Hardware-based full disk encryption

This is an old revision of this page, as edited by 173.2.214.178 (talk) at 18:58, 22 January 2010 (See also).

Hardware-based full disk encryption is available from all of the hard disk drive (HDD) vendors, including Seagate Technology, Hitachi, Ltd., Samsung and Toshiba, and also from solid-state drive vendors such as Samsung. The encryption is performed by the drive's own controller, and the symmetric data encryption key is generated and held inside the drive rather than by the host CPU. The key is therefore never resident in main memory, which removes system RAM as a place from which it could be recovered; it does not, by itself, protect a drive that is already unlocked in a running machine.

There are currently two varieties of hardware FDE being discussed:

  1. Hard Disk Drive FDE
  2. Chipset FDE

Hard Disk Drive FDE

HDD FDE is available from all HDD vendors under the Trusted Computing Group's Opal (client) and Enterprise storage specifications.[1] Key management takes place inside the drive: the data encryption key is generated by the drive and is itself stored only in encrypted (wrapped) form under a cryptographically strong passcode of up to 32 bytes (256 bits), so changing the passcode rewraps the key without re-encrypting the stored data. Authentication at drive power-up must still be driven by the host CPU, either through a software pre-boot authentication environment or with a BIOS password; once unlocked, the drive typically stays unlocked until it loses power or is explicitly locked again.
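The key hierarchy described here, and the drive-resident key the introduction refers to, as an added example that is not code from any drive vendor or from the TCG specifications: a small Python model in which a random data encryption key (DEK) never leaves the "drive", a key derived from the passcode (KEK) only ever wraps the DEK, and the operations that matter in practice (unlock, lock, passcode change, crypto-erase) follow from that split. The class, its method names, the sample sector contents and the passcode strings are all constructed for this illustration. HMAC-SHA256 in counter mode with an HMAC tag stands in for the drive's AES engine so that the example runs with the standard library alone; it is not what a real drive uses (that is AES, typically in XTS mode).

```python
"""Self-encrypting drive key hierarchy, modelled in software (added example).
DEK: random media key generated in-drive, never exported, encrypts sectors.
KEK: derived from the passcode, only ever wraps the DEK.  HMAC-SHA256 in counter
mode stands in for the drive's AES so this needs only the standard library."""
import hashlib
import hmac
import os

def _keystream(key, nonce, length):
    # PRF-in-counter-mode stand-in for a block-cipher keystream.
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def _seal(key, plaintext):
    # Encrypt-then-MAC; returns 16-byte nonce || ciphertext || 32-byte tag.
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def _open(key, blob):
    # Verify the tag, then decrypt; ValueError under the wrong key.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class SelfEncryptingDrive:
    # Hypothetical model; method names are this example's, not a real command set.
    def __init__(self, passcode):
        self._salt = os.urandom(16)
        self._dek = None             # plaintext DEK exists only while unlocked
        self.media = {}              # LBA -> encrypted sector, as kept on the platter
        self._wrapped_dek = _seal(self._kek(passcode), os.urandom(32))  # DEK made in-drive

    def _kek(self, passcode):
        if len(passcode) > 32:       # Opal passcodes are at most 32 bytes (256 bits)
            raise ValueError("passcode longer than 32 bytes")
        return hashlib.pbkdf2_hmac("sha256", passcode, self._salt, 100_000)

    def unlock(self, passcode):
        try:
            self._dek = _open(self._kek(passcode), self._wrapped_dek)
            return True
        except ValueError:
            return False

    def lock(self):                  # power loss or an explicit lock discards the DEK
        self._dek = None

    def write(self, lba, data):
        if self._dek is None:
            raise PermissionError("drive is locked")
        self.media[lba] = _seal(self._dek, data)

    def read(self, lba):             # ValueError if the DEK has since been replaced
        if self._dek is None:
            raise PermissionError("drive is locked")
        return _open(self._dek, self.media[lba])

    def change_passcode(self, old, new):
        # Rewraps the same DEK; no sector on the media is touched.
        try:
            dek = _open(self._kek(old), self._wrapped_dek)
        except ValueError:
            return False
        self._wrapped_dek = _seal(self._kek(new), dek)
        return True

    def crypto_erase(self, passcode):
        # Replace the DEK: every existing sector becomes unrecoverable at once.
        if not self.unlock(passcode):
            return False
        self._dek, self._wrapped_dek = None, _seal(self._kek(passcode), os.urandom(32))
        return True

def _raises(exc, fn, *args):
    try:
        fn(*args)
        return False
    except exc:
        return True

def demo():
    # Walks the lifecycle; every value is True when the model behaves as described.
    d = SelfEncryptingDrive(b"initial-passcode")
    sector = b"constructed sample sector contents " * 2      # constructed payload
    out = {"wrong_passcode_rejected": not d.unlock(b"guess")}
    out["correct_passcode_accepted"] = d.unlock(b"initial-passcode")
    d.write(7, sector)
    out["roundtrip"] = d.read(7) == sector
    d.lock()
    out["locked_read_blocked"] = _raises(PermissionError, d.read, 7)
    before = d.media[7]
    out["passcode_change_ok"] = d.change_passcode(b"initial-passcode", b"new-passcode")
    out["media_untouched_by_passcode_change"] = d.media[7] == before
    out["old_passcode_now_rejected"] = not d.unlock(b"initial-passcode")
    out["new_passcode_reads_data"] = d.unlock(b"new-passcode") and d.read(7) == sector
    out["crypto_erase_ok"] = d.crypto_erase(b"new-passcode") and d.unlock(b"new-passcode")
    out["erased_data_unrecoverable"] = _raises(ValueError, d.read, 7)
    return out
```

Three things the paragraph states in prose become checkable in demo(): a passcode change rewraps one 80-byte blob and leaves every stored sector byte-for-byte unchanged, a crypto-erase is a key replacement rather than an overwrite of the media, and the locked or unlocked state is a single field that a power cycle clears, which is why the drive adds no protection once a running machine has unlocked it.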

Hitachi, Seagate, Samsung, Toshiba and Western Digital are the disk drive manufacturers offering TCG Opal SATA drives, alongside drives that implement only the older, and less secure, ATA Security command set. All drive makers have suggested that the appropriate term for this new class of device and its new functionality is "self-encrypting drive".

An example of a specialty vendor adding self-encryption to commercial drives is Stonewood with its Flagstone range.[2]

Currently there is an effort by Microsoft, which has a software FDE product called BitLocker, to block TCG commands through the Windows operating system. This effort takes place in the IEEE 1667 group, which was founded by Microsoft and some flash drive vendors and was originally presented as concerning only USB devices, but has since been extended to all external storage.

Chipset FDE

Intel announced the release of the Danbury chipset,[3] which would have placed the encryption engine in the platform chipset rather than in the drive, but has since abandoned this approach.

See also

References