Secure hard disk drive encrypted


I need to find a hard disk drive that I can purchase to secure the information of my Desktop.
I read somewhere that there are hard disk drives with physical encryption.  I.E. if someone steals my Computer   (NOT a laptop), and takes it elsewhere,  the hard-disk drive will not be accessible.
I have found disks for laptops but not for Sata Drives.  Regular desktops. Any suggestions are appreciated.

I don't want a software, I would like actual physical hardware encryption.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I've got a few of these disks (Seagate Constellations) in the lab that I use for another project, and write code to slice and partition them up and enter the password and such ...

The way the HDDs work is that the programmer basically sets up the drive into partitions, and then commands get sent to the HDD to turn it on for a partition (which is 100% destructive), and then to unlock after power up so you can access it.

The stuff I do isn't for PC users, but the problem you have is that you need some software which will do this for you.  If you encrypt the entire HDD, then the O/S won't be able to boot the drive (Because it won't be able to read anything from it to find the boot partition).

So you would have to have software that boots the machine and submits the code to unlock.
I am not aware of a consumer product that does this.  I am not saying that something doesn't exist, and I hope somebody does have something that will work for your needs that doesn't cost an arm and a leg.

So just don't buy a HDD and expect you have what you need. W/o the right software (or special HDD controller with this function built in, then you won't be able to use it.

(If you are using LINUX or something similar, then it gets a lot easier, at least you can just boot the O/S onto a USB stick, and use 100% of the disk for encrypted data and put all of the apps you care about there).
There are Ironkey encrypted USB sticks, if you don't need a lot of disk space, but they are very expensive.  That tells me that a hard drive version might be very expensive as well.
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

The encrypted flash memory products won't be fast enough either (USB2.0 is unusable), and nobody makes a high density one anyway.  

W/o software, probably easier and more practical to just use software encryption with what you have.  

If you found them for a laptop then why not take that HDD out of the case and disconnect the USB dongle and mount it inside your PC?

The modern laptop drives are standard SATA connectors, and mechanically the only significant difference is that they are designed to handle a lot of Gs, run quietly, and use less power.
The drives above won't do what you want.  They're either unaccessible after the drive changes hardware (ie, will still work after your computer is stolen), or are designed to destroy data quickly by deleting a key then removing the drive for recycling/reuse/destruction.  What you need is something inline between the processor and the disk which will encrypt the data, but the key for that encryption device still has to be stored somewhere.  There's one available from the NSA ("Can I speak to someone in Sales please?").  I'm sure it's possible to get a private key stored on a USB sick for a public/private algorithm which will block access to a drive partition, but I don't know it offhand.  This would *probably* also require that your USB stick is in place for the full time that your desktop is powered on, as free access to this data would generally be required at all times that applications are using it.

Your best option here is to store the data externally from your workstation.  If this is for an enterprise, you should always be storing your secure data on a secure network share anyway.  There are plenty of options for secure storage that way.  If it's for home use, get a USB HDD stored under either under the floorboards or in the attic (whichever's closer) or get a second-hand wireless-enabled laptop that you can plug in and leave under the floorboards where you can store your data.  This is probably the better option - you can access it to perform any administrative tasks remotely, but it's a pain if it bluescreens and you need to perform a hard boot.  

I'm not sure what you have against a software solution here.  Any encryption of data which occurs between the "write()" from the application and the implementation of that instruction on the physical disk media occurs from something sitting inline between the OS and the disk.  That can either be a piece of software or a piece of hardware.  Both of these will require some sort of authentication, probably either a "user level" password (generally 8-16 char key) or a generated key (128bit or higher) in order to decrypt that data.  Though the data format written to the disk will be somewhat proprietary, the fact remains that either software or hardware will work in the same way here.  You have no reasonable way to access to the data stored on the disk without the requisite key.

If you're looking at this level of security for vital information, then you also need to make sure that you have secure offsite backups btw.
I think password-protected hard drives on laptops are what he is looking for.  The password is set on a chip in the drive electronics.
Respectfully, am I the only one here who actually has some of these drives and use the programming API?

The previous answers are just plain wrong.  

The password is NOT set in a chip on the drive electronics.  The drives are encrypted and the password isn't set ANYWHERE. The key is suppled by the user and w/o the correct key, the data is junk.  The password is good to unlock a range of blocks supplied by the programmer.  So what you can do us leave X blocks unencrypted, for the O/S, and then leave the rest encrypted.  

If the drive changes hardware, then it makes absolutely no difference. This is one of the design points.  

They do not destroy data except from the perspective that if you change the password by adding the current password and then giving it a new one (there are some specific ATA commands / CDBs to do this), then the previous data is still there, but since it was encrypted differently, you can't use it.

The proper design for implementation, at least what I am doing, is that one initiates a command to prompt for the password, and then it gets sent to the disk.  If it worked then the data is readable.   It defeats the purpose of the device to actually save the key somewhere in the computer.

