SED drives are hard drives and SSD drives designed to store the data they contain as safely as possible. With which they are ideal for work environments that deal with sensitive data. How do these types of storage units work, how do they differ from the usual ones for PCs and what advantages does their use bring?
Protecting sensitive information, whether personal or third-party, is one of the ongoing challenges of computing. There are two fronts for this, on the one hand the creation of new data encryption and decryption algorithms and on the other the implementation of the necessary hardware for greater efficiency in data security.
What are SED units?
The acronym SED comes from Self-Encrypting Drive, in Spanish “unit” with self-encryption, they refer to the hard disk drives and SSD that contain inside hardware for the encryption and decryption of the data they store . Which follow the data encryption standards of the Trusted Computer Group such as AES, Opal 2.0 and Enterprise encryption. About which we will not go into its operation in this article.
SED storage units are not usually seen, in theory, in the home market. Therefore, its adoption occurs more in environments where data protection is crucial . Especially for military and government uses. However, this does not mean that there are no SED storage units in the domestic market and many SSDs and hard drives that you can find in the market are SED storage units.
The SED units come with built -in hardware encryption and decryption systems that are completely transparent to the rest of the PC , so they do not require the work of the CPU to encrypt and decrypt the data, and neither do complex systems integrated into the operating system. and in applications, whose security could easily be breached.
How do SED units work?
It has to be clarified that a SED drive is not different from a conventional hard drive or even SSD . They do not use apparently different hardware and you can connect them to your PC like conventional storage units, so they do not require special interfaces . However, it is inside and therefore in the internal circuitry where the hardware in charge of the encryption and decryption of the data is located.
Each of the SED units contains what we call a cryptoprocessor, this is nothing more than a processor that works in isolation from the rest of the system. In the sense that the memory on which it works is inside the same processor. This is done to prevent the data from being accessed through a data analyzer.
When the CPU, GPU or other processor needs to store data from RAM or VRAM in the storage unit due to lack of space or RAM usage, the cryptoprocessor of the SED unit encrypts the data using two elements . The first of these is what is called a Data Encryption Key or DEK. Which is a key that is different for each unit that is for sale and is installed in the cryptoprocessor .
This key is used as a variable to generate the encrypted code through a complex mathematical formula , which converts the binary code that stores the data into a binary code that the CPU cannot understand if there is no decryption step, which also it is carried out by the SED unit’s cryptoprocessor in a completely opaque way to the rest of the system.
Data speed is important
All memory must not only have the capacity to contain the data, but also the sufficient speed for its transfer at the appropriate speed and that does not mean a bottleneck in performance. The storage system in the PC is based on a hierarchy where each new level has more storage capacity than the previous one, but is slower in access time and transfer speed. So the data is copied from the furthest levels to the closest.
With the arrival of NVMe SSDs based on high-speed PCI Express interfaces, we have gone from talking of tens and even hundreds of Megabytes per second of transfer speed to several Gigabytes per second already with the third and fourth generation of the PCI Express standard. This means that the encryption and decryption work has to be done an order of magnitude faster. Something that forces the development of cryptoprocessors for SED units much more powerful than what we can now find on the market.
Remember that the purpose of SED drives is to prevent the encrypted data on the drive from being accessible . An encryption or decryption system requires two memory areas, one for the data at the source and one for the data at the destination. If a CPU will take care of them then that information would be exposed in the RAM. So we cannot count on the power of the CPU to encrypt and decrypt the data, and this would go against the definition of what a SED unit is.
How do I know that I have a SED drive in my PC?
The marketing departments of different hard drive manufacturers do not consider talking about secure data encryption a function that sells drives to users, who prefer to hear about storage capacity and transfer speed.
However, and as we have mentioned before, SED units exist in the market for hard drives and SSDs for PCs and it is only necessary to take a look at the specifications and characteristics of an SSD or a hard drive to know if we are dealing with a unit. THIRST.
If you have a company and you work with data that is highly sensitive, whether it is from third parties or from yourself, we recommend that you use SED units . The reason for this is very simple, today there is an information economy where your data and those of your clients are sensitive information with which to trade. Every day thousands of companies suffer attacks against the security of the data stored in their computer systems.
