Operation Manual
Seagate Desktop HDD Product Manual, Rev. Y 29
www.seagate.com About (SED) Self-Encrypting Drives
4.0 About (SED) Self-Encrypting Drives
Self-encrypting drives (SEDs) offer encryption and security services for the protection of stored data, commonly known as "data at
rest". These drives are compliant with the Trusted Computing Group (TCG) Opal Storage Specifications as detailed in the following:
• TCG Storage Architecture Core Specification, Version 2.0 (see www.trustedcomputin
ggroup.org)
• TCG Storage Security Subsystem Class Opal Specification, Version 2.0 (see www.trustedcomputin
ggroup.org)
In case of conflict between this document and any referenced document, this document takes precedence.
The Trusted Computing Group (TCG) is a standards organization sponsored and operated by companies in the computer, storage
and digital communications industry. Seagate's SED models comply with the standards published by the TCG.
To use the security features in the drive, the host must be capable of constructing and issuing the following two SATA commands:
•Trusted Send
•Trusted Receive
These commands are used to convey the TCG protocol to and from the drive in their command payloads. Seagate Secure SEDs also support TCG
Single User Mode, which can be disabled.
4.1 Data Encryption
Encrypting drives use one inline encryption engine within each drive employing AES-256 algorithms in Cipher Block Chaining (CBC) mode to
encrypt all data prior to being written on the media and to decrypt all data as it is read from the media. The encryption engine is always in
operation and cannot be disabled. The 32-byte Data Encryption Key (DEK) is a random number which is generated by the drive, never leaves the
drive, and is inaccessible to the host system. The DEK is itself encrypted when it is stored on the media and when in volatile temporary storage
(DRAM), which is external to the encryption engine. A unique data encryption key is used for each of the drive's possible16 data bands (see
Section 4.5 Data Bands).
4.2 Controlled Access
The drive has two security providers (SPs) called the "Admin SP" and the "Locking SP." These act as gatekeepers to the drive security services.
Security-related commands will not be accepted unless the user provides the correct credentials to prove that they are authorized to perform the
command.
4.2.1 Admin SP
The Admin SP allows the drive's owner to enable or disable firmware download operations (see Section 4.4 Drive Locking). Access to the
Admin SP is available using the SID (Secure ID) password.
4.2.2 Locking SP
The Locking SP controls read/write access to the media and the cryptographic erase feature. Access to the Locking SP is available using the Admin
or User passwords.
4.2.3 Default password
When the drive is shipped from the factory, all passwords are set to the value of MSID. This 32-byte random value can only be read by the host
electronically over the interface. After receipt of the drive, it is the responsibility of the owner to use the default MSID password as the authority to
change all other passwords to unique owner-specified values.
4.2.4 ATA Enhanced Security
The drive can utilize the system's BIOS through the ATA Security API for cases that do not require password management and additional security
policies.
Furthermore, the drive's ATA Security Erase Unit command shall support both Normal and Enhanced Erase modes with the following
modifications/additions:
Normal Erase: Normal erase feature shall be performed by changing the Data Encryption Key (DEK) of the drive, followed by an overwrite
operation that repeatedly writes a single sector containing random data to the entire drive. This write operation bypasses the media encryption.
On reading back the overwritten sectors, the host will receive a decrypted version, using the new DEK of the random data sector (the returned
data will not match what was written).
Enhanced Erase: Enhanced erase shall be performed by changing the Data Encryption Key of the drive.
4.3 Random Number Generator (RNG)
The drive has a 32-byte hardware RNG that it is uses to derive encryption keys or, if requested to do so, to provide random numbers to the host for
system use, including using these numbers as Authentication Keys (passwords) for the drive's Admin and Locking SPs.