Fujitsu HDD with AES 256-bit Encryption

An anonymous reader writes "Fujitsu today updated its 2.5" 320GB hard disk drive with automatic hardware-based encryption to effectively secure data against theft or loss. According to Fujitsu, the MHZ2 CJ series is the first hard disk drive in the world to support the 256-bit Advanced Encryption Standard (AES). The drive implements the AES hardware encryption directly into the processor chip of the hard disk drive, resulting in more robust security and faster system performance than software-based encryption."

Is this really necessary?

[CRCulver (715279)]

Why have encryption at the hardware level when you can use e.g. Linux's crypto device-mapper tool? That also allows you to keep certain partition encrypted for privacy and other partitions unencrypted for performance.

Re:Is this really necessary?

[thegermanpolice (1194811)]

Why have encryption at the hardware level when you can use e.g. Linux's crypto device-mapper tool? That also allows you to keep certain partition encrypted for privacy and other partitions unencrypted for performance.

There is certain ring of truth to what you say...
However disk encryption on the whole can and will slow computers down, not significantly on modern computers but it does.
By transferring the overhead from the CPU to the processor built into the hard drive there is no slow down to the overall performance of the computer
I don't know if any of you linux fans out there have performance/overhead stats on using the device-mapper tool, but for someone who is trying to get the best out of their processor, moving this process from software to hardware is the ideal solution.

Re:Is this really necessary?

[SanityInAnarchy (655584)]

However disk encryption on the whole can and will slow computers down, not significantly on modern computers but it does.

Really not significantly.

I haven't done any benchmarks of the speed of the drive itself, though I suspect it adds some latency. But the actual CPU usage is insignificant, compared to just about anything else you might do on the machine.

Seriously, ntfs-3g is going to be a MUCH bigger slowdown -- yet I've run ntfs-3g on top of dm-crypt, and it was still usable. Just did a quick "find /", and watched top, and while find itself occasionally climbed to 10% CPU (and on Linux, that means 10% of one core), the actual kernel crypt process never rose above 1%. It's now installing software updates, and the kernel crypto process just rose to 15%.

Another statistic: After four days of using this computer since the last full reboot (hibernating every now and then), one crypt process has accumulated a little over an hour of CPU time. The other has a little over a second.

Keep in mind, most software doesn't know how to take advantage of more than one core, so most people do actually have most of a core just sitting idle. That's why dual-core feels faster. If, under heavy load, the crypt process might -- maybe -- take 20% of that core, you're still not really going to feel it. And most truly CPU-intensive tasks, like games, video encoding, raytracing, etc, are not incredibly disk-intensive.

All in all, I think that outside of embedded disks, the CPU time we spend on our storage isn't really relevant. At this point, doing some simple lzo compression may actually improve performance, as you're still going to be faster than the disk is, and reading less raw data from the disk takes less time.

No, the real reason we're seeing this in hardware is because Windows will support it, and easily. I imagine there's a fair chance there's some BIOSes out there that do it in software, too.

Re:

[menace3society (768451)]

You could also just use a hardware encryption accelerator, couldn't you? And that has the advantage of enhancing *all* your crypto, not just the disk-based stuff.

Re:Is this really necessary?

[dgatwood (11270)]

However disk encryption on the whole can and will slow computers down, not significantly on modern computers but it does. By transferring the overhead from the CPU to the processor built into the hard drive there is no slow down to the overall performance of the computer

...and significantly increase the odds of the crypto chip becoming a throughput bottleneck all while providing limited expandability.

The reason to do encryption in software is that the encryption can be replaced as existing crypto techniques become thoroughly broken. If you have a chip that does it in hardware, you're permanently limited to a given crypto scheme and probably limited in how long the key can be. Thus, if we conclude in a year that 256 bits really isn't enough, you get to either buy a new drive that does AES512 or switch to software crypto. At that point, you've paid the added expense of the outboard crypto chip, but have gotten little from it.

