Loading ...
Loading ...
Loading ...
Seagate BarraCuda Product Manual, Rev. A 27
www.seagate.com About (SED) Self-Encrypting Drives
4.4 Drive Locking
In addition to changing the passwords, as described in Section 4.2.3 Default password, the owner should also set the data access
controls for the individual bands.
The variable "LockOnReset" should be set to "PowerCycle" to ensure that the data bands will be locked if power is lost. In addition
"ReadLockEnabled" and "WriteLockEnabled" must be set to true in the locking table in order for the bands "LockOnReset" setting of
"PowerCycle" to actually lock access to the band when a "PowerCycle" event occurs. This scenario occurs if the drive is removed from its
cabinet. The drive will not honor any data read or write requests until the bands have been unlocked. This prevents the user data from
being accessed without the appropriate credentials when the drive has been removed from its cabinet and installed in another system.
4.5 Data Bands (TBD)
When shipped from the factory, the drive is configured with a single data band called Band 0 (also known as the Global Data Band)
which comprises LBA 0 through LBA max. The host may allocate additional bands (Band1 to Band15) by specifying a start LBA and an
LBA range. The real estate for this band is taken from the Global Band.
Data bands cannot overlap but they can be sequential with one band ending at LBA (x) and the next beginning at LBA (x+1).
Each data band has its own drive-generated encryption key. The host may change the Encryption Key (see
Section 4.6
Cryptographic Erase
) or the password when required.
4.6 Cryptographic Erase
A valuable feature of SEDs is the ability to perform a cryptographic erase. This involves the host telling the drive to change the data
encryption key for a particular band. Once changed, the data is no longer recoverable since it was written with one key and will be read
using a different key. Since the drive overwrites the old key with the new one, and keeps no history of key the older key, the user data
can never be recovered. This is done in a matter of seconds and is very useful if the drive is to be scrapped or repurposed.
4.7 Authenticated Firmware Download
In addition to providing a locking mechanism to prevent unwanted firmware download attempts, the drive also only accepts download
files which have been cryptographically signed by the appropriate Seagate Design Center.
Three conditions must be met before the drive will allow the download operation:
1. The download must be an SED file. A standard drive (non-SED) file will be rejected.
2. The download file must be signed and authenticated.
3. As with a non-SED drive, the download file must pass the acceptance criteria for the drive. For example it must be applicable to the
correct drive model, and have compatible revision and customer status.
4.8 Power Requirements
The standard drive models and the SED drive models have identical hardware, however the security and encryption portion of the drive
controller ASIC is enabled and functional in the SED models. This represents a small additional drain on the 5V supply of about
30mA and a commensurate increase of about 150mW in power consumption. There is no additional drain on the 12V supply. See the
tables in Section 2.8 Power specifications for power requirements on the standard (non-SED) drive models.
4.9 Supported Commands
The SED models support the following two commands in addition to the commands supported by the standard (non-SED) models as
listed in
Table 8:
•Trusted Send
•Trusted Receive
4.10 RevertSP
SED models will support the RevertSP feature which erases all data in all bands on the device and returns the contents of all SPs (Security
Providers) on the device to their original factory state. In order to execute the RevertSP method the unique PSID (Physical Secure ID)
printed on the drive label must be provided. PSID is not electronically accessible and can only be manually read from the drive label or
scanned in via the 2D barcode.
Loading ...
Loading ...
Loading ...