Overview
This paper discusses the challenge of securing data on hard
drives that will inevitably leave the owner’s control. It introduces
Self-Encrypting Drives (SED), which may be used in two ways: to
provide instant secure erase (cryptographic erase or making the
data no longer readable), and to enable auto-locking to secure
active data if a drive is misplaced or stolen from a system while in
use. Two appendices then follow: The first compares SEDs to other
encryption technologies used to secure drive data. The second
provides detailed analysis of instant secure erase and auto-lock
SED technology, explaining how SEDs are used in servers, NAS and
SAN arrays, virtualized environments, RAIDs, JBODs and discrete
drives.
Introduction
When hard drives are retired and moved outside the physically
protected data center into the hands of others, the data on those
drives is put at significant risk. IT departments routinely retire drives
for a variety of reasons, including:
•
Returning drives for warranty, repair or expired lease agreements
•
Removal and disposal of drives
•
Repurposing drives for other storage duties
Nearly all drives eventually leave the data center and their owners’
control; Seagate estimates that 50,000 drives are retired from data
centers daily. Corporate data resides on such drives, and when
most leave the data center, the data they contain is still readable.
Even data that has been striped across many drives in a RAID array
is vulnerable to data theft, because just a typical single stripe in
today’s high-capacity arrays is large enough to expose hundreds of
names and social security numbers.
Self-Encrypting Drives for
Servers, NAS and SAN Arrays
Technology Paper