Self Encrypting Hard Drives

dmnEPC

dmnEPC

New member
Dec 23, 2010
5,994
95
0
Looking at picking up a Self Encrypting Drive (SED) and curious to know if anyone has any experience/recommendations regarding them? It looks like 256 AES encryption is pretty much the norm. From what I have read it looks like it handles all the encryption automatically on the fly. Some of them offer auto wipe (i believe by deleting the key) if the drive is removed from system or incorrect pass-codes are entered. This pretty much seems like a no brainer in maintaining the security of a drive. Anyone running one? Any other pros or cons that may come to mind? Or is this just a waste of money and software some software can do all this faster or better?
 


Call me paranoid, but these drives aren't a whole lot more secure than a bios password against a determined attacker. The encryption is no more secure as AES than as plaintext.

The general principal behind them, is that ALL data on the drive is encrypted. The device has a key, generated and set by the manufacturer, that all data is encrypted with. The drive uses a BIOS trick to get a password out of the user, and if it matches, it starts using it's key to crypt data. When you change passwords, you aren't changing the key, only the password to access the key.

Because of this, anyone who is determined (especially the government), should be able to access the key (or password) and decrypt the data with little more than some fancy equipment.
 
are you thinking the auto deleting of the key is BS? Supposedly this is how the auto wipe feature works and assuming it is irreversible (not so sure about that) wouldn't they then be forced to actually decrypt the drive? Do you think the gov has the capability of doing that w/ 256aes? I am sure its a mute point the gov probably has the manufacturers build in a backdoor
 
dmnEPC said:
are you thinking the auto deleting of the key is BS? Supposedly this is how the auto wipe feature works and assuming it is irreversible (not so sure about that) wouldn't they then be forced to actually decrypt the drive? Do you think the gov has the capability of doing that w/ 256aes? I am sure its a mute point the gov probably has the manufacturers build in a backdoor
Click to expand...

The government (and the manufacturer) doesn't need to have a backdoor. If the key is physically stored on the device, then there shouldn't be a whole lot stopping someone from pulling the chip and seeing what is on it. Granted you can get a little complex with physical security, but as I mentioned, all of the implementations I've read up on appear to be more of a marketing ploy. I suspect the auto wipe feature doesn't even change the key, but rather changes the block allocation table on the drive (we're talking SSD's here).

In a few years we might start seeing drives that are actually encrypted with the key YOU provide, but until there is a better BIOS function to do it (more advanced than the current workaround), it will probably remain nonviable. Also there is a huge issue related to changing your key, as it would potentially take quite some time, and brick your data if you have a power interruption.
 
The only real reason to go for these is for speed and convenience, not security. The speed boost would be from the dedicated hardware handling the encryption.

However, if the key (or even a partial key or hash) is stored on NVRAM, it can be got. my guess is that part of it is stored, and the other part is generated when powered up, and stored somewhere volatile. That can be gotten as well; I've seen it done on something running TrueCrypt, where they sprayed the RAM with canned air upside down to freeze the chip.

There have always been those BIOS-level drive passwords that 'platter lock' the disk. Whenever I had a drive go bad, I could still get something for it on ebay, because people were buying the circuit board. They had locked up their drive, and by replacing the circuit board, they could get back into it.

I have always wanted an auto-wipe feature, and looked at incorporating DBANto run in the background while a decoy OS booted up, but it takes a long ass time to really wipe a disk, and it makes a lot of noise.

If the drive is already encrypted, you can render it (feasibly) unrecoverable by writing random data to random sectors. It takes nowhere near as long to do this; you just have to destroy enough to defeat error checking capabilities in the decryption process. The flaw is that this requires the disk to stay with the rest of the machine, unless you want to fuck around with the onboard circuitry.
 
dmnEPC said:
Looking at picking up a Self Encrypting Drive (SED) and curious to know if anyone has any experience/recommendations regarding them? It looks like 256 AES encryption is pretty much the norm. From what I have read it looks like it handles all the encryption automatically on the fly. Some of them offer auto wipe (i believe by deleting the key) if the drive is removed from system or incorrect pass-codes are entered. This pretty much seems like a no brainer in maintaining the security of a drive. Anyone running one? Any other pros or cons that may come to mind? Or is this just a waste of money and software some software can do all this faster or better?
Click to expand...
i am using external drive + truecript combo. Pretty happy so far.
never used SED, can't compare...
 
To all of those thinking the gov would have a backdoor, you have to remember two simple things about the government.

