Protecting sensitive information, whether personal or third-party, is one of the ongoing challenges of computing. There are two fronts for this, on the one hand the creation of new data encryption and decryption algorithms and on the other the implementation of the necessary hardware for greater efficiency in data security.
What are SED units?
Abbreviations THIRST they’re coming from Self-Encrypting Drive, in Spanish “Drive” with self-encryption, refer to the hard drives and SSD that contain inside hardware for encryption and decryption of the data they store. Which follow the data encryption standards of the Trusted Computer Group such as AES, Opal 2.0 and Enterprise encryption. About which we will not go into its operation in this article.
SED storage units are not usually seen, in theory, in the home market. So that its adoption occurs more in environments where data protection is crucial. Especially for military and government uses. This does not mean that there are no SED storage units in the domestic market and many SSDs and hard drives that you can find in the market are SED storage units.
SED units have built-in hardware encryption and decryption systems that are completely transparent to the rest of the PC, so that they do not require the work of the CPU for the encryption and decryption of the data and not complex systems built into the operating system and applications, whose security could easily be breached.
How do SED units work?
It has to be clarified that a SED drive is no different from a hard drive or even a conventional SSD. They do not use apparently different hardware and you can connect them to your PC like conventional storage units, so do not require special interfaces. However, it is inside and therefore in the internal circuitry where the hardware in charge of encryption and decryption of data is located.
Each of the SED units contains what we call a cryptoprocessor, this is nothing more than a processor that works in isolation from the rest of the system. In the sense that the memory on which it works is inside the same processor. This is done to prevent the data from being accessed through a data analyzer.
When the CPU, GPU or other processor needs to store data from RAM or VRAM on the storage unit due to lack of space or RAM usage, andThe cryptoprocessor of the SED unit what it does is encrypt the data using two elements. The first of these is what is called a Data Encryption Key or DEK. Which is a key that is different for each unit that is for sale and is installed in the cryptoprocessor.
Said key it is used as a variable to generate the encrypted code through a complex mathematical formula, which converts the binary code that stores the data into a binary code that the CPU cannot understand if there is no decryption step, which is also carried out by the SED unit’s cryptoprocessor in a totally opaque way to the rest of the system.
Data speed is important
All memory must not only have the capacity to contain the data, but also the sufficient speed for its transfer at the appropriate speed and that does not mean a bottleneck in performance. The storage system in the PC is based on a hierarchy where each new level has more storage capacity than the previous one, but is slower in access time and transfer speed. So the data is copied from the furthest levels to the closest.
With the arrival of NVMe SSDs based on high-speed PCI Express interfaces, we have gone from talking of tens and even hundreds of Megabytes per second of transfer speed to several Gigabytes per second already with the third and fourth generation of the PCI Express standard. This means that the encryption and decryption work has to be done an order of magnitude faster. Something that forces the development of cryptoprocessors for SED units much more powerful than what we can now find on the market.
Remember that the purpose of SED drives is to prevent encrypted data on the drive from being accessible. An encryption or decryption system requires two memory areas, one for source data and one for target data. If a CPU will take care of them then that information would be exposed in RAM. So we cannot count on the power of the CPU for the encryption and decryption of the data, and this would go against the definition of what a SED unit is.
How do I know that I have a SED drive in my PC?
The marketing departments of different hard drive manufacturers do not consider talking about secure data encryption a function that sells drives to users, who prefer to hear about storage capacity and transfer speed.
However, and as we have commented before, SED drives exist in the PC hard drive and SSD market Y all it takes is a look at the specs and features of an SSD or hard drive to know if we are facing a SED unit.
If you have a company and you work with data that is highly sensitive, either from third parties or from yourself we recommend that you use SED units. The reason for this is very simple, today there is an information economy where your data and those of your customers are sensitive information with which to trade. Every day thousands of companies suffer attacks against the security of the data stored in their computer systems.