Slashdot Mirror
Fujitsu HDD with AES 256-bit Encryption
An anonymous reader writes "Fujitsu today updated its 2.5" 320GB hard disk drive with automatic hardware-based encryption to effectively secure data against theft or loss. According to Fujitsu, the MHZ2 CJ series is the first hard disk drive in the world to support the 256-bit Advanced Encryption Standard (AES). The drive implements the AES hardware encryption directly into the processor chip of the hard disk drive, resulting in more robust security and faster system performance than software-based encryption."
I fail to see how this is useful. The key is stored on the drive... and there are no authentication measures.
Aside from the data bits on the physical platter being encrypted, how is this secure?
Right, so if the drive is stolen and put in another machine, the AES key is included on the processor, which is part of the drive?
If you post as Anonymous Coward, don't expect a reply.
However disk encryption on the whole can and will slow computers down, not significantly on modern computers but it does.
By transferring the overhead from the CPU to the processor built into the hard drive there is no slow down to the overall performance of the computer
I don't know if any of you linux fans out there have performance/overhead stats on using the device-mapper tool, but for someone who is trying to get the best out of their processor, moving this process from software to hardware is the ideal solution.
What does that get you? Good device-level encryption already has the performance level of an unencrypted drive.
The danger to having encrypted data and unencrypted other partitions is that generally the "other partition" is your OS and such. (If your unencrypted partition is just storage for video editing, no problem.) You tend to leak information all over the place in this space.
This is totally necessary. Keep in mind that this is not geared towards the home enthusiast. In that case, you are right. Those who play around with Linux on their home machines can use the Linux software based encryption.
But in the enterprise, the ease of management of a built-in hardware-based encryption scheme can't be beat. And let's not forget that Window's dominates the enterprise market. Besides a few folk in the engineering department, nobody runs linux on their laptops. It's all Windows.
Having a laptop stolen is a huge concern today. This will help ease that concern.
"The Federal Reserve is a fraudulent system."--Lew Rockwell
End The FED. -
Please excuse my ignorance but I fail to understand how this could be faster.
In a modern day computer the bottleneck is the long term storage (HDD, DVD Rom etc). Memory and CPUs are extremely fast by comparison.
So I don't entirely understand how shifting encryption down the IO bus is really helpful.
Plus by doing so you lose tons of functionality and if the implementation gets "broken" (AES gets cracked) then you are kind of stuck unless Fujitsu are going to release an update back-ported to all of their old drives (and a lot of hardware vendors can't even support stuff from a year ago, let alone several).
Plus aren't laptops designed entirely around keeping the hard drive in almost a zero power state as long as it can?
I am intrigued. Perhaps somebody should write a boot sector virus which configures an AES password. That way the drive will become a brick with no possibility of recovery.
I'm guessing that most of the drives will be vulnerable to a dictionary attack. Every user will have to know the password, (and be able to enter it correctly), to boot up their machine, and if you forget the password, your hard drive becomes a brick. Enough people will be paranoid about forgetting their password that they will pick something short, simple, easy to remember and easy to type. In other words, they will likely choose a dictionary word of some sort.
If an organization has their IT staff assign passwords to the drive, so they are hard to crack, users will just keep the Post-it note with the password glued to their machine. Either way, a great idea that someone will screw up.
Users - making products insecure since the dawn of time.
Reading code is like reading the dictionary - you have to read half of it before you can go back and understand it.
Unfortunately, it was not zero if the Ars Technica article is accurate. It was very close to zero, two cached thumbnail pictures, but apparently it was enough.
It's frightening. According to the AT article, numerous computer experts offered their opinions that boiled down to "It's not his fault. The browser put them there and he didn't know they were there or how to remove them."
I would be very afraid of a court that would throw out (supposedly) expert opinions just to gain a conviction with regard to a truly evil (imho) crime.
Encrypting in hardware rather than software has some security advantages. Keys can be kept out of main memory, preventing cold boot attacks which have been used to break Linux's software encryption. Also, software encryption can be more vulnerable to side channel attacks such as cache timing attacks which have also been successful against dm-crypt.
Software designed for this kind of operation certainly helps, though substantial information can still leak to disk. Core dumps, hibernation files, virtual memory pages help.
Presumably, though, people who are considering whole-disk encryption are ones interested in running software that hasn't been well-designed and still having that data encrypted.
Personally, I'd probably trust a virtual machine running off of an encrypted image more than hardware disk encryption, and it allows you to run applications that higher performance demands outside of your encryption sandbox.
So if you need real security - you do in-software full disk encryption, if you need performance and deniability - go hardware.
I don't think that's really as big of an issue as you think it is.
Anyone who's worried about protecting super-secret classified military secrets or something is worried about this.
Any company who just wants some way to help ensure that the thug that breaks into the company car and grabs the laptop onto which some idiot copied 220'000 SSNs wont be able to access them would be quite content with hardware encryption.
I don't know of it's an axiom of security, but it should be:
Most people don't give a half a shit about the data you're trying to secure.
This statement is forty-five characters long.