Six hard drive manufacturers have joined forces behind a standard for firmware-level hard drive encryption, an important step for security interoperability.
The Trusted Computing Group (TCG) has released three final specifications for hardware-level data encryption, and virtually all the major storage manufacturers have declared that they intend to adopt the new standards in the near future. Self-encrypted disks are already available on the market— Seagate has been actively pushing its DriveTrust technology for several years—but there was no central standard for drive encryption developers to refer to. The two new encryption standards provide a blueprint for desktop, laptops, and enterprise-level protection, while the third (dubbed the Storage Interface Interactions Specification) details how self-encrypted drives should interact with various communication protocols.
These new encryption methods do not require the presence of a Trusted Platform Module (TPM), but it's hard to imagine why an OEM would bother to build a system using self-encrypting hard drives and not include one. The TCG expects self-encrypting drives (and presumably TPM modules) to become ubiquitous across the enterprise/business market over the next few years. "With 48 states and many countries enforcing data protection laws, it has become crucial for enterprises to protect all data to avoid fines, lawsuits or even being put out of business. Encryption with authentication directly in the drive or enterprise storage devices as outlined in the Trusted Computing Group specifications is one of the most effective ways to ensure data is secure against virtual and physical attacks,” noted Jon Oltsik, senior analyst, Enterprise Strategy Group.
Expect future versions of consumer hardware to eventually adopt Opal (TCG's moniker for the desktop/laptop version of the standard) as well. ""This represents interoperability commitments from every disk drive maker on the planet," Robert Thibadeau, chief technologist at Seagate Technology and chairman of the TCG, told Computer World. "We're protecting data at rest. When a USB drive is unplugged, or when a laptop is powered down, or when an administrator pulls a drive from a server, it can't be brought back up and read without first giving a cryptographically-strong password. If you don't have that, it's a brick. You can't even sell it on eBay."
Thibadeau's last comment would seem to imply that the drive can't even be formatted or otherwise wiped without the requisite password. If that's actually true, it substantially diminishes the value of a stolen laptop, provided said machine is stolen for personal use rather than data theft. Enterprise users and anyone with access to sensitive data obviously can't afford to ignore the possibility that someone might steal their system for the purposes of accessing the information it contains, but I rather think this is not the case. The TPC reports that some 12,000 notebooks are lost/stolen in US airports, and only one-third are ever recovered by the rightful owner. Unless you carry a laptop case with "BIG IMPORTANT SECRETS" embroidered on the side, the thefts are most likely aimed at the hardware, not the data on the hardware. If the would-be thief knows in advance that he won't be able to use the system, the value of the laptop drops.
Manufacturers that have announced support for the new encryption standard include Fujitsu, Hitachi, Toshiba, Samsung, Seagate, and Western Digital. Drive manufacturers will be able to choose between 128-bit and 256-bit AES encryption, which should prove adequate to protect the drive's data even in situations where a TPM module is unavailable. Combined with TPM, any data stored on the encrypted drive would be as secure as modern technology can make it.
Source: ars technica
