Comments on: Self-encrypting drive standard gains momentum

Within two to three years, blogger Jon Oltsik predicts, every device that ships with a hard drive or solid-state disk will offer self-encrypting drives.

[umbrae]

Wouldn't this mean that as encryption is broken you would need to buy new equipment, or that the govt could force (or companies sneak in) back doors to decrypt data.

I think I prefer to control the encryption. I guess if you are encryption-challenged this is better than nothing.

[rcrusoe]

I agree. I'll stick with GPG/PGP. As long as the code is open source you can know for sure that there are no backdoors.

And as long as we continue to read stories about this court or country trying to get users to give up their passwords we know that it is working.

[Marcus Westrup]

Umbrae has a point: Can you ever be sure that a back door / key escrow has not been inserted into the hardware?
Or if a flaw is found in the security method, are the systems suddenly obsolete?

[Renegade Knight]

Always possible. True security would also include other methods so even if they decrypt the drive, perhaps evrething on it is still encrypted via another more trustworthy method.

[texaslabrat]

Nothing stopping you from running your own encryption on top of the built-in hardware encryption if you're that worried about it.

[A_Wave]

I think the technology provides an easy to use "peace of mind" solution for the average user. Let's face it, most people will never go to the trouble of installing and learning to use PGP/GPG or TrueCrypt and if they do they will probably use them incorrectly. Typical users don't have much need for ubergeek levels of encryption and file elimination anyway. If it adds little or nothing to the cost of the hardware, I think it will be a no-brainer for most people to opt for a bit of easy-to-use crypto.

[surf&work]

What happens if the OS fails and I need to recover the data? If there is a security flaw in the HDs then all HDs shipped will be compromised.

[solu1978]

Lot of questions but sure it looks promising.

[skswave]

Let me answer a few of these questions.

1. There are no backdoors. These drives have been designed so that the development team can not compromise a drive.

2. Trusted drives have firmware that is loaded on the drive that can be modified if there is an error that is discovered some drives can only be modified by the manufacturer and some have a secure update capability.

3. What makes these solutions much stronger is that the drive firmware can not be altered by a virus, user, bad application software. The result is that the drives are executing know verified code every time.

4. The drive is independent of the OS. If the drive managment software is implemented correctly a drive can be removed from PC#1 and put in PC#2 and it will boot asking the user for the preboot password. This is possible because the preboot code is on a special protected segment of the dirve that is read only and protected by the drive controller. This is actually more robust then the software solutions.

If the hard drive has a mechanical failure you can not recover the data by sending the drive to a clean room.

5. For really sensitive file a user should consider both FDE and file encryption. FDE only protects a machine at rest.

6. Hard drive encryption never releases the KEYS used to encrypt the data. This is important since all software products store the encryption keys in memory when data is being used.

7. Because the encryption is at the hardware level the machine can be imaged before or after encryption is on and there are no application incompatibilities.

Every Company Small and Large needs to pucharse hard drive encryption as part of purchasing the laptop. The factory installed solution comes ready to go out of the box and is integrated with the other hardware features of a laptop or desktop PC. The enterprise tools exist to manage these deployed PCs from a single console making it an easy to Buy and Easy to manage solution.

Steven Sprague
CEO
Wave Systems Corp
ssprague@wavesys.com

Written on a Dell Latitude E6400 with a Seagate FDE 7200 RPM encrypted drive

[TSander]

Steven Sprague why do you spam so much?

[r_kissel]

Yes, hardware encryption, properly designed, is good stuff.
OK, I have a system with hardware-encrypted hard disk. I bring up the system and, in a moment of raw stupidity, execute a piece of malware that securely-erases the hard drive. Besides losing my data, what other damage is done to the drive (if any)?
Thanks!
Rich

[bruceslog]

I'm sure Mr Spraque and company will benefit much if "Every Company Small and Large needs to pucharse hard drive encryption as part of purchasing the laptop. "

He spams for the same reason every spammer spams. He gets money for it.

I myself don't trust it, despite Mr Spraques 'assurances'.

A) Mr Spraque writes that "There are no backdoors. These drives have been designed so that the development team can not compromise a drive.

2. Trusted drives have firmware that is loaded on the drive that can be modified if there is an error that is discovered some drives can only be modified by the manufacturer and some have a secure update capability."
/quote

No backdoor, but the firmware can be modified, some drives can only be modified by the manufacturer. Who may say, Sure, We have the keys, how much is your data worth to you ?

And some drives have a 'secure update capability'. I betcha that won't stay 'secure' for long.

Both of these comments contradict the no backdoor statement. If there is a way in, there is a probable security issue.
The firmware can be flashed by malware. Recently malware was shown to be able to flash firmware on popular home routers. I doubt the firmware on a hard drive is any safer from a decent blackhatter.

But Please, put the stuff on the market.
I'd like to see how long it can stay secure.

I'd love it if this works as you advertise. That self encrypting hard drives becomes the end all of securing files.

But we've heard that song before, with many products.

I truly wish this adventure the best.

[skswave]

I am sorry if you feel it is Spamming. I am always clear who I am and wave is a vendor in the space but there is a tremendous amount of misinformation or guessing and I hope that the basic capabilities of these products is clearly articulated. There is always room for human error and bad actors but the fundemental engineering design of these products is very sound. Drives can only be updated if you have the ability to unlock the drive and have access to unique administration passwords per drive and the ability to create signed code. Protections are in place. The backdoor in all of these products is the enterprise managment so that the company has a recovery key in case the user forgets their password. However, this recovery capability is controlled by the owner of the machine not goverment or manufacturers. A single user can chose to put a recovery key on a USB token or write it down on a sticky note.

Steven Sprague
ssprague@wavesys.com

The real opportunity is that these products are easy to use and very secure. It is a to secure your PC when the machine is off.

[FJStorage]

I agree that simplicity of disk encryption is a good solution for laptops, desktops and consumer/business users but are skeptical about their security level for use in today?s enterprise class storage systems. With access control managed by the drive not only is there a potential (albeit slim) of back door intrusion but the front door can be a problem as well.
Storage systems (such as Fujitsu?s ETERNUS) delivers encryption from the storage controller for enterprise level security of data at rest. The key is protected within the storage system using redundancy that ensures the key?s availability while keeping it separate from the data thereby maximizing the safe keeping of the data as well as the key.
Jim DeCaires
Storage Marketing, Fujitsu
JDeCaires@us.Fujitsu.com