We live in an age where data must be secure. Even when the threat of malicious access to data is non-existent or minimal we must do our best to guarantee the security of data for compliance reasons.
One of the simplest ways to do this is by using self-encrypting drives, a hardware, on-disk form of encryption available from all the storage array makers.
Data lives on storage media, and for the largest part of its existence on spinning disk and flash.
Access to these has to be secured, in the datacentre, when removed from the array, and at the end of life when disposed of. In other words, when data is at rest.
Self-encrypting drives carry encryption hardware, which has a data encryption key built in during manufacturing. When drives ship, this key is set as unlocked by an authentication key and data can be read by any device.
Encryption on the drive is activated by the customer changing the factory authentication key to a private one, with that key held on a key management server.
Subsequently, this key is applied during boot-up and encrypts data on the drive all the time it is running. However, when drives are inactive they are fully protected and can’t be run on another machine (excepting the malicious circumstances described below).
More on compliance and storage
- GDPR puts tough requirements on organisations that store “personally identifiable data”. We look at what is needed to achieve compliance.
- The General Data Protection Regulation is upon us. Mathieu Gorge, CEO of Vigitrust, talks you through the key areas needed for compliance in storage of data subjects’ data and how to find it quickly on request.
There is no performance impact because drive unlocking occurs at start-up. The key encryption standard used is the Trusted Computing Group’s Enterprise standard (TCG-E), and for consumer hardware, such as laptops, the TCG’s Opal 2. TCG standards employ Advanced Encryption Standard (AES) 256-bit encryption.
TCG-E compatiblity is available in SAS and SATA drives, which can be spinning disk or flash, while it appears that NVMe flash drives are currently TCG Opal-only.
It should be noted that self-encrypting disks address a limited set of threats. They don’t protect the data while the server or array is running, only when it is down or removed. If there is a threat to self-encrypting drives it is from malicious insiders.
That said, self-encrypting drives do deal with basic compliance requirements. But, they are vulnerable to a number of types of attacks, according to this report at Blackhat.com.
These include various methods by which attackers either physically access the drive or force a restart and to give up its data to another OS on the attacker’s machine, or gain the authentication key.
But, as mentioned above, for any of these vulnerabilities to come about, an attacker needs physical access to the drives. Sometimes, use of self-encrypting drives is known as full disk encryption. If it simply refers to the use of self-encrypting disks then it is sometimes known as hardware full disk encryption.
There is also software full disk encryption that in which an encryption application protects data. This has to be authenticated by the user, and has a performance overhead. It is often used with laptops and can be managed from a central console in an enterprise scenario.