1: The cool tech they get and build, they get because of university research for the most part. If the worlds universities can't break AES256, neither can the government. Think about that. It applies to a lot of government 'questions' like that. If the smartest professors and bodies of brilliant students can't touch something, neither can the government. If they COULD, the universities would figure it out as well.

2: If the government DID have back doors, they would NOT use them on people like us. Even if you were hoarding kiddie porn and shit like that, they wouldn't use the back door for you. Why? Records. If they used the back door to bust you, they blow it. They can't use it anymore. That means the manufacturer is fucked, the government is in trouble, the case may not stick, and everyone knows about the issue and thus gets rid of whatever it is that provides a back door. It would be a fucking PR DISASTER to use one in a court case.

The ONLY time they WOULD use a backdoor (if one were to exist) would be for black-bag type operations. The kind that the news never hears about, and a judge never oversees. If you are taken away in a head bag by armed mercenaries in them middle of the night and shipped off to some foreign secret CIA prison, THEN the backdoor might be used, because you won't ever have the chance to tell anyone about it.

So you REALLY REALLY have to piss off some powerful and secret people in order to worry about a backdoor.
 
you cant stop government from decrypting your shit, they are building supercomputer that can process data at some ridiculus speeds, like brute force that would take a normali5 2500k computer a year to do, the supercommputer can do in a couple of hours.. They'll just brute force the fuck out of that shit..

Though if you really just want to stop random people from accessing your data a basic password is enough
 
oh btw in the UK it's illegal to not disclose your encryption keys, whateve crime they are accusing you of, you will be found guilty if you do not disclose your encryption keys when demanded to do so.
 
TigerUK said:
you cant stop government from decrypting your shit, they are building supercomputer that can process data at some ridiculus speeds, like brute force that would take a normali5 2500k computer a year to do, the supercommputer can do in a couple of hours.. They'll just brute force the fuck out of that shit..

Though if you really just want to stop random people from accessing your data a basic password is enough
Click to expand...
If your hard drive password only takes a year to crack on a standard computer, you're doing it wrong.
TigerUK said:
oh btw in the UK it's illegal to not disclose your encryption keys, whateve crime they are accusing you of, you will be found guilty if you do not disclose your encryption keys when demanded to do so.
Click to expand...
Just looked this up, amazed this got passed. However you don't get found guilty of the crime, you get found guilty under the regulation of investigatory powers act, which has a maximum sentence of 2 years.
 
TigerUK said:
you cant stop government from decrypting your shit, they are building supercomputer that can process data at some ridiculus speeds, like brute force that would take a normali5 2500k computer a year to do, the supercommputer can do in a couple of hours.. They'll just brute force the fuck out of that shit..

Though if you really just want to stop random people from accessing your data a basic password is enough
Click to expand...

Many of the brightest minds in the security field believe that the Gov only has the ability to decrypt yesterday's encryption standards. They have ammased huge volumes of encrypted data over the years. For this they are building these mega systems for unlocking this older data and storing the current for sometime in the future when the technology becomes available. As mentioned earlier the "keys" are the week link and carelessness or lack of knowledge is what leads to today's encryption to be broke
 
TigerUK said:
you cant stop government from decrypting your shit, they are building supercomputer that can process data at some ridiculus speeds, like brute force that would take a normali5 2500k computer a year to do, the supercommputer can do in a couple of hours.. They'll just brute force the fuck out of that shit..

Though if you really just want to stop random people from accessing your data a basic password is enough
Click to expand...
This is not the case right now. The strongest super computer in the world, even if it were focused only on cracking one persons password would take 10^big# years to break something encrypted with an algorithm like AES.

Eventually, maybe, but for the next 20-30+ years you are probably safe.


TigerUK said:
oh btw in the UK it's illegal to not disclose your encryption keys, whateve crime they are accusing you of, you will be found guilty if you do not disclose your encryption keys when demanded to do so.
Click to expand...
What if I forgot my key? Is it a crime to have a bad memory?
 
cardine said:
What if I forgot my key? Is it a crime to have a bad memory?
Click to expand...
What'd be the defence for that?

"So you bought your hard drive 5 years ago, yet you've forgotten the password? Do you regularly forget it?"

if yes = I think most courts would find it hard to believe you format your hard drive every few months from forgetting the password.

if no = then you're either lying, or have a scrap of paper with it written down. Where's the piece of paper?
 
cardine said:
A polygraph test is only ~90% accurate. That's pretty unprecedented to send 10% of people who have a bad memory to prison.
Click to expand...

If its that important to them to get whats on that drive the poly probably wont matter to much. They will more than likely torture the info out of you
 
You must log in or register to reply here.
Top Bottom