The new company policy wants all your data encrypted…
Yes… it seems necessary… after all, there are all these hacks happening around the globe.
Your company faced a mini-crisis of its own during quarter 2 when the COO lost his laptop on a training trip, triggering a tug-of-war between your company and the rival. Apparently, that laptop had the initial designs for the upcoming flagship products.
All of which brought you to this day, facing a task that will take several hours at least.
Rather than looking into different encryption software, we encourage you to have a closer look at your hard disk.
Maybe, just maybe, it is one of the new ones called Self-Encrypting Drives (SEDs), which can encrypt data at the hardware level without involving the operating system or any software.
If luck is on your side and it is an SED SSD, then follow the steps below to turn on its encryption and continue with the rest of your day.
An SED is already encrypting and decrypting all the time. You just need to take control of it by…
- Restarting your computer and entering the BIOS setup during the boot process.
- Setting up the password (KEK) for your drive.
And that is it. You are done.
Now, whenever the computer boots up, it will ask for the password for your SED SSD. Depending on which motherboard you are using, it will give you multiple (3-5) attempts. Even if all your attempts are incorrect, it will load the operating system; however, your hard disk will not be accessible.
To make the hard disk accessible again, you will have to restart the computer and enter the correct password.
Seems pretty easy, but…
How Does It Work?
SED SSDs are Solid State Drives with the ability to encrypt the data they hold, hence the name Self-Encrypting Drives. These drives are made so that the data is always encrypted when it is written to the disk and decrypted when it is read from it.
This process is controlled by an additional chip added to the drive, which oversees the whole process.
This process is seamless and is invisible to the user’s eyes.
The user’s control over the encryption and decryption is enforced with the combination of…
- KEK, a Key Encryption Key
- MEK, a Media Encryption Key
The MEK is the main encryption key, which is used to encrypt and decrypt the data when writing to or reading from the drive.
The KEK is the password which is left for the individual user to set. Even if it is not set, the device still keeps encrypting and decrypting data while performing actions on the disk. However, it does so automatically, and hence the encryption has no use for security purposes.
There is one benefit though: you can simply delete the MEK rather than wiping the whole drive to make the data unreadable.
If KEK is set, the computer will prompt for the password whenever it boots up. If the password entered is correct, then the drive is properly loaded; if not, then the operating system will boot up, but the data saved in the disk will not be accessible.
Even if the hard disk is attached to some other system, during boot up, the system will still require the password.
This system, although seemingly unbreakable, has a tiny flaw: the drive will only ask for the password once it has lost power completely, i.e., after a complete system shutdown. If the computer is restarted or comes back online after being put to sleep (usually in a laptop), the drive will not ask for a password.
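The key handling described in this section, including the restart and sleep behaviour, can be followed in a small model. This Python code is an added example, not firmware or vendor code: the class name ModelSED, the PBKDF2 derivation of the KEK from the password, and the SHA-256 keystream standing in for the drive's hardware cipher are all assumptions of the example.

```python
import hashlib, hmac, os

def _xor_stream(key: bytes, data: bytes) -> bytes:  # toy keystream, not the real cipher
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class ModelSED:
    """Constructed model of the KEK/MEK scheme; not real drive firmware."""
    def __init__(self):
        self._mek, self._salt = os.urandom(32), os.urandom(16)  # MEK exists from day one
        self._wrapped = self._tag = b""   # MEK wrapped under the KEK, plus a check tag
        self.media = b""                  # what sits on the flash: always ciphertext
        self.locked = False

    def _kek(self, password: str) -> bytes:
        # Assumption of this example: the KEK is derived from the password via PBKDF2.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def set_password(self, password: str) -> None:
        kek = self._kek(password)
        self._wrapped = _xor_stream(kek, self._mek)   # only the key is wrapped
        self._tag = hmac.new(kek, self._wrapped, "sha256").digest()

    def power_cycle(self) -> None:
        if self._wrapped:                 # full power loss drops the plaintext MEK
            self._mek, self.locked = b"", True
    def warm_reboot(self) -> None:
        pass                              # drive kept power: lock state is unchanged

    def unlock(self, password: str) -> bool:
        kek = self._kek(password)
        tag = hmac.new(kek, self._wrapped, "sha256").digest()
        if not hmac.compare_digest(tag, self._tag):
            return False
        self._mek, self.locked = _xor_stream(kek, self._wrapped), False
        return True

    def _io(self, data: bytes) -> bytes:
        if self.locked:
            raise PermissionError("drive is locked")
        return _xor_stream(self._mek, data)
    def write(self, data: bytes) -> None:
        self.media = self._io(data)
    def read(self) -> bytes:
        return self._io(self.media)

    def crypto_erase(self) -> None:       # new MEK: old ciphertext is unrecoverable
        self._mek, self._wrapped, self._tag, self.locked = os.urandom(32), b"", b"", False
```

Setting the password wraps only the MEK, so the stored data is never re-encrypted, and a warm reboot leaves the model readable because the unwrapped MEK is still held by the drive.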
And that is not the end of it. There are…
The SED SSD drives are not particularly new; there is, however, a lower demand for them. This is mainly due to the disconnect between the security consultants and the people who authorize and order computer equipment for their companies.
This is one of the reasons that not all motherboards are manufactured to support SED devices. Manufacturers looking to fulfill the economic needs of buyers fill the markets with products which are cheap. They advertise and sell them more often and you end up having a computer where, even if you do get an SED, you end up facing the hard choice of changing your motherboard for it to work properly.
It is not that the SED will not work if the motherboard is not compatible. It will work, but the ability to set up a password to give the user control of the encryption is lost. The motherboard will not give access to set the password during boot time.
So, if you have a locked SED connected to an incompatible motherboard, it will be unusable; and if the drive is unlocked (KEK not set), it will work as a normal drive, but its security benefit will be lost.
Laptop manufacturers are usually a bit friendlier towards SEDs. Most of them support SEDs and have their own SED management software for users to set the keys. There are, however, compatibility issues with HP and Windows 10. You will need to use BitLocker, Windows’ own encryption software.
Sometimes, the drive manufacturers lock the ability to change/set the password. This is out of fear of users locking their drives and then forgetting their passwords. This issue can be resolved by asking your hard drive manufacturer for the software to remove the blockage. Most of them will happily oblige.
The true benefit of using an SED SSD is its speed of encryption and decryption, which happens at run time, all the time.
Setting up the password for security seemingly only blocks access to other users but in reality renders the whole data saved in the device useless, securing it completely.
Just remember to buy it when you have a compatible motherboard or buy both together, and always remember to shut down your computer rather than putting it to sleep.