Skip to content

Main Navigation

Puget Systems Logo
  • Solutions
    • Recommended Systems For:
    • Content Creation
      • Photo Editing
        • Recommended Systems For:
        • Adobe Lightroom Classic
        • Adobe Photoshop
      • Video Editing
        • Recommended Systems For:
        • Adobe After Effects
        • Adobe Premiere Pro
        • DaVinci Resolve
        • Foundry Nuke
      • 3D Design and Animation
        • Recommended Systems For:
        • Autodesk 3ds Max
        • Autodesk Maya
        • Blender
        • Cinema 4D
        • Houdini
        • ZBrush
      • Real-Time Engines
        • Recommended Systems For:
        • Game Development
        • Unity
        • Unreal Engine
        • Virtual Production
      • Rendering
        • Recommended Systems For:
        • OctaneRender
        • Redshift
        • V-Ray
      • Digital Audio
        • Recommended Systems For:
        • Ableton Live
        • FL Studio
        • Pro Tools
    • Engineering
      • CAD
        • Recommended Systems For:
        • Autodesk AutoCAD
        • Autodesk Inventor
        • Autodesk Revit
        • Lumion
        • SOLIDWORKS
      • Photogrammetry
        • Recommended Systems For:
        • ArcGIS Pro
        • Agisoft Metashape
        • Pix4D
        • RealityCapture
    • Scientific Computing
      • Recommended Systems For:
      • Data Science
      • Machine Learning / AI
      • Scientific Computing
    • More
      • Recommended Systems For:
      • Compact Size
      • Live Streaming
      • NVIDIA RTX Studio
      • Quiet Operation
      • Virtual Reality
  • Products
    • Intel Core i7 & i9
      Workstations with 13th Gen Intel Core i7 & i9 processors on Z690 and Z790 chipsets
    • AMD Ryzen 7 & 9
      Workstations with AMD Ryzen 7000 Series processors on B650 and X670 chipsets
    • AMD Threadripper PRO
      Workstations with AMD Threadripper PRO 5000 WX processors on the WRX80 chipset
    • Intel Xeon W
      Workstations with Intel Xeon W 3300 processors on the C621E chipset
    • Rackmount & Server
      Servers and workstations in rackmount chassis
    • Custom Computers
      Customize a desktop workstation from scratch
    • Custom Servers
      Customize a rackmount server from scratch
    • QNAP Network Attached Storage
      Check out our external storage options as an authorized reseller for QNAP
    • Recommended Third Party Peripherals
      View our list of recommended peripherals to use with your new PC
  • Publications
    • Articles
    • HPC Blog
    • Blog Posts
    • Case Studies
    • Podcasts
    • Press
  • Support
    • Contact Support
    • Support Articles
    • Warranty Details
  • About Us
    • About Us
    • Contact Us
    • Press Kit
    • Testimonials
    • Careers
  • Talk to an Expert
  • My Account
  1. Home
  2. /
  3. Hardware Articles
  4. /
  5. Introduction to Self-Encrypting Drives (SED)

Introduction to Self-Encrypting Drives (SED)

Posted on April 30, 2014 by Matt Bach
Always look at the date when you read an article. Some of the content in this article is most likely out of date, as it was written on April 30, 2014. For newer information, see our more recent articles.

Table of Contents

  • Introduction
  • What is SED Encryption?
  • Downsides of SED encryption
  • What is needed for SED encryption to work?
  • Managing SED encryption passwords
  • Conclusion

Introduction

A SED (or Self-Encrypting Drive) is a type of hard drive that automatically and continuously encrypts the data on the drive without any user interaction. What may surprise many readers is that a decent potion of the drives currently in the market (including the Samsung 840 Pro SSDs we use in our systems) are, in fact, SEDs. But since manufactures do not often tout it as a major feature, it often gets lost in the large number of typically more important specifications. Even once you purchase, install, and start using one of these SED drives, the encryption is so transparent to the user that it is unlikely they would ever realize the drive is a SED.

This encryption process is done through the use of a unique and random Data Encryption Key (DEK) which the drive uses to both encrypt and decrypt the data. Whenever data is written to the drive, it first gets encrypted according to the DEK. Similarly, whenever data is read from the drive, it first gets decrypted by the same DEK before being sent to the rest of the system.

This means that all the data on the drive is encrypted at all times. One neat trick that can be done based on this is to almost instantly and completely wipe a hard drive. All you need to do is tell the SED to generate a new DEK and all the data on the drive immediately becomes gibberish (since the key needed to decrypt the data no longer exists) and is effectively unretrievable. So if you need to quickly and securely wipe a drive before either redeployment or disposal, SEDs offer a quick and very secure way to do so. This act is called a number of different names depending on the manufacturer, although it is most often referred to as doing a "Secure Erase".

What is SED Encryption?

While having the data encrypt and decrypt automatically on a hard drive is neat, it isn't really all that useful on its own since the hard drive will automatically decrypt the data on request. However, SEDs also allow you to set what is called an Authentication Key (AK) which acts as a password that locks the drive until the key is entered. If an Authentication Key is set up, the system will prompt for the key when it first powers on. While the number of attempts varies by the motherboard, if you put in the incorrect password after three or four attempts, the system will simply keep the drive locked and continue the boot process. If that happens, the drive becomes completely unusable by the system until the computer is powered off and the correct key is entered.

