Seagate Archive HDD Product Manual, Rev. D
4.2.3 Default password
When the drive is shipped from the factory, all passwords are set to the value of MSID. This 32-byte random value can only be
read by the host electronically over the interface. After receipt of the drive, it is the responsibility of the owner to use the default
MSID password as the authority to change all other passwords to unique owner-specified values.
4.2.4 ATA Enhanced Security
The drive can utilize the system's BIOS through the ATA Security API for cases that do not require password management and
additional security policies.
Furthermore, the drive's ATA Security Erase Unit command shall support both Normal and Enhanced Erase modes with the
following modifications/additions:
Normal Erase: The normal erase feature shall be performed by changing the Data Encryption Key (DEK) of the drive, followed by
an overwrite operation that repeatedly writes a single sector containing random data to the entire drive. This write operation
bypasses the media encryption. On reading back the overwritten sectors, the host will receive the random data sector as
decrypted with the new DEK (the returned data will not match what was written).
Enhanced Erase: Enhanced erase shall be performed by changing the Data Encryption Key of the drive.
4.3 Random Number Generator (RNG)
The drive has a 32-byte hardware RNG that it uses to derive encryption keys or, if requested to do so, to provide random
numbers to the host for system use, including using these numbers as Authentication Keys (passwords) for the drive's Admin
and Locking SPs.
4.4 Drive Locking
In addition to changing the passwords, as described in Section 4.2.3 Default password, the owner should also set the data
access controls for the individual bands.
The variable "LockOnReset" should be set to "PowerCycle" to ensure that the data bands will be locked if power is lost. In
addition, "ReadLockEnabled" and "WriteLockEnabled" must be set to true in the locking table in order for the band's
"LockOnReset" setting of "PowerCycle" to actually lock access to the band when a "PowerCycle" event occurs. This scenario
occurs if the drive is removed from its cabinet. The drive will not honor any data read or write requests until the bands have
been unlocked. This prevents the user data from being accessed without the appropriate credentials when the drive has been
removed from its cabinet and installed in another system.
4.5 Data Bands
When shipped from the factory, the drive is configured with a single data band called Band 0 (also known as the Global Data
Band) which comprises LBA 0 through LBA max. The host may allocate additional bands (Band1 to Band15) by specifying a
start LBA and an LBA range. The real estate for this band is taken from the Global Band.
Data bands cannot overlap but they can be sequential with one band ending at LBA (x) and the next beginning at LBA (x+1).
Each data band has its own drive-generated encryption key. The host may change the Encryption Key (see
) or the password when required. The bands should be aligned to 4K LBA boundaries.
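The rules in Sections 4.4 and 4.5 can be checked against a planned band table before it is written to the drive. The following is an added example, not part of the manual or any Seagate tool: the Band record and audit_bands function are hypothetical names, the sample layout is constructed, and 512-byte logical sectors are assumed when converting the 4K boundary to LBAs.

```python
from dataclasses import dataclass

SECTOR_BYTES = 512                  # assumption: 512-byte logical sectors
ALIGN_LBAS = 4096 // SECTOR_BYTES   # 4K boundary expressed in LBAs
MAX_EXTRA_BANDS = 15                # Band1..Band15, per Section 4.5

@dataclass
class Band:                         # hypothetical record, not a drive API structure
    number: int
    start_lba: int
    length: int                     # LBA range
    read_lock_enabled: bool
    write_lock_enabled: bool
    lock_on_reset: str              # "PowerCycle" or "" when unset

def audit_bands(bands, lba_max):
    """Return a list of findings; an empty list means the layout passes."""
    findings, seen = [], set()
    for b in bands:
        tag = f"Band{b.number}"
        if not 1 <= b.number <= MAX_EXTRA_BANDS or b.number in seen:
            findings.append(f"{tag}: number must be unique and in 1..15")
        seen.add(b.number)
        if b.length <= 0 or b.start_lba < 0 or b.start_lba + b.length - 1 > lba_max:
            findings.append(f"{tag}: range falls outside LBA 0..{lba_max}")
        if b.start_lba % ALIGN_LBAS or b.length % ALIGN_LBAS:
            findings.append(f"{tag}: not aligned to a 4K boundary")
        if b.lock_on_reset != "PowerCycle":
            findings.append(f"{tag}: LockOnReset is not PowerCycle")
        elif not (b.read_lock_enabled and b.write_lock_enabled):
            findings.append(f"{tag}: PowerCycle set but read/write lock not enabled")
    # Sequential bands are fine (one ends at x, the next starts at x+1);
    # any shared LBA is an overlap. Compare against the furthest-reaching earlier band.
    ordered = sorted(bands, key=lambda b: b.start_lba)
    for i, cur in enumerate(ordered[1:], 1):
        prev = max(ordered[:i], key=lambda b: b.start_lba + b.length)
        if cur.start_lba < prev.start_lba + prev.length:
            findings.append(f"Band{prev.number}/Band{cur.number}: ranges overlap")
    return findings

# Constructed sample layout for a drive whose LBA max is 999,999
SAMPLE = [
    Band(1, 0, 4096, True, True, "PowerCycle"),
    Band(2, 4096, 8192, True, False, "PowerCycle"),  # lock would not take effect
    Band(3, 8192, 4100, True, True, ""),             # overlaps Band2, misaligned
]

if __name__ == "__main__":
    for line in audit_bands(SAMPLE, lba_max=999_999):
        print(line)
```

The audit covers only host-allocated bands; the locking settings of Band 0 need the same review.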