How Do Self-Encrypting Drives Work?


Self-encrypting drives perform the encryption in hardware, automatically.  Each drive has its own encryption key, called the data encryption key (DEK), that is used to encrypt the data.  The DEK is never accessible: there are ways to change it, but no way to read it out of the drive.  A SCSI write is sent to the drive (with data, obviously).  The drive encrypts that data with the DEK and stores the ciphertext.  When data is read via a SCSI read, the drive decrypts it with the DEK, and plaintext leaves the drive.


If you leave the drive as-is, your data is not protected.  You can take the drive out of the system and plug it in somewhere else.  While it's true that your data is encrypted on the platter, the drive still holds the DEK and uses it for anyone: power the drive up and it decrypts and serves the data.

So ... what do these drives really do?

While the DEK cannot be accessed, there's another "key" that lives outside the drive, called an Authentication Key (AK).  The AK is used to protect the DEK.  The details vary between drive manufacturers, but fundamentally think of it as the AK encrypting (wrapping) the DEK: the drive stores only the wrapped DEK and needs the AK to recover it.

Once an AK is set for a drive, that drive will not allow any SCSI reads or writes after power-up until it has been given the AK.

With the AK set, your data at rest is protected.  One caveat follows directly from how the lock works: it engages on power-up, so an unlocked drive keeps serving plaintext to anyone who can issue SCSI commands to it until it actually loses power.


I used quotation marks around "key" because the AK can be just a passphrase.

Here are the remaining highlights:
  1. The AK can be set without affecting the data already written on the drive; only the DEK gets wrapped, the data is never re-encrypted.
  2. The AK should be stored in a key manager.  (You're going to need it at every boot.)
  3. You can change the DEK on a drive, but doing so destroys all the data on that drive.  This is what a cryptographic erase is: the ciphertext may still be on the platter, but nothing can decrypt it any more.
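
The key hierarchy described above, as an added example that is not from the original post: a toy SED model in Go in which the DEK encrypts user data, the AK wraps the DEK, a power cycle locks a drive that has an AK set, and replacing the DEK destroys everything written under the old one.  Everything in it is an assumption for illustration only: AES-256-GCM for both the data and the DEK wrapping, unsalted SHA-256 standing in for a real password KDF, and all of the type and method names.  No vendor's firmware works exactly like this.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrLocked = errors.New("drive locked: no AK presented since power-up")

// must panics on errors that cannot occur with 32-byte keys and a working crypto/rand.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal/open are AES-256-GCM (nonce || ciphertext || tag). The same primitive encrypts
// user data under the DEK and wraps the DEK under the AK.
func seal(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, sealed []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	}
	return nil, errors.New("nothing stored at that LBA")
}

// deriveAK hashes the passphrase into a 256-bit AK. Plain SHA-256 is an assumed
// stand-in for a real salted, slow password KDF; it is not what any vendor does.
func deriveAK(passphrase string) []byte {
	ak := sha256.Sum256([]byte(passphrase))
	return ak[:]
}

// Drive is a toy SED. dek and ak are session state, nil while locked; the rest persists.
type Drive struct {
	dekStore []byte         // plaintext DEK until SetAK, then the AK-wrapped DEK
	akSet    bool
	blocks   map[int][]byte // ciphertext per LBA
	dek, ak  []byte
}

func NewDrive() *Drive {
	dek := randBytes(32)
	return &Drive{dekStore: dek, blocks: map[int][]byte{}, dek: dek}
}

// Write/Read are the SCSI path: plaintext in, ciphertext on the platter, plaintext out.
func (d *Drive) Write(lba int, data []byte) error {
	if d.dek == nil {
		return ErrLocked
	}
	d.blocks[lba] = seal(d.dek, data)
	return nil
}

func (d *Drive) Read(lba int) ([]byte, error) {
	if d.dek == nil {
		return nil, ErrLocked
	}
	return open(d.dek, d.blocks[lba]) // also fails if the block was written under an older DEK
}

// SetAK wraps the DEK under the AK; blocks already on the platter are untouched (highlight 1).
func (d *Drive) SetAK(passphrase string) error {
	if d.dek == nil {
		return ErrLocked
	}
	d.ak, d.akSet = deriveAK(passphrase), true
	d.dekStore = seal(d.ak, d.dek)
	return nil
}

// PowerCycle drops session state: locked if an AK is set, wide open (the as-is state) if not.
func (d *Drive) PowerCycle() {
	d.dek, d.ak = nil, nil
	if !d.akSet {
		d.dek = d.dekStore
	}
}

// Unlock presents the AK; a wrong passphrase fails the GCM tag check on the wrapped DEK.
func (d *Drive) Unlock(passphrase string) error {
	ak := deriveAK(passphrase)
	dek, err := open(ak, d.dekStore)
	if err == nil {
		d.dek, d.ak = dek, ak
	}
	return err
}

// CryptoErase replaces the DEK (highlight 3). Old ciphertext stays on the platter but is
// unreadable for good; a real drive returns garbage where this model returns an error.
func (d *Drive) CryptoErase() error {
	if d.dek == nil {
		return ErrLocked
	}
	d.dek = randBytes(32)
	d.dekStore = d.dek
	if d.akSet {
		d.dekStore = seal(d.ak, d.dek)
	}
	return nil
}

func main() {
	d := NewDrive()
	d.Write(0, []byte("payroll.xlsx")) // readable by anyone until an AK is set and power drops
	d.SetAK("correct horse battery staple")
	d.PowerCycle()
	fmt.Println(d.Unlock("hunter2"), d.Unlock("correct horse battery staple")) // auth error, then <nil>
}
```

The point of the model is where the secrets live: `dekStore` is the only copy of the DEK that survives a power cycle, and once `SetAK` has run it is ciphertext under the AK, so a drive pulled from its chassis carries nothing usable without the passphrase.  Note what `CryptoErase` does not do: it does not touch `blocks`, yet every `Read` of the old data now fails, which is exactly why changing the DEK is a destructive operation.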
