Seagate Technology is currently the only company on the market to offer disk-based hardware encryption with its...
Momentus 5400 Full Disk Encryption laptop hard drive. It's also quietly developing encryption for enterprise-level drives, as is Hitachi Global Technologies Inc., SearchStorage.com has learned.
With the Momentus, encryption functions -- using the triple Data Encryption Standard algorithm -- are performed on the physical drive, separate from the operating system (OS). The encryption key is stored in a separate partition in a chip on the drive.
The idea is that if a laptop is lost or stolen, data on the hard drive will be physically inaccessible to anyone else. The user's access code is entered before the OS can load to address the possibility of spyware having visibility of the key.
According to Seagate, the Momentus drive, launched June 8, also has provisions for establishing a master-level password to access the system, so that data can still be accessed in a disaster recovery scenario or if the user loses his/her password.
In the case of someone deliberately stealing a laptop to hack the disk, neither the password or the encryption key are stored "in the clear" on the drive where it could be vulnerable to brute force attack, according to the company.
The advantages to hardware-based encryption on disk drives, according to Henry Fabian, Seagate's executive director of global product marketing, are ease of use, since they require no installation or configuration of software by the user, and cost effectiveness, since companies repurposing or disposing of outdated machines would not have to spend time or money doing repeated disk erasures.
According to Hitachi Global Storage Technologies (Hitachi) spokesman Jim Pascoe, though Hitachi doesn't have an encrypted disk on the market yet, such a product is currently in development.
"I can't provide details of unannounced products," Pascoe said in an e-mailed statement. "(But) I can tell you that Hitachi is working on a set of security technologies for hard drives that involve encryption for data protection to guard against loss or theft."
Seagate is also keeping its specific product plans close to the vest, but did indicate they are working on adapting the encrypted hard disk for the enterprise level.
"We feel we have developed a technology that could be applied broadly," said Mark Pastor, strategic marketing director for Seagate. "We see a lot of resonance in the enterprise space, because there's a lot of confidential data out there at the enterprise level. This is a good and efficient way of accomplishing the task of encrypting data on drives."
"You will see FDE [Full Disc Encryption] and other security capabilities and others on enterprise and other products from Seagate, across the spectrum," according to Fabian.
Challenges of enterprise level disk drive encryption
Though disk-based encryption is certainly possible with enterprise level drives, that doesn't mean it will be easy -- or practical.
According to Arun Taneja, president of the Taneja Group, there are two major concerns with disk-based encryption at the enterprise level: performance and distance.
"With a laptop, do you know how much of that microprocessor you're using? Almost nothing," Taneja said. "Less than 5%. The compute cycles are so low that it makes sense to put disk encryption on a laptop. It might even make sense to put it on a desktop. But with a larger system, if they have big gigabyte files, the CPU will work harder, and I may not have compute cycles to spare to do encryption.
"Even if I did have spare subcycles," Taneja continued, "today the disk drives can be literally in a different state from where the server is. If I ask for the data out of a disk drive from miles away, it's still naked on the wire."
"At the enterprise level, it's rare the drives themselves are going to leave the controller," pointed out Greg Schultz, senior analyst with the Evaluator Group. "And in an environment that's truly concerned about someone taking a disk drive from an array, they're going to have multiple layers of physical security already."
"This is a very good solution for laptops," said W. Curtis Preston, vice president of GlassHouse Technologies Inc. "But it would only be valid in the enterprise if they were able to have as good of an answer to key management as the current hardware encryption vendors. Otherwise, I don't see why I would use their encryption."
Decru Inc., Kasten Chase Applied Research Ltd., Disuk Ltd., NeoScale Systems Inc. and Vormetric Inc. all make encryption appliances for enterprise systems.
"Right now, Decru has a better (method) than anyone I know," Preston said.
"There's a variety of things that would change for enterprise drives," Pastor said. "The interface is most likely going to be different, for serial-attached SCSI and Fibre Channel. It's certainly a consideration. The way you manage keys from a systems perspective would have to be further explored and defined. And there are a lot of differences between a client drive and an enterprise drive, mechanically and elsewhere."
Pastor declined to comment on how Seagate might address these issues with future products.