Now there are password-protected disks, in fact if the disk is less then 3 years old, is SATA ATA-7 or ATA-8, then chances are good that you have such a disk.    This does NOT encrypt data. The password is used to unlock the drive.  The difference is that the data can be recovered by taking the disk to a recovery lab.  

The HDD does no decryption.  This is how those notebooks / desktop systems work that have a BIOS password, and it not an acceptable means to secure data.
Sorry, most of us only deal with drives at a user level.  I will defer to your insights on the inner workings of how the coding works.  I didn't think you could encrypt a terabyte's worth of data in any reasonable amount of time, and your explanation makes sense.

I hope we haven't made you violate an NDA - that information isn't readily available to the public.
No prob, sorry if I seemed a bit rude. was up till 4AM Last night ;)

Anyway, all this is public information, and the password-protection is official ANSI spec.  The encryption methodology has some vendor/product unique aspects, but there are proposed ANSI specs that have been published.  (But some secret sauce, as I'll say, that I didn't cover)

Another thing, the HDDs with the encryption feature have ZERO overhead.  The work is done by the electronics faster then the data can be read/written to the media.  

Pity, I have code right here that does exactly what the user wants, but it isn't productized for end-users and I am doing it for something I won't get into.  

I don't *think* there is a "retail" product that exploits this for end-users.  I know some people are working on them.  Maybe a web search will reveal it, but I can't release anything that I am privy to under NDA so won't go down that path.
dlethe, I suspect you are the only one here with knowledge of the API.  If you look at the links posted above, you'll see the kind of limited information that the sales pitch gives on this, and that infers that if you delete the password then the data becomes "hard" encrypted and unreadable.  Or there's the Toshiba one (IIRC) that locks your drive to specific hardware - I expect it's a case of generating a key based on a motherboard serial number or similar - which could be fun in the event of a replacement.  Nowhere do they mention the API used to create or access data on the disk.  

Also, the question is about making sure that the hard drive is unreadable, not specific blocks.  From what I gather from your posting, this has to be file-level encryption which is enabled via an OS driver for these disks, would that be right?  As such it would still rely on a software layer to activate the hardware encryption.
Hi Stu - my apologies to you too, as I do believe i was a bit rude, so let me start with that ...

Anyway, I've never looked at the toshiba, so can't comment on their design.

The encrypted disk standard that has emerged can encrypt 0 blocks, 1 block, the entire HDD, or multiple regions with the same or different passwords.

So if I was inclined to write the code for this situation, I would simply leave block 0-X unencrypted, and put in a bootstrap program that did nothing more then ask user what the magic word was, then jump to block X+1 and start executing the boot loader (GRUB, for example).

This would work just fine and solve the problem.  Absolutely no way to break this, no way to get the data back, even at a recovery lab, and not even Seagate has a back door. (Which would defeat the purpose).   Only way to break it would be to use a quantum computer.  So perhaps in 5 years the CIA will have something, but the rest of us will have to wait a lot longer.

The HDD is NOT aware of the concept of files.  It reads/writes blocks of data. If password has been entered, you get information that makes sense. If it hasn't, you don't.  Conversely when writing, you send it unencrypted data, and if the password has been loaded, it gets encrypted.  I don't know if it is public information on what happens when you write if the password hasn't been entered, so I won't say.

So the software layer is ONLY relied on as part of the implementation.  W/O the password, you get junk.
I just looked at the data sheets from Toshiba ....

Suffice to say the toshiba solution is absolutely consistent with what they have in the data sheet, but let's just say that if it was my data and I wanted to keep it safe, then I wouldn't use their solution.  

Darn, can't even say why, other then I am snickering at what they most likely did and that if I got into it further I would be breaking some EE rules about reverse engineering and talking about exploits ;)
RandallVillalobosAuthor Commented:
Wow, I have to say that this has been a great post!  Sorry didn't get back to all of you before.
Got stuck all night reading!   Trying to be be as good as all of you.  :-)   I will look into the options that you have suggested.

I indeed, need something simple.  I would imagine that the computer boots up (windows machine since I am working on my Linux), and in order to decrypt the information it would require a password that only I know.

Then voila .... nobody can access my files.  ( At least any regular user ).
It's been a good learning experience for all I expect :)  If this is Windows, you can encrypt directories and will require a password for accessing them from XP onwards.  Right click the directory, properties, advanced, encrypt contents.
Then just use Stu's advice, nice and easy and free.  Just don't forget the password, and be wary of any constraints when it comes to backup software, RAID, data recovery, and multi-booting.
Take a look at Addonics CipherChain,

About as simple as it gets.  Full hardware encryption by using a stand alone unit between the SATA controller and the hard drive.  So you can use it with any drive you want.  No software is involved and it works with any OS.

It uses a USB style encoded key,  without the key the drive is not usable.  You get 2 keys and they do not track the codes,  so if you lose both keys you will be totally locked out.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Cool.  This is simple and elegant.  Just don't use it in any environment where you need performance or would ever need to do any data recovery.  I see a few red flags that are inherent in the architecture.   Biggest thing is bottleneck.  You won't see anything measurable unless you are using SSDs
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.