Video Screencast Help
Encryption Blog

Hardware Based Full Disk Encryption Is Almost Here…Now what?

Created: 19 Aug 2011 • Updated: 05 Nov 2012 • 4 comments
Kelvin_Kwan's picture
+2 2 Votes
Login to vote

As many of you know, the Trusted Computing Group (TCG) was an initiative started by some well-known technology companies to help standardize and implement Trusted Computing.  One of the first “products” to come from this was the Trusted Platform Module (TPM).  There are various vendors that take advantage of the TPM chip for security related functions.  (Full disclosure:  Symantec is a member of the Trusted Computing Group.)

The next significant “product” to come from TCG is the Opal standards for Self Encrypting Drives (SED).  The Opal standard is an industry standard for any hard disk drive (HDD) manufacture to sell SEDs that would comply with these standards.  Now what this means, is that these HDDs will have encryption already built into the hardware.

“Great!  We won’t need to evaluate any of the software encryption vendors out there.  We can simply just buy SEDs from the major HDD manufactures and deploy them to our users and be fully encrypted and compliant,” you say.    

Well it’s never that simple…

Opal based HDDs have many advantages.  These include “always-on encryption,” full data-bus performance, and the ability to do a NIST approved cryptographic disk erase instantly.  These are all great reasons to move to an Opal based drive.  

However, there are some disadvantages as well.  Currently, one of the biggest disadvantages is that Opal based HDDs are difficult to procure.  If you check your favorite retailer or distributor, you’ll be hard-pressed to find an Opal drive that can be purchased immediately.  It is however expected that these drives will be much more available in the later half of 2012.  

Depending on your company’s requirements, you may or may not have a need for FIPS validated HDDs.  But, if you do need FIPS, then there’s a premium to pay for FIPS validated HDDs.  There are essentially two premiums to pay.  The first premium is the SED Opal compliant drive over a standard non-encrypting drive.  The second premium then becomes the FIPS certification.     If you really want to take advantage of the full data-bus performance for an encrypted HDD, then you’ll want a Solid State Drive (SSD), but you really will be paying a premium then!   I have to believe that only the truly hardcore users can fully take advantage of the increased performance of a SED and SSD combination.

The next issue with SEDs is how do you physically roll out the new HDDs to your user population?  For each user/endpoint, you would physically have to image their existing HDD to the SED HDD.  After that, you would then have to properly and securely erase or dispose of the original HDD.  If not, someone is going to have a field day dumpster diving.  Also, with today’s HDD capacities, it might take quite a bit of time to image a user’s 250GB+ HDD.  You multiply this by the number of users/endpoints you have and this could easily become a multi-year project.  Remember, each HDD you are replacing becomes a liability unless it is properly disposed of.  Time in this case, is not on your side since there’s always a probability that someone whose endpoint is not encrypted loses their device while waiting for the SED replacement.

The biggest issue for SEDs, however is the management.  Or, I should say, the lack of management out of the box.  How do you manage the users, the recovery keys, policies, and reporting?  You see, the HDD manufactures followed the Opal standard for software to interface with the HDDs.  They, however, do not provide any type of software to manage these HDDs at all.  This is where the various software vendors come into play.  You will still need the ability to manage these SEDs.  You will need the ability to recover the keys should the user forget their passphrase or need access for forensics.  You will need to enforce security policies.  You will need to be able to do reporting for compliance.  Merely having built-in encryption on the HDD that is Opal compliant will not pass an auditor’s audit.  You need to prove that the endpoint was properly encrypted at the time it went missing.  Saying it was encrypted will not be sufficient.  Per the various laws, you would then need to disclose the breach to the public and have your company’s reputation tarnished by the media and the public.  

