Features of Drive-Based Encryption
Why Drive-Based Encryption Is Safest and Best
There are four key benefits to be had from a self-encrypting drive: 1) instant secure erase, 2) auto locking, 3) key management, and 4) FIPS certification.
Instant secure erase is a topic we’ll explore at greater length in a follow-up article. For now, suffice it to say that the measures some companies take to erase data from their drives are significant. As we detailed earlier, the consequences of not performing such erasure can be frightening. But rather than resort to various convoluted and costly means of data destruction, all a SED has to do is throw away the encryption key. That takes less than a second and leaves every file on the drive a hopelessly and permanently scrambled mess.
Auto locking is the term for the way encryption kicks in every time a self-encrypting drive powers down. If someone pulls a SED from an array and runs off with it, there is no way to access the data on that drive. The drive is, and will stay, locked until a password (or some similar credential) is presented for authentication.
Key management involves the use of third-party software so that administrators can provision and manage all of the SEDs within their group or organization. One of the most prominent vendors in this space is LSI with its SafeStore application, a common bundle option that works with select LSI MegaRAID storage adapters. One of the great features of today’s encryption specifications is that should admins decide to change authentication keys, no subsequent re-encryption is necessary: the authentication key only protects the drive’s internal data encryption key, which itself stays the same.
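The first three benefits all follow from one design fact: user data is encrypted under a media encryption key (MEK) that never leaves the drive, and that key is persisted only wrapped under a key derived from the administrator’s credential. The Go model below is an added illustration, not Seagate’s or LSI’s code; the credential-to-key derivation `kek` is an assumption standing in for a real KDF, and the type and method names are invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Sed is a constructed model of a self-encrypting drive's key hierarchy (not vendor firmware): a random
// media encryption key (MEK) encrypts all user data and is persisted only wrapped under a KEK derived from the credential.
type Sed struct {
	wrappedMEK, media []byte // non-volatile: survive power-off
	mek               []byte // volatile: nil whenever the drive is locked
}
func kek(pw string) []byte { h := sha256.Sum256([]byte(pw)); return h[:] } // stand-in for a real password KDF such as PBKDF2
// aead is AES-256-GCM; seal prefixes a 12-byte random nonce to the ciphertext and open expects that layout.
func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return aead(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) { return aead(key).Open(nil, ct[:12], ct[12:], nil) }
// NewSed provisions a drive (fresh MEK wrapped under the initial credential) and writes data to it.
func NewSed(pw string, data []byte) *Sed {
	s := &Sed{mek: make([]byte, 32)}
	rand.Read(s.mek)
	s.wrappedMEK = seal(kek(pw), s.mek)
	s.media = seal(s.mek, data) // the drive starts unlocked, as it does right after provisioning
	return s
}
// Unlock unwraps the MEK into volatile memory; a wrong credential or an erased key slot fails GCM
// authentication, so the drive stays locked and nothing about the media is revealed.
func (s *Sed) Unlock(pw string) (err error) { s.mek, err = open(kek(pw), s.wrappedMEK); return }
func (s *Sed) PowerOff() { s.mek = nil } // auto-lock: the volatile MEK vanishes, only ciphertext remains
// Read refuses to decrypt the media while the drive is locked.
func (s *Sed) Read() ([]byte, error) {
	if s.mek == nil { return nil, errors.New("drive locked") }
	return open(s.mek, s.media)
}
// ChangePassword re-wraps the unchanged MEK under the new KEK; the media is never re-encrypted.
func (s *Sed) ChangePassword(oldPw, newPw string) error {
	if err := s.Unlock(oldPw); err != nil { return err }
	s.wrappedMEK = seal(kek(newPw), s.mek)
	return nil
}
// CryptoErase overwrites the wrapped-MEK slot: the media is untouched yet permanently unreadable.
func (s *Sed) CryptoErase() { s.wrappedMEK, s.mek = make([]byte, len(s.wrappedMEK)), nil }
```

Rotating the credential re-wraps one 32-byte key rather than rewriting the media, and crypto erase destroys that wrapped key rather than scrubbing the platters.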

Finally, the Federal Information Processing Standard (FIPS) 140-2 is the security standard for certifying the quality and dependability of cryptographic devices. This standard, developed by NIST and its Canadian equivalent, the Communications Security Establishment, defines four security levels. Seagate SEDs are currently the only hard drives on the market certified for Level 2, which requires the use of a tamper-evident label to detect whether a drive has been subject to tampering.

As you can see in the above image, conventional SEDs satisfy the security and disposal needs of most businesses. However, for government agencies or vertical markets that demand the highest possible security levels, such as finance, health care, or legal, FIPS 140-2 drives represent the best data storage investment that can be made.
“The government certification process involves a lab doing witness testing of your security,” explains Seagate enterprise senior product marketing manager Teresa Worth. “They’re going to put you through a whole gauntlet of things to make sure that you implemented good security. The Opal standard, developed by the Trusted Computing Group for on-drive encryption, asks you to give the right response when you receive this or that command. Really, it’s the security behind all those commands that gets certified. But FIPS certification will make dead sure that you did AES correctly. Opal says, ‘Please implement locking and encryption on this particular portion or all of the device’ and takes you at your word when you say you did. The FIPS certification process has laboratory crypto experts holding your feet to the fire and making you demonstrate everything you claim.”