Password is prompted during the POST process If you enter the wrong password 3 or 4 times
in a row, the drive remains locked


In fact, even if you remove it from the original computer and plug it into a different computer the drive will still require the AK to be entered in order for the drive to unlock. However, if you you plug it into a system that does not support SED encryption, the drive will be unusable. Since the motherboard does not have the ability to enter the Authentication Key, the drive never knows to unlock itself. The result is that the drive will remaining locked with no way to unlock it. Unless you move the drive to a system that supports SED encryption, there is no way to retrieve the data on that drive.

According to Seagate, this method of encryption has been certified by both the NIST and CSE as meeting the requirements for level 2 security for cryptographic modules.

Downsides of SED encryption

When data security is a goal, it is essential to know the limitations and drawbacks of a certain technology. SEDs are a great technology, but they are no different than anything else in that they certainly have downsides. In the case of SEDs, the main downside is that once the drive has been unlocked, it remains so until the power to the drive has been cut. In other words, if you simply reboot the computer or put it into sleep, the drive remains unlocked. It is not until you completely power off the computer that it will again require the Authentication Key to be entered.

In other words, if your laptop is stolen and it was only in sleep mode then the data on the drive is completely exposed. If you have a user password set on the OS, a thief could still simply restart the machine, boot into a live environment, and have almost full access to your data. In fact, even if you have both an OS password and a BIOS password set, the data still could be accessed by moving the drive to a different computer without cutting the power. In laptops this would be tricky (but not impossible) but on a desktop is actually rather easy with the right setup.

So if you do decide to use SED encryption, our biggest advice is to get into the habit of powering off your system when it is not in use rather than simply putting it to sleep.

A second downside to SED encryption is that it will only work in simple disk configurations. You can have multiple drives in one system with SED encryption enabled and even use software RAID, but doing something like hardware-level RAID is simply not supported.

What is needed for SED encryption to work?

Something we discovered when we decided to start offering SED encryption on our systems is that full support for SED is actually very poor. There are plenty of hard drive and SSD models that support SED encryption (although finding those models can be difficult), but full support for SED also requires a compatible motherboard.

Some features of SED (like the automatic encryption and decryption of data and Secure Erase) will work regardless of the motherboard. But if you want to use SED encryption by setting an Authentication Key, you need a motherboard that supports doing so. 
 
What we have found is that many laptops (including all the laptops in our Traverse and Traverse Pro lines) have the ability to use an Authentication Key without any need for a custom BIOS. However, they often lack the ability to set the AK though the BIOS. Of course, this doesn't mean that every laptop will support SED encryption, but in our experience laptops in general are much more likely to support it than desktop or server motherboards.
 
While talking with Asus, Super Micro, and Samsung, we have discovered that most desktop and server motherboards do fully support SEDs, but the ability to use an Authentication Key is expressly disabled. The reason for this appears to be that manufactures are afraid that a user may accidentally lock their hard drive and not remember what they used for the Authentication Key. So rather than risk having an angry customer that accidentally locked their drives, they leave that specific feature of SEDs disabled. However, since the feature is there and simply disabled, we have had success with getting custom BIOS files from the manufacturer that unlocked the ability to use Authentication Keys.

Managing SED encryption passwords

On a motherboard that fully supports SED encryption, there is a chance that there is an option in the BIOS setup to set, change, or remove the SED Authentication Key on your SED drive. However, we have found that many motherboards that support SED do not have this capability built into the BIOS. In those cases, you could use software like Winmagic to manage the SED encryption key, or you can go through a series of steps using a Linux live environment to manage the SED Authentication Key without the need for paid software.

If you have a computer purchased from Puget Systems, the System's Tools Disc that is included with your computer includes an Ubuntu live environment that has everything you need. To start this process, insert the Tools Disc into your computer and restart the system. When you see text similar to "Press any key to boot from DVD", press the space bar to boot to the Tools Disc. Once the main menu comes up, select "Live Linux Environment (Safe Graphics)" and hit enter. If you do not have a system purchased from Puget Systems, you can follow the directions from Ubuntu on how to create a LiveCD that should include everything you will need.

Once your system has booted into the Linux live environment, there are three combinations of steps you must go through in order to either set, remove, or change the SED encryption password.

  • No matter what you want to do, you must first locate the drive that you want to manage the SED encryption password on and unfreeze it.
  • Next, if you want to change the SED encryption password or remove SED encryption entirely, you need to disable SED encryption.
  • Finally, you need to enable SED encryption with a new password if you are either changing the SED encryption password or setting a new SED encryption password.
Locating and unfreezing the drive  
Step 1:
Open a terminal from the unity toolbar or with the hotkey combination "ctrl+T".

Step 2:
Enable root privileges by entering the command 'su'. You will be prompted for a password. If you are using a Puget Systems Tools Disc, enter "Password1".

