Self Encrypting Drives - Everything You Need to Know
There’s a lot of misleading information about Self Encrypting Drives.
Hopefully this post can clarify that without all the fuss. Looking at it from a purely functional point of view, there are 3 types of drives out there:
Type 1 - no encryption, no locking
Type 2 - encryption, no locking
Type 3 - encryption with locking
To expand on what the above means in a bit more detail, let’s clarify the terminology.
No Encryption
Data written to the controller (from the server) is the exact same data that gets written to the storage medium; in this case the raw unencrypted data is what gets written to NAND flash.
Encryption
Data written to the controller (from the server) gets encrypted by the controller, typically with AES 256-bit, and that encrypted data is what gets written to the NAND flash.
No Locking
If someone has physical access to the disk, they can access your data regardless of whether it supports encryption or not.
Locking
Even with physical access no one can access the data without the secret key. It requires a key/password to be able to “unlock” and read the contents of the disk.
Now that the terminology is clear, let’s expand on the 3 different types of drives that are out there.
Type 1 - No Encryption + No Locking
This is the typical old-style disk. In the past disk controllers were fairly weak and lacked the performance to encrypt data at high speed. Typically they could schedule data transfers and run wear leveling algorithms, but lacked the performance to run operations at line rate on the incoming data stream. Thus what got sent to the disk controller is what gets written to the storage media, e.g. a magnetic platter or NAND.
Type 2 - Encryption + No Locking
As you cannot lock prying eyes out of your data, you might ask what the point of Type 2 is. The point is fast and effective “deletion of data”, e.g. a kill switch that runs quickly and efficiently to delete all data.
In the past, before controllers started encrypting data, to safely delete/wipe data off the disk you had to write (typically multiple times) across all of the storage media. This effectively overwrites everything on the actual storage media with random bits. On a large HDD or SSD this can take a long time; on an HDD in particular it can be double-digit hours. In addition there’s no guarantee all of the storage media will be overwritten, think of SSD overprovisioning / wear leveling algorithms. You have no visibility or control over where you are writing on each NAND chip.
Because it’s so haphazard, government and business created standards that require an effective way to destroy data. Using disk encryption with no locking, all that’s required to destroy the data is… deleting the encryption keys, as the data on the storage medium is unreadable without being decrypted.
These disks are typically called “SED AES Encrypted Secure Erase”, e.g. the media is encrypted and you can delete the keys. But that’s all.
If your bitcoins are on this type of drive, anyone with physical access can steal them.
Type 3 - Encryption + Locking
Finally there is encryption with locking. In the modern NVMe era these are classed as Trusted Computing Group (TCG) OPAL 2.0; the full specification is linked below:
https://trustedcomputinggroup.org/wp-content/uploads/TCG_Storage-Opal_SSC_v2.01_rev1.00.pdf#page=12
In the bygone SATA era this was known as the “ATA Security Erase/Lock/Frozen” feature set.
What TCG OPAL 2.0 means is that the drive has a security interface that is accessible from the host. On FMADIO Packet Capture appliances we use the open-source utility sedutil, which uses the “nvme security-send” and “nvme security-recv” NVMe protocol functions to interface with the security module on the drive.
Sadly there are many flavors of TCG OPAL 2.0, and many marketing terms are used to convince you the drive supports TCG OPAL. Many claim “AES 256bit encryption” or “OPAL Lite” as a security feature but lack the function to lock/unlock using TCG OPAL 2 - choose your drives carefully!
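One practical way to check what a drive actually supports, rather than what the box says, is to read the support column that sedutil-cli --scan prints for each disk. The script below is an added example (not FMADIO's or sedutil's own code): it sorts scan rows into the three types used in this post and runs against a constructed sample so it needs no real drive; the column layout (“2” for Opal 2.0, “L” for Opalite, “No” for no TCG interface) is assumed from sedutil's scan output.

```shell
#!/bin/sh
# Added example, not FMADIO's or sedutil's own code: sort the disks listed by
# `sedutil-cli --scan` into the three types used in this post. sedutil prints
# one row per disk: device, a TCG support column, model, firmware. In that
# column "2" marks TCG Opal 2.0 (the lockable Type 3 drive this post wants),
# "L" marks Opalite and "No" means no TCG security interface was found; the
# exact column layout is assumed here from sedutil's scan output.

classify_scan() {
    # Reads scan output on stdin and prints "<device> <verdict>" per disk.
    while IFS= read -r line; do
        case "$line" in
            /dev/*) ;;           # keep only device rows
            *) continue ;;       # skip the banner and trailer lines
        esac
        dev=$(printf '%s\n' "$line" | awk '{print $1}')
        ssc=$(printf '%s\n' "$line" | awk '{print $2}')
        case "$ssc" in
            *2*) echo "$dev Type3 Opal2 locking supported" ;;
            No)  echo "$dev Unverified no TCG interface (Type 1 or 2 at best)" ;;
            *)   echo "$dev Unverified $ssc is not Opal 2.0 (e.g. Opalite)" ;;
        esac
    done
}

# Constructed sample scan output (device names, models and firmware strings
# are made up) so the classifier can run without a real drive attached.
SAMPLE='Scanning for Opal compliant disks
/dev/nvme0  2   Example Opal2 NVMe SSD 1TB     FW0001
/dev/nvme1  No  Example AES-on-the-box NVMe    FW0002
/dev/sda    L   Example Opalite SATA SSD       FW0003
No more disks present ending scan'

classify_sample() {
    printf '%s\n' "$SAMPLE" | classify_scan
}

# Live use on a host with sedutil installed: sedutil-cli --scan | classify_scan
classify_sample
```

A “2” only tells you the drive exposes the Opal 2.0 interface; whether locking is actually enabled on a given disk is a separate query (sedutil-cli --query) that this script does not perform.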
What are the critical features? Most importantly, it is the ability to lock the entire drive, e.g. the controller requires a password to unlock the AES encryption key. This is what most people think of as a “SED” Self Encrypting Drive: without the password to unlock the disk, all those bitcoins on the disk are just gibberish… and your bitcoins are secure.
This type of drive is what you want in the corporate and government world: TCG OPAL 2.0 disks with AES 256-bit encryption and locking, and it is what FMADIO devices fully support. If a malicious actor physically removes, steals or otherwise acquires the storage medium, it is useless to them: the data is garbage, and even if you de-solder and reverse engineer the controller and NAND, the bits are meaningless without the encryption key.
Summary
All FMADIO Packet Capture disks are carefully selected as Type 3 (Encryption + Locking), ensuring your packet capture data is secure.
As “AES Encryption” on the packaging does not equal a secure SED disk, choose your drives carefully!