Manualshelf

User Manual

ManualsBrandsSeagate Technology ManualsSeagate Technology Hard Drives & StorageSeagate 2TB EXOS 7E2000 ENT CAP 2.5 HDD - ST2000NX0273
31323334353637383940
Constellation.2 Serial ATA Product Manual, Rev. G 34
5.2.3 Default password
When the drive is shipped from the factory, all passwords are set to the value of MSID. This 32-byte random value can
only be read by the host electronically over the interface. After receipt of the drive, it is the responsibility of the owner
to use the default MSID password as the authority to change all other passwords to unique owner-specified values.
5.3 Random number generator (RNG)
The drive has a 32-byte hardware RNG that it is uses to derive encryption keys or, if requested to do so, to provide ran-
dom numbers to the host for system use, including using these numbers as Authentication Keys (passwords) for the
drives Admin and Locking SPs.
5.4 Drive locking
In addition to changing the passwords, as described in Section 5.2.3, the owner should also set the data access con-
trols for the individual bands. The variable "LockOnReset" should be set to "PowerCycle" to ensure that the data bands
will be locked if power is lost. In addition "ReadLockEnabled" and "WriteLockEnabled" must be set to true in the lock-
ing table in order for the bands "LockOnReset" setting of "PowerCycle" to actually lock access to the band when a
"PowerCycle" event occurs. This scenario occurs if the drive is removed from its cabinet. The drive will not honor any
data read or write requests until the bands have been unlocked. This prevents the user data from being accessed with-
out the appropriate credentials when the drive has been removed from its cabinet and installed in another system.
When the drive is shipped from the factory, the firmware download port is unlocked.
5.5 Data bands
When shipped from the factory, the drive is configured with a single data band called Band 0 (also known as the
Global Data Band) which comprises LBA 0 through LBA max. The host may allocate Band1 by specifying a start LBA
and an LBA range. The real estate for this band is taken from the Global Band. An additional 14 Data Bands may be
defined in a similar way (Band2 through Band15) but before these bands can be allocated LBA space, they must first
be individually enabled using the EraseMaster password.
Data bands cannot overlap but they can be sequential with one band ending at LBA (x) and the next beginning at LBA
(x+1).
Each data band has its own drive-generated encryption key and its own user-supplied password. The host may
change the Encryption Key (see Section 5.6) or the password when required. The bands should be aligned to 4K LBA
boundaries.
5.6 Cryptographic erase
A significant feature of SEDs is the ability to perform a cryptographic erase. This involves the host telling the drive to
change the data encryption key for a particular band. Once changed, the data is no longer recoverable since it was
written with one key and will be read using a different key. Since the drive overwrites the old key with the new one,
and keeps no history of key changes, the user data can never be recovered. This is tantamount to an instantaneous
data erase and is very useful if the drive is to be scrapped or redispositioned.
5.7 Authenticated firmware download
In addition to providing a locking mechanism to prevent unwanted firmware download attempts, the drive also only
accepts download files which have been cryptographically signed by the appropriate Seagate Design Center.
Three conditions must be met before the drive will allow the download operation:
1. The download must be an SED file. A standard (base) drive (non-SED) file will be rejected.
2. The download file must be signed and authenticated.