Introduction and Guide to Managing Self-Encrypting Drives


Posts: 3,073   +97

-encrypting drives quick introduction step step guide puget security encryption guest repub sed self-encrypting drives

A SED, or self-encrypting drive, is a type of hard drive that automatically and continuously encrypts the data in it without any user interaction. What may surprise many is that a decent potion of the drives currently in the market, including the popular Samsung 840 and 850 Pro SSD series are in fact SEDs. But since manufactures do not tout this as a major feature, it often gets lost in the large number of typically more important specifications.

Even once you purchase, install and start using one of these SED drives, the encryption is so transparent to the user that it is unlikely they would ever realize they have such a feature. The encryption process is done through the use of a unique and random Data Encryption Key that both encrypts and decrypts data whenever data is written to the drive or read from it.

Read the complete article.

Last edited by a moderator:
I work in the photocopier/printer industry, for the past 33 years. A few years ago, there was a 60 minutes report on how a security expert was able to purchase some used copiers, pull the hard drives, and obtain personal information from them. Ever since, the entire industry went nuts with security, to the point you have to be VERY careful when replacing HDD's or circuit boards, for fear of bricking them. All of the HDD's on most machines now, are "self wipe" drives. The encryption is automatically done on the boards, but, the HDD's have a self wiping function. A hash is generated when a HDD is connected at the factory. If that drive is pulled, and connected to ANYTHING other than the machine it was married to, it will automatically wipe itself and cannot be used for anything (so the manufacturer says). I even tried to "fix" a bad drive, by taking the exact same HDD, a non wipe, pulled the board, connected that drive to the wipe drive board, and the non wipe board, to a wipe drive, but neither one would work. Something on the board of the wipe, marries to the standard mechanics of the drive I suppose. All machines today, have DOD level encryption, and it's a pain when machines come in off lease, most companies want to retain the physical drives, when a machine leaves their office, requiring a tech to swap out the customer drive, with a new one.
Caveat Emptor: SED encryption can have adverse effects on your backup/recovery plan.

Products like Acronis True Image which access the raw media directly (ie not via the NTFS filesystem)
will have issues (see this).

IMO, whereas a large percentage of the HD is the windows OS (encrypt \windows ???),
and a large portion of the user data has no privacy or security exposure, (My Music??, My Pictures??)
whole disk encryption has more CONS than it's worth to me.

My approach is to create a folder %USERPROFILE%\Precious and place all sensitive data inside it.
Now you can use 3rd party PGP tools to protect those specific files.

That's my $0.02
A few problems.

1. My HP DC 7900 and 8000 systems ask for the password at every reboot. Even when the power remains on. This may be a vendor specific setting.

2. SEDs will NOT mess up disk imaging as mentioned above. This is because the data is decrypted before entering the RAM where your software (ie Acronis) creates the image before dumping to the target. What ends up happinging is your backup will be unencrypted (unless you enable it in your image settings)
Hmm; I'll stick with the Acronis statement. IMO it would be irrational to allow direct access to the drive by just attaching it to just any system. The whole point is to have the data protected when it is not attached to it's 'home system' (ie dismounted from one and attached to another).

The data transfer via DMA should never decrypt for exactly this reason. The device driver is necessary to access the AES encryption key.
Does this method work with UEFI firmware on which the manufacturer (ASUS) has seemingly disabled the function of asking for the authentication key at boot?

Thank you
OK, so I've posted detailed stuff on this on vxLabs and superuser and Tom's. In short, SED is fast and reliable. Cloning is not an issue. I've used Casper after unlocking a drive and have cloned it to an UNlocked SSD without problem. That SSD can then be encrypted if you want. Downsides to Bitlocker or Truecrypt: Performance hit, plus software is always crackable (and what backdoors did Microsoft leave for the NSA?). Plus if you lose power, software encryption has its issues also. The REAL problem with the hardware encryption of Samsung EVO and Intel SSDs? You need a motherboard BIOS that has ATA Password support. And this little feature is never mentioned in mobo reviews, comparisons or even in the manufacturers' specs and advertisements. So you don't know until AFTER you buy a mobo! I had an ASRock Extreme6, what I thought was the latest and greatest. It did NOT have ATA password support. Fortunately an email to the Taiwan ASRock team and they wrote a 1.70B version with the feature and emailed it to me . . . but did NOT make it available on their website. Why not? According to rumor, SED is so effective that if you forget your password, no one can help you. At all. Not Samsung, Intel, ASRock, or the NSA. Even forensics guys at Shmoocon say encrypted SSDs could spell the end for forensics in drives.