The world's six largest computer drive makers today published the final specifications(download PDF) for a single, full-disk encryption standard that can be used across all hard disk drives, solid state drives (SSD) and encryption key management applications. Once enabled, any disk that uses the specification will be locked without a password -- and the password will be needed even before a computer boots.
The three The Trusted Computing Group (TCG) specifications cover storage devices in consumer laptops and desktop computers as well as enterprise-class drives used in servers and disk storage arrays.
"This represents interoperability commitments from every disk drive maker on the planet," said Robert Thibadeau, chief technologist at Seagate Technology and chairman of the TCG. "We're protecting data at rest. When a USB drive is unplugged, or when a laptop is powered down, or when an administrator pulls a drive from a server, it can't be brought back up and read without first giving a cryptographically-strong password. If you don't have that, it's a brick. You can't even sell it on eBay."
By using a single, full-disk encryption specification, all drive manufacturers can bake security into their products' firmware, lowering the cost of production and increasing the efficiency of the security technology.
For enterprises rolling out security across PCs, laptops and servers, standardized hardware encryption translates into minimum security configuration at installation, along with higher performance with low overhead. The specifications enable support for strong access control and, once set at the management level, the encryption cannot be turned off by end-users.
Whenever an operating system or application writes data to a self-encrypting drive, there is no bottleneck created by software, which would have to interrupt the I/O stream and convert the data "so there's no slowdown," Thibadeau said.
"Also, the encryption machinery uses no power. When it reads data from the drive, it displays it to the user in the clear. It's completely transparent to the user," he said.
The TCG includes Fujitsu, Hitachi GST, Seagate Technology, Samsung, Toshiba, Western Digital, Wave Systems, LSI Corp., ULink Technology and IBM.
"In five years time, you can imagine any drive coming off the production line will be encrypted, and there will be virtually no cost for it," said Jon Oltsik, an analyst at Enterprise Strategy Group.
Here are the three specifications:
- The Opal specification, which outlines minimum requirements for storage devices used in PCs and laptops.
- The Enterprise Security Subsystem Class Specification, which is aimed at drives in data centers and high-volume applications, where typically there is a minimum security configuration at installation.
- The Storage Interface Interactions Specification, which specifies how the TCG's existing Storage Core Specification and the other specifications interact with other standards for storage interfaces and connections. For example, the specification supports a number of transports, including ATA parallel and serial, SCSI SAS, Fibre Channel and ATAPI.
Several of the drive manufacturers, including Seagate, Fujitsu and Hitachi, already support the standard on some of their drives. Hitachi, for instance, is shipping its internal Travelstar 5K500.B laptop drives with full-disk encryption.
Several encryption management software vendors, including Wave Systems, WinMagic Inc. and CryptoMill Technologies, have also announced product certification for the standard.
Brian Berger, a marketing manager with Wave Systems and chair of the TCG marketing work group, said the specifications call for the use of Advanced Encryption Standard (AES). Vendors are free to choose either AES 128-bit or AES 256-bit keys depending on the level of security they want. Neither have been broken.
"Things like key manageability and patch management become things of the past," he said. "You don't have to worry about what version of encryption software is running or what [encryption appliance] your system's plugged into. When encrypted drives are under management, users can't turn off encryption, so there's no chance of users losing machines with valuable data on them after having turned off encryption."
The effort to create the encryption specifications, which began six years ago, focused on full-disk encryption, which protects data on a computer by encrypting all of the information on the computer's hard drive regardless of what partition it's on. In order to gain access to the information, users would first have to supply a password, which, in turn, would be used to unlock a key used to decrypt the data.
"You can use these [enabled] drives to childproof your laptop because it operates outside of Windows. Windows hasn't even booted yet. Your kid can't crack it unless [he] has the password. You can leave the laptop at home and rest assured a 14-year-old can't get on it," Thibadeau said.
IT departments will also be able to repurpose drives using the encryption standard by cryptographically erasing them with a few keystrokes. Cryptographic erasure changes the cryptographic key, thus making data permanently inaccessible.
"The specific way in which encryption is done inside the drive doesn't matter for interoperability," said Jorge Campello, senior manager of architecture and electronics at Hitachi. "What matters is how they drives are configured and how access control is configured. So any drive, in conforming to these standards, will have the same interface commands."