Self Encrypting Disks (SEDs)

By Greg Schulz, Server and StorageIO @storageio

The next true IT industry revolutionary product will be software, virtualization and cloud technology that does not require underlying physical hardware resources (servers, network and disk storage). While we wait for that revolutionary technology to appear outside of marketing or computer generated animations, there remains the need to protect cloud and virtual environments and their underling disk storage. Underlying disk storage includes among others solid state device (SSD) as well hard disk drive (HDD) and Removable Hard Disk Drive (RHDD) packaged in different types of solutions accessed via shared SAS, iSCSI, FC, FCoE or NAS.

Meet the SED

In the past, securing disk storage has been both a physical and logical process including authorization, authentication and encryption. These technologies along with other tools are implemented via host based application, operating system, third party utility or hypervisor in addition to networking and storage system solutions. There is another technology option that compliments the previous mentioned tools and technologies called self encrypting disk (SED). SEDs such as the Seagate Full Disk Encryption (FDE) drives automatically encrypt and decrypt data inside of the device itself similar to how some tape drives can secure data on the fly. Based the trusted computing group (TCG) DriveTrust and OPAL security models, SEDs off-load or compliment other encryption for security solutions to protect against theft or lost storage devices. There is another benefit however for SEDs which is simplifying the process of decommissioning a storage device safely and quickly.

How SEDs work

SEDs work by leveraging the built-in compute processing capability found inside disk drives to perform encrypt and decrypt operations on the fly without noticeable (or in marketing speak no) performance impact. Note that SEDs only protect the data when it is stored meaning that some other form of protection will be needed for data in-flight or being read or written to a storage system. The encryption keys for a SED are password protected never appearing in the clear or in any readable format on the device itself.

SEDs establish an affinity or relationship with a workstation, server, adapter card or storage system in what is referred to as drive paring. Drive pairing, part of the DriveTrust model enables a device to be locked to a specific server, workstation, adapter card or storage system hence creating an affinity. The result of the drive pairing is that should a SED be removed and installed in another system its data cannot be accessed.

Since data can only be accessed if the key for authentication is present, should the key be changed or removed the information on the SED is instantly rendered inaccessible. This capability for many environments provides a fast, safe and easy approach to digitally destroying the contents of disk drives when they are taken out of for repair server or retired from use. Of course for ultra sensitive and secure environments additional safeguards or steps may be required ranging from drilling holes through the device to other techniques.

How to use a SED

If a SED is attached to a laptop, workstation or server, some software needs to be added to the operating system or hypervisor environment providing access and management control such as those from CryptoMill, Secude, Wave Systems or WinMagic among others. Instead of relying on software to manage the SEDs (encryption is done in the drives), another option is to leverage PCIe RAID adapter cards that support TCG DriveTrust and/or OPAL capability such as those from LSI. Yet another option is to use a storage system such as those from IBM and LSI among others that also supports the TCG DriveTrust and/or OPAL SED management.

Plan for future secure storage decommissioning now

SEDs can be used for protecting data against loss or theft, however they also have the side benefit of reducing the time required to securely destroy data when it comes time to decommission a disk drive. 1TB, 2TB and larger disk drives becoming more common and even larger drives just over the horizon. Whether deployed as a standalone device, or in tens to hundreds of drives in a large storage system, now is the time to be thinking about how you will security destroy or digitally shred data in the future. As part of a total cost of ownership or TCO model, if you are not already doing so factor in the time required to ensure that data and disk drives are securely decommissioned including safely erased or digitally shredded.

Wrap-up

SEDs including early generation TCG DriveTrust and evolving broader OPAL standard should be in your future. For some, SEDs are a great compliment to data in-flight encryption and other data security solutions to guard against theft or when you forget or lose a device somewhere. Yet for others, SEDs may be the solution to an emerging problem of how to quickly as well as securely erase or digitally shred data when decommissioning TBytes or PBytes of storage capacity in an economical manner for cloud, virtual and physical environments.

Where to learn more:

4 replies on “Self Encrypting Disks (SEDs)”