• Status: Solved

Seagate Self-Encrypting Drive in PC with TCG-compliant hardware

I have fairly new HP PCs (HP 8100 Small Form Factor) that work fine with BitLocker.
But to speed things up, I would like to use a self-encrypting SATA hard drive, like the Seagate ST500NM0031.

The specs say it requires a TCG-compliant host. If my computer can do full BitLocker with its v1.2 TPM, does that mean it will support a SATA SED?

I can't find anything in the HP specs that addresses this.

If not, does anyone know of a PC hard drive controller that will support these SATA SED drives? I've searched and can't find one.
2 Solutions
Rich Rumble (Security Samurai) commented:
Those are two different encryption schemes: one the HDD provides and the other the Windows OS provides. Neither protects the files while the OS is running. When the OS is running, the files look like files; a Trojan or attacker can get your data when the OS is up and running.
Understand that drive encryption only protects against physical theft when the OS is off. Using two HDD encryption schemes ultimately does nothing for your security; you only need one, if any.
BitLocker can work on non-TCG (not tgg) hosts, but a TCG-compliant host has the TPM chip. BL can work on either; the Seagate drive might not, however. Check your BIOS for the TPM chip's presence.
btan (Exec Consultant) commented:
BitLocker is just s/w encryption while SED is h/w encryption; rightfully, they work independently. By default, BitLocker sees any such drive as nothing other than a normal drive. Not all OSes recognise an SED as an OPAL-compliant drive. See below:


I did get an answer from a technical lead at Seagate in the end that confirmed that the Constellation ES.2 and ES.3 drives will not be able to be used for hardware encryption with BitLocker on Windows Server 2012/8. They will just show as normal hard disks, as you're seeing, and then you can use BitLocker software encryption.

The reason they don't work is because Windows Server 2012/8 requires an OPAL 2 compliant drive and the Seagate Constellation ES.2 and ES.3 drives are not OPAL 2 compliant drives. This is common across all vendors at the moment, I was told, so until someone releases an OPAL 2 compliant drive you will only be able to use BitLocker software encryption.

Coming back to the host requirement to support SED, see the FAQ on SED on the TCG page:

Are there laptop compatibility issues to support this? It seems like no, due to the MBR/boot code.

A: Most ISV MBR/boot code is O/S independent and works with most modern PCs. The SED architecture has a significant advantage over the integration method used by many software encryption products. The latter often modify the MBR to insert the encryption function. However, other management middleware also modify the MBR, and in some cases this has caused serious conflicts. The SED and associated ISV management software does not have this issue as the MBR is not involved in the startup unlocking process. The unmodified MBR is loaded after authentication, so any other application that modifies the MBR can easily work with SEDs.

My SED is incorporated in a laptop that includes a system TPM. How does the SED interact with the system Trusted Computing software and hardware?

A: The TPM and the SED are not required to interact. However, depending on the software authentication, secrets held within the TPM could be used to authenticate or to help authenticate to the SED. Note that there is also a disadvantage to using a TPM to participate in SED authentication. Should the laptop fail and the user want to move the SED to a new model, the management software would have to support moving it from one TPM to another. Otherwise the SED could not be unlocked, as it is in part controlled by the TPM in the dead system.

Products that support the TCG Opal SSC (Security Subsystem Class) used primarily in client (notebook and desktop) applications
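Both answers above come down to two questions an administrator can check from the OS rather than the BIOS: is a TPM present (and which spec version), and is BitLocker actually doing hardware encryption on a given volume or silently falling back to software because the drive is not recognised as an OPAL 2 / eDrive device. The following PowerShell is an added example written for this page; it is not code from the thread, Seagate, Microsoft or the TCG. It assumes Windows 8 / Server 2012 or later with the BitLocker and TrustedPlatformModule modules, an elevated session, and that the FVE policy value names (OSHardwareEncryption, FDVHardwareEncryption, RDVHardwareEncryption) match your build; on Windows 7 (where Get-BitLockerVolume does not exist) the equivalent check is `manage-bde -status`, whose "Encryption Method" line reads "Hardware Encryption" only when the SED is in use.

```powershell
# Added example (not from the original thread). Requires Windows 8 / Server 2012 or later,
# an elevated PowerShell session, and the TrustedPlatformModule + BitLocker modules.

function Get-TpmSummary {
    # Win32_Tpm carries the spec version string ("1.2, 2, 3" or "2.0, 0, 1.16");
    # Get-Tpm carries presence/readiness. No WMI instance means no TPM visible to the OS.
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $wmi) {
        return [pscustomobject]@{ Present = $false; SpecVersion = $null; Ready = $false }
    }
    $tpm = Get-Tpm
    [pscustomobject]@{
        Present     = [bool]$tpm.TpmPresent
        SpecVersion = ($wmi.SpecVersion -split ',')[0].Trim()   # "1.2" or "2.0"
        Ready       = [bool]$tpm.TpmReady
    }
}

function Get-BitLockerEncryptionMode {
    # EncryptionMethod 'Hardware' means BitLocker handed the work to an eDrive / OPAL 2 SED.
    # Aes128/Aes256/XtsAes* mean software encryption: the SED is being treated as a plain disk,
    # which is exactly the symptom the Seagate answer above describes.
    Get-BitLockerVolume | ForEach-Object {
        $mode = if ($_.EncryptionMethod -eq 'Hardware') { 'hardware (SED)' }
                elseif ($_.EncryptionMethod -eq 'None') { 'not encrypted' }
                else { 'software' }
        [pscustomobject]@{
            MountPoint = $_.MountPoint
            Status     = $_.VolumeStatus
            Method     = $_.EncryptionMethod
            Mode       = $mode
            Protectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        }
    }
}

function Get-HardwareEncryptionPolicy {
    # The "Configure use of hardware-based encryption for ... drives" Group Policy settings
    # land under this key (value names assumed; verify against your build). A missing value
    # means "not configured", and the resulting default differs between Windows builds.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    foreach ($name in 'OSHardwareEncryption', 'FDVHardwareEncryption', 'RDVHardwareEncryption') {
        $v = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        $setting = if ($null -eq $v) { 'not configured' }
                   elseif ($v -eq 0)  { 'disabled (software encryption only)' }
                   elseif ($v -eq 1)  { 'enabled (hardware encryption allowed)' }
                   else               { "unknown ($v)" }
        [pscustomobject]@{ Policy = $name; Setting = $setting }
    }
}

Get-TpmSummary | Format-List
Get-BitLockerEncryptionMode | Format-Table -AutoSize
Get-HardwareEncryptionPolicy | Format-Table -AutoSize
```

If every volume reports Mode = software on a machine with a Constellation ES.2/ES.3 installed, that is the behaviour described above (drive not OPAL 2 compliant, so BitLocker ignores its encryption engine), not a misconfiguration you can fix with policy; the policy check only tells you whether hardware encryption would have been permitted had the drive qualified.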
dakota5 (Author) commented:
Thank you both for the detailed explanation. I am primarily interested in security of the drive in case of theft, thus SED is my choice.

There are very few SATA SED drives available; the Seagate ST500NM0031 (and other sizes of the same drive) is the only one I've seen. SecureDoc by WinMagic seems to be the only software that can be licensed in small numbers; other solutions are enterprise.

The references are good explanations, but don't provide details for practical, simple solutions.

I have a TPM chip. Does anyone know of SED software for PCs that utilizes the TPM chip?
That would be ideal.

Because there are so many SAS SED drives available, that seems a better solution.
I'll post another question about SAS adapters for PCs.

If either of you can provide information on the new post, that would be appreciated.

Rich Rumble (Security Samurai) commented:
FDEs like those I mentioned in my article:
Some FDE is done at the hardware level, like Seagate's Momentus drives, Hitachi's BDE and Toshiba's SED HDDs. These types of drives do all the encryption and decryption on the HDD's own electronics, then send the data to the rest of the computer's hardware as normal unencrypted data.

Those don't utilize the TPM chip, and there is no need to on hardware encrypted drives like those. Some of the drives only come in laptop sizes, but all are SATA, and depending on your server, it may actually take the 2.5" drives as opposed to the 3.5".

As far as software products, you're mistaken, there are sooooo many products... but hardly any utilize the TPM chip, and they don't need to really. TPM isn't going to help in a physical theft situation, where they steal the whole server, it'd only help if they took just the HDD. Theft of computers happens more than the removal of the HDD's, you should have the server screwed or physically connected to something that isn't easy to steal or wheel away on a dolly :)

Here is a list of software from wikipedia, and you can sort them based on their use of TPM if you like: http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software#Features (click the TPM column)

Don't put so much faith in TPM, it has various weak spots, simply search for defcon +tpm.
btan (Exec Consultant) commented:
Indeed, SED does not use the TPM and they are independent, as stated in the FAQ from TCG. I proposed you see them as layers of defence, and minimally SED must work first as it claims. The key is held within the drive itself, so in a way it mitigates cold-boot type attacks. TPM is more for attestation, key storage assurance and machine state integrity. Operationally it can be tedious migrating to a new machine, as the TPM key does not leave the machine, and the encrypted HDD needs to have its data backed up or be decrypted in order to reuse the HDD in a new machine, with or without a TPM.

Overall it is not a panacea; do consider file-level encryption like EFS or similar...
dakota5 (Author) commented:
Thank you for the excellent feedback.
Question has a verified solution.