 

Step 3:
Enter the command "lsblk" which will output a list of the drives that are in the system. Locate the name of the drive (sda, sdb, etc.) that you want to change the encryption password or disable SED encryption on.
Step 4:
Enter the command "hdparm -I /dev/X" where X is the drive name (sda, sdb, etc.) to check the current status of the drive. Be sure to use "-I" which is an uppercase i, not a one or lowercase L. Check to make sure that there is a line that says "enabled". If that line instead says "not enabled", then SED encryption is not currently enabled on that drive. Either SED encryption was never configured, or you are using the incorrect hard drive name (sda, sdb, etc.) 
Step 5:
Typically, the drive will be marked as frozen (indicated by a line that says "frozen") and will need to be unfrozen before continuing. To unfreeze the drive, put the system to sleep by clicking on the gear icon at the top-right of the screen and selecting "Suspend". After ~10 seconds, hit the power button to wake the system up. It is not uncommon for a system to not resume properly when using a live environment, and if this happens, contact Puget System's Support department to receive guidance tailored for your specific system before proceeding.
Step 6:
Repeat the "hdparm -I /dev/X" command to verify that the drive is now marked as "not frozen". If it is still frozen, you will need to physically disconnect the drive for a few seconds while the system is in the live environment then repeat the command. However, before doing so we recommend contacting Puget System's Support department to receive guidance tailored for your specific system before doing so.

 

Disable the current SED encryption  
Step 1:
After following the steps to locate and unfreeze the drive, run the command "hdparm –security-disable PASSWORD /dev/X" where PASSWORD is the current SED password and X is the drive name (sda, sdb, etc) to remove the current SED encryption. If you wish to leave SED disabled, then the process is complete. If you want to reset SED with a new password, continue to the next section.

 

Enable SED encryption with a new password
Step 1:

After following the steps to locate and unfreeze the drive then to disable SED encryption, next enter the command "hdparm –user-master u –security-set-pass 'PASSWORD' /dev/X" where PASSWORD is the password you want to use and X is the drive name (sda, sdb, etc.) to re-enable SED encryption with a new password.
 
Note: We recommend enclosing the password within single quotes as certain special characters and spaces can cause an error if single quotes are not used.
Step 2:
Enter the command "hdparm -I /dev/X" again and look for the line "enabled" (instead of "not enabled") to ensure that SED is enabled. At this point you should completely power off your system (not a standard reboot) to ensure that the SED password is set properly.

 

Conclusion

After working with SED encryption and seeing how well it works, we are actually very surprised at how little support it has on modern motherboards. In fact, many motherboard manufacturers actively disable SED encryption and require a custom BIOS in order to make it active. Other motherboards, however, do support SED encryption although the ability to manage the password is not available from the BIOS. In those cases, you can still use SED encryption but you need to go though an unwieldy process involving a Linux live environment.

Overall, we have found that SED encryption is great as long as you do your homework and know that it will work on your system. Self-encrypting drives have their downsides (largely that it only requires the password to be entered when the machine is first turned on), but it is easy to use and effective for a very wide range of applications. If you are interested in encrypting your data, we highly recommend checking out SED encryption before considering options like Bitlocker or other software-based encryption.

Do you use hard drive encryption in your computer, either SED encryption or something else? Let us know about your experience in the comments below!

Tags: encryption, SED, self-encrypting drive

Who is Puget Systems?

Puget Systems builds custom PCs tailored for your workflow

Extensive in-house testing
making you more productive and giving you more performance for your dollar

Reliable workstations
with fewer crashes and blue screens means more time working, less time waiting on your computer

Support that understands
your complex workflows and can get you back up and running ASAP

Proven track record
check out our customer testimonials and Reseller Ratings

Get Started

Browse Our Workstations

Fractal Design Define 7 Chassis with Puget Systems Logo

Select your workflow:

Content Creation
Engineering
Scientific Computing
More

Latest Articles

  • Puget Systems Hardware Trends of 2022
  • Guide To Removing Instapak Foam
  • Basic Guide to Identify and Remove Malware
  • Should I Upgrade My Gpu
  • Case Study with Lost Boys Interactive
View All

Post navigation

 Qualification: LSI 9341-8i & 9361-8i RAID ControllersVideo Card Failure Rates by Generation 
Puget Systems Logo
Build Your Own PC Site Map FAQ
facebook instagram linkedin rss twitter youtube

Optimized Solutions

  • Adobe Premiere
  • Adobe Photoshop
  • Solidworks
  • Autodesk AutoCAD
  • Machine Learning

Workstations

  • Content Creation
  • Engineering
  • Scientific PCs
  • More

Support

  • Online Guides
  • Request Support
  • Remote Help

Publications

  • All News
  • Puget Blog
  • HPC Blog
  • Hardware Articles
  • Case Studies

Policies

  • Warranty & Return
  • Terms and Conditions
  • Privacy Policy
  • Delivery Times
  • Accessibility

About Us

  • Testimonials
  • Careers
  • About Us
  • Contact Us

© Copyright 2023 - Puget Systems, All Rights Reserved.