Encrypting disk hard drives – Best security practice today

When a drive is first bought into service, before anything is written to it, a high quality entropy source should be used to produce a large (128 or 256 bit), high entropy symmetric secret. This is the encryption key. It will then be forever used to key an inline AES algorithm which encrypts / decrypts the drive contents on the fly. All the data stored on the drive will then be complete gyberish without knowing the key.

If the inline AES encryption is fast enough to keep up with the read/write performance of the drive and/or its interface then there is no performance penalty of using the encryption.

How can the encryption key be protected

A user or the operating system supplies a secret (e.g. a password). A PBKDF (Password-Based Key Derivation Function) is used to to encrypt the drive encryption key with it and this can then be stored on the drive in place of the encryption key. This has therefore become a “password dependant key”. Without the user / OS secret the drive encryption key cannot be obtained by the decryption software and the drive is therefore protected.

Securely wiping an encrypted drive

If you change the encryption key and you will have securely wiped the drive with cryptgraphic security, including all sectors that have ever been taken out of service by the drive wear levelling and fault detection functions.

Software vs hardware encrypted drives?

A hardware encrypted drive simply has the software encryption applied within the drive itself. Researchers have shown (2018-12) that many of the popular encrypted drives have not implemented security correctly and therefore have vulnerabilities. There is therefore a strong argument that you should not rely upon hardware encrypted drives over proven software encryption to achieve proper security.

USEFUL?
We benefit hugely from resources on the web so we decided we should try and give back some of our knowledge and resources to the community by opening up many of our company’s internal notes and libraries through mini sites like this. We hope you find the site helpful.
Please feel free to comment if you can add help to this page or point out issues and solutions you have found, but please note that we do not provide support on this site. If you need help with a problem please use one of the many online forums.

Comments

Your email address will not be published. Required fields are marked *