The self-encrypting hard drive

Have you ever had your laptop stolen? There is more a sense of violation, of personal intrusion, than when someone breaks into your home or lifts your wallet. I have been robbed several times over the years, but losing the laptop hurt the most.

It happened about seven years ago, I was on a business trip to Seattle and had some time to kill after an appointment, so I went to the mall and bought my wife some presents. I didn’t want to cart them around so I dropped them off in my rental car and then headed back to one of the mall’s restaurants for dinner. When I got back to the car, I just had this feeling, and sure enough when I checked the trunk it was cleaned out. My wife still jokingly insists that I made up this story but it is sadly true.

Luckily, I didn’t lose that much data, and I was using Lotus Notes so it was easy enough to replicate once I got a replacement from my employer. And while you might know about encryption programs that secure parts or all of your hard drive, you may not have heard about the latest in security technology called self-encrypting hard drives that have come to market lately.

Using disk encryption software has never caught on. People I guess don’t trust it that it will always work, so you have this conundrum of wanting to use protection software on something that is too valuable to lose but too valuable to just leave out in the open, such as your financial information or your website passwords.

What self-encrypting drives offer is an ability to make the encryption effortless. The drives have a special processing chip that automatically encrypts and decrypts your data, and if you were to look at one of these drives you couldn’t tell anything was different, which is the idea.. All you have to do is enter a start-up password and you are good to go. For corporations, there are fleet management tools that can lock or unlock your entire collection of desktop drives. One such program is Wave System’s Embassy Remote Administration Server. I spent some time reviewing this product as part of a series of sponsored video screencasts and you can watch what it does here.

What is nice about this and equivalent software tools is that you can still gain access to the data if someone forgets their password or is terminated. You can also make sure that the drive gets wiped clean when it is stolen: we all have heard about data breaches where sensitive data was left on the laptop and posted online.

SEDs are available from most of the major drive makers, and on many laptops available today. Will they get used more often than ordinary disk drive encryption software? Hard to say. But if you have ever had your laptop stolen, it might be a good idea to enable this protection, especially if you regularly leave it in your car.

12 thoughts on “The self-encrypting hard drive

  1. David, I have a few questions: (1) How can I tell if my hard drive on my laptop is capable of self-encryption? (2) How can I tell if it is turned on? (3) If it is not turned on, will I lose all my existing data — including the O/S — if I turn it on now? (4) Is there a performance hit? Thanks

    • You can always look in Windows Device Manager to see what drive model you have but systems with SEDs fitted will typically ship with client software such as Dell Data Protection | Access or Wave Embassy Security Center. This client software will tell you if you have an SED and whether security is enabled. It is important to realized that SEDs are always encrypting so enabling security will not delete existing data or impact performance at all. It will require you to use a password every time you boot the machine.

  2. *facepalm*

    People don’t use FDE because it’s not enabled by default, and FUD articles like this confuse them into thinking there’s hard choices to be made. On drive encryption is impossible to audit, so there’s no guarantee that encryption is being done properly. Key escrow in fact means that it most certainly *isn’t* done properly. Key escrow means they’re relying on a trusted computing module, which is extremely hard to create/secure/audit. Stick with the default full-disk encryption for your OS and make backups.

    Cryptographers don’t let friends use shoddy ‘encryption’, like the kind provided “on disk”.

    • The drive encryption on Opal compliant SED drives is very strong. The specifications for opal are public and can be reviewed if you wish at trustedcomputing.org. Keys are not excrowed as it is an access control model for the drive controller chip the Keys never leave the device. If managed by a central managment service from Wave or the other vendors in the space, a recovery system is in place that enables unlocking of the drive if the user forgets their credentials in the case of Wave this is delivered by a secure one time use protocol so the recovery password can only be used once. Once the server is asked to manage a drive only the server has the administrative credentials to turn off authentication. This provides a very strong proof that the specific drive is encrypted when lost and is completely resistant to imaging of the OS. SED drives also do not rely on the OS for any part of the trust model and makes them significantly more secure and simpler to set up. While the drives can be bound to the TPM chip to prevent use on a different motherboard, this is an option and not a requirment the SED drives are self contained, Fast, and quick to configure.

    • You are correct that Key Escrow is still a major challenge when it comes to FDE. That is one of the reasons why SEDs are becoming more prevalent. With an SED the encryption keys never leave the drive so those challenges are eliminated. As for auditing, if you use the Embassy Remote Administration Server, that I referred to above, all operations are recorded and local administrators are incapable of disabling encryption. So, there is a very strong audit trail. A number of drive manufacturers have SEDs that have passed the US Government’s FIPS140-2 level 2 validation so the encryption can’t really be called shoddy.

  3. I been dragging my heels cuz it’s a pain in the butt, but I think I’m gonna go get a usb stick today to enable bitlocker on my laptops, cuz that story freaks me out!

  4. I see this thread is a bit old but can anybody tell me if simply changing the disk encryption key is compliant with DOD hard drive wipe standards since the 256 bit AES encryption is said to be impossible to crack? If not, can you simply run a third party live disk wipe utility to overwrite the drive to DOD standard? Can the disk be initialized and written to despite the encryption since it’s not being booted from? Thanks in advance.

  5. Hello David. I purchased some dell laptops and they came with 256 ssd opal encryption. My plan was to just push an image to them and then install software encryption from Sophos because it is managed through our management center. I am having trouble trying to work around the opal encrypted drives and don’t know how to bypass them. I never received any password for them and don’t know how to access one or where. I would like to ignore the opal encryption and put my own but am at a loss. Any help would be appreciated and thanks in advance.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s