backtop


Print 37 comment(s) - last by Jack Ripoff.. on Feb 6 at 9:35 AM

And so they forged the encryption of power, one encryption to rule them all

With reports of sensitive and, at times, top-secret information being lost on the hard drives of notebook computers, keeping data safe is one of the most important things for business and consumers today. One problem is that hard drive makers often used their own encryption format, which made things confusing for the consumer.

ComputerWorld reports that hard drive makers have now agreed to use the same encryption method for full-disk encryption (FDE) that can be used across all brands of hard drives and SSDs. When FDE is enabled, the computer requires a password before it will boot and all data on the drive is encrypted.

The final specifications for the encryption standard were published this week by the Trusted Computing Group (TCG) and cover specs for FDE in notebooks, desktop and server applications. Robert Thibadeau from Seagate said, "This represents interoperability commitments from every disk drive maker on the planet. We're protecting data at rest. When a USB drive is unplugged, or when a laptop is powered down, or when an administrator pulls a drive from a server, it can't be brought back up and read without first giving a cryptographically-strong password. If you don't have that, it's a brick. You can't even sell it on eBay."

Settling on one single encryption standard will allow all drive makers to build security into all products, which will lower the cost of production and make it easier for user to secure the data on their computers.

This is big news for enterprise environments where a standard encryption protocol means less configuration and less hassle during installation along with less management down the road. The specifications allow encryption to be set by administrators and can’t be turned off by end-users.

One very important factor is that modern FDE has come a long way and now only marginally effects read-write speeds of hard drives. Writing data to an encrypted drive is almost as fast as writing data to a non-encrypted drive. The companies that are members of the TCG include Fujitsu, Hitachi GST, Seagate Technology, Samsung, Toshiba, Western Digital, Wave Systems, LSI Corp., ULink Technology, and IBM.

Analyst Jon Oltsik from Enterprise Strategy Group said, "In five years time, you can imagine any drive coming off the production line will be encrypted, and there will be virtually no cost for it."

The three specifications for FDE includes the Opal spec for outlining minimum requirements for a storage device in a PC or laptop. The Enterprise Security Subsystem Class Specification is aimed at drives in data centers where minimum security configuration is needed during install. The final spec is the Storage Interface Interactions Specification, which details how the specifications interact with other standards for storage interface.

The specification supports PATA and SATA, SCSI SAS, Fibre Channel, and ATAPI. The three larger members of the group -- Seagate, Fujitsu, and Hitachi -- are already producing drives that support the standard. The specifications call for vendors to choose to use either AES 128-bit or AES 256-bit keys depending on the level of security wanted. The group points out that neither of these standards has been broken.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

RE: speeds
By Oregonian2 on 1/29/2009 10:42:29 AM , Rating: 2
Why should hardware based real-time encryption in the drives slow down drive performance at all (which certainly is what they are doing, else the hard drive makers themselves would not have to be involved).

It's just adding a "streaming" encryption/decryption unit to the controller IC with means of programming in the key. The hardware involved isn't all that difficult or even all that much circuitry in modern terms. The only thing that needs to be standardized (what they've done) is the means to control the mechanism (putting in the key, for instance) -- how it is done internally doesn't otherwise matter.


RE: speeds
By ninus3d on 1/29/2009 10:50:33 AM , Rating: 2
If that is the case, isnt a little circuitry changes all that would be needed to work around the security?
Or, if you meant that this would "randomize" the data on the drive and would need to decrypt it with the actual circuit intact then this would atleast require some calculation and this would cause further strain on the maximum performance a HDD otherwise could give.


RE: speeds
By TomZ on 1/29/2009 10:58:35 AM , Rating: 2
Huh? Think of it this way. Unecrypted data comes into the microcontroller/chip via SATA. The chip encrypts the data (on-chip), then writes encrypted data to the platters.

The point really is that the microcontroller performs the encryption/description via hardware (fast) instead of by software (slow).


RE: speeds
By Oregonian2 on 1/29/2009 11:51:56 AM , Rating: 3
It just means that the (probably) same key needs to be programmed in for the reading (at boot time) that was there when the disk was writing that data. Once the password derived key is programmed into the drive, the drive will act like normal unencrypted ones -- but until that time, it'd be useless.

Encryption hardware would not have to "stop data and calculate", it's a pile of flops in a pipelined pile of circuitry (I'm a hardware engineer of over thirty years experience -- I've designed FPGA/ASIC stuff using synthesis languages (like Verilog or VHDL) where 100% of everything is real time because it's hardware, not software).

Think of having a black box that takes data in and out at the same "full speed" rate, but with only a latency delay that's utterly insignificant compared to other delays in the system.


RE: speeds
By PrinceGaz on 1/29/2009 11:56:56 PM , Rating: 2
Exactly. I expect these drives, together with suitably aware BIOS or EFI, will prompt the user for the HD password on bootup so that it can read it (there might be the option for the password to be stored by the mobo for future bootups, though that obviously compromises security but for most users would be preferable).

In terms of speed, drives with this encryption would be as fast as non-encrypted drives. The overhead imposed by hardware encryption is negligible compared with the access times of magnetic hard-drives.

So long as the extra hardware involved isn't too expensive (it should be fairly trivial) and the encryption is optional, it's hard to find a downside except perhaps that should data need to be recovered from a drive which has failed, it could be more difficult.


"You can bet that Sony built a long-term business plan about being successful in Japan and that business plan is crumbling." -- Peter Moore, 24 hours before his Microsoft resignation

Related Articles













botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki