Seagate ST9500621SS About self-encrypting drives, Data encryption, Controlled access, Admin SP


9.0 About self-encrypting drives

Self-encrypting drives (SEDs) offer encryption and security services for the protection of stored data, commonly known as “protection of data at rest.” These drives are compliant with the Trusted Computing Group (TCG) Enterprise Storage Specifications as detailed in Section 3.2.

The Trusted Computing Group (TCG) is an organization sponsored and operated by companies in the computer, storage and digital communications industry. Seagate’s SED models comply with the standards published by the TCG.

To use the security features in the drive, the host must be capable of constructing and issuing the following two SCSI commands:

Security Protocol Out

Security Protocol In

These commands are used to convey the TCG protocol to and from the drive in their command payloads.
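The two commands named above share one 12-byte CDB layout. The following is an added example, not taken from the Seagate manual: it builds both CDBs and checks a security-protocol list for the TCG protocol number before any TCG traffic is attempted. The opcodes, field offsets and list format follow SPC-4; the function names are hypothetical and the response bytes are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define OP_SECURITY_PROTOCOL_IN  0xA2  /* SPC-4 operation code */
#define OP_SECURITY_PROTOCOL_OUT 0xB5  /* SPC-4 operation code */
#define PROTO_INFO 0x00                /* security protocol information */
#define PROTO_TCG  0x01                /* first TCG-assigned protocol number */

/* Fill a 12-byte CDB. proto_specific carries the ComID for a TCG protocol.
 * len is ALLOCATION LENGTH (IN) or TRANSFER LENGTH (OUT) in bytes (INC_512 = 0). */
void build_secproto_cdb(uint8_t cdb[12], uint8_t opcode, uint8_t proto,
                        uint16_t proto_specific, uint32_t len)
{
    memset(cdb, 0, 12);                 /* reserved and CONTROL bytes stay zero */
    cdb[0] = opcode;
    cdb[1] = proto;                     /* SECURITY PROTOCOL */
    cdb[2] = (uint8_t)(proto_specific >> 8);
    cdb[3] = (uint8_t)proto_specific;   /* SECURITY PROTOCOL SPECIFIC, big-endian */
    cdb[6] = (uint8_t)(len >> 24);
    cdb[7] = (uint8_t)(len >> 16);
    cdb[8] = (uint8_t)(len >> 8);
    cdb[9] = (uint8_t)len;
}

/* Parse the list returned for protocol 00h, protocol-specific 0000h.
 * Returns 1 if `wanted` is listed, 0 if not, -1 if the buffer is malformed. */
int drive_lists_protocol(const uint8_t *buf, size_t buflen, uint8_t wanted)
{
    if (buflen < 8) return -1;          /* header is 8 bytes */
    size_t n = ((size_t)buf[6] << 8) | buf[7];
    if (n > buflen - 8) return -1;      /* length field exceeds returned data */
    for (size_t i = 0; i < n; i++)
        if (buf[8 + i] == wanted) return 1;
    return 0;
}

int main(void)
{
    /* Constructed response: list length 2, protocols 00h and 01h. */
    const uint8_t resp[] = {0, 0, 0, 0, 0, 0, 0x00, 0x02, 0x00, 0x01};
    uint8_t cdb[12];
    build_secproto_cdb(cdb, OP_SECURITY_PROTOCOL_IN, PROTO_INFO, 0x0000, 512);
    for (int i = 0; i < 12; i++) printf("%02x ", cdb[i]);
    printf("\nTCG protocol advertised: %d\n",
           drive_lists_protocol(resp, sizeof resp, PROTO_TCG));
    return 0;
}
```

Sending the CDB to a device needs a pass-through interface on the host, which is outside this example.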

9.1 Data encryption

Encrypting drives use one inline encryption engine for each port, employing AES-128 data encryption in Cipher Block Chaining (CBC) mode to encrypt all data prior to being written on the media and to decrypt all data as it is read from the media. The encryption engines are always in operation and cannot be disabled.

The 32-byte Data Encryption Key (DEK) is a random number which is generated by the drive, never leaves the drive, and is inaccessible to the host system. The DEK is itself encrypted when it is stored on the media and when it is in volatile temporary storage (DRAM) external to the encryption engine. A unique data encryption key is used for each of the drive's possible 16 data bands (see Section 9.5).

9.2 Controlled access

The drive has two security providers (SPs) called the "Admin SP" and the "Locking SP." These act as gatekeepers to the drive security services. Security-related commands will not be accepted unless they also supply the correct credentials to prove the requester is authorized to perform the command.

9.2.1 Admin SP

The Admin SP allows the drive's owner to enable or disable firmware download operations (see Section 9.4). Access to the Admin SP is available using the SID (Secure ID) password or the MSID (Manufacturers Secure ID) password.

9.2.2 Locking SP

The Locking SP controls read/write access to the media and the cryptographic erase feature. Access to the Locking SP is available using the BandMasterX or EraseMaster passwords. Since the drive owner can define up to 16 data bands on the drive, each data band has its own password called BandMasterX where X is the number of the data band (0 through 15).

Constellation.2 SAS Product Manual, Rev. H
