The Hard Way
Hardware-based encryption does not require user intervention
- By Michael Willett
- Aug 01, 2008
Almost every day, a report of lost, stolen or missing notebook PCs and hard drives, or of related data breaches, shocks the global community, including those people whose data has been compromised. Protection of data on individual systems and drives, as well as in data centers, has become a necessity for corporations, universities, government agencies and other organizations.
The Trusted Computing Group has worked with storage standards groups to create an open specification that enables full-disk encryption for hard disk drives, also called self-encrypting drives. This encryption is hardware-based and transparent to the user. Once the drive is in the system, data is automatically and continually encrypted. If a user cannot authenticate access to the system, or if the system is lost or stolen, the hard drive locks and becomes useless. Further, this hardware-based encryption does not require user intervention and does not impact system performance as encryption usually does.
The Security Dilemma
Today, more than 40 breach notification laws exist. These laws are rapidly moving the industry toward full-disk encryption (FDE). When data is lost or stolen, a breach notification is required unless the drive has FDE. With FDE, no notification is required, as long as it can be proven that the data was encrypted.
The transportability of laptops makes them a prime target for loss and theft, and therefore a prime candidate for encryption of sensitive data. While drives may be secure in the data center, eventually every drive leaves it due to failure, maintenance, reconditioning, end of life, or even loss or theft. In fact, 50,000 drives are decommissioned from data centers each day.
As a result, the same rules that apply to laptops apply to drives, even in the data center. The data on the drive should be encrypted before it leaves the data center. Rather than requiring an additional off-drive and upstream process to encrypt the drive, this on-drive encryption should protect the data center under normal operation.
Encryption Solutions
In the data center, there are various points at which to implement either software- or hardware-based encryption. Software-based schemes, however, can be thwarted by the same viruses and malware they attempt to prevent.

There are several reasons to perform encryption directly on the hard drive as opposed to some point upstream in the data center. For example, there are performance and efficiency issues in data deduplication and data compression. Deduplication tools require looking at the plain text. Since much of the data is the same, storing it once and pointing to that data whenever it is needed in some other context through deduplication techniques frees up a significant amount of storage space. With encrypted data, deduplication cannot be performed, because the same data encrypted at different points in the data stream could look different in encrypted form. Compression techniques require redundancy in the message. Encrypted data is effectively random and has no built-in redundancy, so it cannot be compressed. As a result, encrypting too early in the data flow makes deduplication and compression algorithms ineffective and interferes with end-to-end integrity metrics. Within the data center, data should not be encrypted until it reaches the drive. However, deduplication and compression provide only part of the incentive for encrypting directly on the drive. When encryption is performed everywhere or anywhere instead of in the drive, the situation is quite complex.
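The deduplication and compression point above can be checked with the following script, an added example that is not part of the article or of the TCG specification. It assumes a stand-in sector cipher (an HMAC-SHA256 keystream keyed by the sector number, modelling the per-sector tweak of the AES-XTS mode a real drive uses) and a constructed 4 KiB record; the names encrypt_sector, unique_block_count and compare_plain_and_encrypted are this example's own.

```python
import hashlib
import hmac
import zlib


def encrypt_sector(key: bytes, sector: int, plaintext: bytes) -> bytes:
    """Illustrative per-sector cipher (an assumption, not a real drive's algorithm).

    A self-encrypting drive uses AES-XTS with the sector number as the tweak,
    so the same plaintext stored at two addresses yields different ciphertext.
    This HMAC-SHA256 counter keystream models only that property.
    """
    keystream = bytearray()
    counter = 0
    while len(keystream) < len(plaintext):
        msg = sector.to_bytes(8, "big") + counter.to_bytes(4, "big")
        keystream.extend(hmac.new(key, msg, hashlib.sha256).digest())
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def unique_block_count(blocks) -> int:
    """Content-addressed deduplication: keep one copy per distinct block hash."""
    return len({hashlib.sha256(b).digest() for b in blocks})


def compressed_size(data: bytes) -> int:
    """Bytes left after zlib compression at maximum effort."""
    return len(zlib.compress(data, 9))


def compare_plain_and_encrypted():
    """Write the same record to four sectors, then measure what a downstream
    deduplication or compression stage could still achieve on each form."""
    # Constructed demo key; a real DEK is generated inside the drive.
    key = hashlib.sha256(b"constructed demo key").digest()
    # Constructed 4 KiB record, identical at every sector.
    record = (b"customer=ACME;status=active;" * 200)[:4096]
    plain_blocks = [record] * 4
    cipher_blocks = [encrypt_sector(key, sector, record) for sector in range(4)]
    return {
        "raw_bytes": 4 * len(record),
        "plain_unique_blocks": unique_block_count(plain_blocks),    # 1
        "cipher_unique_blocks": unique_block_count(cipher_blocks),  # 4
        "plain_compressed": compressed_size(b"".join(plain_blocks)),
        "cipher_compressed": compressed_size(b"".join(cipher_blocks)),
    }


if __name__ == "__main__":
    for name, value in compare_plain_and_encrypted().items():
        print(f"{name}: {value}")
```

Run as a script it prints one unique block for the plaintext against four for the ciphertext, and a compressed size for the ciphertext that is no smaller than the raw 16 KiB, which is the effect the article describes when encryption happens upstream of the deduplication and compression stages.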
Managing encryption keys, as well as authentication keys, is one of the more important aspects of encryption. The authentication key unlocks the drive. Only the hash value of the authentication key is stored on the drive, for comparison during authentication. Furthermore, the encryption key is encrypted under the authentication key and stored on the drive.
Full-disk Protection
In an FDE drive, the encryption keys are established in the factory by on-board random number generators and never leave the drive, eliminating the need to manage encryption keys. In the data center, key management only requires managing the authentication keys, which eliminates layers of key management.

FDE reduces IT complexity. The database administrator, application developer, operating system, encryption engine and network issues are all eliminated by encrypting at the drive. In an FDE system, the storage system is upgraded on its normal schedule. Adding drives is simple, since each drive comes with its own encryption key. The system is scalable, and encryption is performed in hardware, allowing full-channel-speed operation.
Encrypting stored data outside the drive has planning and management issues that add to complexity, errors and data recoverability risk. These include problems that can occur in the following scenarios: when application developers change applications; when database administrators change databases; in managing and scaling encryption CPU demand as storage and I/Os are added; through extra storage needed because compression and deduplication become less effective; by tracking both encryption and local keys on all associated hardware and software for data recovery; and in granular data classification.
In contrast, when encryption is performed in the drive, the process is simplified to adding a key service to one server and adding FDE drives to application storage on the scheduled upgrades.
Cost is a primary business value. For FDE, the initial acquisition costs are reduced when encryption is integrated into standard products and implemented according to a standard storage upgrade schedule. Additional cost reduction comes from reduced drive decommissioning and insurance, the ability to compress and deduplicate, and preservation of drive hardware value through easy repurposing. Since simply deleting the key sanitizes the drive, the drive can continue to perform a useful function rather than being scrapped.
Without FDE, there are transport issues, and degaussing, shredding and overwriting techniques must be used at the end of a drive's life. None of these techniques is foolproof, and all have additional cost. With FDE, the simple erasure of the key sanitizes the drive, making it unreadable. FDE becomes practical and ubiquitous with open industry standards.
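The key handling described in the article (an authentication key whose hash alone is stored on the drive, an encryption key generated on the drive and wrapped under the authentication key, and sanitization by replacing that key) is modelled in the following class. It is an added example, not code from the article, from the Trusted Computing Group or from any drive vendor, and it makes choices the article does not specify: PBKDF2-HMAC-SHA256 derives the stored verifier and the wrapping key from the authentication key, a SHA-256 pad stands in for the AES key wrap and the AES-XTS sector cipher of a real drive, and crypto_erase takes a new authentication key for the repurposed drive. The class and method names are this example's own.

```python
import hashlib
import hmac
import secrets


class SelfEncryptingDriveModel:
    """Constructed model of the key handling in a self-encrypting drive.

    The data encryption key (DEK) is generated on the drive and never exported.
    The host supplies only an authentication key (AK). The drive keeps a salted
    hash of the AK for comparison, plus the DEK wrapped under a key derived from
    the AK. Replacing the DEK is a cryptographic erase: the ciphertext on the
    platter is untouched but can no longer be decrypted.
    """

    PBKDF2_ROUNDS = 50_000
    MAX_RECORD = 32  # toy sector payload: one SHA-256 pad per sector (assumption)

    def __init__(self, authentication_key: bytes) -> None:
        self.platter = {}                      # sector -> ciphertext only
        self._dek = secrets.token_bytes(32)    # born on the drive, never leaves
        self._session_dek = None               # unwrapped copy, cleared on lock
        self._enroll(authentication_key)

    @staticmethod
    def _pad(key: bytes, label: bytes) -> bytes:
        # Illustrative stand-in for AES; not a real drive's cipher.
        return hashlib.sha256(key + label).digest()

    @staticmethod
    def _xor(data: bytes, pad: bytes) -> bytes:
        return bytes(a ^ b for a, b in zip(data, pad))

    def _derive(self, ak: bytes, purpose: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", ak, self.salt + purpose, self.PBKDF2_ROUNDS)

    def _enroll(self, ak: bytes) -> None:
        """Persist only the AK hash and the DEK wrapped under the AK-derived key."""
        self.salt = secrets.token_bytes(16)
        self.ak_hash = self._derive(ak, b"verify")
        kek = self._derive(ak, b"wrap")
        self.wrapped_dek = self._xor(self._dek, self._pad(kek, b"dek-wrap"))
        self.wrap_tag = hmac.new(kek, self.wrapped_dek, hashlib.sha256).digest()

    def unlock(self, ak: bytes) -> bool:
        """Compare the AK hash, then unwrap the DEK for this session."""
        if not hmac.compare_digest(self.ak_hash, self._derive(ak, b"verify")):
            return False
        kek = self._derive(ak, b"wrap")
        expected = hmac.new(kek, self.wrapped_dek, hashlib.sha256).digest()
        if not hmac.compare_digest(self.wrap_tag, expected):
            return False
        self._session_dek = self._xor(self.wrapped_dek, self._pad(kek, b"dek-wrap"))
        return True

    def lock(self) -> None:
        """Drop the unwrapped DEK; reads and writes now fail until re-authenticated."""
        self._session_dek = None

    def _sector_pad(self, sector: int) -> bytes:
        if self._session_dek is None:
            raise PermissionError("drive is locked")
        return self._pad(self._session_dek, sector.to_bytes(8, "big"))

    def write(self, sector: int, data: bytes) -> None:
        if len(data) > self.MAX_RECORD:
            raise ValueError("record exceeds toy sector size")
        self.platter[sector] = self._xor(data, self._sector_pad(sector))

    def read(self, sector: int) -> bytes:
        return self._xor(self.platter[sector], self._sector_pad(sector))

    def crypto_erase(self, new_authentication_key: bytes) -> None:
        """Sanitize by replacing the DEK and enrolling a new AK for the next owner.
        The old ciphertext stays on the platter but decrypts to noise."""
        self._dek = secrets.token_bytes(32)
        self.lock()
        self._enroll(new_authentication_key)


if __name__ == "__main__":
    drive = SelfEncryptingDriveModel(b"constructed owner AK")
    print("wrong AK accepted:", drive.unlock(b"guess"))          # False
    print("right AK accepted:", drive.unlock(b"constructed owner AK"))
    drive.write(7, b"payroll-2008-q2")
    print("on platter:", drive.platter[7].hex())                 # ciphertext
    print("read back:", drive.read(7))
    drive.crypto_erase(b"constructed next-owner AK")
    drive.unlock(b"constructed next-owner AK")
    print("after erase:", drive.read(7))                         # noise
```

Two properties worth noticing when running it: the object never exposes the DEK (only wrapped_dek, wrap_tag, ak_hash and salt are the persisted state, which is what the article says is stored on the drive), and crypto_erase does not touch the platter at all, which is why it completes instantly regardless of capacity and why the old authentication key stops working afterwards.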