Self Encrypting Drives

For protecting data at rest on hard drives, hardware encryption has long been forecast to surpass software-based encryption. At first the problem was enterprise manageability and single sign-on with a Windows account; there are now several management platforms for self-encrypting drives (SED). Then the issue was compatibility; the TCG Opal standard should rectify that. A self-encrypting SSD in a Dell laptop was recently priced at $30 more than the equivalent regular drive. Perhaps costs are now low enough to begin looking at SED in earnest.

Not so fast.

A quick review of the compatibility list for Symantec Endpoint Encryption finds a dearth of supported drives.

Dell doesn't tell me which SED they would send, and there is no guarantee that they would continue to send that drive. Their just-in-time, cheapest-part sourcing could change the drive on me. Even if I got Symantec to add support for today's drive, what about tomorrow's?

Is it so naïve to think that the Opal standard should let drive management vendors support every drive that implements Opal?

McAfee is only slightly better than Symantec in terms of number of drives supported.


Questions about supportability and cost remain. No one wants to go backwards to a separate BIOS-level password that unlocks the hard drive before logging into the operating system.

Software-based full disk encryption (FDE) that uses the AES-NI instructions is reportedly fast enough to close much of the gap. Why hassle with hardware encryption if what you are doing in software is already fast enough? Good luck if your FDE vendor doesn't support AES-NI: Symantec has it for PGP (now Symantec Drive Encryption) but not for GuardianEdge (now Symantec Endpoint Encryption).
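Whether AES-NI matters for your FDE product is something you can measure rather than take on faith. The script below is an added example, not from the original post or any vendor: it checks whether a Linux /proc/cpuinfo advertises the `aes` flag and, if an `openssl` binary is present, runs OpenSSL's built-in AES-128-CBC benchmark twice, once normally and once with `OPENSSL_ia32cap="~0x200000000000000"`, which clears the AES-NI capability bit (CPUID leaf 1, ECX bit 25) so OpenSSL falls back to its generic software implementation. The sample cpuinfo line used for the offline check is constructed; the real check reads /proc/cpuinfo when it exists. If the two throughput numbers are close, encryption is not your bottleneck and the "fast enough" argument holds; if they differ by several times, a vendor without AES-NI support is leaving that performance on the table.

```shell
#!/bin/sh
# Added example (not from the original post): detect AES-NI and measure its
# effect on AES-128-CBC throughput. Assumes Linux (/proc/cpuinfo) and an
# openssl binary that accepts "speed -evp ... -seconds N" (OpenSSL 1.1.0+).

# Return 0 if a /proc/cpuinfo-style text on stdin lists the "aes" CPU flag.
# Each "flags" line is split into one token per line so "aes" is matched
# exactly and not as a substring of something like "vaes" or "aesni".
has_aesni() {
    grep -E '^flags[[:space:]]*:' | tr ' ' '\n' | grep -qx 'aes'
}

# Print the last throughput column (largest block size, in 1000s of bytes/s)
# of "openssl speed -evp aes-128-cbc". Pass "off" to mask the AES-NI bit in
# OpenSSL's CPUID capability vector so the generic C/asm code path is timed.
aes_throughput() {
    if [ "$1" = "off" ]; then
        OPENSSL_ia32cap="~0x200000000000000" openssl speed -evp aes-128-cbc -seconds 1 2>/dev/null
    else
        openssl speed -evp aes-128-cbc -seconds 1 2>/dev/null
    fi | awk '/^aes-128-cbc/ { print $NF }'
}

# Constructed sample cpuinfo line so the flag check can be demonstrated offline.
SAMPLE_CPUINFO='flags		: fpu vme de pse sse4_2 aes avx'

main() {
    if printf '%s\n' "$SAMPLE_CPUINFO" | has_aesni; then
        echo "constructed sample: AES-NI present"
    fi
    if [ -r /proc/cpuinfo ]; then
        if has_aesni < /proc/cpuinfo; then
            echo "this CPU advertises AES-NI"
        else
            echo "this CPU does not advertise AES-NI"
        fi
    fi
    if command -v openssl >/dev/null 2>&1; then
        echo "AES-128-CBC, AES-NI on : $(aes_throughput on)"
        echo "AES-128-CBC, AES-NI off: $(aes_throughput off)"
    else
        echo "openssl not found; skipping throughput comparison"
    fi
}

# Run the report only when invoked as "sh script.sh report", so the functions
# can also be sourced into other scripts.
if [ "${1:-}" = "report" ]; then
    main
fi
```

Compare the "off" figure against the sustained write speed of the disk in question; a software FDE layer only becomes the bottleneck when its throughput falls below what the drive can sink.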

Another concern is the security of the self-encrypting drive itself. How do you validate it? If you are a government agency or a contractor, you may have to buy FIPS 140-2 validated drives, which may be scarce and expensive and may not be available through your normal computer leasing channels.

For now, self-encrypting drives remain bleeding edge. It is time to ask whether they will ever become mainstream.


4 Comments

  1. I have a few comments:
    1- There are other vendors besides Symantec and McAfee. You mentioned Dell. When you purchase a Dell computer with a self-encrypting drive (SED) you get Dell DDPA for free. This software allows you to take local ownership of a SED. DDPA supports any SED that ships in a Dell computer.
    2- RE: No one wants to go backwards to using a separate BIOS password to log into the hard drive, prior to logging into the operating system.
    I don't think I agree with that statement. The Federal government and military are really comfortable with preboot authentication. Also, every single hardware encryption and software encryption vendor offers single sign-on. So you enter your password (or smartcard) at preboot and do not have to log in to Windows.
    3- "Fast enough" with less delay because of AES-NI versus no performance overhead because of the crypto-processor built into the drive. I'd still take no overhead.
    4- FIPS drives do not cost any more money in my experience. It's simply a SED by Seagate or whoever that was validated by NIST. You can simply select a SED that is labeled FIPS when ordering from Dell.

    • Is Dell DDPA an enterprise solution? That’s what we’re talking about here.

      Does BitLocker have single sign-on? Not to my knowledge. I don't think it's ridiculous to mention features that I'd want. Your response to that point indicates a misunderstanding of what I am saying. If everyone (besides BitLocker) can do that, then I won't have an issue.

      When the encryption isn't the bottleneck, why spend money to make the encryption faster?
      This is particularly true if I have to change management platforms.
      We do removable storage encryption with the current software FDE provider, which is another concern about switching management platforms.

      I was certainly hoping to hear from people with some experience on the subject. But I'm getting the feeling you think I kicked your dog or something.

  2. Hi,
    I need help.
    If we forgot our Dell self-encrypting disk password, is there any possibility to reset it, or to get the data back?
