Manualshelf

User Manual

ManualsBrandsSeagate Technology ManualsSeagate Technology Hard Drives & Storage2TB ENT CAP 2.5 HDD SATA 7200 RPM 128MB 2.5IN
11121314151617181920
Enterprise Self-Encrypting Drive User’s Guide, Rev. B 15
2.6 BandMaster
This password is part of the Locking SP and controls access to the user data on the media. On a non-encrypting drive,
the media contains one contiguous LBA space which starts at LBA 0 and ends at LBA max. On SEDs, the LBA space is
divided into two or more data bands, each of which has its own password. That’s why, in Figure 7, we call this pass-
word BandMasterX where X is the band number and takes the value 0, 1, 2, 3, and so on depending on how many
bands are available on the particular disk. A disk with 16 data bands would have 16 BandMaster passwords numbered
BandMaster0 through BandMaster15. All BandMaster passwords default to the value of MSID on new drives. We’ll dig
deeper into the subject of data bands in due course.
2.7 EraseMaster
The host needs to use EraseMaster in order to perform a cryptographic erase on a data band. Although there may be
multiple data bands, the same EraseMaster password is used for each of them, but they must be erased one at a time
by specifying the band number with the erasure request. Cryptographic erasure of a band causes the following
actions to take place:
1. A new data encryption key is created for the band in question (cryptographic erase)
2. The band is unlocked for reading and writing. After a cryptographic erase, any data read from the media would be
decrypted with the new key. This means that a Read to an LBA which has not been written with the new key will
result in gibberish being returned to the host.
3. The BandMaster password reverts to the value of MSID
In order to discourage a brute force attack on a BandMaster password, a Try Limit and Persistence setting may be
specified by using the EraseMaster credential.
The drive has a counter which keeps track of the number of unsuccessful authentication attempts. The Try Limit sets
an upper bound to this counter. This becomes the number of times the drive will accept a false password before shut-
ting the drive down against further attacks. A Try Limit of 0 means there is no limit. The default value is 1024.
The Persistence setting determines whether the count persists through a power cycle. What does “shutting the drive
down” mean? Well, that depends on the Persistence setting which has been selected. When the drive shuts down it
essentially becomes unresponsive to any further authentication attempts. If the count does not persist through a
power cycle, it will be reset to zero and another round of authentication attempts can be made until the Try Limit is
once again reached. If the count persists through a power cycle it is not reset to zero and once the Try Limit is reached,
the drive will lock out all further authentication attempts whether the drive is power cycled or not.
Regardless of the Persistence setting, if a successful authentication is made at any time before the Try Limit is reached,
the counter is reset to zero.