User Manual
Enterprise Self-Encrypting Drive User’s Guide, Rev. B 18
3.0 Storing the passwords and encryption keys
Since we encrypt the user data before storing it on the media, we obviously don’t want to drop the ball when it comes
to storing the drive’s keys by committing them to storage in plain text format. So what do we do to protect the integ-
rity of the owner’s passwords and the data encryption keys? Well, let’s find out by taking a close look at Figure 11.
Figure 11. Password and encryption key storage
1. The controller sends a BandMaster password to the drive as part of the authentication process. The password is in
clear text and is held in temporary volatile storage for a few milliseconds until the authentication process is com
-
plete.
2. The drive hashes the password and forms a SHA256 digest.
3. The drive retrieves the previously-stored password digest from the system band and compares it to the value
obtained in (2).
4. If the hashed values are not equal, the drive will inform the controller of an authentication error and will incre-
ment the false password counter.
5. If the hashed values are equal, the drive will retrieve the encrypted data encryption key from the system band and
decrypt it to clear text using the BandMaster password from the controller as the decryption key. Since authenti
-
cation has been successful, the drive will clear the false password counter.
6. The drive loads the clear text value of the encryption key into the encryption engine and clears the BandMaster
password from temporary storage.
7. With the password verified and the encryption key loaded, the drive can now respond to Read/Write commands
from the host.