Seagate Self Encrypting Drive in PC with TCG compliant hardware

Posted on 2013-12-06
Last Modified: 2013-12-09
I have fairly new HP PCs (HP Small Form Factor 8100s) that work fine with BitLocker.
But to speed things up, I would like to use a self encrypting SATA hard drive, like the Seagate ST500NM0031.

The specs say it requires a TCG-compliant host. If my computer can do full BitLocker with its v1.2 TPM, does that mean it will support a SATA SED?

I can't find anything in HP specs that addresses this.

If not, does anyone know of a PC hard drive controller that will support these SATA SED drives? I've searched and can't find one.
Question by:dakota5
LVL 38

Expert Comment

by:Rich Rumble
ID: 39702956
That's two different encryption schemes, one the HDD provides and the other the Windows OS provides. Neither protects the files when the OS is running. When the OS is running, the files look like files; a Trojan or attacker can get your data when the OS is up and running.
Understand that drive encryption only protects from physical theft when the OS is off. Using 2 HDD encryption schemes does nothing for your security ultimately; you only need one, if any.
BitLocker can work on non-TCG (not tgg) hosts, but a TCG compliant host has the TPM chip. BL can work on either; the Seagate drive might not, however. Check your BIOS for the TPM chip presence.
LVL 63

Assisted Solution

btan earned 250 total points
ID: 39702985
BitLocker is just s/w encryption while SED is h/w encryption; rightfully they work independently. By default, BitLocker sees any drive as nothing other than a normal drive. Not all OSes recognise an SED as an OPAL compliant drive. See below:

I did get an answer from a technical lead at Seagate in the end that confirmed that the Constellation ES.2 and ES.3 drives will not be able to be used as hardware encryption with BitLocker on Windows Server 2012/8; they will just show as normal hard disks as you're seeing, and then you can use BitLocker software encryption.

The reason they don't work is because Windows Server 2012/8 requires an OPAL 2 compliant drive and the Seagate Constellation ES.2 and ES.3 drives are not OPAL 2 compliant drives. This is common across all vendors at the moment, I was told, so until someone releases an OPAL 2 compliant drive you will only be able to use BitLocker software encryption.

Coming back to the host requirement to support SED, see the FAQ on SED on the TCG page:

Q: Are there laptop compatibility issues to support this? It seems like no, due to the MBR/boot code.

A: Most ISV MBR/boot code is O/S independent and works with most modern PCs. The SED architecture has a significant advantage over the integration method used by many software encryption products. The latter often modify the MBR to insert the encryption function. However, other management middleware also modify the MBR, and in some cases this has caused serious conflicts. The SED and associated ISV management software does not have this issue as the MBR is not involved in the startup unlocking process. The unmodified MBR is loaded after authentication, so any other application that modifies the MBR can easily work with SEDs.

Q: My SED is incorporated in a laptop that includes a system TPM. How does the SED interact with the system Trusted Computing software and hardware?

A: The TPM and the SED are not required to interact. However, depending on the software authentication, secrets held within the TPM could be used to authenticate or to help authenticate to the SED. Note that there is also a disadvantage to using a TPM to participate in SED authentication. Should the laptop fail and the user want to move the SED to a new model, the management software would have to support moving it from one TPM to another. Otherwise the SED could not be unlocked, as it is in part controlled by the TPM in the dead system.

Products that support the TCG Opal SSC (Security Subsystem Class) used primarily in client (notebook and desktop) applications
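
A quick way to see which of the two paths described above a given host actually took: an added PowerShell check (not code from the thread or from Seagate) that reports the TPM's presence and spec version and, per volume, whether BitLocker ended up using the drive's own hardware encryption or fell back to software AES. It assumes Windows 8 / Server 2012 or later (for Get-BitLockerVolume) and an elevated prompt.

```powershell
# Added example: report TPM state and the BitLocker encryption path per volume.
# Assumes Windows 8 / Server 2012+ and an elevated (administrator) PowerShell.

function Get-TpmSummary {
    # Win32_Tpm lives in the microsofttpm security namespace; if the class is
    # missing there is no TPM chip or no TPM driver loaded.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{ Present = $false; SpecVersion = $null
                                  Enabled = $false; Activated = $false; Owned = $false }
    }
    [pscustomobject]@{
        Present     = $true
        # SpecVersion is a string such as "1.2, 2, 3" (spec, revision, errata);
        # only the first field is the TPM specification version.
        SpecVersion = ($tpm.SpecVersion -split ',')[0].Trim()
        Enabled     = [bool]$tpm.IsEnabled().IsEnabled
        Activated   = [bool]$tpm.IsActivated().IsActivated
        Owned       = [bool]$tpm.IsOwned().IsOwned
    }
}

function Get-BitLockerEncryptionPath {
    # EncryptionMethod 'Hardware' means BitLocker handed the work to an
    # OPAL 2 capable SED; any other method is BitLocker's own software AES,
    # which is what a non-OPAL-2 drive (e.g. the Constellation ES.2/ES.3
    # mentioned above) silently falls back to.
    Get-BitLockerVolume | ForEach-Object {
        $path = if ($_.VolumeStatus -eq 'FullyDecrypted') { 'not encrypted' }
                elseif ("$($_.EncryptionMethod)" -eq 'Hardware') { 'drive hardware (SED)' }
                else { 'software (BitLocker AES)' }
        [pscustomobject]@{
            MountPoint = $_.MountPoint
            Status     = $_.VolumeStatus
            Method     = $_.EncryptionMethod
            Path       = $path
        }
    }
}

$tpmInfo = Get-TpmSummary
"TPM present: $($tpmInfo.Present)  spec: $($tpmInfo.SpecVersion)  enabled: $($tpmInfo.Enabled)  activated: $($tpmInfo.Activated)  owned: $($tpmInfo.Owned)"
Get-BitLockerEncryptionPath | Format-Table -AutoSize
```

A TPM reporting spec 1.2 with a volume whose Path column reads "software (BitLocker AES)" is exactly the situation the Seagate answer above describes: the TPM is fine, but the drive is not OPAL 2, so BitLocker treats it as a normal disk.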

Author Comment

ID: 39706022
Thank you both for the detailed explanation. I am primarily interested in security of the drive in case of theft, thus SED is my choice.

There are very few SATA SED drives available; the Seagate ST500NM0031 (and other sizes of the same drive) is the only one I've seen. SecureDoc by WinMagic seems to be the only software that can be licensed in small numbers; other solutions are enterprise.

The references are good explanations, but don't provide details for practical, simple solutions.

I have a TPM chip. Does anyone know of SED software for PCs that utilizes the TPM chip?
That would be ideal.

Because there are so many SAS SED drives available, that seems a better solution.
I'll post another question about SAS adapters for PCs.

If either of you can provide information on the new post, that would be appreciated.

LVL 38

Accepted Solution

Rich Rumble earned 250 total points
ID: 39706082
FDEs like those I mentioned in my article:
Some FDE is done at the hardware level, like Seagate's Momentus drives, Hitachi's BDE and Toshiba's SED HDDs. These types of drives do all the encryption and decryption on the HDD's own electronics, then send the data to the rest of the computer's hardware as normal unencrypted data.

Those don't utilize the TPM chip, and there is no need to on hardware encrypted drives like those. Some of the drives only come in laptop sizes, but all are SATA, and depending on your server, it may actually take the 2.5" drives as opposed to the 3.5".

As far as software products, you're mistaken, there are sooooo many products... but hardly any utilize the TPM chip, and they don't need to really. TPM isn't going to help in a physical theft situation where they steal the whole server; it'd only help if they took just the HDD. Theft of computers happens more than the removal of the HDDs; you should have the server screwed or physically connected to something that isn't easy to steal or wheel away on a dolly :)

Here is a list of software from Wikipedia, and you can sort them based on their use of TPM if you like (click the TPM column):

Don't put so much faith in TPM, it has various weak spots, simply search for defcon +tpm.
LVL 63

Expert Comment

ID: 39706395
Indeed SED does not use TPM, and they are independent as stated in the FAQ from TCG. I propose you see them as layers of defence, and minimally SED must work first as it claims. The key is held within itself, so in a way it mitigates cold boot types of attack. TPM is more for attestation, key storage assurance and machine state integrity. Operationally it can be tedious migrating to a new machine, as the TPM key does not leave, and the encrypted HDD needs to have its data backed up or decrypted in order to reuse the HDD in the new machine, with or without TPM.

Overall it is not a panacea, and do consider file level encryption like EFS or similar...

Author Closing Comment

ID: 39706404
thank you for the excellent feedback
