Introduction about SED (Self Encryption Drives)
What is SED (Self-Encrypting Drives): SED Operation Guide 1.4
Encryption controller (ASIC) & Encryption Key are both embedded on hard drive itself. SED encryption is automatic and transparent without performance degradation. An encryption key is generated randomly from factory by each SED.
SED Advantage ( MaxSure - Date Care Feature )
- Reduced Cost via Standardized Technology
- Reduced control headaches and disposal costs
- Optimum Storage Efficiency
- Reduced Re-Encryption
- Superior Security
How SED works?
- SED automatically performs full disk encryption when a Write is performed by using the embedded encryption key before the data is written to the disk. When a Read is performed, the encrypted data is decrypted before leaving the drives.
- When the new SED is acquired, the embedded encryption key is in clear text form, until the user evokes the authentication key. The SED will still encrypt – decrypt all write or read data on the disk if the authentication key is not evoked, but anyone can also write and read the clear text data on the disk.
- There are two major functions for SED: “ Secure Erase” and “Auto Lock”.
Instant Secure Erase
- The owner just simply begins using SED in normal operation; eliminate the need to manage the authentication key. When owner decides to repurpose or dispose the drives, simply perform the“Instant Secure Erase”, which would implement a“key erase”to replace the existing encryption key with a new encryption key which generated randomly within the drives.
- All the data that had been written with the previous key are garbled when decrypted with the new encryption key. The drives would leave as the original factory default SED, ready for the owner to use it as a “Secure Erase only”mode or in “Auto Lock”mode as new ones.
Benefit of using “Instant Secure Erase”
- Eliminating the need to overwrite or destroy data.
- Securing warrant and expired lease return
- Enabling drives to be repurposed securely.
- However data are not secured while drives are stolen.
Authentication manage of SED in “auto-lock” mode
- Evoke authentication key by outer source (F/W or application)
- Decrypt (unlock) the encrypted encryption key, clear encryption key and encrypts or decrypt the dat
- When Authentication is completed during powered on, encryption is fully transparent to the storage system and performs its traditional functions normally.
- The drive’s data encryption key would be “auto-locked” whenever the drive is powered down or disconnected.
- When system is powered on again, the SED requires an authentication key before being able to unlock its encryption key and read any data on the drive.
- If the authentication is matched, the drive would be unlocked and use the authentication from storage system to decrypt a copy of the encryption key stored in the specific area of the disk.
- Once the authentication process is completed, the drive is unlocked until the next power down.
- The authentication process only required on first power on, would not repeat with each read and write.
- The clear-text encryption key is used to encrypt-decrypt the data write and read from the disk.
- Drives would work in standard fashion during data transfer, and the encryption and decryption would transparently work on the background.
When and How to use SED?
- SED is good for securing data resident in disks while drives leave the owner’s control, preventing data been accessed while drives are retired, stolen, return for warranty or repurposed.
- SED would not secure data in transit or preventing data been hacked by outer attack while systems are on, or unauthorized access if systems are stolen or return for repair. Enterprise would apply different encryption or security policy to protect data from above threatens.
- It would be highly recommended to use Arena RAID solutions incorporate with SED in following manners:
- To Use “Instant Erase” for newly acquired HDDs to replace the factory default encryption keys.
- Evoke “Auto Lock” function by using the “SED Key” management
- Conduct “Instant Erase” again if HDDs are retired, disposed, repurposed or returned for warranty, but before that be sure to backup the data which still need to be maintained.