Self Encrypting Drives

Self Encrypting Drives

A key element of those recommendations was the pervasive encryption of stored data, initially on the laptops carried by executives, sales, and engineering. The software encryption solution previously examined still had cost, complexity and usability issues, but the IT manager became aware of a novel approach to stored-data encryption – putting the encryption engine into hardware directly inside the storage system, called self-encrypting drives (SEDs). From the outside, an SED functions as an ordinary drive, processing reads and writes. But deep inside the drive electronics, just before the data bits are written to the physical media, an encryption engine applies real-time encryption to the data stream, so the bits on the media are encrypted and therefore unreadable to an unauthorized adversary. Conversely, bits read from the media are decrypted before leaving the drive, completely transparent to the end user.

The IT manager found several comparisons of hardware-based SEDs to software and indirect encryption solutions. The research and testing by Trusted Laboratories was especially revealing of the stark differences in performance by SEDs versus software full-disk encryption (FDE).5 Three leading FDE software products were pitted against an SED, using a series of intensive read/write tests. In a typical test, the SED was respectively 79%, 132% and 144% faster than the software-based products.

Literature prepared by the Trusted Computing Group on SEDs provides a number of comparison points between SEDs and software FDE6, as follows.

Transparency: SEDs come from the factory with the encryption key already generated on-board and the drive already encrypting (always encrypting); software-based keys are provisioned by the user.

Ease of management: No encrypting key to manage externally. How does software-based encryption protect the encryption key? In software?

Life-cycle costs: The cost of an SED is pro-rated into the initial drive cost. Software has continuing life-cycle costs.

Disposal or re-purposing cost: With an SED, erasing the on-board encryption key rapidly renders the encrypted data unreadable so that the "clean" drive can be re-used, disposed of, or shipped out for warranty repair. Software-based encryption often relies on lengthy data-overwriting procedures or even destruction of the drive itself.

Re-encryption: With an SED, there is no need to ever re-encrypt the data. Software-based encryption-key changes require whole drive re-encryption, which can take hours.

Performance: No degradation in hardware-based SED performance. Software-based FDE has a significant performance impact.

Standardization: The whole drive industry is building to the TCG/SED Specifications, whereas, software is proprietary.

No interference with processes like compression, de-duplication, or DLP (data loss prevention). Software encryption is necessarily upstream from storage and can interfere with such processes.

The one negative issue with SEDs is the cost of migrating out the non-encrypting drives and replacing them with SEDs. But the IT manager soon learns that the normal laptop replacement cycle (nominally, three years) could be leveraged, with priority given to employees and executives who necessarily carry sensitive personal data on their laptops. The IT manager made the recommendation to the CEO to adopt SEDs. But is the SED technology widely available and standardized?

As luck would have it, the three dimensions - business requirements, industry standardization, and availability from all the major drive vendors - have come together, culminating in 2009.