User Manual

Enterprise Self-Encrypting Drive User’s Guide, Rev. B 11
The system band is shown in Figure 6 and comprises an area at the inner radius of the media which is used by the
drive to store the information needed to manage its security.
Also in Figure 6 we see that the SCSI (Small Computer Systems Interface) commands from the host controller can be
divided into three main categories:
a. Control commands. These cause the drive to perform particular functions (e.g. Drive Reset, Start Spindle), to query
or change drive parameters (e.g. Mode Sense, Mode Select), to read status or logging information (e.g. Inquiry,
SMART), to provide diagnostic functions, and so on.
b. Read and write commands. They allow access to the media and cause user data to be read or written.
c. Security commands. These are used to define and authenticate the users who may access or erase the stored data,
modify security parameters to suit a particular application or installation, or perform special operations such as
firmware downloads.
As far as (a) and (b) are concerned, it’s pretty much business as usual whether we’re talking to an SED or not, but (c) is a
different matter altogether.
How does the host controller communicate with the security block of the drive? Like the rest of the activity on the I/O,
the dialogue is handled by SCSI commands and responses.
Two new SCSI commands have been defined by the T10 INCITS (International Committee for Information Technology
Standards) Technical Committee in conjunction with the Trusted Computing Group (TCG). These commands are
called “Protocol Out” and “Protocol In,” and between them they carry all the security information between the drive
and the Host. All security instructions and related information going to the drive are contained in the Protocol Out
command and all security information required from the drive must be invoked by the host in a Protocol In command.
Please note that these commands deal only with security related information. The normal command dialogue (including
Read and Write) is handled by the standard SCSI command set. We’ll take a closer look at the construction of these
Protocol commands in Part 2 of the Users’ Manual.
The security block handles the drive’s passwords and makes sure that only the owner has access to the stored data.
When the drive is powered up, it is in a locked state and all media access is disallowed until a password has been
received by the drive and has been validated against the owner’s password which is stored on the system band. Once
the validation is complete, the drive retrieves the encryption key from the system band and loads it into the encryption
engine. The drive is now unlocked and normal read/write activity can take place.
As we will see shortly, there are additional passwords managed by the security block. These control things like firmware
downloads, access to diagnostic resources, and cryptographic erasure of the data. In general, the security block
only affects operations which are related to user data.
In the locked state, the drive will still accept commands which do not involve access to user data such as Inquiry,
Mode Page, Spindle Start/Stop and so on. These commands are grouped under “Control” in Figure 6 and are managed
by the block entitled “Drive Processor & Standard Electronics.”
Table 1 provides a list of all the commands which are monitored by the security block and shows how the drive reacts
to these commands when it is locked and when it is unlocked. Note that with the exception of Read Buffer, all of these
commands attempt to access the media and therefore (with no access controls in place) could constitute a direct
threat to the security of user data.
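The locked-state behaviour described above (power up locked, Control commands still served, media commands refused until the Protocol Out password is validated against the system band and the key is loaded into the encryption engine) can be modelled as a small state machine. The following Python model is an added illustration, not Seagate’s firmware or the TCG protocol: the command names, the salted-hash verifier on the system band and the `power_cycle` method are assumptions of the model.

```python
import hashlib
import hmac
import os

# Command categories from Figure 6 (names are illustrative; constructed for this model).
CONTROL = {"Inquiry", "Mode Sense", "Mode Select", "Start Spindle", "Drive Reset"}
MEDIA = {"Read", "Write"}


class SedSecurityBlock:
    """Simplified model of the security block and the system band it manages."""

    def __init__(self, owner_password: bytes, media_key: bytes):
        # System band contents (model only): a salted verifier of the owner
        # password stands in for whatever the real drive stores, plus the key.
        salt = os.urandom(16)
        self.system_band = {
            "salt": salt,
            "owner_verifier": hashlib.pbkdf2_hmac("sha256", owner_password, salt, 100_000),
            "media_key": media_key,
        }
        self.power_cycle()

    def power_cycle(self) -> None:
        """Power-up state: locked, and the encryption engine holds no key."""
        self.locked = True
        self.engine_key = None

    def protocol_out(self, password: bytes) -> bool:
        """Security command path: validate against the system band, then load the key."""
        salt = self.system_band["salt"]
        candidate = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
        # Constant-time comparison so a wrong guess leaks nothing through timing.
        if not hmac.compare_digest(candidate, self.system_band["owner_verifier"]):
            return False  # drive stays locked; engine key is untouched
        self.engine_key = self.system_band["media_key"]
        self.locked = False
        return True

    def handle(self, command: str) -> str:
        """Route a host command the way Figure 6 describes."""
        if command in CONTROL:
            return "OK"  # handled by the drive processor regardless of lock state
        if command in MEDIA:
            return "OK" if not self.locked else "REJECTED: drive locked"
        return "UNSUPPORTED"
```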