
Enter the eDrive

Self-Encrypting Drives: Security for Every System

Since Microsoft is now aggressively promoting Windows 8 and the many benefits it offers, it is worth digging into its eDrive term and examining how it differs from a conventional SED. At the November 2011 Windows Ecosystem Summit, Microsoft defined an encrypted drive as “a regular storage subsystem (Embedded MultiMediaCard, solid-state drive, hard disk drive) that comes with hardware offload to accelerate crypto processing.” To refine this further, an SED need only meet the Trusted Computing Group’s standards, namely Opal and Opal 2 (see http://bit.ly/A6q7bq). The encrypted hard disk drive, called an eHDD or eDrive, must meet Opal 2 specs and additionally comply with the IEEE 1667 standard. Microsoft also requires eDrives to support the Opal option for a single user mode, which allows an eDrive to have each of its partitions managed independently of the others. Partitions enable another feature of the eDrive. While TCG Opal supports multiple separate and secure sections, or ranges, most hardware encryption offerings simply encrypt the entire drive as one object. An eDrive sets up multiple ranges so that the ranges needed to boot the PC or to support system recovery stay open, and only the user ranges are locked.

All of these spec advances dovetail with new code built into Windows 8. The operating system can recognize an eDrive as the system boot drive and provide the requisite special provisioning during configuration. In the Pro and Enterprise versions of the OS, Microsoft provides BitLocker to manage the drive’s hardware encryption instead of using software to encrypt data. A user can then choose to manage the drive’s capabilities with BitLocker, which Microsoft claims improves system performance by up to 35%.

Despite this encryption’s under-the-hood power and complexity, a single login keeps the user experience remarkably simple and streamlined. With older Windows versions, a shadow master boot record (MBR) had to be created outside of the operating system. When a user powered up the PC, he or she had to log in first through the shadow MBR, then log in again through the regular Windows system interface. In Windows 8, the initial shadow partition is replaced with UEFI and Secure Boot on new PCs, making for an improved user experience and a more reliable system. Only the user partition gets secured: the key parts of the system needed for operation remain unlocked and ready, while most files (and definitely anything even remotely tied to user data) require unlocking. This allows for a single logon experience with no sacrifice in security.

Businesses should note that BitLocker can interface with Microsoft BitLocker Administration and Monitoring (MBAM) as well as Active Directory credentials. This can greatly help with the management of large numbers of eDrives across an organization. As with other SED management tools, MBAM can assist with policy enforcement, protected key management, and the maintenance of a compliance audit trail. Just keep in mind that BitLocker does not support Instant Secure Erase (ISE) functionality. However, the eDrive can still be repurposed or recycled using Seagate’s SeaTools for Windows application, available for download on the company’s website.
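As an added example (not from the article or from Microsoft), the following PowerShell script checks, for each BitLocker volume, whether BitLocker actually handed encryption off to the drive hardware, which is the eDrive path described above, or fell back to software encryption, and flags volumes an MBAM-style policy would care about. It assumes Windows 8 Pro or Enterprise (or later) with the BitLocker PowerShell module, run from an elevated prompt; the function name Get-EdriveEncryptionReport is a hypothetical name chosen for this example.

```powershell
# Added example, not part of the article: report how each BitLocker volume is encrypted.
# Assumes the built-in BitLocker module (Get-BitLockerVolume) on Windows 8 Pro/Enterprise or later.
function Get-EdriveEncryptionReport {
    Get-BitLockerVolume | ForEach-Object {
        $method = [string]$_.EncryptionMethod
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            VolumeType       = $_.VolumeType          # OperatingSystem or Data
            ProtectionStatus = $_.ProtectionStatus    # On / Off
            VolumeStatus     = $_.VolumeStatus        # e.g. FullyEncrypted, FullyDecrypted
            EncryptionMethod = $method
            # 'Hardware' means BitLocker is managing the drive's own (Opal/eDrive) encryption;
            # any AES/XTS value means Windows is encrypting the volume in software.
            UsesEdrive       = ($method -eq 'Hardware')
        }
    }
}

$report = Get-EdriveEncryptionReport
$report | Format-Table -AutoSize

# Policy checks: volumes with no protection at all, and volumes that are protected
# but ended up software-encrypted on a machine that was meant to use an eDrive.
$unprotected = $report | Where-Object { $_.ProtectionStatus -ne 'On' }
$software    = $report | Where-Object { $_.ProtectionStatus -eq 'On' -and -not $_.UsesEdrive }

if ($unprotected) {
    Write-Warning ("Volumes without BitLocker protection: " + ($unprotected.MountPoint -join ', '))
}
if ($software) {
    Write-Output ("Volumes using software encryption rather than eDrive hardware encryption: " +
                  ($software.MountPoint -join ', '))
}

# Cross-check for a single volume: manage-bde prints "Encryption Method: Hardware Encryption"
# for a volume whose encryption is performed by the SED itself.
manage-bde -status $env:SystemDrive
```

A drive that was not provisioned as an eDrive when Windows was installed will report a software method here even though the hardware is Opal 2 capable, so this check is most useful right after imaging, before the drive holds user data.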