Seagate announces hardware FDE for laptop and desktop machines

Simon Josefsson simon at josefsson.org
Tue Oct 2 09:50:27 EDT 2007 

Following up on an old thread with some new information:

> Hitachi's white paper is available from:
>
> http://www.hitachigst.com/tech/techlib.nsf/techdocs/74D8260832F2F75E862572D7004AE077/$file/bulk_encryption_white_paper.pdf
...
> The interesting part is the final sentence of the white paper:
>
>    Hitachi will be offering the Bulk Data Encryption option on all new
>    2.5-inch hard disk drive models launched in 2007, including both the
>    7200 RPM and 5400 RPM product lines. At the request of the customer,
>                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>    this option can be enabled or not, at the factory, without any impact
>    on the drive?s storage capacity, features or performance.

Interestingly, Hitachi has updated that paragraph in the paper (re-using
the same URL), and now it reads:

  Hitachi will be offering the Bulk Data Encryption option on specific
  part numbers of all new 2.5-inch hard disk drive products launched in
  2007, including both the 7200 RPM and 5400 RPM product lines. For a
  list of specific part numbers that include the Bulk Disk Encryption
  feature or for more information on how to use the encryption feature,
  see the ?How To Guide? for Bulk Data Encryption Technology available
  on our website.

The How To Guide includes screen shots from BIOS configuration.  The
disk appear to be using the standard ATA BIOS password lock mechanism.
The guide is available from:

http://hitachigst.com/tech/techlib.nsf/products/Travelstar_7K200
http://hitachigst.com/tech/techlib.nsf/techdocs/F08FCD6C41A7A3FF8625735400620E6A/$file/HowToGuide_BulkDataEncryption_final.pdf

Without access to the device (I've contacted Hitachi EMEA to find out if
it is possible to purchase the special disks) it is difficult to infer
how it works, but the final page of the howto seems strange:

   Disable security
   ----------------

   For an end user to disable security (i.e., turn off the password
   access control):

     1. Enter the BIOS and unlock the drive (when required, BIOS
     dependent).

     2. Find the security portion of your BIOS and disable the HDD user
     password, NOT the BIOS password. The master password is still set.
...

   NOTE: All data on the hard drive will be accessible. A secure erase
   should be performed before disposing or redeploying the drive to
   avoid inadvertent disclosure of data.

One would assume that if you disable the password, the data would NOT be
accessible.  Making it accessible should require a read+decrypt+write of
the entire disk, which would be quite time consuming.  It may be that
this is happening in the background, although it isn't clear.

Another interesting remark is:

  Note that the access method to the drive is stored in an encrypted
  form in redundant locations on the drive.

It sounds to me as if they are storing the AES key used for bulk
encryption somewhere on the disk, and that it can be unlocked via the
password.  So it may be that the bulk data encryption AES key is
randomized by the device (using what entropy?) or possibly generated in
the factory, rather than derived from the password.

/Simon

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list