
How SEDs Operate

Why Drive-Based Encryption Is Safest and Best

Hardware-based solutions store their encryption keys far below the application and OS stacks, in memory that belongs to the drive itself. On an SED this takes the form of a small hidden area of the media that the operating system cannot address. It holds two things: the data encryption key, kept only in encrypted (wrapped) form, and a hash of the authentication key, a derived fingerprint that lets the drive recognise the correct authentication key without storing it. Once the user authenticates, the drive releases its data, and the host talks to the drive's security functions through two ATA commands, TRUSTED SEND and TRUSTED RECEIVE. Provided the host's firmware, storage controller and drivers pass these commands through to the drive, and nearly all modern platforms do, the process is almost perfectly transparent to the user.

When no password is set in the BIOS, a self-encrypting drive is still doing its job: it behaves exactly like a regular drive, except that every byte is encrypted and decrypted on the drive's own circuit board. If you picture on-drive encryption as a door between the outside world and the data on the media, that door simply stands on its hinges when no further measures are taken, swinging freely whenever data passes in either direction; anyone who powers up the drive gets plaintext, so the encryption protects nothing on its own. Setting a drive password through the BIOS adds a deadbolt to that door. The lock is enforced by the drive itself, not by the motherboard: the drive refuses to release its data until the user supplies the password, at system boot or when resuming from hibernation, and only then uses that password to decrypt its own encryption key and unlock.

Specifically, the process of accessing an SED goes through the following steps:

1. The storage subsystem requests an authentication key from the key management service. The service then forwards the authentication key to the necessary drive.

2. The SED hashes this authentication key and compares the result to the hashed authentication key already stored on its hidden partition. Because only the hash is stored, pulling the hidden partition off a stolen drive does not yield the authentication key. If the two hashes do not match, the drive rejects the request and any subsequent requests for data from the normal partitions: the drive stays locked.

3. If the two hashes match, the SED takes the unhashed authentication key it received and uses it to decrypt the encryption key, which is also stored (encrypted) in the hidden partition. The decrypted encryption key is held only in the drive's volatile memory; this unlocks the drive.

4. Requested data is decrypted as it streams off the storage media and through the drive's crypto controller. The cleartext is then returned to the host for use.

5. When data is written to the drive, the crypto ASIC encrypts it with the same encryption key before it reaches the media. This is encryption, not hashing: the data must remain recoverable, so it is transformed reversibly and only the drive, holding the key, can reverse it.

The SED will not relock until it loses power. Anything that keeps the drive powered, such as a warm reboot, leaves it unlocked, so the protection depends on the drive actually being powered down, not merely on the host being restarted.
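The procedure in steps 1 to 5, as an added example that is not from the original article or any drive vendor's firmware: a Go model of a self-encrypting drive whose hidden partition holds a hashed authentication key (AK) and a wrapped data encryption key (DEK). The DEK exists in the clear only in the drive's volatile memory while unlocked, a wrong AK leaves the drive locked, sectors are encrypted on the way to the media, and only a power cycle relocks. The per-drive salt, the HMAC-based derivation standing in for a real drive's KDF, AES-GCM in place of XTS-AES, and all names are assumptions of this model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// SED simulates a self-encrypting drive; the hidden* fields model the OS-invisible partition.
type SED struct {
	hiddenSalt    []byte            // per-drive random salt (an assumption of this model)
	hiddenAKHash  []byte            // the stored "hashed authentication key"
	hiddenWrapped []byte            // nonce || AES-256-GCM(KEK, DEK), KEK derived from the AK
	media         map[uint64][]byte // sector -> nonce || ciphertext || tag
	dek           []byte            // volatile drive RAM: populated only while unlocked
}

func random(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // documented never to fail in current Go
	return b
}

// derive is HMAC-SHA256(salt, label || ak): label "auth" yields the hashed AK kept on the
// hidden partition, "kek" the DEK-wrapping key. It stands in for a real drive's KDF.
func derive(salt, ak []byte, label string) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write([]byte(label))
	m.Write(ak)
	return m.Sum(nil)
}

// encrypt is AES-256-GCM with a fresh nonce. Real SEDs use XTS-AES on the media; the point
// modelled is that data is encrypted, not hashed, before it reaches the platters.
func encrypt(key, pt []byte) []byte {
	block, _ := aes.NewCipher(key) // keys are always 32 bytes here, so no error
	g, _ := cipher.NewGCM(block)
	nonce := random(12)
	return g.Seal(nonce, nonce, pt, nil)
}

func decrypt(key, blob []byte) ([]byte, error) {
	if len(blob) < 12 {
		return nil, errors.New("sed: no such sector or truncated blob")
	}
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, blob[:12], blob[12:], nil)
}

// NewSED provisions a drive with a random DEK wrapped under ak and returns it powered off.
// A nil ak models "no BIOS password": the host unlocks with Unlock(nil) at power-on.
func NewSED(ak []byte) *SED {
	d := &SED{media: map[uint64][]byte{}, dek: random(32), hiddenSalt: random(16)}
	d.hiddenAKHash = derive(d.hiddenSalt, ak, "auth")
	d.hiddenWrapped = encrypt(derive(d.hiddenSalt, ak, "kek"), d.dek)
	d.PowerCycle() // the DEK now survives only wrapped, on the hidden partition
	return d
}

// Unlock is steps 2 and 3: hash and compare the AK, then use the AK to unwrap the DEK.
func (d *SED) Unlock(ak []byte) error {
	if subtle.ConstantTimeCompare(derive(d.hiddenSalt, ak, "auth"), d.hiddenAKHash) != 1 {
		d.dek = nil // mismatch: lock out further data requests
		return errors.New("sed: authentication failed")
	}
	dek, err := decrypt(derive(d.hiddenSalt, ak, "kek"), d.hiddenWrapped)
	d.dek = dek // nil on error, which leaves the drive locked
	return err
}

// PowerCycle drops the DEK from RAM, the only event that relocks the drive.
func (d *SED) PowerCycle() { d.dek = nil }

// Write encrypts a sector with the DEK on its way to the media (step 5).
func (d *SED) Write(sector uint64, pt []byte) error {
	if d.dek == nil {
		return errors.New("sed: drive is locked")
	}
	d.media[sector] = encrypt(d.dek, pt)
	return nil
}

// Read decrypts a sector as it streams off the media (step 4).
func (d *SED) Read(sector uint64) ([]byte, error) {
	if d.dek == nil {
		return nil, errors.New("sed: drive is locked")
	}
	return decrypt(d.dek, d.media[sector])
}

// RawSector is what a forensic read of the bare media returns: ciphertext only.
func (d *SED) RawSector(sector uint64) []byte { return d.media[sector] }
```

Two behaviours of the model are worth noticing: a drive provisioned with a nil AK still encrypts everything, but anyone who presents the empty AK gets plaintext, which is the "door swinging freely" case; and nothing short of `PowerCycle` clears the DEK, so a host restart alone would leave a real drive open.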