Self-encrypting drives based on Trusted Computing Group specifications

Hard drive vendors have started shipping self-encrypting drives based on the Trusted Computing Group’s specifications. Final specifications for client drives, data center drives and interoperability of self-encrypting drives were published in late January of this year and are widely supported by PC, server, drive and applications providers.

Fujitsu has demonstrated drives based on TCG’s Opal self-encrypting drive specification, which is focused on drives for PCs, while Hitachi GST offers these drives now. Seagate is now working with early adopters IBM and LSI Corporation on data center storage devices supporting the TCG Enterprise self-encrypting drive specification.

Wave Systems Corporation provides solutions to set up and manage all available self-encrypting drives. WinMagic provides support and management applications for self-encrypting drives in an enterprise environment for both Windows and Mac platforms. CryptoMill Technologies also has noted its support for the TCG specifications. McAfee will look to support the TCG Opal specification to provide a choice of encryption models and implementation options to its customers.

The new specifications give vendors a blueprint for developing self-encrypting storage devices that lock-down data automatically in less than a second and can be immediately and completely erased in milliseconds. Self-encrypting drives can be easily deployed in the enterprise, because drives based on TCG specifications are easily managed, have reduced cost of deployment and management, and are interoperable across PC platform types.

Putting cryptographic operations in the drive has a number of benefits:

  • The ability to encrypt the entire drive contents immediately upon device manufacture
  • strong protection of the encryption keys combined with strict access control
  • no loss of system performance.

The contents of the self-encrypting drives are always encrypted and the encryption keys are themselves encrypted and protected in hardware that cannot be observed by other parts of the system. AES and other cryptographic algorithms are supported in the specifications, and vendors can add additional security features to their devices. Because encryption is handled in the drive, overall system performance is not affected and is not subject to attacks targeting other components of the system.

Compared to encryption outside of the drive, self-encrypting drives do not interfere with system maintenance, compression, de-duplication, and end-to-end integrity metrics. In addition, the encryption key never leaves the drive, greatly simplifying key management. The enterprise benefits from these security features are reliable compliance, ease of deployment, and ease of management. Additionally, the repurposing of drives at either redeployment or end-of-life has a significantly lower cost than other options.

In the data center, encryption typically has been costly and time-consuming. This is mainly due to the demands on bandwidth. Self-encrypting drives do encryption inside of each drive, where it is cheaper, safer, and more scalable to implement than encryption in the RAID controller.