Solved

Secure hard disk drive encrypted

Posted on 2012-03-13
17
900 Views
Last Modified: 2012-08-14
Experts,

I need to find a hard disk drive that I can purchase to secure the information of my Desktop.
I read somewhere that there are hard disk drives with physical encryption, i.e. if someone steals my computer (NOT a laptop) and takes it elsewhere, the hard disk drive will not be accessible.
I have found disks for laptops but not SATA drives for regular desktops. Any suggestions are appreciated.

I don't want software; I would like actual physical hardware encryption.

Thanks,
R
Question by:RandallVillalobos
17 Comments
 
LVL 7

Assisted Solution

by:micropc1
micropc1 earned 200 total points
ID: 37718029
0
 
LVL 47

Assisted Solution

by:dlethe
dlethe earned 100 total points
ID: 37718168
I've got a few of these disks (Seagate Constellations) in the lab that I use for another project, and write code to slice and partition them up and enter the password and such ...

The way the HDDs work is that the programmer basically sets up the drive into partitions, and then commands get sent to the HDD to turn it on for a partition (which is 100% destructive), and then to unlock after power up so you can access it.

The stuff I do isn't for PC users, but the problem you have is that you need some software which will do this for you.  If you encrypt the entire HDD, then the O/S won't be able to boot the drive (Because it won't be able to read anything from it to find the boot partition).

So you would have to have software that boots the machine and submits the code to unlock.
I am not aware of a consumer product that does this.  I am not saying that something doesn't exist, and I hope somebody does have something that will work for your needs that doesn't cost an arm and a leg.

So just don't buy a HDD and expect you have what you need. W/o the right software (or special HDD controller with this function built in), you won't be able to use it.

(If you are using LINUX or something similar, then it gets a lot easier, at least you can just boot the O/S onto a USB stick, and use 100% of the disk for encrypted data and put all of the apps you care about there).
0
 
LVL 69

Expert Comment

by:Callandor
ID: 37718175
There are Ironkey encrypted USB sticks, if you don't need a lot of disk space, but they are very expensive.  That tells me that a hard drive version might be very expensive as well.
0
 
LVL 47

Expert Comment

by:dlethe
ID: 37718201
The encrypted flash memory products won't be fast enough either (USB2.0 is unusable), and nobody makes a high density one anyway.  

W/o software, probably easier and more practical to just use software encryption with what you have.  

If you found them for a laptop then why not take that HDD out of the case and disconnect the USB dongle and mount it inside your PC?

The modern laptop drives are standard SATA connectors, and mechanically the only significant difference is that they are designed to handle a lot of Gs, run quietly, and use less power.
0
 
LVL 3

Assisted Solution

by:StuWhitby
StuWhitby earned 100 total points
ID: 37719453
The drives above won't do what you want.  They're either inaccessible after the drive changes hardware (i.e., will still work after your computer is stolen), or are designed to destroy data quickly by deleting a key then removing the drive for recycling/reuse/destruction.  What you need is something inline between the processor and the disk which will encrypt the data, but the key for that encryption device still has to be stored somewhere.  There's one available from the NSA ("Can I speak to someone in Sales please?").  I'm sure it's possible to get a private key stored on a USB stick for a public/private algorithm which will block access to a drive partition, but I don't know it offhand.  This would *probably* also require that your USB stick is in place for the full time that your desktop is powered on, as free access to this data would generally be required at all times that applications are using it.

Your best option here is to store the data externally from your workstation.  If this is for an enterprise, you should always be storing your secure data on a secure network share anyway.  There are plenty of options for secure storage that way.  If it's for home use, get a USB HDD stored either under the floorboards or in the attic (whichever's closer) or get a second-hand wireless-enabled laptop that you can plug in and leave under the floorboards where you can store your data.  This is probably the better option - you can access it to perform any administrative tasks remotely, but it's a pain if it bluescreens and you need to perform a hard boot.  

I'm not sure what you have against a software solution here.  Any encryption of data which occurs between the "write()" from the application and the implementation of that instruction on the physical disk media occurs from something sitting inline between the OS and the disk.  That can either be a piece of software or a piece of hardware.  Both of these will require some sort of authentication, probably either a "user level" password (generally 8-16 char key) or a generated key (128bit or higher) in order to decrypt that data.  Though the data format written to the disk will be somewhat proprietary, the fact remains that either software or hardware will work in the same way here.  You have no reasonable way to access the data stored on the disk without the requisite key.

If you're looking at this level of security for vital information, then you also need to make sure that you have secure offsite backups btw.
0
 
LVL 69

Expert Comment

by:Callandor
ID: 37719690
I think password-protected hard drives on laptops are what he is looking for.  The password is set on a chip in the drive electronics.
0
 
LVL 47

Expert Comment

by:dlethe
ID: 37720092
Respectfully, am I the only one here who actually has some of these drives and uses the programming API?

The previous answers are just plain wrong.  

The password is NOT set in a chip on the drive electronics.  The drives are encrypted and the password isn't set ANYWHERE. The key is supplied by the user and w/o the correct key, the data is junk.  The password is good to unlock a range of blocks supplied by the programmer.  So what you can do is leave X blocks unencrypted, for the O/S, and then leave the rest encrypted.  

If the drive changes hardware, then it makes absolutely no difference. This is one of the design points.  

They do not destroy data except from the perspective that if you change the password by adding the current password and then giving it a new one (there are some specific ATA commands / CDBs to do this), then the previous data is still there, but since it was encrypted differently, you can't use it.

The proper design for implementation, at least what I am doing, is that one initiates a command to prompt for the password, and then it gets sent to the disk.  If it worked then the data is readable.   It defeats the purpose of the device to actually save the key somewhere in the computer.

==
Now there are password-protected disks, in fact if the disk is less than 3 years old, is SATA ATA-7 or ATA-8, then chances are good that you have such a disk.    This does NOT encrypt data. The password is used to unlock the drive.  The difference is that the data can be recovered by taking the disk to a recovery lab.  

The HDD does no decryption.  This is how those notebooks / desktop systems work that have a BIOS password, and it is not an acceptable means to secure data.
0
 
LVL 69

Expert Comment

by:Callandor
ID: 37720138
Sorry, most of us only deal with drives at a user level.  I will defer to your insights on the inner workings of how the coding works.  I didn't think you could encrypt a terabyte's worth of data in any reasonable amount of time, and your explanation makes sense.

I hope we haven't made you violate an NDA - that information isn't readily available to the public.
0
 
LVL 47

Expert Comment

by:dlethe
ID: 37720211
No prob, sorry if I seemed a bit rude. Was up till 4AM last night ;)

Anyway, all this is public information, and the password-protection is official ANSI spec.  The encryption methodology has some vendor/product unique aspects, but there are proposed ANSI specs that have been published.  (But some secret sauce, as I'll say, that I didn't cover)

Another thing, the HDDs with the encryption feature have ZERO overhead.  The work is done by the electronics faster than the data can be read/written to the media.  

Pity, I have code right here that does exactly what the user wants, but it isn't productized for end-users and I am doing it for something I won't get into.  

I don't *think* there is a "retail" product that exploits this for end-users.  I know some people are working on them.  Maybe a web search will reveal it, but I can't release anything that I am privy to under NDA so won't go down that path.
0
 
LVL 3

Expert Comment

by:StuWhitby
ID: 37720270
dlethe, I suspect you are the only one here with knowledge of the API.  If you look at the links posted above, you'll see the kind of limited information that the sales pitch gives on this, and that infers that if you delete the password then the data becomes "hard" encrypted and unreadable.  Or there's the Toshiba one (IIRC) that locks your drive to specific hardware - I expect it's a case of generating a key based on a motherboard serial number or similar - which could be fun in the event of a replacement.  Nowhere do they mention the API used to create or access data on the disk.  

Also, the question is about making sure that the hard drive is unreadable, not specific blocks.  From what I gather from your posting, this has to be file-level encryption which is enabled via an OS driver for these disks, would that be right?  As such it would still rely on a software layer to activate the hardware encryption.
0
 
LVL 47

Expert Comment

by:dlethe
ID: 37720383
Hi Stu - my apologies to you too, as I do believe I was a bit rude, so let me start with that ...

Anyway, I've never looked at the Toshiba, so can't comment on their design.

The encrypted disk standard that has emerged can encrypt 0 blocks, 1 block, the entire HDD, or multiple regions with the same or different passwords.

So if I was inclined to write the code for this situation, I would simply leave block 0-X unencrypted, and put in a bootstrap program that did nothing more than ask user what the magic word was, then jump to block X+1 and start executing the boot loader (GRUB, for example).

This would work just fine and solve the problem.  Absolutely no way to break this, no way to get the data back, even at a recovery lab, and not even Seagate has a back door. (Which would defeat the purpose).   Only way to break it would be to use a quantum computer.  So perhaps in 5 years the CIA will have something, but the rest of us will have to wait a lot longer.

The HDD is NOT aware of the concept of files.  It reads/writes blocks of data. If password has been entered, you get information that makes sense. If it hasn't, you don't.  Conversely when writing, you send it unencrypted data, and if the password has been loaded, it gets encrypted.  I don't know if it is public information on what happens when you write if the password hasn't been entered, so I won't say.

So the software layer is ONLY relied on as part of the implementation.  W/O the password, you get junk.
0
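The layout dlethe describes above (blocks 0-X left in the clear for a bootstrap, everything after that readable only once the password has been sent to the drive) can be modeled as follows. This is an added illustration, not code from the thread or from any drive vendor: `ModelDrive`, its methods and the SHAKE-256 keystream standing in for the drive's hardware cipher are assumptions, as is the choice to refuse writes to a locked range.

```python
import hashlib

BLOCK = 512  # bytes per logical block in this model

def _keystream(key: bytes, lba: int) -> bytes:
    # Stand-in for the drive's hardware cipher (NOT a real disk cipher):
    # SHAKE-256 over the range key, tweaked by the block address.
    return hashlib.shake_256(key + lba.to_bytes(8, "big")).digest(BLOCK)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ModelDrive:
    """Toy model: encrypted LBA ranges, each unlocked by its own password."""
    def __init__(self, blocks: int):
        self.media = [bytes(BLOCK)] * blocks   # what is physically stored
        self.ranges = []                       # [start, end, salt, key or None]

    def add_range(self, start: int, end: int, salt: bytes) -> None:
        self.ranges.append([start, end, salt, None])  # locked until unlock()

    def _range_for(self, lba: int):
        return next((r for r in self.ranges if r[0] <= lba <= r[1]), None)

    def unlock(self, lba: int, password: str) -> None:
        # The key exists only while powered and nothing is stored to check
        # it against, so a wrong password simply produces a wrong key.
        r = self._range_for(lba)
        r[3] = hashlib.pbkdf2_hmac("sha256", password.encode(), r[2], 100_000)

    def power_cycle(self) -> None:
        for r in self.ranges:
            r[3] = None

    def write(self, lba: int, data: bytes) -> None:
        r = self._range_for(lba)
        data = data.ljust(BLOCK, b"\0")
        if r is None:
            self.media[lba] = data                 # outside any range: plaintext
        elif r[3] is None:
            raise PermissionError("range locked")  # assumption of this model
        else:
            self.media[lba] = _xor(data, _keystream(r[3], lba))

    def read(self, lba: int) -> bytes:
        r = self._range_for(lba)
        if r is None or r[3] is None:
            return self.media[lba]             # clear area, or raw junk
        return _xor(self.media[lba], _keystream(r[3], lba))
```

With a range covering blocks 4 and up, a bootstrap written to block 0 stays readable after `power_cycle()`, while block 4 reads back as junk until `unlock(4, ...)` is called again with the original password.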
 
LVL 47

Expert Comment

by:dlethe
ID: 37720487
I just looked at the data sheets from Toshiba ....

Suffice to say the Toshiba solution is absolutely consistent with what they have in the data sheet, but let's just say that if it was my data and I wanted to keep it safe, then I wouldn't use their solution.  

Darn, can't even say why, other than I am snickering at what they most likely did and that if I got into it further I would be breaking some EE rules about reverse engineering and talking about exploits ;)
0
 

Author Comment

by:RandallVillalobos
ID: 37720956
Wow, I have to say that this has been a great post!  Sorry didn't get back to all of you before.
Got stuck all night reading!   Trying to be as good as all of you.  :-)   I will look into the options that you have suggested.

I indeed, need something simple.  I would imagine that the computer boots up (Windows machine since I am working on my Linux), and in order to decrypt the information it would require a password that only I know.

Then voila .... nobody can access my files.  ( At least any regular user ).
0
 
LVL 3

Expert Comment

by:StuWhitby
ID: 37720984
It's been a good learning experience for all I expect :)  If this is Windows, you can encrypt directories and will require a password for accessing them from XP onwards.  Right click the directory, properties, advanced, encrypt contents.
0
 
LVL 47

Expert Comment

by:dlethe
ID: 37721535
Then just use Stu's advice, nice and easy and free.  Just don't forget the password, and be wary of any constraints when it comes to backup software, RAID, data recovery, and multi-booting.
0
 
LVL 25

Accepted Solution

by:kode99
kode99 earned 100 total points
ID: 37722101
Take a look at Addonics CipherChain,

http://www.addonics.com/category/cipherchain.php

About as simple as it gets.  Full hardware encryption by using a stand alone unit between the SATA controller and the hard drive.  So you can use it with any drive you want.  No software is involved and it works with any OS.

It uses a USB style encoded key,  without the key the drive is not usable.  You get 2 keys and they do not track the codes,  so if you lose both keys you will be totally locked out.
0
 
LVL 47

Expert Comment

by:dlethe
ID: 37722153
Cool.  This is simple and elegant.  Just don't use it in any environment where you need performance or would ever need to do any data recovery.  I see a few red flags that are inherent in the architecture.   Biggest thing is bottleneck.  You won't see anything measurable unless you are using SSDs.
0
