External hard drive encryption

To better understand what hardware encryption actually is, let’s go over some basics of encryption itself: what it is and how it works.

So what exactly is encryption?

It is the transformation of data into an unreadable form that cannot be read without a secret decryption key. This is done for the sake of privacy and security, to keep the information from prying eyes. Files may be encrypted on a hard disk to keep an intruder from accessing them.

When multiple people are using a system, encryption allows for safe delivery of information over an insecure system. For example, Alice wants to send information to Bob and doesn’t want anyone else to be able to read it. Alice therefore encrypts the plain text, which is what the original message is called, using an encryption key. The encrypted message is called the cipher text. This is the text that Bob receives. He then deciphers the message with the decryption key to be able to read the text.

Decryption is the reverse of encryption. To encrypt and decrypt text, extra information is required, which is called the key. In certain cases the same key can be used to perform both encryption and decryption, but in most cases they require different keys.

Knowing Authenticity of a Message

When a message has been sent, the receiver can be confident that the message is indeed from the sender only through a process called authentication. In terms of Alice and Bob: imagine that Alice sends a message to Bob, and Bob wants proof that the message was indeed sent by Alice. This is made possible when the sender performs some action that uniquely identifies the sender to the receiver, so the receiver knows the message really is from the sender. The authentication process is performed through a technology called cryptography.

Types of Cryptography

Three kinds of cryptographic techniques are employed, namely:

  • Public key cryptography
  • Secret key cryptography
  • Hash key cryptography

Public key cryptography

It involves a two-key cryptosystem that allows secure communication to take place even over an insecure communication channel. Since a pair of keys is used, public key cryptography is also known as asymmetric encryption.

Each party involved in the communication is given a public and a private key. If any party wants to communicate, the public key is used. The private key is secret and not revealed to anyone. For example, if the sender wants to send a message to the receiver, the sender encrypts the message with the receiver’s public key and the receiver decrypts the message with its private key.

Secret Key Cryptography

Authentication is done using only a single key. When the sender sends the message, it is encrypted using a single key and the receiver applies the same key to decrypt the message.

Secret key cryptography is also referred to as symmetric encryption since only a single key is used. The only drawback of this data authentication technique is the use of a single key for both encryption and decryption.

Hash Key Cryptography

It doesn’t involve a secret key, but uses a hash value computed on the basis of the plain text message. Hash key cryptography is for checking the integrity of the message, ensuring that the message has not been compromised, affected by a virus or altered in any way.

Now back to hard drives

Now that we’ve looked at the basics of data encryption, let us look at how it applies to external hard drives.

External hard drives can be classified into:

  • ones that don’t have built-in encryption
  • ones that have built-in encryption

For hard drives that don’t have in-built encryption, you can use third-party software or in-built features of your operating system to achieve encryption, but this will negatively affect the drive’s performance. Drives with in-built encryption perform 50% or 100% faster than those that don’t have in-built encryption.

With the first type of drive the approach is fairly obvious: if you have something to hide, install the needed software and password-protect the sensitive information. With the second type of drive you need to be very cautious.

Hardware-based full disk encryption (FDE)

You can buy hardware-based full disk encryption from almost any hard disk drive vendor. It comes with two major components: the hardware encryptor and the data storage. There are three kinds of hardware encryption for hard drives:

  • Hard disk drive (HDD) full disk encryption, known as SED
  • Enclosed hard disk drive full disk encryption
  • Bridge and chipset full disk encryption

What is SED and how built-in hardware encryption works

An SED has a circuit built into the disk drive controller chip that automatically encrypts all data written to the magnetic media and decrypts all data read from the media. All SED encryption occurs directly, while the hard drive is in use, and it is not visible to the user.

Encryption is always in progress: data is scrambled using a key as it is written to the drive. As the data is retrieved, it is descrambled using the key, providing users with a high level of data protection.

The key used for encryption in SEDs is called the Media Encryption Key (MEK). Decryption requires another key, called the Key Encryption Key (KEK), which is supplied by the user. The KEK is used to encrypt and decrypt the MEK. The KEK is never stored in plain text inside the drive. If no KEK is set, the drive is always unlocked and appears not to be encrypting even though it is. If a KEK is set, the drive powers up locked and stays locked until the user gives it the correct KEK.

SEDs perform all the cryptography within the disk drive controller, meaning the disk encryption keys are never present in the computer’s memory or processor. Therefore, there is no risk of hackers getting access to the keys. Other parts of the computer system cannot access the hard drive contents since they are always encrypted and the keys themselves are also always encrypted.

When a locked self-encrypting drive (SED) is powered up, the BIOS first detects it as a shadow disk. The shadow disk is detected as having a much smaller capacity, usually 100 megabytes. The software on the shadow disk is read-only, and it asks the user for the KEK in order to unlock the real disk. After unlocking, the MEK is decrypted to enable reading and writing of the real disk.

The shadow disk software holds a cryptographic hash of the KEK so it can recognize the right KEK when the user gives it. When the user provides the KEK, the shadow disk creates a hash of that passcode and compares it with the stored hash of the KEK.

If the two match, the MEK is decrypted and placed into the encryption/decryption circuit inside the drive. The BIOS is then called again to boot from the disk, this time recognizing it as the larger real disk with a capacity in gigabytes. The operating system then boots normally.
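
The unlock sequence described above, as an added example that is not from the original article or from any drive vendor: a small Python simulation of a drive that wraps its MEK under a user KEK, keeps only a hash of the KEK, and powers up locked. PBKDF2, the XOR/HMAC wrap (a stand-in for the drive's hardware key wrap), and all class and function names are assumptions.

```python
import hashlib, hmac, secrets

def derive_kek(passcode: str, salt: bytes) -> bytes:
    # Assumption: the KEK is derived from the user's passcode with PBKDF2.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, 100_000)

def wrap(kek: bytes, nonce: bytes, key: bytes) -> bytes:
    # Stand-in for the drive's hardware key wrap: XOR with an HMAC keystream.
    # XOR is its own inverse, so the same call also unwraps.
    stream = hmac.new(kek, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, stream))

class SimulatedSED:
    def __init__(self):
        self.circuit_mek = secrets.token_bytes(32)  # MEK loaded in the crypto circuit
        self.salt = self.nonce = self.kek_hash = self.wrapped_mek = None
        self.locked = False                         # no KEK set: always unlocked

    def set_kek(self, passcode: str) -> None:
        self.salt, self.nonce = secrets.token_bytes(16), secrets.token_bytes(16)
        kek = derive_kek(passcode, self.salt)
        self.kek_hash = hashlib.sha256(kek).digest()  # what the shadow disk keeps
        self.wrapped_mek = wrap(kek, self.nonce, self.circuit_mek)
        # The KEK itself is not stored anywhere on the drive.

    def power_cycle(self) -> None:
        if self.kek_hash is not None:               # with a KEK set, power-up is locked
            self.locked, self.circuit_mek = True, None

    def unlock(self, passcode: str) -> bool:
        if self.kek_hash is None:
            return True                             # nothing to unlock
        kek = derive_kek(passcode, self.salt)
        if not hmac.compare_digest(hashlib.sha256(kek).digest(), self.kek_hash):
            return False                            # wrong KEK: MEK stays wrapped
        self.circuit_mek = wrap(kek, self.nonce, self.wrapped_mek)
        self.locked = False
        return True

def demo():
    drive = SimulatedSED()
    original_mek = drive.circuit_mek
    drive.set_kek("constructed-passcode")           # constructed sample value
    drive.power_cycle()
    wrong = drive.unlock("bad-guess")
    locked_after_wrong = drive.locked
    right = drive.unlock("constructed-passcode")
    return wrong, locked_after_wrong, right, drive.locked, drive.circuit_mek == original_mek
```

Calling `demo()` shows that a wrong passcode leaves the drive locked with no MEK in the circuit, while the correct one restores exactly the MEK the data was written with.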

Chief Benefits of SEDs

SEDs perform all the cryptography within the disk drive controller, meaning the encryption keys are never present in the computer’s memory or processor. Therefore, they cannot be accessed by hackers.

One important characteristic of SEDs is that the encryption cannot be seen by the user, cannot be turned off and does not interfere with the workflow.

SEDs Drawbacks

Once the drive is unlocked, it remains unlocked until power is off, meaning until the computer is switched off. Even rebooting or putting the computer into sleep mode won’t help.

Only when you switch the computer off and on again will it ask for the authentication key to be entered. Therefore, if your computer is stolen while in sleep mode, the data in the drive is completely exposed. Even if you have a user password set on the operating system, someone can simply restart the machine, boot into a live environment, and have almost full access to your data.

Even if you have set a BIOS password, someone can still access the data in the drive by moving it into a different computer without powering off your computer. In laptops, your data may be somewhat safe, but not in desktops.

Another drawback of SED encryption is that it only works in simple single-disk configurations, not in multiple-drive configurations. You can have multiple drives in one system with software encryption enabled, but hardware-level RAID is simply not supported.

Enclosed Hard Drive Full Disk Encryption

This type makes use of an integrated encryption/decryption chip inside the chassis of the drive, or the chip can be built into the USB/eSATA controller, featuring 256-bit AES encryption.

The encryption/decryption functionality comes from the fact that the physical drive is connected to the controller built into the chassis. The drive is an internal component of the chassis, and it is the chassis that carries the built-in decryption chip. Therefore, encryption/decryption occurs automatically as long as the drive is inside that chassis.

If the circuit board of the external unit gets damaged, data recovery “may not be possible”, even if the disk drive is not damaged at all.

You must remember that encryption operates even if no password is set. Also, if you do not use the password and remove the drive from the enclosure, the data will still be encrypted and inaccessible outside of the chassis.

If your external hard drive has built-in encryption, make sure you keep a good backup.

Chipset Full Disk Encryption

The Bridge and Chipset (BC) encryptor is placed between a standard hard drive and the computer and encrypts every sector written to it. This is outside the current scope, which is external disk drives.

Encryption Conclusion

For an external hard disk drive with hardware encryption, it is better to use SED disks rather than enclosed hard disk drives. Disk drive controllers provide much more stability and work much longer than the USB/eSATA controllers built into enclosures.