Solved

Seagate Self Encrypting Drive in PC with TCG-compliant hardware

Posted on 2013-12-06
Last Modified: 2013-12-09
I have fairly new HP PCs (HP Small Form Factor 8100's) that work fine with BitLocker.
But to speed things up, I would like to use a self-encrypting SATA hard drive, like the Seagate ST500NM0031.

The specs say it requires a TCG-compliant host.  If my computer can do full BitLocker with its v1.2 TPM, does that mean it will support a SATA SED?

I can't find anything in HP specs that address this.

If not, does anyone know of a PC hard drive controller that will support these SATA SED drives?  I've searched and can't find one.
Question by:dakota5
6 Comments
 

Expert Comment

by:Rich Rumble
ID: 39702956
Those are two different encryption schemes, one the HDD provides and the other the Windows OS provides. Neither protects the files when the OS is running. When the OS is running, the files look like files; a Trojan or attacker can get your data when the OS is up and running.
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
Understand that drive encryption only protects from physical theft when the OS is off. Using 2 HDD encryption schemes does nothing for your security ultimately; you only need one, if any.
BitLocker can work on non-TCG (not tgg) hosts, but a TCG-compliant host has the TPM chip. BL can work on either; the Seagate drive might not, however. Check your BIOS for the TPM chip presence.
-rich
 

Assisted Solution

by:btan
btan earned 250 total points
ID: 39702985
BitLocker is just s/w encryption while SED is h/w encryption; rightfully they work independently. By default, BitLocker sees any drive as nothing other than a normal drive. Not all OSes recognise an SED as an OPAL-compliant drive. See the below:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/c49b6e3e-a965-4b1b-bcf4-4e954ca78015/bitlocker-with-self-encrypting-drives?forum=winserverfiles

I did get an answer from a technical lead at Seagate in the end that confirmed that the Constellation ES.2 and ES.3 drives will not be able to be used as hardware encryption with BitLocker on Windows Server 2012/8; they will just show as normal hard disks, as you're seeing, and then you can use BitLocker software encryption.

The reason they don't work is because Windows Server 2012/8 requires an OPAL 2 compliant drive and the Seagate Constellation ES.2 and ES.3 drives are not OPAL 2 compliant drives. This is common across all vendors at the moment, I was told, so until someone releases an OPAL 2 compliant drive you will only be able to use BitLocker software encryption.

Coming back on the host requirement to support SED, see FAQ on SED in TCG page
https://www.trustedcomputinggroup.org/resources/commonly_asked_questions_and_answers_on_selfencrypting_drives

Are there laptop compatibility issues to support this? It seems like no, due to the MBR/boot code.

A: Most ISV MBR/boot code is O/S independent and works with most modern PCs. The SED architecture has a significant advantage over the integration method used by many software encryption products. The latter often modify the MBR to insert the encryption function. However, other management middleware also modify the MBR, and in some cases this has caused serious conflicts. The SED and associated ISV management software does not have this issue as the MBR is not involved in the startup unlocking process. The unmodified MBR is loaded after authentication, so any other application that modifies the MBR can easily work with SEDs.

My SED is incorporated in a laptop that includes a system TPM. How does the SED interact with the system Trusted Computing software and hardware?

A: The TPM and the SED are not required to interact. However, depending on the software authentication, secrets held within the TPM could be used to authenticate or to help authenticate to the SED. Note that there is also a disadvantage to using a TPM to participate in SED authentication. Should the laptop fail and the user want to move the SED to a new model, the management software would have to support moving it from one TPM to another. Otherwise the SED could not be unlocked, as it is in part controlled by the TPM in the dead system.

Products that support the TCG Opal SSC (Security Subsystem Class) used primarily in client (notebook and desktop) applications
http://www.trustedcomputinggroup.org/community/2010/03/selfencrypting_drives_take_off_for_strong_data_protection
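A practical check for the two points raised above (does the host actually expose a TPM, and is BitLocker using the drive's own hardware encryption or has it fallen back to software AES because the drive is not accepted as OPAL 2 compliant). This is an added example, not code from the thread, from Microsoft or from Seagate. It assumes Windows 8 / Server 2012 or later, an elevated Windows PowerShell prompt, the built-in manage-bde.exe with English output (the parser keys on the "Encryption Method:" label), and the Win32_Tpm WMI class, which is also what lets it run on Windows 7 hosts that lack the Get-Tpm cmdlet. The function and property names are my own.

```powershell
# Added example (not from the thread or any vendor). Reports TPM presence/spec
# version and whether BitLocker on a volume runs in hardware (OPAL 2 / eDrive)
# or software mode. Assumes Win8/2012+, elevated prompt, English manage-bde.

function Get-TpmSummary {
    # Win32_Tpm lives in its own namespace and is absent when there is no TPM
    # or the TPM is hidden/disabled in firmware, hence -ErrorAction SilentlyContinue.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\security\microsofttpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{
            Present = $false; SpecVersion = $null; Enabled = $false; Activated = $false
        }
    }
    [pscustomobject]@{
        Present     = $true
        SpecVersion = $tpm.SpecVersion                     # e.g. "1.2, 2, 3"
        Enabled     = [bool]$tpm.IsEnabled().IsEnabled     # enabled in firmware
        Activated   = [bool]$tpm.IsActivated().IsActivated # usable by the OS
    }
}

function Get-BitLockerEncryptionMode {
    param([string]$Volume = 'C:')

    # manage-bde -status prints one "Encryption Method:" line per volume.
    # A hardware-encrypted (OPAL 2 / eDrive) volume reports "Hardware Encryption";
    # a software-encrypted one reports the cipher (e.g. "AES 128"); an
    # unencrypted or ISV-managed SED reports "None".
    $status = & manage-bde.exe -status $Volume 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "manage-bde failed for $Volume`: $($status -join ' ')"
    }
    $line = $status | Where-Object { $_ -match 'Encryption Method:' } | Select-Object -First 1
    if (-not $line) {
        throw "No 'Encryption Method' line in manage-bde output for $Volume"
    }
    $null   = $line -match 'Encryption Method:\s*(.+)$'   # populates $Matches
    $method = $Matches[1].Trim()

    $mode = if ($method -match 'Hardware')  { 'hardware' }
            elseif ($method -match '^None') { 'none' }
            else                            { 'software' }

    [pscustomobject]@{ Volume = $Volume; EncryptionMethod = $method; Mode = $mode }
}

# Usage: run elevated, then read the two summaries.
$tpm  = Get-TpmSummary
$mode = Get-BitLockerEncryptionMode -Volume 'C:'
$tpm  | Format-List
$mode | Format-List

if ($mode.Mode -eq 'software') {
    Write-Host ("BitLocker is encrypting in software: Windows did not accept the drive " +
                "as an OPAL 2 / eDrive device, or hardware encryption is disabled by policy.")
}
```

Two caveats when reading the output. Windows only selects hardware mode at the moment BitLocker is turned on against a drive it has already recognised as OPAL 2 compliant; a volume that was encrypted in software stays in software even if the drive is later found to be eDrive capable. And a "None" result does not mean the disk is unprotected: an SED locked through an ISV pre-boot tool (the SecureDoc route mentioned later in this thread) is invisible to BitLocker, so check that tool's own status rather than this script's.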
 

Author Comment

by:dakota5
ID: 39706022
Thank you both, for the detailed explanation.  I am primarily interested in security of the drive in case of theft, thus SED is my choice.

There are very few SATA SED drives available, Seagate ST500NM0031 (and other sizes of same drive) is the only one I've seen.  SecureDoc by WinMagic seems to be the only software that can be licensed in small numbers;  other solutions are enterprise.

The references are good explanations, but don't provide details for practical, simple solutions.

I have a TPM chip.  Does anyone know of SED software for PCs that utilizes the TPM chip?  That would be ideal.

Because there are so many SAS SED drives available, that seems a better solution.
I'll post another question about SAS adapters for PCs.

If either of you can provide information on the new post, that would be appreciated.

 

Accepted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 39706082
FDEs like those I mentioned in my article:
Some FDE is done at the hardware level, like Seagate's Momentus drives, Hitachi's BDE and Toshiba's SED HDDs. These types of drives do all the encryption and decryption on the HDD's own electronics, then send the data to the rest of the computer's hardware as normal unencrypted data.

Those don't utilize the TPM chip, and there is no need to on hardware encrypted drives like those. Some of the drives only come in laptop sizes, but all are SATA, and depending on your server, it may actually take the 2.5" drives as opposed to the 3.5".

As far as software products, you're mistaken, there are sooooo many products... but hardly any utilize the TPM chip, and they don't need to really. TPM isn't going to help in a physical theft situation, where they steal the whole server, it'd only help if they took just the HDD. Theft of computers happens more than the removal of the HDD's, you should have the server screwed or physically connected to something that isn't easy to steal or wheel away on a dolly :)

Here is a list of software from wikipedia, and you can sort them based on their use of TPM if you like: http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software#Features (click the TPM column)

Don't put so much faith in TPM, it has various weak spots, simply search for defcon +tpm.
-rich
 

Expert Comment

by:btan
ID: 39706395
Indeed SED does not use the TPM and they are independent, as stated in the FAQ from TCG. I propose you see them as layers of defence, and minimally the SED must work first as it claims. The key is held within the drive itself, so in a way it mitigates cold boot type attacks. TPM is more for attestation, key storage assurance and machine state integrity. Operationally it can be tedious migrating to a new machine, as the TPM key does not leave the TPM, and the encrypted HDD needs to have its data backed up or be decrypted in order to reuse the HDD in a new machine, with or without a TPM.

Overall it is not a panacea, and do consider file level encryption like EFS or similar...
 

Author Closing Comment

by:dakota5
ID: 39706404
thank you for the excellent feedback