Seagate ST9500431SS About self-encrypting drives, Data encryption, Controlled access, Admin SP

Page 44

9.0About self-encrypting drives

Self-encrypting drives (SEDs) offer encryption and security services for the protection of stored data, com- monly known as “protection of data at rest.” These drives are compliant with the Trusted Computing Group (TCG) Enterprise Storage Specifications as detailed in Section 3.2.

The Trusted Computing Group (TCG) is an organization sponsored and operated by companies in the com- puter, storage and digital communications industry. Seagate’s SED models comply with the standards pub- lished by the TCG.

To use the security features in the drive, the host must be capable of constructing and issuing the following two SCSI commands:

•Security Protocol Out

•Security Protocol In

These commands are used to convey the TCG protocol to and from the drive in their command payloads.

9.1Data encryption

Encrypting drives use one inline encryption engine for each port, employing AES-128 data encryption in Cipher Block Chaining (CBC) mode to encrypt all data prior to being written on the media and to decrypt all data as it is read from the media. The encryption engines are always in operation, cannot be disabled, and do not detract in any way from the performance of the drive.

The 32-byte Data Encryption Key (DEK) is a random number which is generated by the drive, never leaves the drive, and is inaccessible to the host system. The DEK is itself encrypted when it is stored on the media and when it is in volatile temporary storage (DRAM) external to the encryption engine. A unique data encryption key is used for each of the drive's possible16 data bands (see Section 9.5).

9.2Controlled access

The drive has two security partitions (SPs) called the "Admin SP" and the "Locking SP." These act as gate- keepers to the drive security services. Security-related commands will not be accepted unless they also supply the correct credentials to prove the requester is authorized to perform the command.

9.2.1Admin SP

The Admin SP allows the drive's owner to enable or disable firmware download operations (see Section 9.4). Access to the Admin SP is available using the SID (Secure ID) password or the MSID (Makers Secure ID) password.

36	Constellation SAS Product Manual, Rev. E

Image 44

Contents ST9500430SSST9500431SS ST9500432SSStandard Model Self-Encrypting Drive Model SED Fips 140-2 ModelRevision history Contents Defect and error management InstallationAbout Fips About self-encrypting drives Interface requirementsPower Constellation SAS Product Manual, Rev. E List of Figures GB model current profilesConstellation SAS Product Manual, Rev. E Seagate Technology support services Seagate Online Support and ServicesScope Applicable standards and reference documentation StandardsElectromagnetic compatibility Electromagnetic susceptibilityElectromagnetic compliance Electromagnetic compliance for the European UnionAustralian C-Tick Korean KCCReference documents European Union Restriction of Hazardous Substances RoHSGeneral description Standard features Media descriptionPerformance ReliabilityFormatted capacities Programmable drive capacityFactory-installed options Performance characteristics Internal drive characteristicsSeek performance characteristics Access timeGeneral performance characteristics Start/stop timePrefetch/multi-segmented cache control Cache operationCaching write data Prefetch operationReliability specifications Error ratesRecoverable Errors Unrecoverable ErrorsReliability and service Seek errorsInterface errors Preventive maintenance4 S.M.A.R.T Controlling S.M.A.R.TPerformance impact Reporting controlThermal monitor Temperature Log Page 0Dh Parameter Code DescriptionPredictive failures State of the drive prior to testing Drive Self Test DSTDST failure definition ImplementationShort and extended tests Short test Function Code 001bExtended test Function Code 010b Log page entriesProduct repair and return information Product warrantyShipping PowerChoice modes Physical/electrical specificationsPowerChoiceTM power management AC power requirements DC power requirementsPage Conducted noise immunity General DC power requirement notesPower sequencing Current profiles GB model current profilesPower dissipation ST9500430SS, ST9500431SS and ST9500432SS in 3 Gbit operationST9500430SS, ST9500431SS and ST9500432SS in 6 Gbit operation Temperature a. Operating Environmental limitsRelative humidity Effective altitude sea level a. OperatingShock and vibration ShockPage Recommended mounting Corrosive environment Air cleanlinessVibration a. Operating-normal Acoustics Mechanical specifications Mounting configuration dimensionsLevel 2 security About FipsPurpose Controlled access Admin SPAbout self-encrypting drives Data encryptionDefault password Random number generator RNGDrive locking Data bandsAuthenticated firmware download Power requirementsSupported commands Cryptographic eraseDrive error recovery procedures Defect and error managementDrive internal defects/errors SAS system errors Deferred Auto-Reallocation Background Media ScanMedia Pre-Scan Idle Read After Write Installation Drive orientationCooling Air flowDrive mounting GroundingSAS features Interface requirementsDual port support Scsi commands supported Supported commandsSupported commands Supported commands Supported commands Constellation inquiry data Mode Sense dataInquiry data Page Mode Data Header Miscellaneous status Miscellaneous operating features and conditionsMiscellaneous features SAS physical interface Datum B Section C C Section a a Physical characteristics Connector requirementsElectrical description Pin descriptionsSignal characteristics PowerSAS transmitters and receivers Ready LED OutSAS-2 Specification Compliance LED drive signalDifferential signals General interface characteristicsConstellation SAS Product Manual, Rev. E Index NumericsKCC Msid Mtbf See also cooling Page Constellation SAS Product Manual, Rev. E Page Seagate Technology LLC