Seagate ST32000646SS Constellation ES.2 SAS Product Manual - Page 43

About self-encrypting drives

Get Seagate ST32000646SS PDF manuals and user guides View all Seagate ST32000646SS manuals
Add to My Manuals
Save this manual to your list of manuals

Page 43 highlights

9.0 About self-encrypting drives Self-encrypting drives (SEDs) offer encryption and security services for the protection of stored data, commonly known as "protection of data at rest." These drives are compliant with the Trusted Computing Group (TCG) Enterprise Storage Specifications as detailed in Section 3.2. The Trusted Computing Group (TCG) is an organization sponsored and operated by companies in the computer, storage and digital communications industry. Seagate's SED models comply with the standards published by the TCG. To use the security features in the drive, the host must be capable of constructing and issuing the following two SCSI commands: • Security Protocol Out • Security Protocol In These commands are used to convey the TCG protocol to and from the drive in their command payloads. 9.1 Data encryption Encrypting drives use one inline encryption engine for each port, employing AES-128 data encryption in Cipher Block Chaining (CBC) mode to encrypt all data prior to being written on the media and to decrypt all data as it is read from the media. The encryption engines are always in operation, cannot be disabled, and do not detract in any way from the performance of the drive. The 32-byte Data Encryption Key (DEK) is a random number which is generated by the drive, never leaves the drive, and is inaccessible to the host system. The DEK is itself encrypted when it is stored on the media and when it is in volatile temporary storage (DRAM) external to the encryption engine. A unique data encryption key is used for each of the drive's possible16 data bands (see Section 9.5). 9.2 Controlled access The drive has two security partitions (SPs) called the "Admin SP" and the "Locking SP." These act as gatekeepers to the drive security services. Security-related commands will not be accepted unless they also supply the correct credentials to prove the requester is authorized to perform the command. 9.2.1 Admin SP The Admin SP allows the drive's owner to enable or disable firmware download operations (see Section 9.4). Access to the Admin SP is available using the SID (Secure ID) password or the MSID (Makers Secure ID) password. 9.2.2 Locking SP The Locking SP controls read/write access to the media and the cryptographic erase feature. Access to the Locking SP is available using the BandMasterX or EraseMaster passwords. Since the drive owner can define up to 16 data bands on the drive, each data band has its own password called BandMasterX where X is the number of the data band (0 through 15). Constellation ES.2 SAS Product Manual, Rev. C 35

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
Constellation ES.2 SAS Product Manual, Rev. C
35
9.0
About self-encrypting drives
Self-encrypting drives (SEDs) offer encryption and security services for the protection of stored data,
commonly known as “protection of data at rest.” These drives are compliant with the Trusted Computing Group
(TCG) Enterprise Storage Specifications as detailed in Section 3.2.
The Trusted Computing Group (TCG) is an organization sponsored and operated by companies in the
computer, storage and digital communications industry. Seagate’s SED models comply with the standards
published by the TCG.
To use the security features in the drive, the host must be capable of constructing and issuing the following two
SCSI commands:
Security Protocol Out
Security Protocol In
These commands are used to convey the TCG protocol to and from the drive in their command payloads.
9.1
Data encryption
Encrypting drives use one inline encryption engine for each port, employing AES-128 data encryption in Cipher
Block Chaining (CBC) mode to encrypt all data prior to being written on the media and to decrypt all data as it
is read from the media. The encryption engines are always in operation, cannot be disabled, and do not detract
in any way from the performance of the drive.
The 32-byte Data Encryption Key (DEK) is a random number which is generated by the drive, never leaves the
drive, and is inaccessible to the host system. The DEK is itself encrypted when it is stored on the media and
when it is in volatile temporary storage (DRAM) external to the encryption engine. A unique data encryption
key is used for each of the drive's possible16 data bands (see Section 9.5).
9.2
Controlled access
The drive has two security partitions (SPs) called the "Admin SP" and the "Locking SP." These act as
gatekeepers to the drive security services. Security-related commands will not be accepted unless they also
supply the correct credentials to prove the requester is authorized to perform the command.
9.2.1
Admin SP
The Admin SP allows the drive's owner to enable or disable firmware download operations (see Section 9.4).
Access to the Admin SP is available using the SID (Secure ID) password or the MSID (Makers Secure ID)
password.
9.2.2
Locking SP
The Locking SP controls read/write access to the media and the cryptographic erase feature. Access to the
Locking SP is available using the BandMasterX or EraseMaster passwords. Since the drive owner can define
up to 16 data bands on the drive, each data band has its own password called BandMasterX where X is the
number of the data band (0 through 15).