If you want to design something like this, start by creating a standard for communicating with crypto processors and creating a standard programming language for configuring these dedicated processors to handle various types of crypto. Put the control over the encryption in the hands of the OS where it should be, rather than in the hands of hardware manufacturers many of whom have repeatedly cut corners in their crypto implementations in the past. Do I trust crypto hardware? Not as far as I can throw it. How do you generate a good random number in such limited hardware, for one? How do we know they didn't incorporate a back door master key---two copies of the key that is actually used for encrypting the data, one encrypted with your AES key, one encrypted using a public key for the NSA or the Chinese government or even an organized crime syndicate---if we can't see the source code? How do we know that the AES key is even used to encrypt the data on disk at all and isn't just used as an authentication mechanism like those crappy "secure flash" devices? I mean, this entire concept just has disaster written all over it....

Hardware crypto just doesn't make sense. I trust hardware to do one thing: execute programs. Anything that requires a greater degree of trust should be done in software so that it can be readily audited and subject to verification if desired.

Re:

[blueg3 (192743)]

What does that get you? Good device-level encryption already has the performance level of an unencrypted drive.

The danger to having encrypted data and unencrypted other partitions is that generally the "other partition" is your OS and such. (If your unencrypted partition is just storage for video editing, no problem.) You tend to leak information all over the place in this space.

Re:

[blueg3 (192743)]

Software designed for this kind of operation certainly helps, though substantial information can still leak to disk. Core dumps, hibernation files, virtual memory pages help.

Presumably, though, people who are considering whole-disk encryption are ones interested in running software that hasn't been well-designed and still having that data encrypted.

Personally, I'd probably trust a virtual machine running off of an encrypted image more than hardware disk encryption, and it allows you to run applications that

Re:Is this really necessary?

[by Anonymous Coward]

This is totally necessary. Keep in mind that this is not geared towards the home enthusiast. In that case, you are right. Those who play around with Linux on their home machines can use the Linux software based encryption.

But in the enterprise, the ease of management of a built-in hardware-based encryption scheme can't be beat. And let's not forget that Window's dominates the enterprise market. Besides a few folk in the engineering department, nobody runs linux on their laptops. It's all Windows.

Having a laptop stolen is a huge concern today. This will help ease that concern.

Re:

[mr_death (106532)]

Why have encryption at the hardware level when you can use e.g. Linux's crypto device-mapper tool?

For the crypto in software case, a motivated bad guy can sniff memory to determine the key and method of encryption. To sniff the crypto in hardware takes a bit more effort, but I'm guessing your friendly neighborhood NSA can do it -- if they don't already have a back door.

My mouth is wattering

[by Anonymous Coward]

320GB is alot of child pornography.

No thanks

[by Anonymous Coward]

640k ought to be enough for anybody...

Way more than enough.

Re:

[Malevolyn (776946)]

640k of child pornography is certainly enough to get you thrown in the FBI van.

Re:No thanks

[Dachannien (617929)]

Apparently, so is zero. [arstechnica.com]

Re:No thanks

[querist (97166)]

Unfortunately, it was not zero if the Ars Technica article is accurate. It was very close to zero, two cached thumbnail pictures, but apparently it was enough.

It's frightening. According to the AT article, numerous computer experts offered their opinions that boiled down to "It's not his fault. The browser put them there and he didn't know they were there or how to remove them."

I would be very afraid of a court that would throw out (supposedly) expert opinions just to gain a conviction with regard to a truly evil (imho) crime.

Imagine...

[mulvane (692631)]

An encrypted raid volume on these.

Weakness?

[maz2331 (1104901)]

Could using these in a RAID-5 configuration lead to a weakness due to the XOR stripes? Since the parity stripes are a combination of the XOR of all other stripes, and is generated from the plaintext data before the crypto chip, a smart cracker might be able to use it to find a pattern.

Key Storage?

[by Anonymous Coward]

I fail to see how this is useful. The key is stored on the drive... and there are no authentication measures.

Aside from the data bits on the physical platter being encrypted, how is this secure?

Re:

[Kamineko (851857)]

It's better than that other one that was on Slashdot a couple of months ago which completely lied about its encryption (it had none) probably

Re:Key Storage?

[by Anonymous Coward]

Personally, I just implement my own encryption. An XOR cypher is very fast, but not very secure. That's why I run mine twice for added security.

