Corrected iStorage (removed link to non-existent iStorage page).
Added section on Removable Hard Drive FDE - SED moved to the Hard disk drive FDE section, as it does not apply to other types (and removed associated comment)
Line 4:
}}
'''Hardware-based full disk encryption''' ('''FDE''') is available from many [[hard disk drive]] (HDD/[[Solid-state drive|SSD]]) vendors, including: [[Hitachi]], iStorage Limited, [[Seagate Technology]], [[Samsung]], [[Toshiba]], [[
Hardware-FDE has two major components: the hardware encryptor and the data store.
There are currently
#Hard disk drive (HDD) FDE (
#Enclosed hard disk drive FDE
#Removable Hard Drive FDE
#Bridge and [[Chipset]] (BC) FDE
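Review bot: the new list entry "#Removable Hard Drive FDE" is capitalised differently from its neighbours "#Hard disk drive (HDD) FDE" and "#Enclosed hard disk drive FDE"; use sentence case ("Removable hard drive FDE") here and in the matching section heading. The last entry is also named "Bridge and Chipset (BC) FDE" while the section further down is headed "Chipset FDE", so one of the two should be renamed so that the list and the headings agree.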
Line 15 ⟶ 16:
==Hard disk drive FDE==
Usally referred to as '''self-encrypting drive''' ('''SED''').
HDD FDE is made by HDD vendors using the [[Opal Storage Specification|OPAL]] and Enterprise standards developed by the [[Trusted Computing Group]].<ref>{{cite web |url=http://www.trustedcomputinggroup.org/solutions/data_protection |title=Trusted Computing Group Data Protection page |publisher=Trustedcomputinggroup.org |date= |access-date=2013-08-06 |url-status=dead |archive-url=https://www.webcitation.org/65fUDqdql?url=http://www.trustedcomputinggroup.org/solutions/data_protection |archive-date=2012-02-23 |df= }}</ref> [[Key management]] takes place within the hard disk controller and encryption keys are 128 or 256 [[bit]] [[Advanced Encryption Standard]] (AES) keys. [[Authentication]] on power up of the drive must still take place within the [[Central processing unit|CPU]] via either a [[software]] [[pre-boot authentication]] environment (i.e., with a [[Disk encryption software|software-based full disk encryption]] component - hybrid full disk encryption) or with a [[BIOS]] password.
[[Hitachi]], [[Micron Technology|Micron]], [[Seagate Technology|Seagate]], [[Samsung]], and [[Toshiba]] are the disk drive manufacturers offering [[Trusted Computing Group|TCG]] [[Opal Storage Specification|OPAL]] [[Serial ATA|SATA]] drives. Older technologies include the proprietary Seagate DriveTrust, and the older, and less secure, [[Parallel ATA|PATA]] Security command standard shipped by all drive makers including [[Western Digital]]. Enterprise SAS versions of the TCG standard are called "TCG Enterprise" drives.
==Enclosed hard disk drive FDE==
Within a standard [[Harddrive#Form factors|hard drive form factor]] case
*The enclosed hard disk drive's case can be [[tamper-evident]], so when retrieved the user can be assured that the [[Data breach|data has not been compromised]].
*The encryptors electronics including the [[Cryptographic key|key]] store and integral hard drive
*The key can be purged, allowing a user to prevent his [[Authentication factors#Authentication factors|authentication parameters]] being used without destroying the encrypted data. Later the same [[Cryptographic key|key]] can be re-loaded into the Enclosed hard disk drive FDE, to retrieve this data.
*Tampering is not an issue for SEDs as they cannot be read without the decryption key, regardless of access to the internal electronics {{Clarify|reason=see Talk page, decryption keys can be recovered from the internal electornics in several cases|date=July 2016}}.
For example, [[ViaSat
==Removable Hard Drive FDE==
The Inserted [[hard disk drive|Hard Drive]] FDE allows a standard [[List of disk drive form factors|form factor]] [[hard disk drive]] to be inserted into it. The concept can be seen on <ref>{{cite web |title=Removable Drives |url=https://www.cru-inc.com/industries/removables/ |website=www.Cru-inc.com |publisher=CRU |accessdate=2020-05-15}}</ref>
*This is an improvement on removing [unencrypted] [[hard disk drive|hard drives]] from a [[computer]] and storing them in a [[safe]] when not in use.
*This design can be used to encrypt multiple [[hard disk drive|drives]] using the same [[Cryptographic key|key]].
*Generally they are not securely locked<ref>{{cite web |title=Sapphire Cipher Snap-In |url=https://www.addonics.com/products/ssna256eu.php |website=Addonics.com |publisher=Addonics |accessdate=2020-05-15}}</ref> so the drive's interface is open to attack.
==Chipset FDE==
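Review bot: in the "Enclosed hard disk drive FDE" section the bullet "Tampering is not an issue for SEDs as they cannot be read without the decryption key" is still in place, although the edit summary says the SED material was moved to the hard disk drive section, and it still carries a {{Clarify}} tag whose reason states that decryption keys can be recovered from the internal electronics in several cases. Move the bullet under "Hard disk drive FDE" and reword it with a source, or drop it, so that an unqualified tamper-resistance claim is not left beside a tag that disputes it. In the new section, "The concept can be seen on" ends in a bare <ref> with no object, the opening "The Inserted Hard Drive FDE" does not match the heading "Removable Hard Drive FDE", and "Generally they are not securely locked" rests on a single vendor product page; "Usally" in the SED line should read "Usually".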
Line 71 ⟶ 80:
{{Reflist}}
[[Category:Disk encryption]]