What Are Self-Encrypting Drives (SEDs) and How Do They Work?

For organizations looking to strengthen the security of their IoT systems, or that are in the process of introducing IoT solutions, self-encrypting drives (SEDs) are an attractive option for securing data at the edge. Because they provide strong hardware-based encryption with negligible impact on system performance, SEDs are often a primary contender when security solutions are evaluated.

IoT and Data Security

Data security plays a central role in any Internet of Things (IoT) project and is a primary consideration for companies looking to roll out such projects.

According to a 2019 study of 20,000 IoT adopters by Pod Group, 70 percent of respondents said that they were very or extremely concerned with IoT security. In a separate study by 451 Research, 55.1 percent of IT professionals listed IoT security as their top priority.

Edge devices are particularly vulnerable to security threats

Edge devices in IoT systems are particularly exposed to security threats. They are often deployed in places that are difficult to supervise, so they are at risk of physical tampering in addition to remote attacks. That makes local data security critically important.

Take a network recording device, for instance. Using strong encryption when transmitting data to a well-secured cloud may seem sufficient, but if all it takes to get hold of the device’s data is to open the enclosure and plug its storage device into another computer, then every other security measure is effectively useless.

Self-encrypting Drives (SEDs)

Self-encrypting drives are a type of storage device that employs hardware encryption. All user data is stored on the device in encrypted form, so only authorized users with the correct credentials can access it. Because the data on an SED is completely scrambled through encryption, physical possession of the device by an illicit actor does not by itself expose the data. Unlike software encryption, hardware encryption has a negligible impact on system performance.

The hardware encryption used in SEDs has a negligible impact on performance

Hardware Encryption

With an SED’s hardware encryption, data read from the storage media passes through a crypto processor inside the drive, which decrypts it before it crosses the SATA interface to the host computer and its operating system; on a write, the same crypto processor encrypts the data before it is committed to the media. In other words, the host computer never has to decrypt anything, because all the data it receives is already in cleartext. Consequently, no host computing power is spent constantly encrypting and decrypting data written to and read from the computer’s storage device.

Compliance with TCG Opal 2.0

TCG Opal 2.0 compliance means compliance with the Trusted Computing Group’s (TCG) Opal Security Subsystem Class (SSC), a set of specifications for self-encrypting drives that ensures a high level of data security.

In an Opal-compliant SED, all data is encrypted using the Media Encryption Key (MEK). The MEK is in turn encrypted using the Key Encryption Key (KEK) and stored on the device in that encrypted form. The KEK is derived from a password the user enters, or is managed through Opal management software such as Innodisk’s iOpal. As soon as the storage device loses power (for example, when the user turns the computer off or the storage device is removed), credentials must be re-entered before the stored data can be accessed. Hence, if a device is stolen, the perpetrator will be unable to access any of the data contained on the SED.

Destroying the Media Encryption Key (MEK) is all it takes to render data stored on devices useless

Another key benefit of this key layout is that destroying the MEK is all it takes to render the data stored on the device completely useless. Once the original MEK is destroyed and a new MEK is generated, the data originally stored on the device is unreadable and unrecoverable. This process is called a cryptographic erase. Because only the short MEK needs to be destroyed, rather than the entire contents of the media, the process is virtually instantaneous.

Opal 2.0-compliant SEDs come with additional useful security features

Opal 2.0-compliant SEDs also come with other useful security features. For instance, a storage device can be divided into so-called Locking Ranges, each of which can only be unlocked with specific users’ credentials. That way, each user can access only the ranges they are authorized for, while all other data on the device remains encrypted and inaccessible.
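The key hierarchy described above (per-range MEK, wrapped by a password-derived KEK, encrypt-on-write and decrypt-on-read inside the drive, cryptographic erase by replacing the MEK, and Locking Ranges that lock again on power loss) can be modelled in a few dozen lines. The following is an added simulation written for this article, not Innodisk’s or the TCG’s code; it assumes a toy SHA-256 counter-mode keystream as a stand-in for the drive’s AES engine, and a `SimulatedSED` class whose names are invented for illustration.

```python
import os, hmac, hashlib

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode stream cipher standing in for the drive's AES engine."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class SimulatedSED:
    """Opal-style key hierarchy: one MEK per Locking Range, each wrapped by a password-derived KEK."""
    def __init__(self, n_ranges: int = 2):
        self.salt = os.urandom(16)                          # stored in the clear on the drive
        self.ranges = {r: {"media": {}} for r in range(n_ranges)}  # lba -> ciphertext, as on flash
        self.meks = {}                                      # unlocked MEKs, volatile memory only
    def _kek(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
    def _mek(self, range_id: int) -> bytes:
        if range_id not in self.meks:
            raise PermissionError("Locking Range %d is locked" % range_id)
        return self.meks[range_id]

    def provision(self, range_id: int, password: str) -> None:
        """Generate a fresh MEK and store it wrapped (encrypted + MAC) under the KEK."""
        mek, kek = os.urandom(32), self._kek(password)
        nonce = b"wrap" + range_id.to_bytes(4, "big")       # distinct wrapping nonce per range
        self.ranges[range_id]["wrapped"] = keystream_xor(kek, nonce, mek)
        self.ranges[range_id]["mac"] = hmac.new(kek, nonce + mek, "sha256").digest()
        self.meks[range_id] = mek

    def unlock(self, range_id: int, password: str) -> bool:
        """Unwrap the MEK with the password-derived KEK; a wrong password fails the MAC check."""
        kek, rng = self._kek(password), self.ranges[range_id]
        nonce = b"wrap" + range_id.to_bytes(4, "big")
        mek = keystream_xor(kek, nonce, rng["wrapped"])
        if not hmac.compare_digest(hmac.new(kek, nonce + mek, "sha256").digest(), rng["mac"]):
            return False
        self.meks[range_id] = mek
        return True

    def power_cycle(self) -> None:
        self.meks.clear()                                   # every range locks again on power loss
    def write(self, range_id: int, lba: int, plaintext: bytes) -> None:   # encrypt inside the drive
        self.ranges[range_id]["media"][lba] = keystream_xor(self._mek(range_id), lba.to_bytes(8, "big"), plaintext)
    def read(self, range_id: int, lba: int) -> bytes:                     # decrypt inside the drive
        return keystream_xor(self._mek(range_id), lba.to_bytes(8, "big"), self.ranges[range_id]["media"][lba])

    def crypto_erase(self, range_id: int, new_password: str) -> None:
        # Replace the MEK (authorization to do so is assumed checked): old ciphertext stays on
        # flash untouched but can never be decrypted again, so the erase is instantaneous.
        self.provision(range_id, new_password)
```

Inspecting `sed.ranges[r]["media"]` directly models what an attacker who removes the flash sees: ciphertext only, with no key available on the media to decrypt it.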

SEDs in 60 Seconds

Self-encrypting drives compliant with the TCG Opal 2.0 specifications provide a high level of data security well suited to Internet of Things applications. Because encryption is performed in hardware, the performance impact on the host system is negligible. Moreover, support for features such as Locking Ranges makes different levels of authorization possible, allowing added flexibility in complex systems with multiple users.
