What is a self-encrypting drive (SED)
A self-encrypting drive (SED) is a drive with a built-in encryption mechanism so that all data written to the drive is automatically encrypted.The encryption hardware is built into the drive, including a processor - you do not need any software to encrypt the data. Further the Encryption key (DEK) used to encrypt (and decrypt) data is stored on the hard drive too.
This means that the drive requires no input from the user to encrypt or decrypt the data - and that's exactly what happens while the drive is powered on and unlocked - the encryption and decryption is completely transparent to the user. It is done automatically because the key is stored on the hard disk, always available to the encryption system.
SED secures your data at rest. Online, unlocked hard drives are not.
So for a user accessing this powered-on, unlocked hard disk (whether legitimate or malicious), there is virtually no encryption - because even though the hard disk stores the data in encrypted form, it decrypts it and reads it back to you using the DEK it already has. You don't have to know the DEK to access your data.So where is the security? Well, the security kicks in when you turn off the drive. When you turn it off, the drive locks itself. And when you turn it back on, it will not just use the DEK to encrypt/decrypt the data. It will ask you for an AEK - an authentication encryption key.
If you have the AEK, enter it and the drive will unlock and reappear to the user as a normal disk. If you have lost your AEK, there is no way to recover your data.
This is called securing your data at rest. If your drive is powered off (at rest) , you can be sure that without the AEK, no one can access the data stored on the drive.
If both DEK and AEK are stored on SED disk, how can it be safe?
Both the DEK and the AEK are stored in a special area on the disk that OS cannot access, so there is no way to recover the DEK and the AEK. Also, the DEK is stored in encrypted form, so technically you need the encrypted DEK and the KEK (the key used to encrypt the DEK) as well as access to the algorithm used to encrypt it in order to access the data.Although there is some proof that a brute force attack MAY works, no actual attack has been reported, so SED drives are considered secure.
SED drives allow for fast erasure - as fast as it takes to erase a 128 or 256-bit key.
With traditional drives, it takes several writes to the entire drive to irretrievably erase all the data on the disk. So with a NON-SED drive, you must erase and write to the entire drive multiple times to ensure that all previous data cannot be recovered.With SED, you do not have to worry about deleting the encrypted data. You only delete the encryption key - the DEK, so erasing the drive is very quick. Deleting the DEK generates a new DEK, so the drive can be reused .
All in all, SED drives are great for backing up your data at rest - just remember to keep your AEK in a safe place, or you might lock yourself out of your own drive one day.
