Seagate 10K.3 - Savvio 300 GB Hard Drive Brochure Download Page 3

Instant Secure Erase Without Managing Keys

The Self-Encrypting Drive provides instant data 
destruction via cryptographic erase. When 
the SED is in normal use, its owner need not 
maintain authentication keys (otherwise known 
as credentials or passwords) in order to access 
the drive’s data. The SED will encrypt data being 
written to the drive and decrypt data being read 
from it, all without requiring an authentication key 
from the owner.

When it’s time to retire or repurpose the drive, 
the owner sends a command to the drive to 
perform a cryptographic erase. Cryptographic 
erase simply replaces the encryption key inside 
the encrypted drive, making it impossible to ever 
decrypt the data encrypted with the deleted key. 
(A more detailed explanation of how secure erase 
works appears in Appendix A.) 

Self-Encrypting Drives reduce IT operating 
expenses by freeing IT from both drive control 
headaches and disposal costs. The SED’s 
government-grade data security helps ensure 
Safe Harbor for data privacy compliance without 
hindering IT efficiency. Furthermore, SEDs 
simplify decommissioning and preserve hardware 
value for returns and repurposing by:

  Eliminating the need to overwrite or destroy the drive

  Securing warranty and expired lease returns

  Enabling drives to be repurposed securely

Auto-Locking Self-Encrypting Drives With Key Lifecycle Management

Beyond using a Self-Encrypting Drive for instant 
secure erase at retirement, the drive owner 
may also choose to employ that same SED in 
the auto-lock mode to help secure active data 
against theft. Insider theft or misplacement is a 
growing concern for businesses of all sizes; in 
addition, managers of branch offices and small 
businesses without strong physical security face 
greater vulnerability to external theft.

Utilizing the SED in auto-lock mode simply 
requires securing the drive during its normal use 
with an authentication key. When secured in this 
manner, the drive’s data encryption key is locked 
whenever the drive is powered down. In other 
words, the moment the SED is switched off or 
unplugged, it automatically locks down the drive’s 
data.

When the SED is then powered back on, the 
SED requires authentication before being able to 
unlock its encryption key and read any data on 
the drive, thus protecting against misplacement 
and insider or external theft.  

The lifecycle of authentication keys can be 
managed by the IBM Tivoli Key Lifecycle 
Manager (formerly Encryption Key Manager), 
which is a Java-based software program 
that centrally generates, protects, stores and 
backs up authentication keys. It is a unified 
key management service that will support the 
key management requirements for all forms of 
storage (as well as other security applications). 
IBM, LSI and Seagate will support the Key 
Management Interoperability Protocol submitted 
to OASIS for advancement through their open 
standards process. With its platform neutrality, 
IBM Tivoli Key Lifecycle Manager offers a simple 
and effective method for managing the growing 
number of encryption keys across the enterprise.  

The auto-lock mode of Self-Encrypting Drives and 
IBM Tivoli Key Lifecycle Manager is discussed in 
detail in Appendix A.

The owner of a Self-Encrypting Drive is able to 
use the SED first in secure erase-only mode, and 
then later change that SED to auto-lock mode. 
Later, after performing an instant secure erase 
and repurposing the drive, the drive may then go 
back to being used in secure erase-only mode. 
So, initially, the drive owner may choose to leave 
the SED in secure erase-only mode during normal 
operation, intending to just perform an instant 
secure erase when needed. Later, perhaps 
due to growing concerns over theft, the owner 
may elect to use the SED in auto-lock mode for 
the remainder of the owner’s use of the drive, 
by simply creating an authentication key that 
wraps the existing encryption key. Subsequently, 
once the SED has been securely erased and 
repurposed, its new owner may decide to not put 
the drive in auto-lock mode and use the drive in 
secure erase-only mode to securely erase the 
drive at the end of its useful life. 
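
The key handling described above (cryptographic erase, auto-lock, and the switch between the two modes) can be modeled in a few lines. This is an added illustration, not Seagate firmware or code from the brochure: the class and method names are hypothetical, and the HMAC-based keystream and XOR wrap are toy stand-ins for the drive's hardware cipher and key wrapping.

```python
import hashlib, hmac, os

def _stream(key, n):
    # Toy keystream (HMAC-SHA256, counter mode); stand-in for the drive's cipher engine.
    mac = lambda i: hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
    return b"".join(mac(i) for i in range(n // 32 + 1))[:n]

def _xor(data, key):
    return bytes(a ^ b for a, b in zip(data, _stream(key, len(data))))

class ModelSED:
    def __init__(self):
        self.dek = os.urandom(32)  # data encryption key, usable without credentials
        self.wrapped = None        # (salt, wrapped DEK, tag) once auto-lock is on
        self.media = b""           # only ciphertext is ever stored

    def _keys(self, auth_key, salt):
        k = hashlib.pbkdf2_hmac("sha256", auth_key, salt, 100_000, dklen=64)
        return k[:32], k[32:]      # wrapping key, integrity key

    def write(self, data):
        if self.dek is None:
            raise PermissionError("drive is locked")
        self.media = _xor(data, self.dek)

    def read(self):
        if self.dek is None:
            raise PermissionError("drive is locked")
        return _xor(self.media, self.dek)

    def enable_auto_lock(self, auth_key):
        salt = os.urandom(16)
        wrap_key, mac_key = self._keys(auth_key, salt)
        blob = _xor(self.dek, wrap_key)   # wraps the existing DEK; data is not re-encrypted
        self.wrapped = (salt, blob, hmac.new(mac_key, blob, hashlib.sha256).digest())

    def power_cycle(self):
        if self.wrapped:
            self.dek = None               # clear DEK is lost; only the wrapped copy persists

    def unlock(self, auth_key):
        salt, blob, tag = self.wrapped
        wrap_key, mac_key = self._keys(auth_key, salt)
        ok = hmac.compare_digest(tag, hmac.new(mac_key, blob, hashlib.sha256).digest())
        if ok:
            self.dek = _xor(blob, wrap_key)
        return ok

    def crypto_erase(self):
        self.dek, self.wrapped = os.urandom(32), None  # old DEK gone, back to erase-only mode
```

In the model, a power cycle in erase-only mode leaves the data readable without credentials, a power cycle in auto-lock mode leaves it unreadable until `unlock` succeeds, and `crypto_erase` leaves the old ciphertext on the media with no key that decrypts it.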

Self-Encrypting Drives for Servers, NAS and SAN Arrays
