Seagate 15K.2 Self-Encrypting Drives for Servers, NAS, and SAN Arrays - Page 3

Instant Secure Erase Without Managing Keys, Auto-Locking Self-Encrypting Drives With, Key Lifecycle - performance

Get Seagate 15K.2 - Savvio 146.8 GB Hard Drive PDF manuals and user guides
UPC - 715663213772
View all Seagate 15K.2 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 3 highlights

Self-Encrypting Drives for Servers, NAS and SAN Arrays Instant Secure Erase Without Managing Keys The Self-Encrypting Drive provides instant data destruction via cryptographic erase. When the SED is in normal use, its owner need not maintain authentication keys (otherwise known as credentials or passwords) in order to access the drive's data. The SED will encrypt data being written to the drive and decrypt data being read from it, all without requiring an authentication key from the owner. When it's time to retire or repurpose the drive, the owner sends a command to the drive to perform a cryptographic erase. Cryptographic erase simply replaces the encryption key inside the encrypted drive, making it impossible to ever decrypt the data encrypted with the deleted key. (A more detailed explanation of how secure erase works appears in Appendix A.) Self-Encrypting Drives reduce IT operating expenses by freeing IT from both drive control headaches and disposal costs. The SED's government-grade data security helps ensure Safe Harbor for data privacy compliance without hindering IT efficiency. Furthermore, SEDs simplify decommissioning and preserve hardware value for returns and repurposing by: • Eliminating the need to overwrite or destroy the drive • Securing warranty and expired lease returns • Enabling drives to be repurposed securely Auto-Locking Self-Encrypting Drives With Key Lifecycle Management Beyond using a Self-Encrypting Drive for instant secure erase at retirement, the drive owner may also choose to employ that same SED in the auto-lock mode to help secure active data against theft. Insider theft or misplacement is a growing concern for businesses of all sizes; in addition, managers of branch offices and small businesses without strong physical security face greater vulnerability to external theft. Utilizing the SED in auto-lock mode simply requires securing the drive during its normal use with an authentication key. When secured in this manner, the drive's data encryption key is locked whenever the drive is powered down. In other words, the moment the SED is switched off or unplugged, it automatically locks down the drive's data. When the SED is then powered back on, the SED requires authentication before being able to unlock its encryption key and read any data on the drive, thus protecting against misplacement and insider or external theft. The lifecycle of authentication keys can be managed by the IBM Tivoli Key Lifecycle Manager (formerly Encryption Key Manager), which is a Java-based software program that centrally generates, protects, stores and backs up authentication keys. It is a unified key management service that will support the key management requirements for all forms of storage (as well as other security applications). IBM, LSI and Seagate will support the Key Management Interoperability Protocol submitted to OASIS for advancement through their open standards process. With its platform neutrality, IBM Tivoli Key Lifecycle Manager offers a simple and effective method for managing the growing number of encryption keys across the enterprise. The auto-lock mode of Self-Encrypting Drives and IBM Tivoli Key Lifecycle Manager is discussed in detail in Appendix A. The owner of a Self-Encrypting Drive is able to use the SED first in secure erase-only mode, and then later change that SED to auto-lock mode. Later, after performing an instant secure erase and repurposing the drive, the drive may then go back to being used in secure erase-only mode. So, initially, the drive owner may choose to leave the SED in secure erase only mode during normal operation, intending to just perform an instant secure erase when needed. Later, perhaps due to growing concerns over theft, the owner may elect to use the SED in auto-lock mode for the remainder of the owner's use of the drive, by simply creating an authentication key that wraps the existing encryption key. Subsequently, once the SED has been securely erased and repurposed, its new owner may decide to not put the drive in auto-lock mode and use the drive in secure erase-only mode to securely erase the drive at the end of its useful life. 3

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
Instant Secure Erase Without Managing Keys
The Self-Encrypting Drive provides instant data
destruction via cryptographic erase. When
the SED is in normal use, its owner need not
maintain authentication keys (otherwise known
as credentials or passwords) in order to access
the drive’s data. The SED will encrypt data being
written to the drive and decrypt data being read
from it, all without requiring an authentication key
from the owner.
When it’s time to retire or repurpose the drive,
the owner sends a command to the drive to
perform a cryptographic erase. Cryptographic
erase simply replaces the encryption key inside
the encrypted drive, making it impossible to ever
decrypt the data encrypted with the deleted key.
(A more detailed explanation of how secure erase
works appears in Appendix A.)
Self-Encrypting Drives reduce IT operating
expenses by freeing IT from both drive control
headaches and disposal costs. The SED’s
government-grade data security helps ensure
Safe Harbor for data privacy compliance without
hindering IT efficiency. Furthermore, SEDs
simplify decommissioning and preserve hardware
value for returns and repurposing by:
Eliminating the need to overwrite or destroy the
drive
Securing warranty and expired lease returns
Enabling drives to be repurposed securely
Auto-Locking Self-Encrypting Drives With
Key Lifecycle Management
Beyond using a Self-Encrypting Drive for instant
secure erase at retirement, the drive owner
may also choose to employ that same SED in
the auto-lock mode to help secure active data
against theft. Insider theft or misplacement is a
growing concern for businesses of all sizes; in
addition, managers of branch offices and small
businesses without strong physical security face
greater vulnerability to external theft.
Utilizing the SED in auto-lock mode simply
requires securing the drive during its normal use
with an authentication key. When secured in this
manner, the drive’s data encryption key is locked
whenever the drive is powered down. In other
words, the moment the SED is switched off or
unplugged, it automatically locks down the drive’s
data.
When the SED is then powered back on, the
SED requires authentication before being able to
unlock its encryption key and read any data on
the drive, thus protecting against misplacement
and insider or external theft.
The lifecycle of authentication keys can be
managed by the IBM Tivoli Key Lifecycle
Manager (formerly Encryption Key Manager),
which is a Java-based software program
that centrally generates, protects, stores and
backs up authentication keys. It is a unified
key management service that will support the
key management requirements for all forms of
storage (as well as other security applications).
IBM, LSI and Seagate will support the Key
Management Interoperability Protocol submitted
to OASIS for advancement through their open
standards process. With its platform neutrality,
IBM Tivoli Key Lifecycle Manager offers a simple
and effective method for managing the growing
number of encryption keys across the enterprise.
The auto-lock mode of Self-Encrypting Drives and
IBM Tivoli Key Lifecycle Manager is discussed in
detail in Appendix A.
The owner of a Self-Encrypting Drive is able to
use the SED first in secure erase-only mode, and
then later change that SED to auto-lock mode.
Later, after performing an instant secure erase
and repurposing the drive, the drive may then go
back to being used in secure erase-only mode.
So, initially, the drive owner may choose to leave
the SED in secure erase only mode during normal
operation, intending to just perform an instant
secure erase when needed. Later, perhaps
due to growing concerns over theft, the owner
may elect to use the SED in auto-lock mode for
the remainder of the owner’s use of the drive,
by simply creating an authentication key that
wraps the existing encryption key. Subsequently,
once the SED has been securely erased and
repurposed, its new owner may decide to not put
the drive in auto-lock mode and use the drive in
secure erase-only mode to securely erase the
drive at the end of its useful life.
Self-Encrypting Drives for
Servers, NAS and SAN Arrays
3