Re:Key Storage?

[jandrese (485)]

Where do you see that? The article is so light on details that you can't have gotten that from it. I thought it would just install a bios module that asks you for the password when it boots, and use that password until it is power cycled or whatever. That should even be compatible with the hibernate mode of most laptops, which would make it useful against laptop theft.

Storing the key on the drive with no authentication would be retarded, the only thing it would protect you from are those data recovery places that people who don't have proper backups use.

Actually, there are authentication measures.

[Valdrax (32670)]

You can view the official press release [prnewswire.com] for more information.

They claim that the drive generates its crypto key from a password supplied externally. However, they don't explain how it gets this password. I presume from the BIOS, but there's no solid info.

It could be from the OS if the drive isn't intended to be a boot drive, but that would be very strange and limit its usefulness.

Re:

[mr_mischief (456295)]

No. It isn't. The particular article linked in the summary doesn't make that clear, but it's calculated over again every boot time. This article [news.com] has at least a bit more info.

Don't leave it in standby mode...

Private key

[Dishwasha (125561)]

Let's hope Fujitsu doesn't take after Microsoft "security" and embedd the private key in a dll of their driver or within the firmware of the drive.

Re:

[eln (21727)]

They have come up with a new scheme that allows decryption without a key, while still being secure. It builds on one of the earliest encyption techniques on the Internet, and is more than ten times more secure. The new technology is called "ROT-156".

Data Recovery?

[b.thompson (542104)]

My question/concern that I've always had with encryption is how can I recover from a crash? On a normal HD, if Windows won't boot (from a bad MBR or a failing drive), I could hook the drive up as a slave to another machine and start pulling data off of it. Is it possible to do this with any full drive encryption (software or hardware)?

I realize that being able to pull data when hooked up as a slave defeats the purpose of encryption, but I would hope that there is some way (maybe with a key created prior to the failure?) to recover.

Re:Data Recovery?

[TheThiefMaster (992038)]

It depends on where the encryption key is. If it's generated from the drive or stored on the drive, there's not really any security, you take the key with you to the new pc. If it's generated from the disk controller or motherboard serial number or similar, then you can't move it to another pc at all. If it has to be entered by a person then you have real security and the ability to move the drive to another machine if you want. However in that last case you have the annoyance of having to enter the key every boot.

Re:

[CastrTroy (595695)]

If you don't have to enter the password every time you boot up, there might as well not be a password.

Re:Data Recovery?

[Zonk (troll) (1026140)]

My question/concern that I've always had with encryption is how can I recover from a crash?

Backups.

Re:

[loxosceles (580563)]

Those backups had better be encrypted (manually) as well. At least there you can use real crypto, not some ECB-mode AES garbage.

More robust security unitl...

[neonman (544)]

your friends at the NSA ask Fujitsu for the back door.

I'm going to stick with kernel-mode volume encryption.

Re:More robust security unitl...

[by Anonymous Coward]

Yeah, this is a problem for me too. The NSA is always trying to get at my data. Bastards.

Maybe we're being too hasty...

[L4t3r4lu5 (1216702)]

Maybe this is a sensible design, and there is a software front end to the driver which passes a key you specify to the processor to encrypt data (with all the trimmings; keyfiles, salt, entropy etc), but all the enc/dec overhead is handled on-chip, not in main memory.

Kind of like accessing a TrueCrypt volume on a networked machine, if you catch my drift.

Then again, none of these devices seem to have been thought out properly... I'll stick to TrueCrypt volumes and cheap external drives (which, by the way,

Encryption's End Game?

[Phoenixhunter (588958)]

We encrypt our torrents, mount our flash drives with TrueCrypt, we use TOR /w SSL to browse anonymously...all in pursuit of maintaining privacy in an increasingly interconnected world.

10 Years from now will we all be content with the promise delivered with quantum cryptography, traveling the globe with all of our data instantly available with 'unbeatable' security?

Or will it continuously escalate to the point that we start seeing more and more networks running 'off' the grid? Transporting data in person as on-the-fly decryption becomes increasingly prevalent. (Here we come Johnny Mnemonic)

So where is that key anyway?

