User Manual

Enterprise Self-Encrypting Drive User’s Guide, Rev. B
The principal reason for employing encryption with locking is to provide security for the data that is recorded on the
disk surfaces. This is usually referred to as security of data at rest. Simply put, if the disk drive loses power, as would
be the case if it were removed from its owner’s system, its recorded data will be locked against unauthorized access as
soon as power is reapplied. With power reestablished, the host system will need to prove to the drive that it is the
owner by providing the drive with the appropriate ownership credentials. Credentials? It’s time we talked a little bit
more about keys and passwords.
1.4.1 Types of keys
There are two types of keys used in SEDs, the data encryption key and the authentication (locking) key.
1.4.1.1 The encryption key
We’ve already become quite familiar with the encryption key. This is a symmetric key that is used by the encryption
engine to generate the unique cipher text from the plain text and to subsequently recover the plain text from the
cipher text. It is generated by the drive as a 32-byte random number and is a secret known only to the drive.
The encryption key cannot be accessed by an external source, but it can be changed by the drive’s owner. Changing
the encryption key is not something that should be done lightly because, once it is changed, all of the data previously
written to the drive will be read and decrypted with a different key and will therefore be unrecoverable. On
the other hand, this is an effective technique for destroying data on the disk and is commonly referred to as a
cryptographic erase, a useful tool if a drive has to be repurposed (used in a different application where the data is
neither required nor wanted) or scrapped.
1.4.1.2 The authentication key
This key is used to lock and unlock a function or feature in the drive that requires the owner’s permission. It is an
owner’s credential, though we would probably be much happier if we simply called it a password. Although there is
only one encryption key, there can be several passwords assigned to each drive. As well as needing a password to be
able to read and write data on the drive, we’ve just seen another good example of a drive feature that calls out for
password protection—the cryptographic erase. We’ll find and explain some other needs for passwords as we dig
deeper into encryption and security.
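
The Python sketch below is an added example, not code from this guide or from drive firmware. It models the behaviour described in 1.4.1.1 and 1.4.1.2: the drive locks when power is reapplied, a password unlocks it, and a cryptographic erase replaces the encryption key. ToySED, keystream_xor and the salted password hash are assumptions made for illustration, and a SHA-256 keystream stands in for the drive's AES engine.

```python
import hashlib, hmac, secrets

def keystream_xor(key: bytes, lba: int, data: bytes) -> bytes:
    # Stand-in cipher for this sketch only (a real SED uses AES in hardware).
    stream = bytearray()
    ctr = 0
    while len(stream) < len(data):
        block = key + lba.to_bytes(8, "big") + ctr.to_bytes(4, "big")
        stream += hashlib.sha256(block).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

class ToySED:
    """Hypothetical model of the two key types; not Seagate firmware or a TCG API."""
    def __init__(self, password: str):
        self._dek = secrets.token_bytes(32)   # encryption key: 32 random bytes, drive-internal
        self._salt = secrets.token_bytes(16)
        self._verifier = self._kdf(password)  # assumption: only a salted hash is stored
        self._media = {}                      # LBA -> ciphertext as recorded on the media
        self._locked = True                   # locked whenever power is (re)applied

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _check(self, password: str) -> bool:
        return hmac.compare_digest(self._kdf(password), self._verifier)

    def power_cycle(self) -> None:
        self._locked = True

    def unlock(self, password: str) -> bool:
        ok = self._check(password)
        self._locked = self._locked and not ok
        return ok

    def write(self, lba: int, plaintext: bytes) -> None:
        if self._locked:
            raise PermissionError("drive is locked")
        self._media[lba] = keystream_xor(self._dek, lba, plaintext)

    def read(self, lba: int) -> bytes:
        if self._locked:
            raise PermissionError("drive is locked")
        return keystream_xor(self._dek, lba, self._media[lba])

    def crypto_erase(self, password: str) -> None:
        if not self._check(password):
            raise PermissionError("erase needs the owner's password")
        self._dek = secrets.token_bytes(32)   # old ciphertext stays on media, now undecryptable
```

After crypto_erase the recorded ciphertext is untouched, yet a read returns unrelated bytes because the key that produced it no longer exists.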
1.5 Summary
By way of introduction to Self-Encrypting Drives, we’ve taken a quick look at encryption and hashing, in particular the
government-approved Advanced Encryption Standard (AES), SHA-1 and SHA-256. We know that AES is used in Seagate
disk drives and that we employ a block encryption mode called Cipher Block Chaining. Finally, we’ve seen that there
are two types of keys used in Self-Encrypting Drives, encryption keys and authentication (or locking) keys, each of
which plays a part in providing security for the stored data. Encryption on its own does not provide protection against
unauthorized access to the data; for that we need a couple of gatekeepers in the drive. We call these gatekeepers the
“Locking SP” and the “Admin SP.”
In terms of storing data, I/O communication, drive format, and operational performance, an encrypting drive performs
in exactly the same fashion as a non-encrypting drive. In fact, if an SED is installed in an older (legacy) system, the
system will function normally and will be unaware of the hidden talents the newcomer has to offer.
Note. We’ll see later that this last paragraph is not totally accurate—there are a couple of commands that are
not allowed in SED drives but these commands are normally used only in a diagnostic environment.
Now let’s take a closer look at how the security features are integrated into an Enterprise SED.