Self Encrypting Drives

Technical white paper
Self Encrypting Drives
Overview
Table of contents
What is a Self Encrypting Drive (SED)?
Provisioning and Locking an SED
    ATA Drive Lock (HP BIOS)
    SED Management Software
AHCI and RAID Technology
    AHCI (Advanced Host Controller Interface)
    RAID (Redundant Array of Independent Disks)
    RAID + AHCI
SATA SED and Software Limitations
Implications of switching SATA Modes
    AHCI Driver
    RAID Arrays
Supported Configurations of SED in HP Workstations
Frequently Asked Questions
Overview of Self Encrypting Drives
What is a Self Encrypting Drive (SED)?
A Self Encrypting drive is a hard disk or a solid state drive that provides hardware-based data encryption. All data that is
committed to the media is encrypted with either a 128-bit or 256-bit key. Because all encryption is handled in hardware,
there is a great performance benefit to using SED over software based encryption. When using software based encryption,
all of the data written and read from the drive must be encrypted and decrypted by the system processor. This extra
processing work can lead to noticeable performance degradation. With hardware encryption using an SED, there is not a
noticeable change in performance.
All SED devices have the ability to create a Data Encryption Key (DEK). The DEK is used to encrypt all of the data on the drive
when written, and to decrypt the data when read. The DEK is generated by the drive, and is stored in an encrypted format in
multiple locations on the drive itself. By default the SED device is unlocked, and the DEK is used to encrypt and decrypt
writes and reads to the media. It is not until the drive is provisioned and locked that the data is fully secured. Provisioning a
drive entails creating an Authentication Key (AK) that is used in conjunction with the DEK to read and write data to the SED.
Another benefit of using an SED is that the device can be securely erased in a matter of seconds, as opposed to several hours
using traditional drive wipe methods. The SED can be instructed to change the DEK, rendering all data on the drive
destroyed. The data remains on the media in encrypted form, but it can no longer be accessed.
All SED devices sold by HP comply with the OPAL specification. The Trusted Computing Group created the OPAL
specification. More information on the OPAL specification can be found on the Trusted Computing Group website:
trustedcomputinggroup.org
Provisioning and Locking an SED
As stated above, in order to fully secure the data on an SED, the drive must be at a minimum locked, and should be properly
provisioned. Provisioning an SED requires SED management software. The management software guides the user through
creating an Authentication Key (AK). The AK is used at power on to decrypt the DEK. If the correct AK is not provided, the
drive remains in a locked state. Only after decrypting the DEK can data be written to or read from the SED. This provides
what is called “data at rest” security. The information on the media is always encrypted.
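The DEK/AK relationship described above can be modelled in a few lines. This is an added example, not HP or TCG OPAL code: the ModelSED class, the PBKDF2 derivation, the HMAC check value and the SHA-256 keystream (standing in for the drive's hardware AES) are all assumptions chosen so the model runs with the Python standard library alone.

```python
# Added model of the DEK/AK relationship; not HP or TCG OPAL code.
# Assumptions: PBKDF2 key derivation, an HMAC check value, and a SHA-256
# keystream standing in for the drive's hardware AES engine.
import hashlib, hmac, os

def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class ModelSED:
    def __init__(self):
        self.dek = os.urandom(32)   # generated by the drive, usable by default
        self.wrapped_dek = self.salt = self.check = None
        self.media = b""            # what is physically stored on the media

    def _kek(self, ak: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", ak.encode(), self.salt, 10_000)

    def provision(self, ak: str) -> None:
        """Create the AK: from now on the DEK is kept only in wrapped form."""
        self.salt = os.urandom(16)
        kek = self._kek(ak)
        self.wrapped_dek = _xor_stream(kek, self.dek)
        self.check = hmac.new(kek, self.wrapped_dek, "sha256").digest()
        self.dek = None             # power-off state: locked

    def unlock(self, ak: str) -> bool:
        kek = self._kek(ak)
        tag = hmac.new(kek, self.wrapped_dek, "sha256").digest()
        if not hmac.compare_digest(tag, self.check):
            return False            # wrong AK: DEK is never recovered
        self.dek = _xor_stream(kek, self.wrapped_dek)
        return True

    def write(self, data: bytes) -> None:
        self.media = _xor_stream(self.dek, data)

    def read(self) -> bytes:
        if self.dek is None:
            raise PermissionError("drive is locked")
        return _xor_stream(self.dek, self.media)

    def crypto_erase(self) -> None:
        """Secure erase: replace the DEK; old ciphertext stays but is useless."""
        self.dek = os.urandom(32)
```

In this model an unprovisioned drive still holds a usable DEK, which is why encryption alone does not secure the data until an AK exists, and two drives provisioned with the same AK end up with different wrapped DEKs.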
ATA Drive Lock (HP BIOS)
Drive Lock is a part of the ATA standard, and restricts access to the SED unless the correct password is entered during POST
to unlock the drive. Using ATA Drive Lock doesn’t require any additional software. In addition, when using ATA Drive Lock, an
AK is not created on the SED. This means that the DEK is not encrypted, and is considered less secure. If possible, the drive
should be properly provisioned as described in the next section.
The specific procedure to enable ATA Drive Lock can be found in the Workstations Maintenance and Service Guide. This guide
can be found for all platforms at the HP Workstations Business Support Center website: hp.com/go/workstationsupport
SED Management Software
SED Management software helps with the administration of SED in your specific environment. These tools offer features like
security compliance, data protection policies, reporting, data recovery, and an interface which simplifies management. HP
offers an SED management software solution as a part of HP ProtectTools.
There are also many third party software packages available for SED management. Available management features vary by
manufacturer. A list of TCG OPAL approved vendors can be found on the Trusted Computing Group website:
trustedcomputinggroup.org
AHCI and RAID Technology
AHCI (Advanced Host Controller Interface)
AHCI is a technical standard developed by Intel for the hardware mechanism that allows software to communicate with
SATA (Serial ATA) devices. It is enumerated as a PCI device and transfers data between system memory and SATA devices.
AHCI provides many benefits over the legacy IDE (Integrated Drive Electronics) hard drive interface. Some of the benefits
include:
• Elimination of master/slave handling.
• Native Command Queuing (NCQ) that allows a SATA device to internally optimize the order of command execution
  for increased performance.
• Hot-plugging which provides the ability to insert a SATA device into a running system and have the operating
  system recognize the device. This is necessary when using eSATA (external SATA) drives that can be plugged into
  the host computer while the system is running.
• TRIM support for SSDs which keeps track of files that have been deleted but not erased on the drive. This helps
  extend the life of the SSD by preventing unnecessary writes.
RAID (Redundant Array of Independent Disks)
RAID provides a method of combining multiple disks into a single logical volume to increase performance or create data
redundancy. There are various levels of RAID configuration that can be implemented depending on the user’s need for
performance and redundancy.
Typical RAID configurations are:
RAID0 – Creates a single volume that has data striped across 2 or more drives. The size of the volume is based on the size of
the smallest capacity drive times the number of drives in the RAID0 configuration. RAID0 is typically used to improve
performance or create a larger volume from smaller drives. There is no data redundancy or parity in a RAID0
configuration.
RAID1 – Creates a single volume that is a mirror image of two physical drives. The size of the mirror is limited by the
smallest drive used in the RAID1 configuration. This configuration provides data redundancy protection against a single
drive failure, but does not use parity, and does not improve performance.
RAID5 – Creates a single volume of striped data across 3 or more drives and distributes parity information across all
member disks. This configuration is primarily used where low cost redundancy is desired.
RAID10 – Creates a single volume from 4 drives by first mirroring 2 drives for redundancy, then striping the mirrors for
performance. The size of the volume is approximately twice the size of the smallest disk drive in the array.
RAID + AHCI
RAID+AHCI provides all of the benefits of AHCI with the added flexibility of RAID for configurations needing performance or
data redundancy. Even if you don’t use RAID today, setting the SATA mode to RAID+AHCI makes your system RAID ready for
the future. RAID+AHCI is the preferred SATA emulation mode and default setting in HP Workstation BIOS.
SATA SED and Software Limitations
SEDs require AHCI mode. Most key management software does not work when controllers are in RAID mode as the SED
capability is obfuscated from these tools. Software applications may disable management of SEDs if the software detects
that the SED is attached to a RAID controller.
On HP systems, AHCI mode can be set in BIOS under Storage Options -> SATA Mode. There are three modes available.
• RAID+AHCI (Default with greatest flexibility for most users)
• AHCI (Required when using SEDs)
• IDE (Legacy mode not recommended for most users)
On the HP Z220 Workstation, the SED can be attached to any of the available AHCI controller ports.
On the HP Z420 and HP Z620 Workstations, the SED must be attached to the AHCI controller. The SCU controller is identified
as a RAID controller and cannot be used in conjunction with SEDs when the self-encrypting feature is desired. If a SED is
attached to the SCU, it will function as a standard SATA drive and will not utilize the self-encryption capability. Some SED
management software will gray out or not display options to enable Self Encryption when the SED is connected to a RAID
controller.
On HP Z820 Workstations, the SED must be attached to the AHCI controller. The SCU and SAS controllers are both identified
as RAID controllers and cannot be used in conjunction with SEDs when the self-encrypting feature is desired. If a SED is
attached to the SCU or SAS controllers, the drive will function as a standard SATA drive and will not utilize the
self-encryption capability. Some SED management software will gray out or not display options to enable Self Encryption when
the SED is connected to a RAID controller.
Implications of switching SATA Modes
CAUTION: Changing modes after the OS is installed is not advised. Changing modes may cause RAID arrays to become
corrupt and unrecoverable. Be sure to back up your data before making any changes to the SATA mode.
AHCI Driver
An AHCI driver is required for AHCI support. If an AHCI driver is not installed, you may encounter a blue screen error when
booting the system after switching the SATA mode to AHCI. HP workstations configured at the factory will have AHCI drivers
preinstalled. If you are creating a new OS disk, download the latest storage driver SoftPaqs for your system from hp.com. If
you have an existing OS disk on the AHCI controller and are unsure if you have AHCI drivers, download the latest Intel
storage driver SoftPaqs from hp.com and use the executable install utility to install the drivers before switching modes.
RAID Arrays
• RAID arrays on the SCU will be unaffected by switching SATA modes from RAID+AHCI to AHCI or from AHCI to
  RAID+AHCI. (Applies to HP Z420, HP Z620 and HP Z820)
• RAID arrays on the LSI SAS controller will be unaffected by switching SATA modes from RAID+AHCI to AHCI or from
  AHCI to RAID+AHCI. (Applies to HP Z820 only)
• The OS or data from RAID arrays on the AHCI controller should be migrated to another controller or a single non-RAID
  disk before changing SATA modes. (Applies to HP Z220, HP Z420, HP Z620 and HP Z820)
SED Setup and Boot Process
During the provisioning process of the SED, the following occurs:
• Password (AK) is established.
• Shadow Master Boot Record created on SED.
    o This allows the use of a pre-boot OS to allow the entering of the password (AK) to unlock the
      drive, enabling access to the data stored on the device.
After completing the setup process for the SED, the boot flow of the Workstation is as follows:
• System BIOS attempts to read Master Boot Record of the SED.
• System BIOS is redirected and loads the pre-boot OS.
• The user authenticates by entering the password defined during the setup process.
• If authentication is successful, the pre-boot OS passes control to the original MBR and the OS on the SED loads.
• If authentication is not successful, the machine is unable to boot.
Supported Configurations of SED in HP Workstations
SED devices can be configured as both boot and data devices within HP workstations. Multiple SED can be provisioned within
one HP workstation as standalone drives. As the DEK for each drive is unique, the DEK and AK hash will be unique for each
drive, despite using the same AK for multiple SED devices.
Configurations not supported in HP Workstations:
• RAID configurations with SED devices are not allowed.
• Flash Cache SSD modules used with the Intel® SRT software are not supported with the use of an SED HDD. The
  Intel® SRT software requires that the cache module and the HDD be configured in a RAID array, thus it cannot
  support an SED device.
Frequently Asked Questions
• I just bought an After Market Option SED, how can I move my boot image over to the new drive?
  - To move your boot image to the new drive, you can use one of many available 3rd party imaging utilities. HP
    does not recommend any utility over another. Another way to make the new SED your boot drive would be to
    back up all of your data, install an operating system on your SED, and then recover your backed-up data to the
    SED.
• What is the correct BIOS setting for my SED?
  - There is one BIOS setting that is important to ensure proper recognition of your SED: you must change the SATA
    emulation mode to AHCI. Most of the 3rd party key management software packages will not correctly recognize
    the SED if SATA emulation is set to RAID or RAID+AHCI.
• How do I set up an SED as a data drive?
  - After installing your SED, you would use the key management software to provision the SED, much like you
    would if the SED was your boot drive.
• Can I have more than one data drive as an SED?
  - This depends on the key management software that is being used to provision the SED. Contact the
    manufacturer of the key management software for further details.
• Can I RAID my SEDs?
  - You cannot use RAID on SEDs and still retain the ability to provision/lock the SEDs.
• Can I use a boot SED and a data SED? Can they use the same key?
  - This depends on the key management software that is being used to provision the SED. Contact the
    manufacturer of the key management software for further details.
• How do I update the firmware on my SED?
  - Firmware updates on SED are similar to firmware updates on non-SED storage devices. As with all firmware
    updates on storage devices, there is the possibility of data loss. Be sure to back up data stored on the drive prior
    to performing the firmware update.
• I reset my BIOS to factory defaults and now I’m having problems. What can I do?
  - For HP desktop workstations, the default SATA emulation mode is RAID+AHCI. This will have to be changed back
    to AHCI mode to ensure proper recognition and management of the SED.
Additional Resources
hp.com/go/whitepapers
Solutions Guide for Data-At-Rest in PDF
Found at Trusted Computing Group website
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for
HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as
constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Intel is a trademark or registered trademark of Intel Corporation or its subsidiaries in the U.S. and other countries.
4AA4-4992ENW, April 2013