
Self-Encrypting Drives
For Data-at-Rest Security

In this paper we discuss what a Self-Encrypting Drive (SED) is and jump under the hood to demystify the inner workings of an SED. Additionally, we touch on why independent evaluations are needed and which ones are applicable to SEDs.
Data destruction - or media sanitization - is a key component of Data Security. Self-Encrypting Drives (SEDs) support Cryptographic Erase, a mechanism that allows for fast and secure data destruction. In this paper we discuss what Cryptographic Erase is, how it works with SEDs, and deployment implications.
There is a lot of buzz around Quantum Computers and how they may affect digital security. In this paper we discuss the standardization process of quantum resistant cryptography, better known as Post-Quantum Cryptography, and its implications for Self-Encrypting Drives.
In this two-page paper we explain how Self-Encrypting Drives (SEDs) are used in NSA's Commercial Solutions for Classified (CSfC). It discusses SEDs, the collaborative Protection Profile for Full Drive Encryption, and the dual-DAR requirements stemming from CSfC's Data-at-Rest Capabilities Package.
Relevant Information
A Self-Encrypting Drive (SED) is a storage device, such as a Solid-State Drive (SSD) or Hard Disk Drive (HDD), equipped with integrated security features. At its core, an SED comprises data storage media, a controller chip for device management, and a dedicated security subsystem.
At a high level, a SED consists of:
- Large amounts of non-volatile memory media;
- A controller that runs a dedicated real-time operating system;
- A security subsystem consisting of both hardware and firmware.
It offers two methods for maintaining user data confidentiality:
- Instant Secure Erase for data destruction. Also known as Crypto Erase, it involves permanently deleting the cryptographic keys used to encrypt data stored on the media. Once the keys are erased, the original data (plaintext) becomes unrecoverable as the encrypted data (ciphertext) cannot be decrypted without the valid keys.
- Authentication and authorization for data access. Access control on an SED is enforced at the device level, requiring the user or system to authenticate. Successful authentication and authorization grant data access until the next device power cycle or until a manual lock instruction is issued. Without proper authorization, the SED will block all read and write requests.
The security of a SED hinges on a correct implementation of an approved confidentiality algorithm and high-quality encryption keys. Most modern SEDs employ the NIST-approved Advanced Encryption Standard (AES) algorithm with a robust 256-bit key length and a NIST-approved confidentiality mode, such as XTS-AES. High-entropy encryption keys are paramount for both data encryption and the protection of other sensitive data and keys stored within the device.
All user data traversing the SED interface is automatically encrypted or decrypted by the FDE engine using a unique Data Encryption Key (DEK). DEKs are generated within the SED and never leave the device. To ensure the DEK remains confidential, it is encrypted using a Key Encryption Key (KEK) and an approved key wrapping algorithm. This prevents the exposure of the cleartext DEK within the device's memory until it's required by the FDE engine.
The FDE engine requires access to the KEK to decrypt the DEK and perform its encryption/decryption functions. While implementation methods vary, most architectures utilize a device-unique KEK, often referred to as the master key or root key, that is exclusively accessible by the FDE engine. This device-unique KEK safeguards the confidentiality of the DEK outside the FDE engine.
An additional security layer is provided by the Authentication Key (AK), an access control credential managed outside the device. The AK authenticates the user, controlling data access, initiating crypto erase, and managing access control policies. AKs, typically passphrases up to 32 bytes in length, are established during device provisioning and can be derived from multiple authentication factors. Crucially, the AK is never stored on the device, preventing offline attacks aimed at recovering it directly. Instead, the AK is used to derive an intermediate key, which is employed to protect the DEK. To read data from or write data to the SED, the device internally unwraps the key hierarchy to obtain the cleartext DEK.
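The AK-to-DEK hierarchy and crypto erase described above, modelled as an added example (not code from the original page or from any SED vendor). Assumptions: PBKDF2 derives the intermediate key, an HMAC-SHA256 construction stands in for an approved key-wrap algorithm, the device-unique KEK layer is omitted, and the names `ModelSED`, `wrap`, `unwrap` and `demo` are hypothetical.

```python
import hashlib, hmac, secrets

def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()

def wrap(kek: bytes, dek: bytes) -> bytes:  # stand-in for an approved key wrap
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(dek, _prf(kek, b"enc", nonce)))
    return nonce + ct + _prf(kek, b"mac", nonce + ct)

def unwrap(kek: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _prf(kek, b"mac", nonce + ct)):
        return None  # wrong key: no DEK is released
    return bytes(a ^ b for a, b in zip(ct, _prf(kek, b"enc", nonce)))

class ModelSED:
    """Toy device: persists only a salt and the wrapped DEK, never the AK."""
    def __init__(self, ak: bytes):
        self.salt = secrets.token_bytes(16)
        self.dek = None  # cleartext DEK exists only while unlocked
        self.wrapped_dek = wrap(self._intermediate(ak), secrets.token_bytes(32))

    def _intermediate(self, ak: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", ak, self.salt, 100_000)

    def unlock(self, ak: bytes) -> bool:
        self.dek = unwrap(self._intermediate(ak), self.wrapped_dek)
        return self.dek is not None

    def lock(self) -> None:  # power cycle or manual lock instruction
        self.dek = None

    def crypto_erase(self, ak: bytes) -> None:
        if not self.unlock(ak):
            raise PermissionError("crypto erase requires a valid AK")
        # The old DEK is discarded; a fresh one keeps the drive usable.
        self.wrapped_dek = wrap(self._intermediate(ak), secrets.token_bytes(32))
        self.lock()

def demo() -> dict:
    ak = b"constructed sample passphrase"  # constructed AK, at most 32 bytes
    sed = ModelSED(ak)
    wrong = sed.unlock(b"wrong passphrase")
    sed.unlock(ak)
    before = sed.dek
    sed.crypto_erase(ak)
    sed.unlock(ak)
    return {"wrong_ak_unlocks": wrong, "dek_replaced": before != sed.dek}
```

After `crypto_erase`, the correct AK still unlocks the device, but only to a new DEK, so ciphertext written under the old DEK can no longer be decrypted.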
In addition to encryption keys and AKs used to protect DEK, SEDs utilize various credentials to safeguard other critical device functionalities. The specific types and number of credentials vary across different SED manufacturers. Proper management of these credentials by all parties involved - the device, the manufacturer, and the end-user - is crucial for the secure and reliable deployment of SEDs.
A last critical aspect of SED data security concerns firmware integrity; malicious firmware can compromise stored keys and user data by circumventing the SED's security mechanisms. To mitigate this risk, SEDs implement firmware validation procedures. During device boot and firmware updates, the SED verifies the digital signature of the firmware, ensuring its authenticity. This important security mechanism requires the manufacturer to electronically sign the firmware, safeguarding the device from threats stemming from compromised firmware.
In summary: Self-Encrypting Drives (SEDs) automatically encrypt all data written to them and decrypt all data read from them. The encryption occurs seamlessly without user intervention. Additionally, SEDs incorporate a locking mechanism to control access to all data stored on the device.