Should you use self encrypting hard disk drives?

Self-encrypting hard disk drives encrypt everything you store on your desktop or laptop drive. One important reason to use encrypted drives is to ensure that sensitive data is not disclosed to third parties if your hard drive or laptop is stolen. This article looks at self-encrypting hard disk drives in more detail.

What is a Self-Encrypting Drive and Why is it Used?

Encryption has long been used to protect confidential documents and communications. Software-based encryption tools are available to either selectively encrypt certain files or encrypt whole disks. But software-based encryption tools mostly leave the decision of whether or not to encrypt to employees. So there is a chance that employees may not encrypt important information stored on their laptop disks, or may encrypt only those files which they consider important. That is a bit like leaving it to chance.

Encryption as a technology has matured, and these days it is done using 128-bit or 256-bit keys. It can be done using existing hardware and processing resources and is very difficult to break (it might take many years for attackers to recover the data by brute force). But authentication is as important as encryption: even the longest encryption key is useless if the password is ‘123’.

Self-encrypting hard drives are transparent to users. It doesn’t matter what operating system or applications are being used, as the encryption is done by specialized hardware (ASIC) modules on the disk itself. This improves encryption performance, and precious CPU cycles can be used for other processes.

Some vendors support pre-boot authentication, which lets the user enter a password to decrypt the disk contents before the boot process starts. It’s possible to integrate self-encrypting disks with the Windows single sign-on / password update policy in order to support a single password log-in and subject it to corporate policies such as mandatory password changes, once every 90 days for example.

Some vendors even offer centralized administration features such as management of users, user credentials (passwords) and access rights, resetting forgotten passwords, etc. It’s possible to integrate some self-encrypting drives with corporate directories like Active Directory. Other enterprise systems like servers and NAS/SAN storage can also use self-encrypting disks (perhaps in future, if not already). Even solid state drive (SSD) manufacturers are coming out with self-encrypting SSDs.

The main advantage of encrypting the whole disk is to keep confidential data from being exposed if a laptop or disk drive is stolen. Think about this: even if you send a laptop for service or a disk for replacement, sensitive information can be recovered from it. In auto-lock mode, disks are kept encrypted by default, so even if a colleague tries to break into your laptop to look for or steal data, they should not be able to. Besides, self-encrypting drives are easy to dispose of, since the encryption key can simply be removed from the drive to render the data on it useless.

Speaking of keys, the encryption key is stored in a secure, inaccessible area of the disk along with other manufacturer information. The credential the user enters is processed into a key that must match this stored key for authentication to succeed.
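As an added illustration of the key handling described above (not code from the article or from any drive vendor), here is a toy Python model of the scheme: a random data encryption key (DEK) that is kept only in wrapped form, a key-encryption key (KEK) derived from the user credential, pre-boot authentication as an unwrap-and-verify step, the 90-day password rotation as a re-wrap of the same DEK, and disposal as a cryptographic erase. The wrap construction (PBKDF2, XOR and HMAC) and the iteration count are assumptions for the example; real drives use their own firmware-defined scheme.

```python
import hashlib
import hmac
import secrets
from typing import Optional

KDF_ITERATIONS = 100_000  # assumed work factor; real firmware chooses its own

def _derive_kek(password: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the credential; the data key is never derived from it
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=32)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class SelfEncryptingDrive:
    """Toy model of the key hierarchy; the 'reserved area' is three fields on the object."""
    def __init__(self) -> None:
        # salt, DEK XOR KEK (a fresh KEK per wrap makes XOR a sound wrap), and an HMAC tag
        self._salt = self._wrapped_dek = self._tag = None

    def _store_wrapped(self, dek: bytes, password: str) -> None:
        self._salt = secrets.token_bytes(16)
        kek = _derive_kek(password, self._salt)
        self._wrapped_dek = _xor(dek, kek)
        self._tag = hmac.new(kek, self._wrapped_dek, hashlib.sha256).digest()

    def provision(self, password: str) -> None:
        """First use: the drive makes a random 256-bit DEK and wraps it under the user credential."""
        self._store_wrapped(secrets.token_bytes(32), password)

    def unlock(self, password: str) -> Optional[bytes]:
        """Pre-boot authentication: recompute the KEK, verify the tag, release the DEK only on a match."""
        if self._wrapped_dek is None:  # nothing to unwrap after a crypto-erase
            return None
        kek = _derive_kek(password, self._salt)
        expected = hmac.new(kek, self._wrapped_dek, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self._tag):
            return None
        return _xor(self._wrapped_dek, kek)

    def change_password(self, old: str, new: str) -> bool:
        """Password rotation re-wraps the same DEK; the encrypted platters are untouched."""
        dek = self.unlock(old)
        if dek is None:
            return False
        self._store_wrapped(dek, new)
        return True

    def crypto_erase(self) -> None:
        """Disposal: discarding the wrapped DEK leaves ciphertext that no credential can unlock."""
        self._salt = self._wrapped_dek = self._tag = None
```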

Software Encryption vs. Self-Encrypting Drives:

There are software tools, installed on top of an operating system, that either selectively or completely encrypt the disk drives. But these are operating system specific, unlike self-encrypting drives, which are operating system independent.

Software-based encryption has some advantages: it can encrypt only the important or required files and folders, encrypt email attachments, be used along with digital signatures, encrypt external hard disks and USB drives, encrypt content stored on mobile and tablet drives, etc.

Self-encrypting drives, on the other hand, use hardware-based ASIC chips to encrypt all the content stored on the disk. They don’t use the main CPU, so encryption performance is faster and better (and the encryption is usually transparent to users). The keys are stored in a secure, inaccessible location on the disk drive itself, and most of the operations that can be done with normal drives can be done with self-encrypting drives without major changes; for example, once the drives have been unlocked, RAID controllers work the same way with both.


One Comment

  • Anonymy

    I understand the basic concept of hardware vs software encryption, however, I was curious to know, more specifically, how a self-encrypting HDD might be affected if, for example, I also chose to implement FDE software such as VeraCrypt, while at the same time choosing to disable BitLocker.

    Would this, in effect, just be another example of system hardening (layering different security components together), or would it even matter in this type of scenario?

    If so, could a software FDE program like VeraCrypt possibly interfere with the encryption feature already built into an SED?

    (My guess is that since VeraCrypt has pre-boot authentication built in, it still offers an increased level of security over other standard FDE software vendors, thereby, possibly rendering the actual need of a self-encrypting hard drive unnecessary?…)

    Please note:

    I’m not opposed to properly storing and maintaining encryption keys for good software that works. My inquiry is basically just to understand the important difference between these two specific options I mentioned and what the advantages vs the disadvantages would be of using either both together or one or the other (SED/FDE vs Software/FDE).