Filter
Top Products
Constellation CS Serial ATA Product Manual, Rev. C 25
www.seagate.com
4.0 About Seagate Instant Secure Erase drives
Self-encrypting drives (SEDs) offer encryption and security services for the protection of stored data, commonly known as
“protection of data at rest”.
4.1 Data encryption
Encrypting drives use one inline encryption engine for each port, employing AES-256 data encryption in Cipher Block
Chaining (CBC) mode to encrypt all data prior to being written on the media and to decrypt all data as it is read from the
media. The encryption engines are always in operation, cannot be disabled, and do not detract in any way from the
performance of the drive.
The 32-byte Data Encryption Key (DEK) is a random number which is generated by the drive, never leaves the drive, and is
inaccessible to the host system. The DEK is itself encrypted when it is stored on the media and when it is in volatile temporary
storage (DRAM) external to the encryption engine. A unique data encryption key is used for each of the drive's possible16 data
bands (see Section 6.5).
4.2 Cryptographic erase
A significant feature of SEDs is the ability to perform a cryptographic erase. This involves the host telling the drive to change
the data encryption key for a particular band. Once changed, the data is no longer recoverable since it was written with one key
and will be read using a different key. Since the drive overwrites the old key with the new one, and keeps no history of key
changes, the user data can never be recovered. This is tantamount to an instantaneous data erase and is very useful if the drive
is to be scrapped or redispositioned.
4.3 Power requirements
The standard drive models and the SED drive models have identical hardware, however the security and encryption portion of
the drive controller ASIC is enabled and functional in the SED models. This represents a small additional drain on the 5V
supply of about 30mA and a commensurate increase of about 150mW in power consumption. There is no additional drain on
the 12V supply. See the tables in Section 4.3 for power requirements on the standard (non-SED) drive models.
4.4 RevertSP
The SED models will support RevertSP feature where it erases all data in all bands on the device and returns the contents of all
SPs (Security Providers) on the device to their Original Factory State.
4.5 ATA Security Erase Unit Command on SED SATA drives
The ATA SECURITY ERASE UNIT command shall support both the Normal and Enhanced erase modes with the following
modifications/additions:
• Normal Erase: Normal erase shall be accomplished by changing the media encryption key for the drive followed by an
overwrite operation that repeatedly writes a single sector containing random data to the entire drive. The write operation
shall bypass the media encryption. On reading back the overwritten sectors, the host will receive a decrypted version, using
the new encryption key, of the random data sector (the returned data will not match what was written).
• Enhanced Erase: Enhanced erase shall be accomplished by changing the media encryption key for the drive.
4.6 Sanitize Feature Set on SED Drives
The drive shall support the Sanitize Feature Set as defined in ANSI/INCITS ACS-2 with the exceptions and/or modifications
described in this section.
The drive shall not support the OVERWRITE EXT and BLOCK ERASE EXT sub-commands.
Support of the SANITIZE FREEZE LOCK EXT command shall be determined on a customer-specific basis. OEM drives
shall support the command.