With repeated reports of sensitive, and at times top-secret, information being lost on the hard drives of notebook computers, keeping data safe is one of the most important tasks for businesses and consumers today. One problem has been that each hard drive maker used its own proprietary encryption scheme, so drives from different vendors could not be set up or managed the same way, which made things confusing for the consumer.
ComputerWorld reports that hard drive makers have now agreed on a single standard for full-disk encryption (FDE) that works across all brands of hard drives and SSDs. When FDE is enabled, the drive will not unlock until a password is supplied before the computer boots, and everything written to the drive is stored encrypted; the encryption is performed by the drive itself rather than by software on the host.
The final specifications for the encryption standard were published this week by the Trusted Computing Group (TCG) and cover specs for FDE in notebooks, desktop and server applications. Robert Thibadeau from Seagate said, "This represents interoperability commitments from every disk drive maker on the planet. We're protecting data at rest. When a USB drive is unplugged, or when a laptop is powered down, or when an administrator pulls a drive from a server, it can't be brought back up and read without first giving a cryptographically-strong password. If you don't have that, it's a brick. You can't even sell it on eBay."
Settling on a single encryption standard will allow all drive makers to build security into all of their products, which will lower the cost of production and make it easier for users to secure the data on their computers.
This is big news for enterprise environments, where a standard encryption protocol means less configuration and less hassle during installation, along with less management down the road. The specifications allow encryption to be enabled by administrators in a way that end users cannot turn off.
One very important factor is that modern FDE has come a long way and now only marginally affects the read and write speeds of hard drives, since the encryption is done by the drive's own controller rather than by the host CPU. Writing data to an encrypted drive is almost as fast as writing data to a non-encrypted drive. The companies that are members of the TCG include Fujitsu, Hitachi GST, Seagate Technology, Samsung, Toshiba, Western Digital, Wave Systems, LSI Corp., ULink Technology, and IBM.
Analyst Jon Oltsik from Enterprise Strategy Group said, "In five years time, you can imagine any drive coming off the production line will be encrypted, and there will be virtually no cost for it."
The three specifications for FDE include the Opal specification, which sets out the minimum requirements for a storage device in a PC or laptop. The Enterprise Security Subsystem Class Specification is aimed at drives in data centers, where as little security configuration as possible should be needed at install time. The final one is the Storage Interface Interactions Specification, which details how the other two specifications interact with existing storage interface standards.
The specifications cover the PATA, SATA, SCSI, SAS, Fibre Channel and ATAPI interfaces. The three larger members of the group -- Seagate, Fujitsu, and Hitachi -- are already producing drives that support the standard. The specifications require vendors to use AES with either 128-bit or 256-bit keys, depending on the level of security wanted; the group points out that neither key size has been broken. In practice the weak point is rarely the cipher but the password that unlocks it, which is why Thibadeau stresses a cryptographically strong one.
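The key handling the article describes (a password required before boot, data at rest unreadable without it, AES with a 128- or 256-bit key) is easier to see in code. The following Go model is an added example and is not code from the article, from the TCG specifications, or from any drive vendor. It shows the usual self-encrypting-drive key hierarchy: the drive generates its own media encryption key (MEK), stores it only wrapped under a key derived from the password, and unwraps it at unlock time, so a wrong password leaves every sector as ciphertext and a password change never re-encrypts the disk. The names (Drive, NewDrive, Unlock, WriteSector and so on), the PBKDF2 iteration count, the sample sector contents, and the use of AES-GCM per sector in place of the AES-XTS that real drives use are all assumptions made for this example, not details taken from the Opal spec.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// pbkdf2SHA256 returns one 32-byte block of PBKDF2-HMAC-SHA256 (RFC 8018),
// written out so the example needs nothing outside the standard library.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1, big-endian
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// randBytes draws n bytes from the OS CSPRNG.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmFor returns AES-GCM under key; a 16- or 32-byte key selects AES-128/256.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // key sizes are validated in NewDrive
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// Drive models a self-encrypting drive. Sectors persist only as ciphertext under
// a media encryption key (MEK); the MEK persists only wrapped under a
// key-encryption key (KEK) derived from the password, never in the clear.
type Drive struct {
	salt, wrappedMEK []byte // wrappedMEK = nonce || AES-GCM(KEK, MEK)
	sectors          map[uint64][]byte
	mek              []byte // plaintext MEK, nil while locked
}

// NewDrive provisions a drive with a fresh random MEK of 128 or 256 bits (the two
// sizes the spec allows) sealed under password; like a new drive it starts unlocked.
func NewDrive(password string, keyBits int) (*Drive, error) {
	if keyBits != 128 && keyBits != 256 {
		return nil, errors.New("AES key must be 128 or 256 bits")
	}
	d := &Drive{sectors: map[uint64][]byte{}, mek: randBytes(keyBits / 8)}
	d.seal(password)
	return d, nil
}

// seal (re)wraps the MEK under a KEK derived from password. Sectors are untouched,
// so a password change is just another seal and never re-encrypts the disk.
// The 100_000 iteration count is an assumption for this example.
func (d *Drive) seal(password string) {
	d.salt = randBytes(16)
	kek := gcmFor(pbkdf2SHA256([]byte(password), d.salt, 100_000))
	nonce := randBytes(kek.NonceSize())
	d.wrappedMEK = append(nonce, kek.Seal(nil, nonce, d.mek, nil)...)
}

// Unlock re-derives the KEK and unwraps the MEK. A wrong password fails the GCM
// tag check, nothing is decrypted, and the drive stays a brick.
func (d *Drive) Unlock(password string) error {
	kek := gcmFor(pbkdf2SHA256([]byte(password), d.salt, 100_000))
	ns := kek.NonceSize()
	mek, err := kek.Open(nil, d.wrappedMEK[:ns], d.wrappedMEK[ns:], nil)
	if err != nil {
		return errors.New("bad password: drive remains locked")
	}
	d.mek = mek
	return nil
}

// Lock models power-off or pulling the drive: the plaintext MEK is gone.
func (d *Drive) Lock() { d.mek = nil }

// WriteSector stores plain under the MEK with a fresh nonce, so equal plaintext in
// two sectors differs on the media. (Real drives use AES-XTS, which needs no
// per-sector nonce or tag; the key hierarchy above is the same either way.)
func (d *Drive) WriteSector(n uint64, plain []byte) error {
	if d.mek == nil {
		return errors.New("drive is locked")
	}
	aead := gcmFor(d.mek)
	nonce := randBytes(aead.NonceSize())
	d.sectors[n] = append(nonce, aead.Seal(nil, nonce, plain, nil)...)
	return nil
}

// ReadSector decrypts a sector; while locked only the ciphertext exists.
func (d *Drive) ReadSector(n uint64) ([]byte, error) {
	if d.mek == nil {
		return nil, errors.New("drive is locked")
	}
	aead, ct := gcmFor(d.mek), d.sectors[n]
	ns := aead.NonceSize()
	if len(ct) < ns {
		return nil, errors.New("sector never written")
	}
	return aead.Open(nil, ct[:ns], ct[ns:], nil)
}

// RawSector is what someone who pulls the drive and reads the media gets.
func (d *Drive) RawSector(n uint64) []byte { return d.sectors[n] }

func main() {
	d, _ := NewDrive("correct horse battery staple", 256)
	_ = d.WriteSector(0, bytes.Repeat([]byte("top secret "), 47)) // constructed sample data
	d.Lock() // laptop powered down, or drive pulled from the server
	fmt.Println("wrong password:", d.Unlock("hunter2"))
	fmt.Println("right password:", d.Unlock("correct horse battery staple"))
}
```

The point to take from the model is that the password never touches the data directly: it only unwraps the MEK held by the drive, so the strength of the whole scheme rests on that password and on the drive keeping the MEK out of reach while locked, not on the choice between 128- and 256-bit AES.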
quote: One very important factor is that FDE doesn't affect the performance of the hard drive. Writing data to an encrypted drive is as fast as writing data to a non-encrypted drive.
quote: However, in this case, I think the benefits of encryption far outweigh performance drops. In general, write speeds do impact performance marginally, but compared to graphics cards and processors, HDDs are seldom the bottleneck in the system.
quote: PC HDDs are of course faster, as are ones in server setups, so losses are smaller and less of a concern.
quote: What? I have never seen anything shy of 32- or 64-bit real-time encryption with speeds anywhere close to non-encrypted speeds... especially with 128- and 256-bit encryption schemes, there is ALWAYS some performance reduction, and many times the impact is over 30%.
quote: No real need for it to use a microcontroller, it'd probably be pure hardware.