
The SED Difference

Self-Encrypting Drives: Security for Every System

While there are many kinds of encryption used in computing, the vast majority of files protected on hard drives and SSDs rely on the Advanced Encryption Standard (AES). Accepted by the National Institute of Standards and Technology in 2001 as the de facto data security standard for the U.S. government, AES can utilize 128-, 192-, or 256-bit key sizes. To date, the brute force computing needed to crack even a 128-bit AES key lies far beyond any computing horsepower now available in the world. With the key known, of course, far, far less computing power is needed to operate the AES algorithm, but it is still a relatively large amount of number crunching: enough to incur stiff double-digit consumption of CPU resources and potentially cripple other active applications.

To break this bottleneck, Seagate introduced its aforementioned full-disk encryption (FDE) solution, which encrypted all information on the hard drive via the on-drive crypto ASIC and solved the persistent problem of encryption keys being stored in the operating system where hackers could reach them. (Over time, Seagate moved from calling the on-drive technology FDE to the more widely accepted term SED.) However, since FDE/SED adoption was slow, Intel introduced discrete logic blocks into some of its processors specifically designed to accelerate AES processing. This functionality is still called AES New Instructions, or AES-NI.

AES-NI provides a fair amount of help with AES-based encryption, but it’s not perfect. For one thing, not all modern CPUs support AES-NI. Second, users still see a performance hit when using AES-NI. The results are definitely better than when computing AES without assistance, but ideally users want to see zero impact from performing encryption. Data should flow to and from storage at the same speed as if there were no encryption present at all. AES-NI does not presently enable this. Also, even though AES-NI accelerates encrypted data throughput, the CPU still has to crunch the same numbers. It’s simply crunching them faster. The hottest component in the PC must perform the same mathematical work and consume a similar amount of energy to perform that work. In portable systems, this can put additional drain on the battery.
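To check the first caveat on a Linux x86 host, the following added example (not part of the original article) reads the `aes` token that the kernel reports on the `flags` line of `/proc/cpuinfo`. The sample text and the function names are constructed for illustration.

```python
"""Report AES-NI availability per logical CPU from Linux /proc/cpuinfo text."""
from pathlib import Path

# Constructed sample: two logical CPUs; the second lacks the "aes" flag
# so that the negative path is exercised.
SAMPLE_CPUINFO = """\
processor\t: 0
model name\t: Example CPU A (constructed)
flags\t\t: fpu vme sse2 ssse3 pclmulqdq aes avx

processor\t: 1
model name\t: Example CPU B (constructed)
flags\t\t: fpu vme sse2 ssse3 avx
"""


def parse_cpuinfo(text):
    """Return {processor_id: set_of_flags} from cpuinfo-formatted text."""
    cpus, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank separator line between CPU stanzas
        key, value = key.strip(), value.strip()
        if key == "processor":
            current = int(value)
            cpus[current] = set()
        elif key == "flags" and current is not None:
            # Split into whole tokens: a substring search for "aes"
            # would also match the separate "vaes" flag.
            cpus[current] = set(value.split())
    return cpus


def aesni_report(text):
    """Map each logical CPU to True/False for the x86 'aes' (AES-NI) flag."""
    return {cpu: "aes" in flags for cpu, flags in parse_cpuinfo(text).items()}


def all_cpus_have_aesni(text):
    """True only if at least one CPU was parsed and every CPU has AES-NI."""
    report = aesni_report(text)
    return bool(report) and all(report.values())


if __name__ == "__main__":
    path = Path("/proc/cpuinfo")
    text = path.read_text() if path.exists() else SAMPLE_CPUINFO
    for cpu, ok in sorted(aesni_report(text).items()):
        print(f"cpu{cpu}: AES-NI {'present' if ok else 'absent'}")
```

A host that reports the flag as absent falls back to plain software AES for any CPU-driven disk encryption, which is the slowest case the article describes.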

In short, software-based encryption tools may be traditional and convenient. Some may even be free. But all carry their own sorts of costs.

With hardware-based encryption built into the storage drive, there is zero additional compute load placed on the CPU. Unlike AES-NI, these cryptographic ASICs are purpose-built for this compute task, so they perform it with optimal efficiency and the lowest possible power draw. In fact, crypto ASICs perform at better than line speed, meaning that they do their job so quickly that they often have to wait for new data to come in from the drive interface. The encryption process no longer presents a performance constraint.

SEDs encrypt all data written to the drive. This includes OS files and even the master boot record. In contrast, software-based encryption solutions leave unencrypted areas on the drive, which presents a security risk.

Also note that even though the SED encrypts all incoming bits, users are not forced to manage the encryption. Data is only protected when users apply a password to lock the encryption. Think of the encryption as a door leading to a room. Without a lock on the door (the password), people can enter and leave as they please. An SED will encrypt and decrypt every bit as it enters and leaves the drive. The decryption process won’t require authentication until a password gets implemented.

According to Microsoft, an SED (or “eDrive” as the company is now calling them) will improve encrypted data throughput by 15% to 35% under Windows 8. This improvement was seen when comparing SED-based encryption against CPU-driven encryption through Microsoft’s BitLocker Drive Encryption (BDE).


Ultimately, this is the chart that matters to most users. People want security, but they want it with few to no downsides. Today, that is finally possible with SEDs.