You are evaluating solutions to protect data at rest. Which of the following is correct?
A. Full Disk Encryption (FDE) is a software solution that protects data at rest.
B. A Self-Encrypting Drive (SED) doesn’t rely on the CPU and has no degradation in performance.
C. The Data Encryption Key (DEK) of a SED should be stored on and protected by a trusted platform module (TPM).
D. A TPM is a built-in component on a SED to speed up cryptographic operations and protect keys.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is B. A Self-Encrypting Drive (SED) doesn’t rely on the CPU and has no degradation in performance.
Full Disk Encryption (FDE) can be a software or hardware solution that protects data at rest. Hardware-based full disk encryption is usually referred to as a self-encrypting drive (SED), typically compliant with the OPAL (e.g., Encrypted Hard Drive for Windows) and Enterprise standards developed by the Trusted Computing Group (TCG).
“Hardware-based encryption when built into the drive or within the drive enclosure is notably transparent to the user. The drive, except for bootup authentication, operates just like any drive, with no degradation in performance. There is no complication or performance overhead, unlike disk encryption software, since all the encryption is invisible to the operating system and the host computer’s processor.” (Wikipedia)
Authentication and Confidentiality
A SED enforces security by locking the drive and encrypting data. The authentication key (AK) is required to unlock the drive (decrypt the DEK) at power-on, and the data encryption key (DEK) then decrypts the data. A SED won’t store the DEK in a Trusted Platform Module (TPM), which is typically implemented as a motherboard or chipset component.
Data Encryption Key (DEK)
- Used to encrypt and decrypt data.
- Generated by the drive and never leaves the drive (not stored on a TPM).
- If changed or erased, no prior existing data can be decrypted.
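The key hierarchy described above, modeled as an added example (not code from the original post or from any drive vendor). The class `ToySED`, its method names, and the SHA-256 keystream standing in for the drive's AES hardware are all hypothetical; the model shows the AK unwrapping the DEK at unlock and a DEK replacement leaving prior data undecryptable.

```python
import hashlib, hmac, secrets

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode cipher; stands in for the drive's AES hardware."""
    pad = b"".join(hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
                   for i in range(len(data) // 32 + 1))
    return bytes(b ^ p for b, p in zip(data, pad))

class ToySED:
    """Hypothetical model of a SED's key hierarchy; not a real drive interface."""
    def __init__(self, password: str):
        self._salt, self._media = secrets.token_bytes(16), {}  # media: LBA -> ciphertext
        self._ak = self._derive(password)
        self._store_wrapped(secrets.token_bytes(32))  # DEK is generated inside the drive
        self.power_cycle()

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 50_000)

    def _store_wrapped(self, dek: bytes) -> None:
        self._dek, self._nonce = dek, secrets.token_bytes(16)
        self._wrapped = xor_stream(self._ak, self._nonce, dek)  # DEK encrypted by AK
        self._tag = hmac.new(self._ak, self._nonce + self._wrapped, "sha256").digest()

    def power_cycle(self) -> None:
        self._ak = self._dek = None  # volatile keys vanish; the drive is locked

    def unlock(self, password: str) -> bool:
        ak = self._derive(password)
        tag = hmac.new(ak, self._nonce + self._wrapped, "sha256").digest()
        if not hmac.compare_digest(tag, self._tag):
            return False  # wrong AK: the DEK stays wrapped
        self._ak, self._dek = ak, xor_stream(ak, self._nonce, self._wrapped)
        return True

    def _live_dek(self) -> bytes:
        if self._dek is None:
            raise PermissionError("drive is locked")
        return self._dek

    def write(self, lba: int, data: bytes) -> None:
        self._media[lba] = xor_stream(self._live_dek(), lba.to_bytes(8, "big"), data)

    def read(self, lba: int) -> bytes:
        return xor_stream(self._live_dek(), lba.to_bytes(8, "big"), self._media[lba])

    def crypto_erase(self) -> None:
        self._live_dek()  # must be unlocked
        self._store_wrapped(secrets.token_bytes(32))  # new DEK; old ciphertext is unreadable
```

Nothing in the model exposes the plaintext DEK to the host, and no TPM appears anywhere in the unlock path.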
Trusted Platform Module
The following is an excerpt from Wikipedia:
Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.
There are five different types of TPM 2.0 implementations:
- Discrete TPMs are dedicated chips that implement TPM functionality in their own tamper resistant semiconductor package. They are theoretically the most secure type of TPM because the routines implemented in hardware should be more resistant to bugs versus routines implemented in software, and their packages are required to implement some tamper resistance.
- Integrated TPMs are part of another chip. While they use hardware that resists software bugs, they are not required to implement tamper resistance. Intel has integrated TPMs in some of its chipsets.
- Firmware TPMs are firmware-based (e.g. UEFI) solutions that run in a CPU’s trusted execution environment. Intel, AMD and Qualcomm have implemented firmware TPMs.
- Hypervisor TPMs are virtual TPMs provided by and rely on hypervisors, in an isolated execution environment that is hidden from the software running inside virtual machines to secure their code from the software in the virtual machines. They can provide a security level comparable to a firmware TPM.
- Software TPMs are software emulators of TPMs that run with no more protection than a regular program gets within an operating system. They depend entirely on the environment that they run in, so they provide no more security than what can be provided by the normal execution environment, and they are vulnerable to their own software bugs and attacks that are penetrating the normal execution environment. They are useful for development purposes.