmware is malicious or not.
 
=== Criticism ===
Retrieved from "https://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption"