Seagate 15K.2 Self-Encrypting Drives for Servers, NAS, and SAN Arrays - Page 10


Self-Encrypting Drives for Servers, NAS and SAN Arrays

The following describes the steps that occur during the authentication process of a previously secured drive (see Figure 5):

Figure 5

1. Authentication
• The storage system gets the authentication key from the key management service and sends it to the correct locked drive.
• The drive hashes the authentication key and compares the result with the hash of the authentication key that's stored in a secure area of the disk.
• If the two hashed authentication key values do not match, the authentication process ends, and the drive will not permit reading data from the disk. The drive remains locked. Note that the drive never sends cipher text from the drive.

2. Decrypt the encrypted encryption key
• If the two hashes match, the drive is then unlocked, and the drive uses the authentication key it received from the storage system to decrypt a copy of the encryption key (which was previously encrypted with the authentication key) that's stored in a secure area of the disk. Once the authentication process is successfully completed, the drive is unlocked until the next time it is powered down. Note that this authentication process only occurs when the drive is first powered on; it does not repeat with each read and write operation.

3. Clear encryption key encrypts and decrypts the data
• The clear-text encryption key is then used to encrypt data to be written to the disk and to decrypt data that's being read from the disk.
• The drive now works in standard fashion during data transfers, with encryption and decryption transparently occurring in the background.

Once the drive is put in auto-lock mode, it can be put back into secure erase-only mode only after a secure erase is performed. If an owner wishes to repurpose or retire the drive (i.e., change the drive from being in an auto-lock mode to a secure erase-only mode so that someone else can use the drive), the owner would simply perform a secure erase to replace the encryption key.
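
The power-on sequence and secure erase described above, modelled as an added Python example (not Seagate's code or firmware). The class and method names are hypothetical, and the SHA-256 verifier and XOR mask are stand-ins for the drive's hash and key-wrap algorithms, which this page does not specify.

```python
import hashlib
import hmac
import secrets


def _digest(label: bytes, key: bytes) -> bytes:
    # Distinct labels keep the stored verifier different from the wrapping mask,
    # so reading the stored hash alone does not reveal how to unwrap the key.
    return hashlib.sha256(label + key).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ModelDrive:
    """Toy model of the secure area and lock state; not drive firmware."""

    def __init__(self, auth_key: bytes):
        dek = secrets.token_bytes(32)  # data encryption key
        self._auth_hash = _digest(b"verify", auth_key)  # stored hash of the auth key
        self._wrapped_dek = _xor(dek, _digest(b"wrap", auth_key))  # stand-in key wrap
        self._dek = None  # the clear-text key is held only while unlocked

    def unlock(self, auth_key: bytes) -> bool:
        if self._auth_hash is None:
            return False  # model choice: no authentication key is set after an erase
        # Step 1: hash the presented key and compare it with the stored hash.
        if not hmac.compare_digest(_digest(b"verify", auth_key), self._auth_hash):
            return False  # mismatch: the drive remains locked
        # Step 2: use the authentication key to decrypt the stored encryption key.
        self._dek = _xor(self._wrapped_dek, _digest(b"wrap", auth_key))
        return True

    def power_cycle(self) -> None:
        if self._auth_hash is not None:  # auto-lock mode: relock on power-down
            self._dek = None

    def secure_erase(self) -> None:
        # Replace the encryption key and return to secure erase-only mode.
        self._auth_hash = self._wrapped_dek = None
        self._dek = secrets.token_bytes(32)

    def key_id(self) -> str:
        # Step 3 stand-in: only an unlocked drive has a usable clear-text key.
        if self._dek is None:
            raise PermissionError("drive is locked")
        return hashlib.sha256(self._dek).hexdigest()[:16]
```

After `secure_erase()` the model holds a fresh key, so anything written under the previous key can no longer be decrypted, which is the property the repurpose and retire procedure relies on.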