Now you might be trying to figure out what my agenda is.  To be honest, there is no agenda; this is really just food for thought.  I believe in playing devil’s advocate and always looking at things from both sides – is the glass half empty or half full? With that said, the release of Symantec Endpoint Encryption Full Disk Edition will be able to manage Opal compliant hardware.  Thus, I have every reason to be pointing out the strengths of Opal and none of its weaknesses since Symantec sells the software to help manage, store recovery keys, enforce policies, and report on the status of the endpoints.  I should also point out that if absolute speed is not your first priority, then PGP Whole Disk Encryption (WDE) might be of better value.  You would really need to do a cost benefit analysis to see if SEDs are worth it for your company.  I will say that when PGP WDE is on hardware that has AES NI, the performance “hit” is not perceptible by users at all.  The only way to see the difference in performance would be to use performance-measuring software.  If you’d like even more performance, you can also choose the cipher bit strength.  By default, PGP WDE uses AES 256.  PGP allows the InfoSec admins (via policy) to use AES 128 as an option.  The combination of AES NI and AES 128 cipher on an SSD would satisfy even the most demanding SSD users.  (AES 128 can also be used on standard spindle HDDs.)

Don’t forget, you will have to pay for the SEDs (more if it’s FIPS validated), and also the management of the SEDs regardless of which software vendor you choose.  What is the true total cost of the increased performance?

Further reading:
For those of you that believe that AES 128 is not secure enough, please take a look at this blog posting:

Comments 4 CommentsJump to latest comment

Mordac the Preventer's picture

Nice article.

I find myself wondering why more hard drives aren't being supported by Symantec Endpoint Encryption.

It would be so awesome to be able to start bringing in SED drives, while continuing to use the existing software based encryption from SEE on other computers.   Presumably they could both use SEE-RS(Symantec Endpoint Encryption Removable Storage).  

I notice that the Dell Models we currently use have an option for a SSD SED hard drive for only $30 than the same drive without SED. (My manager wants to know if we can use that).  The problem is Symantec Endpoint Encryption has a very short hardware compatibility list and I have no way of knowing what Dell is shipping today and what they will ship tomorrow.

The other problem is proving the security of the SED. 

thanks for reminding me about AES NI.   I dont believe Symantec Endpoint Encryption customers get to take advantage of that.   :(

Login to vote
BGR's picture

I find there is a confusing plethora of Symantec endpoint encryption related products, compounded by the re-branding of PGP WDE to "Symantec Encryption Desktop." You have that, "Symantec Endpoint Encryption" ,"Symantec Endpoint Encryption Full Disk Edition", "Symantec Encryption Desktop Corporate", etc. This makes it difficult for customers to distinguish one product versus another and really, why would Symantec want to continue supporting competing product lines?

Another example of the problem is Opal drives. We're currently using PGP WDE and find it suitable for Windows and Mac, with the added benefit of Red Hat linux support. Now we're starting to bring in Opal drives, but we cannot manage them without also purchasing Symantec Endpoint  Encryption and managing them outside of the existing PGP Universal Server framework.

I would hate to see the PGP line disappear as I think it is superior to other solution in some respects, but really, Symantec needs to consolidate drive encryption and its management under one product line for the sake of its customers.

Login to vote
sven_frank's picture

@BGR: Consolidation is happening I can tell you this. I can't tell you in which direction but you hopefully like the outcome.

OPALv2 drives are a big change for Disk Encryption Products but from a performance side a lovely change.

Also when Software Based Encryption with AES-NI based encryption is quite fast.

In my case i run a MBP with an SSD on Mountain Lion and reach easly data throuput above 300MB/s (encrypted with SED 10.3.0 MP1)

Yes this has a slide degredation without encryption but not noticable for me.

But as you said Mangement of OPAL is currently in SEE versus you do the rest in SED/SEMS

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

Login to vote
PGP_Ben's picture

I stumbled on this blog posting and wanted to provide an update on this. Regarding Opal Support. Our official response as of May 2013 see this KB article here. The offical word as of May 2013 is that we will work in best effort to work with OPAL compliant drives. But this is still working with an un-initialized drive using our software based encryption. We have plans in our roadmap changes to introduce management of native OPAL drive encryption down the road.

As far as having competing product lines, I can tell you that it is certainly not the goal to keep heading dow nthis line. That is part of the reason for the rebranding of the PGP product line as it is. Stay tuned for a lot of changes coming up in the next year or so regarding encryption. I think most customers will be surprised with the changes that are happening.

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.

Login to vote