Last month, I wrote about a disk encryption vulnerability in "Keep Your Encrypted Data Encrypted." This month, more disk encryption news—of a more positive sort. Seagate Technology will soon announce what it calls a self-encrypting full-disk encryption (FDE) hard drive for the data center. Seagate says its self-encrypting disks are not vulnerable to the cold-boot vulnerability because the encryption key isn't stored in memory—it's stored on the disk itself.
Seagate has made a string of announcements about its line of self-encrypting disks over the last year. In July 2007, Seagate said that the National Institute of Standards and Technology (NIST) had certified the Advanced Encryption Standard (AES) encryption chip built into Seagate’s Momentus 5400 FDE.2 disc drive, which Seagate described as "the world’s first laptop hard drive with native encryption." In January 2008, the company announced Maxtor BlackArmor, a 160GB USB 2.0–attached portable storage device that uses the same built-in encryption. In October 2007, Seagate, with partners LSI and IBM, announced that it would extend its hardware-based FDE technology to its enterprise-class hard drives, with "plans to deliver ... to customers in 2008."
Gianna DaGiau, a Seagate product marketing manager, recently explained why encrypting data stored on disks in the data center is important. For one thing, federal and state legislation requires protecting sensitive customer data. If data is somehow lost, you must notify customers, which can be a costly endeavor. However, if the lost data is protected by encryption, the notification isn't necessary. You might think that the data at rest in your data center is protected by lots of layers of security and thus doesn't need encryption, but eventually, all disks leave the data center when they're decommissioned. The decommissioning process, which relies on people handling disks and destroying them or their data, exposes unencrypted data to theft and accidental loss. Fully encrypted disks with the encryption key stored on the disk can be safely and easily decommissioned by deleting the encryption key.
DaGiau also said that Seagate's self-encrypting disks overcome some of encryption's highest hurdles. Key management is simplified because the encryption key never leaves the drive. However, DaGiau and Bret Weber, chief architect and fellow in LSI's Engenio Storage Group, did explain that the administrator would set the authentication key in the storage management system and would of course need to establish a backup for authentication key management. Performance can be another issue with encryption, but DaGiau said that in Seagate's self-encrypting drives, the encryption engine speed matches the disk performance, so encryption won't slow data processing down.
Recent data breaches in the news make it seem inevitable that we're headed for encryption everywhere: across communication lines and on our notebooks, desktops, external personal storage devices, and network storage systems. It's good to hear about a technology like self-encrypting disks that appears to make encryption easier to use.
