The Rise of Self-Encrypting Hard Disk Drives

By Mathew Schwartz

What’s the best way to secure sensitive or regulated personal information on PCs? Simple: encrypt the data. Except historically, neither of the leading approaches to encryption was simple. File/folder encryption required user participation (unreliable) and whole-disk encryption software often made Windows crawl (unpopular).

About two years ago, however, payroll software developer AdaptaSoft Inc., based in Francesville, Ind., began testing a new approach: self-encrypting hard disk drives. Today, the company has about 20 Seagate self-encrypting drives (SEDs) in Dell latitude laptops, managed with Embassy Trusted Drive Manager from Wave Systems, plus a custom-built server with SEDs, managed with LSI SafeStore Encryption Services.

Unlike software-based whole disk encryption, SEDs reduce latency to mere nanoseconds. Furthermore, users can’t route around them. But are SEDs easy and cost-effective enough for enterprise use?

Rating Self-Encrypting Drives

At Adaptasoft, “my experience has been very positive,” says David Virkler, development project manager for the IT team. He sees ‘”no performance hit, which is incredible.” Are the drives a worthwhile investment? “There is very little cost difference-both upfront and ongoing,” he notes.

For administering the drives, larger organizations will want to add a third-party management console from the likes of CryptoMill, GuardianEdge (also bundled with Symantec), McAfee, Wave or WinMagic. But “for the company running two or three computers, there is a [bundled] management solution on each computer as well,” he notes.

Hardware-Based Encryption

Here’s how the drives work: After booting, when the BIOS attempts to read the master boot record (MBR), the drive gets redirected to a shadow MBR – typically, a Linux or MS-DOS kerne – and the user or administrator must authenticate against an encrypted key hiding on the drive. If successful, the drive unlocks, boots the original MBR and passes information in clear text until powered down.

“One of the beauties of the SED is that once you authenticate, the encryption is transparent to the system,” as well as to the user, says Mike James, director of system-on-chip development for Toshiba America Information Systems in Irvine, Calif., and a member of the Trusted Computing Group’s Storage Work Group. Indeed, the latency for encryption and decryption is mere nanoseconds (billionths of a second).

As with any type of full-disk encryption, however, once the drive unlocks, anyone with physical access to the drive could potentially access what it stores. If that is a concern, experts recommend complementing an SED with file/folder encryption.

Early Adopter’s Assessment

Despite offering faster, automatic encryption for data at rest, how can SEDs improve? Going forward, Virkler would like a single management console that handles both laptops and servers: “I’m hoping that Wave and LSI can hook up so that I have one interface to manage all of my encrypted drives across the organization.”

He also wants more stable driver installation, deployment and management with Wave: “Things get really hairy in a hurry if any drivers get messed up on a laptop,” and he has logged many hours of related troubleshooting. Finally, he would like to see the drives work better with Windows hibernation and standby modes, which currently must be limited or disabled.

Opal Specification

Another potential hassle, at least until recently, is that different SEDs worked differently. Last year, however, the Trusted Computing Group released Opal, a specification for SEDs. Today, many drive manufacturers – including Seagate, Toshiba and Western Digital – either sell or are developing Opal-compliant hard drives (flash included), which should soon make it easier for IT managers to administer any make, model or quantity of drives, via a single console.

The Self-Encrypting Drive Question

So, are SEDs ready for widespread business use? According to Virkler, “I recommend encrypted drives to all my clients and pretty much anyone that I get in a security-related discussion with.” For any organization that stores sensitive information, then, perhaps the better question is: Can you afford to not use self-encrypting drives?

Mathew Schwartz is a business and technology writer from Pennsylvania