Seagate announces hardware FDE for laptop and desktop machines
Daniel Carosone
dan at geek.com.au
Wed Oct 3 00:15:38 EDT 2007
On Tue, Oct 02, 2007 at 03:50:27PM +0200, Simon Josefsson wrote:
> Without access to the device (I've contacted Hitachi EMEA to find out if
> it is possible to purchase the special disks) it is difficult to infer
> how it works, but the final page of the howto seems strange:
>
> ...
>
> NOTE: All data on the hard drive will be accessible. A secure erase
> should be performed before disposing or redeploying the drive to
> avoid inadvertent disclosure of data.
>
> One would assume that if you disable the password, the data would NOT be
> accessible. Making it accessible should require a read+decrypt+write of
> the entire disk, which would be quite time consuming. It may be that
> this is happening in the background, although it isn't clear.
> It sounds to me as if they are storing the AES key used for bulk
> encryption somewhere on the disk, and that it can be unlocked via the
> password.
Assumption: clearing the password stores the key encrypted with
password "" or an all-zeros key, or some other similar construct,
effectively in plain text.
> So it may be that the bulk data encryption AES key is
> randomized by the device (using what entropy?) or possibly generated in
> the factory, rather than derived from the password.
Speculation: the drive always encrypts the platters with a (fixed) AES
key, obviating the need to track which sectors are encrypted or
not. Setting the drive password simply changes the key-handling.
Implication: fixed keys may be known and data recoverable from factory
records, e.g. for law enforcement, even if this is not provided as an
end-user service.
--
Dan.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20071003/410f50f8/attachment.pgp>
More information about the cryptography
mailing list