[Tridus (79566)]

They don't want to tell you, but here's what information they made available: http://www.fujitsu.com/global/news/pr/archives/month/2008/20080421-01.html [fujitsu.com]

"The conventional response to this problem has been the use of BIOS passwords(4) and software-based encryption. Seeking a more robust form of data security, Fujitsu has now developed 2.5" hard disk drives with hardware-based AES encryption using industry-leading 256-bit key.

The built-in AES automatically encrypts all data when storing it on the hard disk drive and decrypts the data when read. Unlike software-based encryption, the key does not reside in the computer's memory. This makes it more resistant to attack and imposes no processing overhead on the CPU, optimizing system performance. "

Let the guesswork begin?

Re:

[TechyImmigrant (175943)]

They don't want to tell you, but here's what information they made available: http://www.fujitsu.com/global/news/pr/archives/month/2008/20080421-01.html [fujitsu.com]

My first guess is that there is an ATA specification for the key management, either published or in the works. Someone should go and check because I won't get around to it today.

How could this be faster?

[Manip (656104)]

Please excuse my ignorance but I fail to understand how this could be faster.

In a modern day computer the bottleneck is the long term storage (HDD, DVD Rom etc). Memory and CPUs are extremely fast by comparison.

So I don't entirely understand how shifting encryption down the IO bus is really helpful.

Plus by doing so you lose tons of functionality and if the implementation gets "broken" (AES gets cracked) then you are kind of stuck unless Fujitsu are going to release an update back-ported to all of their old drives (and a lot of hardware vendors can't even support stuff from a year ago, let alone several).

Plus aren't laptops designed entirely around keeping the hard drive in almost a zero power state as long as it can?

Re:

[evanbd (210358)]

Not all applications are IO bound. Some people are actually using their CPUs, and would like to offload the encryption.

Re:

[TechyImmigrant (175943)]

Please excuse my ignorance but I fail to understand how this could be faster.

Performing encryption in software takes multiple CPU cycles per byte.

Performing encryption in hardware encrypts multiple bytes per cycle and takes none of the CPU's time since it is done on the disk's chips.

Hardware based?

[Thelasko (1196535)]

Hardware based doesn't seem to mean much anymore. It seems to me that hardware based used to mean purpose built hardware to do only one task. Now it means "we put a tiny computer in the hardware." It's only slightly more secure than doing things like encryption on the OS because your just moving the work from one generic processor to another. If some malicious programmer knows what you are doing he/she could just as easily take over that "tiny computer in the hardware" as the CPU.

It's simply security through obscurity.

Scenario where this is useful?

[gmuslera (3436)]

If the encryption is transparent to the OS, means that if i, dont know, open the disk, extract the plates and read it in some way (dont know how people recover data from phisically broken hard disks), will have all scrambled. But if i take the disk as a whole, and put it in another computer, or under another OS (even booting from USB or another OS, in the same PC) the data should be shown unencripted.

If that is right, well, dont see where this is useful. If the hard disk is stolen, could be used directly, a

Prediction: Availability will suck

[BenEnglishAtHome (449670)]

Seagate has been most active in this space and the most disappointing. Seagate announced their encrypted drives a couple of years ago. Complete vaporware and required a custom BIOS, to boot. Seagate re-announced their encrypted drives about 7-8 months ago. A few of the Momentus FDE drives showed up in retail channels only to go out-of-stock/back-ordered in a matter of weeks. A month or so ago, Seagate showed their encrypted portable drives. Anybody seen one for sale? Seagate announced their encrypted SAS-connected and FC-connected server drives a couple of days ago. Availbility? Only to OEMs. I don't think even OEMs have access to the 1TB desktop disks that Seagate announced months ago and that's the model that home users and hobbyists would scarf up by the truckload if it were only available.

n-Crypt [n-crypt.co.uk] has never answered my emails.

Digisafe [digisafe.com] has a nice web site but I can't find any place to actually buy the drives.

