Seagate 15K.2 Self-Encrypting Drives for Servers, NAS, and SAN Arrays - Page 9

Auto-Locking Self-Encrypting Drive, Technology

Get Seagate 15K.2 - Savvio 146.8 GB Hard Drive PDF manuals and user guides
UPC - 715663213772
View all Seagate 15K.2 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 9 highlights

Self-Encrypting Drives for Servers, NAS and SAN Arrays Figure 4 IBM Tivoli Key Lifecycle Manager serves keys at the time of use to allow for centralized storage of key material in a secure location, a unique approach that supports multiple protocols for key serving and manages certificates as well as symmetric and asymmetric keys. Users can also centrally create, import, distribute, back up, archive and manage the lifecycle of those keys and certificates using a customizable graphical user interface (GUI). In addition, IBM Tivoli Key Lifecycle Manager's transparent encryption implementation means that keys are generated and served from a centralized location and are never sent or stored "in the clear." Ultimately this technology applies across the entire data center, as shown in Figure 4. SelfEncrypting Drives may be in storage arrays, on SANs, NAS and servers, and in data centers, branch offices and small businesses. A unified key management service will support the key management requirements for all forms of storage (as well as other security applications). Auto-Locking Self-Encrypting Drive Technology To put the Self-Encrypting Drive in auto-lock mode, the drive owner may wish to first change the encryption key for added security confidence, using secure erase on a new SED; this also protects the drive against a warehouse attack. The owner must then establish an authentication key by first entering the SID (Security ID, proof of ownership) from the drive's external label, then setting the authentication key, which is used by the drive to encrypt the encryption key. The SED is now in auto-lock mode. It is in a secured state; when the drive is powered down it will be locked, and when powered back up it will require authentication to become unlocked. In an auto-locking SED, an encryption key and an authentication key work together to enable access to the data stored on the drive. An auto-locking SED, which is configured to use authentication, contains no secret that, if discovered, could reveal the encrypted data. A simple description of the unlock process explains why this is true. The unlock process is the part of the drive's power-on activity that enables access to the encrypted data. The drive expects a credential (authentication key) to be supplied to it, which it verifies as proof that the drive is being accessed by an authorized user. 9

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
Self-Encrypting Drives for
Servers, NAS and SAN Arrays
Ultimately this technology applies across the
entire data center, as shown in Figure 4. Self-
Encrypting Drives may be in storage arrays, on
SANs, NAS and servers, and in data centers,
branch offices and small businesses. A unified
key management service will support the key
management requirements for all forms of storage
(as well as other security applications).
Auto-Locking Self-Encrypting Drive
Technology
To put the Self-Encrypting Drive in auto-lock
mode, the drive owner may wish to first change
the encryption key for added security confidence,
using secure erase on a new SED; this also
protects the drive against a warehouse attack.
The owner must then establish an authentication
key by first entering the SID (Security ID, proof of
ownership) from the drive’s external label, then
setting the authentication key, which is used
by the drive to encrypt the encryption key. The
SED is now in auto-lock mode. It is in a secured
state; when the drive is powered down it will
be locked, and when powered back up it will
require authentication to become unlocked. In
an auto-locking SED, an encryption key and an
authentication key work together to enable access
to the data stored on the drive.
An auto-locking SED, which is configured to
use authentication, contains no secret that, if
discovered, could reveal the encrypted data. A
simple description of the unlock process explains
why this is true. The unlock process is the part
of the drive’s power-on activity that enables
access to the encrypted data. The drive expects
a credential (authentication key) to be supplied to
it, which it verifies as proof that the drive is being
accessed by an authorized user.
IBM Tivoli Key Lifecycle Manager serves keys at
the time of use to allow for centralized storage
of key material in a secure location, a unique
approach that supports multiple protocols for
key serving and manages certificates as well
as symmetric and asymmetric keys. Users can
also centrally create, import, distribute, back up,
archive and manage the lifecycle of those keys
and certificates using a customizable graphical
user interface (GUI). In addition, IBM Tivoli Key
Lifecycle Manager’s transparent encryption
implementation means that keys are generated
and served from a centralized location and are
never sent or stored “in the clear.”
9
Figure 4