I got to thinking about this question today. Why do hard drive manufacturers add useless hardware encryption to external drives?
“Why, that should be obvious, Robbie; it’s because we are security conscious and want to protect our data from prying eyes,” you say. “And you call yourself a bald nerd!”
First of all, I don’t like your tone.
But second of all, exactly who are we protecting here?
Somewhere inside the chassis of your external hard drive, there is an integrated encryption/decryption chip. It boasts “256-bit AES Encryption”. Wow, sounds safe! So you plug in the drive to your computer, and place your private stuff on there, and feel safe. “It’s encrypted.”
Who is it safe from?
Bret Austen, General Manager of Positive E Solutions Inc., in Barrie, Ontario calls this feature a “false sense of security.” He explained to me that while his company does carry these drives, the encryption features are not a true protection for the users’ data. “That said, we do offer an encryption key solution which encrypts data in such a way that even if the drive is stolen, the data cannot be accessed since they require a literal key.” This key is one that you would keep on your keyring, and take home with you at the end of your shift. If that sounds more like what you’re hoping for, I suggest you get in touch with Mr. Austen to discuss this impressive solution.
So, back to your external hard drive. You placed your private data on it, and then you plugged it back into your computer a week later. Can you read the data? Sure you can. The hard drive is still an internal component of the chassis, which carries the built-in decryption chip. So as long as that drive is inside that chassis, you can read and write the “encrypted” data just as if it were unencrypted.
So exactly when does the encryption protect your data from prying eyes? Why, it should be obvious: when the internal hard drive is removed from the external chassis.
When a thief steals your drive, are they going to sit down at your desk, pull out a Phillips screwdriver, and gently remove the internal hard drive from the chassis? Or are they going to grab the whole thing and run off with it, decryption chip and all? Similarly, if you lose the drive, will it still be readable by the finder? Sure, it will.
So when does the encryption actually take effect? When the chassis fails.
If your hard drive gets zapped by a surge, or the circuit board of the external unit is otherwise damaged, data recovery “may not be possible,” says Phil Priest, a professional data recovery technician from PES Data Recovery, in an interview with me this afternoon. “You’d have to track down a decryption chip with exactly the same key in order to access the data from the drive. We can recover the hard drive’s data, but it would be entirely garbled and unusable without the proper key.”
Data recovery may be possible in such a case. Mr. Priest goes on to say, “We had a recovery like that come in a while back. It was a Western Digital drive, and for some reason they had manufactured all the drives of the same model with the same decryption key.” He explained that the customer was fortunate in this case: the data was able to be recovered since a decryption key was readily available. However, the cost to procure the correct decryption key resulted in a notably higher cost of recovery and made expedited service impossible. Mr. Priest also warned, “if the manufacturer uses a different decryption key for each drive manufactured, there is likely no way to recover the data.”
So who is the encryption on your external drive really protecting? It would appear to me that the only person getting locked out of your data… is you.
Mr. Priest ended the conversation saying, “if your external hard drive has built-in encryption, make sure you keep a good backup.”
To protect your company data from accidental data leak or intentional data theft, please take a look at Endpoint Protector. This is the “proper” way to protect your data. www.endpointprotector.ca
My understanding is that this kind of thing was developed to prevent employees from grabbing hot swappable drives out of servers and running off with valuable data. Since the chassis is bolted into a server rack (or at worst a NAS box) and these can be more difficult to pry loose from the premises (without being noticed, anyway) it provides some light protection for data on drives that fail.
OK, so I might even consider this paranoid by my own standards if I hadn’t received an earful of complaining from a “friend” who tried exactly that at work. He just faked a drive going down, dropped in a replacement blank and smuggled the drive home only to find out he couldn’t get everybody’s pay history off of it as he thought he would. Don’t ask me why he couldn’t get info off the drive while it was plugged in.
I agree that there doesn’t seem to be much reason for this tech for standalone external drives but it might just be a case of it being cheaper to manufacture 10,000 controller chips with this tech than making 9,000 without it and 1000 with it.
There is no software that can bypass the encryption. You can crack the encryption, but that can take weeks, months and sometimes years to crack it. Just live with what you have got.
Hey you Bald Nerd.
If you have material you don’t want the police to see, you set a password and what actually happens is the encryption key is “sealed” by the password. What this means is that if you do not supply the password, the encryption key cannot be obtained, so the Hardware Encryption does a very effective job when used properly and not by Bald Nerds.
This is why you can change the password and not have to decrypt/re-encrypt the drive. When you change the password (or turn it off) it simply “re-seals” the encryption key with the new password.
So what you need to say is that Self Encrypting HDDs are a danger for people who have no use for encryption. However for people that DO have a legitimate use for the encryption, they are super strong.
Grow some hair, a brain might follow.
Hey Captain Obvious,
Most people included in the target audience of these types of ‘over the counter’ external HDDs are not that interested in encryption for a specific purpose but are just regular joes that think they are getting a better deal with this ‘safety stuff’ over an ordinary unprotected HDD.
A person that actively seeks to protect the data from the police (?) is probably not stupid enough to go for a cheap unreliable mass-produced piece of crap that uses encryption mostly as a selling point.
In that context, these types of protection do a disservice to their customers and only provide business to data recovery companies when the device breaks (which they inevitably do).
Perhaps you yourself could use less hair and more stuff under it.
Hi
Read your blog re this issue, and viewed the video – I had this problem with a Western Digital (My Book) external hard drive – My questions are… if I want to buy an UNencrypted external hard drive (I am in the UK), are these available? If so, can you recommend/advise of any? Also, can the original WD drive be reformatted WITHOUT the encryption chip? As I understand it, the problem occurred because the drive casing or connection port had become damaged. (By the way, I managed to find someone to retrieve my data but have no clue how he did it!!)
I have some experience with a few WD external drives (My Passport & WD My Book) and they need to have the passwords typed in (previously set by me) every time to access the data (otherwise they simply provide a sea of random encrypted bytes).
So, what is it all about…?? Please explain..
Thank you very much
The point of the article is that encryption in current WD external hard drives operates even if you set no password via WD software.
Meaning that it is not possible to switch off encryption.
Most users do not set a password anyway. In which case, if the drive is stolen, the thief will be able to access the data.
In your case, you don’t run this risk, as you set the password.
But you still have something in common with less cautious users.
If the drive stops working due to a problem with the enclosure hardware but the drive itself is fine, as it is most commonly the case, your data should be recoverable by prying the enclosure open, taking the drive out and fitting it in a dock, desktop or a generic external enclosure.
But not with WD. If your enclosures fail and they are the recent models, your password will not be enough to read the data unless you find another enclosure, exactly the same model, and fit the old drive in. Otherwise, you need the few data recovery companies WD provides with the chip keys; be prepared to pay through your nose though, after all you have lost your data and they know it.
I am sure you have a backup for your important data, but if the fail happens between writing new files and backing them up..
So one would have to wonder why, say in the case of WD, there would be an option to install encryption with a password. So does this mean that they are misleading their customers by implying that not checking this option has the drive not being encrypted by the chip? This would not make me happy, as I just bought one. Of course, having very good surge protection would make this concern a lot less, but it is one of the main purposes of an external hard drive to back up data. It’s a bit silly to have to have a backup of the backup.
What does WD tech support have to say about this?
Sorry, I just don’t understand this article. Who uses encryption without having to type in the password each time you boot the system? I thought all hardware-encrypted drives required that.
Nope. The external drives we’re talking about contain an encryption/decryption chip built-in to the USB/eSATA controller. There is no password involved: the ability to encrypt/decrypt the drive’s data falls entirely on the fact that the physical drive (eg., 2.5″ or 3.5″ SATA drive) is connected to the controller built-in to the chassis.
I know what you’re probably thinking–that’s mental! And you are correct. Hence the blog post 🙂
Okay, you’re right, that is “mental”. I’m not interested in an encrypted drive where I have to use a physical key or device to unlock it. What drives do hardware encryption, where the user has to type in a password each time the drive is mounted? Thanks.
From reading http://www.buffalotech.com/support-and-downloads/faqs/how-does-hardware-encryption-work-on-ministation-extreme , it would seem the Buffalo MiniStation Extreme drive does it “right”, correct?
From reading http://wdc.custhelp.com/app/answers/detail/a_id/3741/~/setting-up-security-to-lock-or-unlock-a-wd-external-drive-with-wd-smartware , it would seem the WD My Passport Ultra 1TB portable drive and other WD drives that use “WD Security” utility do it “right”, correct?
Sorry, change “WD Security” to “WD SmartWare” in previous comment.
I got this issue too, I dislike hardware encryption, because I got a fail case with WD Essential 3TB…what a bad experience…next one must be ext drive without encryption
since I need the data more than the hard drive itself, I tried to open the casing myself, and found that the usb-sata chip is broken…
I tried connecting it to my sata port, and though the disk is detected, it was unformatted
tried to scan with hdtune, all sectors are fine…it's just the data that is lost…
tried all recovery software, just useless…
finally I had to find the same model WD Essential 3TB case…and my data is found…
now I blacklist all WD Essential for use…now using a dock for ext drive
btw, can you give us info about a list of external drives with/without hardware encryption??
it could help us a lot.
Thx
Hi David,
Yeah, it’s a bad situation when you think you’re getting something to protect your data (built-in hardware encryption on the chassis) but meanwhile it only hurts you (and your data).
A lot of people don’t get it. They need to re-read the blog post, or read your comment, because you understand first-hand how bad of a situation this can be.
I do not have a list of drives, but typically they will say on the box that they have encryption. If in doubt, DIY… get a hard drive and a chassis and put the drive in yourself. That way you can be sure to buy a basic chassis that does not have any form of encryption on chip.
Glad you were able to find a compatible decryption chip in the end. Could have been much, much worse. But what a headache!
-Robbie
Interesting point, but I did not see any mentions of Authentication methods. With the DataLocker ( http://www.datalocker.com ) hardware encrypted external hard drives, the key and CSP (Critical Security Parameter) is protected by the physical enclosure through passcode authentication (RFID Tag/NFC 2-factor available). In addition, the key is stored in a reserved sector of the hard disk drive that is inaccessible to operators. In the event that the hard drive enclosure/chassis fails, the encrypted data can be accessed again by swapping the internal HDD into a new DataLocker enclosure. The data can only be decrypted if the correct passcode has been entered.
In a situation where the thief tries to guess the password, the DataLocker drive will self-destruct and zeroize all CSPs if a certain amount of consecutive failed authentication attempts are made. The probability that a brute force attack, given one minute of time, will succeed is 9 in 5,000,000, which is less than the required probability of one in 100,000.
DataLocker drives are portable, secure and 100% independent of the host computer. And with the DL-Link feature of the DL3, devices can be linked to specific computers for added security.
The encryption algorithm and encryption keys are not the weak link for encrypted storage products; it's the authentication. Even 1024 Bit encryption is worthless if the password is set to 123456. Software encrypted products are much easier to brute force attack than hardware encrypted devices such as our product DataLocker.
http://datalocker.com/product-category/encrypted-storage/ (Confession, I work for DataLocker)
Most all encrypted hard drives and flash drives use a hash of a password to create a key (KEK or Key Encrypting Key) which is used to encrypt a randomly generated AES Data Encryption Key (DEK). For software based encryption you can run a password generator to brute force the password that unlocks the encryption keys since this resides in memory or on the hard drive itself. For products such as ours, you have to physically enter the password plus the keys are stored in secure flash memory.
In addition, ASIC based hardware encryption runs much faster than software based encryption.
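The password-sealed key arrangement that two of the comments above describe (a password-derived KEK wrapping a random DEK, so that changing the password only re-seals the key), shown as an added example that is not part of any comment or any vendor's firmware. It uses only the Python standard library, so an HMAC-derived pad and tag stand in for the AES key wrap a real product would use; the iteration count, function names and sample passwords are assumptions.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 200_000  # assumed work factor, chosen for this example


def _derive(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Password -> KEK, then split into a one-time pad and a MAC key."""
    kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    pad = hmac.new(kek, b"dek-pad", hashlib.sha256).digest()
    mac_key = hmac.new(kek, b"dek-tag", hashlib.sha256).digest()
    return pad, mac_key


def seal_dek(dek: bytes, password: str) -> dict:
    """Wrap a 32-byte DEK under a password. Stand-in for AES key wrap."""
    if len(dek) != 32:
        raise ValueError("this example wraps 32-byte (256-bit) keys only")
    salt = secrets.token_bytes(16)  # fresh salt, so the pad is never reused
    pad, mac_key = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unseal_dek(blob: dict, password: str) -> bytes:
    """Recover the DEK, or raise if the password (or the blob) is wrong."""
    pad, mac_key = _derive(password, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong password or damaged key blob")
    return bytes(a ^ b for a, b in zip(blob["wrapped"], pad))


def change_password(blob: dict, old: str, new: str) -> dict:
    """Re-seal the same DEK; the bulk data on disk is never re-encrypted."""
    return seal_dek(unseal_dek(blob, old), new)


if __name__ == "__main__":
    dek = secrets.token_bytes(32)             # random key that encrypts the disk
    blob = seal_dek(dek, "first passphrase")  # constructed sample passwords
    blob = change_password(blob, "first passphrase", "second passphrase")
    print(unseal_dek(blob, "second passphrase") == dek)
```

Reading the data takes both the sealed blob and the password. A design that keeps the blob on the disk itself survives an enclosure swap, while one that keeps it only in the enclosure's controller does not, whatever the password.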
Interesting that no one seems to remember the basis of public key encryption. Data is encrypted and decrypted using a combination of a public key (in this case on the encryption chip) and private key (which the user sets when they set up the drive.) No one can steal your encrypted drive, plug it into a computer and read your data unless they have your private key. Your data is safe. In the event (highly unlikely) that you get a power surge that fries the encryption chip and doesn’t also fry your drive, the company should be able to send you a new enclosure with the same public key. So you add your private key and your data is available.
If you have an encrypted drive that works as soon as you plug it into your computer, you probably have an app on the computer that provides the private key automatically. There is your security weak link. Not the drive. Make sure you set up the drive so that the key has to be entered every time you connect. This applies to software as well as hardware encryption.
It is interesting that you mention the problem of failing chassis and hardware encryption, I work for a company that produces rugged external drives with FIPS 140-2 level software encryption.
You can see a comparison of our products here:
http://www.olixir.com/products/external-hard-drives/
Certainly. When I realized this possibility for issues in the event of a failed chassis on a model with hardware encryption, I just had to talk about it! Thanks for letting us know about your products which use software instead of hardware, thereby bypassing the very issue.