Lots of other manufacturers, including some of the big ones, have made announcements but nothing has shown up in the retail channels. Even if you're willing to buy a new laptop to get the encrypted drives that are apparently going preferentially to OEMs, actually finding encrypted machines for sale on the web sites of the major players will have you clicking fruitlessly until your fingers cramp. Even the much simpler "bump in the wire" encryptors (e.g. from Digisafe [digisafe.com]) that are supposed to work with any IDE drive are simply non-existent in the marketplace. The whole range of products from Enova [enovatech.com] is tantalizing until you realize that you can't actually lay hands on any of it.

For years, I've used Flagstone [stonewood.co.uk]. They're expensive and insufficiently large. But at least I can pick up the phone and order one of them and, lo and behold, actually receive it in the mail. Given the way the dollar is tanking and the size of the available drives, I'd love to have another choice. Realistically, I don't.

Call me back when I can drop an encrypted drive into my shopping cart at NewEgg. Until then, this is so much supremely frustrating vapor.

As an evil genius this intrigues me.

[pclminion (145572)]

I am intrigued. Perhaps somebody should write a boot sector virus which configures an AES password. That way the drive will become a brick with no possibility of recovery.

Users and Passwords

[Bender0x7D1 (536254)]

I'm guessing that most of the drives will be vulnerable to a dictionary attack. Every user will have to know the password, (and be able to enter it correctly), to boot up their machine, and if you forget the password, your hard drive becomes a brick. Enough people will be paranoid about forgetting their password that they will pick something short, simple, easy to remember and easy to type. In other words, they will likely choose a dictionary word of some sort.

If an organization has their IT staff assign passwords to the drive, so they are hard to crack, users will just keep the Post-it note with the password glued to their machine. Either way, a great idea that someone will screw up.

Users - making products insecure since the dawn of time.

Re:

[Major Blud (789630)]

Right, so if the drive is stolen and put in another machine, the AES key is included on the processor, which is part of the drive?

Re:

[Deanalator (806515)]

Presumably, they will just be using the standard ATA password extensions. Instead of just unlocking the device when the password is entered, it would also set the key in whatever hardware device is doing the crypto, and wipe it when the hard drive is powered down.

Note that I have not read the specs, that just seems to be the most logical way to design something like this.

Re:

[mr_mischief (456295)]

I had this same question, but no. [news.com] It figures the key at boot time.

Hopefully there's some way to keep the thing from figuring the key once it's stolen, as most people will try to, you know, use the PC as a whole before they resort to stripping the drives out of it.

Re:

[gnick (1211984)]

There were vendors showing off similar drives at a show here last year. (These may differ significantly - I dunno.) The drives at the show stored the keys on small devices similar to thumb drives. So, unless somebody also stole your key, everything was locked up. They actually had received approval for storing classified information (up to SRD I believe) on the drives without having to remove them and lock them up when not in use. So, if you're working and need to get up and grab some coffee/relieve yo

Re:

[mr_mischief (456295)]

The news.com story [news.com] says the hard drive doesn't store the key at all. It's figured during the POST process within the hard drive's BIOS config and isn't known to the drive itself when the power is down.

What it sounds like is that if you keep the computer from booting, like a pre-boot password, the drive is utterly useless to a thief. If they can get it to boot instead of staring blankly at the password prompt, the thing will recalculate the key and go merrily on its way.

Hopefully it figures the key on stored

Re:

[DamnStupidElf (649844)]

Firstly, AES-256 smacks of a marketing gimmick. AES-128 is perfectly sufficient for anything that anyone wishes to protect; nobody has ever discovered a weakness in AES-128 that would be cause for concern.

Two possibilities: We've seen dramatic weaknesses in md5 and sha1, and it's not impossible that something similar could be found for AES. A reduction from 128 bit security to ~96 or even ~64 bits of security would be a relative disaster; 64-bit ciphers are simply not secure anymore.

Additionally, quant

Re:

[Detritus (11846)]

Firstly, AES-256 smacks of a marketing gimmick. AES-128 is perfectly sufficient for anything that anyone wishes to protect; nobody has ever discovered a weakness in AES-128 that would be cause for concern. Using AES-256 bloats the key size while providing absolutely no additional protection above and beyond what we already get from AES-128. Whenever I hear of a crypto product advertising AES-256, I am suspicious that the company is more concerned with marketing than it is with actually providing good level-