Seagate ST5000AS0001 ユーザーズマニュアル
Seagate Archive HDD Product Manual, Rev. C
17
4.0 About (SED) Self-Encrypting Drives
Self-encrypting drives (SEDs) offer encryption and security services for the protection of stored data, commonly known as
"protection of data at rest." These drives are compliant with the Trusted Computing Group (TCG) Opal Storage Specifications
as detailed in the following:
"protection of data at rest." These drives are compliant with the Trusted Computing Group (TCG) Opal Storage Specifications
as detailed in the following:
Trusted Computing Group (TCG) Documents (apply to Self-Encrypting Drive models only)
TCG Storage Architecture Core Specification, Version 2.0
TCG Storage Security Subsystem Class Opal Specification, Version 2.0
(see
TCG Storage Security Subsystem Class Opal Specification, Version 2.0
(see
www.trustedcomputinggroup.org
)
In case of conflict between this document and any referenced document, this document takes precedence.
The Trusted Computing Group (TCG) is an organization sponsored and operated by companies in the computer, storage and
digital communications industry. Seagate's SED models comply with the standards published by the TCG.
digital communications industry. Seagate's SED models comply with the standards published by the TCG.
To use the security features in the drive, the host must be capable of constructing and issuing the following two SATA
commands:
commands:
Trusted Send
Trusted Receive
These commands are used to convey the TCG protocol to and from the drive in their command payloads.
4.1
Data Encryption
Encrypting drives use one inline encryption engine for each drive employing AES-256 data encryption in Cipher Block Chaining
(CBC) mode to encrypt all data prior to being written on the media and to decrypt all data as it is read from the media. The
encryption engine is always in operation and cannot be disabled.
(CBC) mode to encrypt all data prior to being written on the media and to decrypt all data as it is read from the media. The
encryption engine is always in operation and cannot be disabled.
The 32-byte Data Encryption Key (DEK) is a random number which is generated by the drive, never leaves the drive, and is
inaccessible to the host system. The DEK is itself encrypted when it is stored on the media and when it is in volatile temporary
storage (DRAM) external to the encryption engine. A unique data encryption key is used for each of the drive's possible16 data
bands (see
inaccessible to the host system. The DEK is itself encrypted when it is stored on the media and when it is in volatile temporary
storage (DRAM) external to the encryption engine. A unique data encryption key is used for each of the drive's possible16 data
bands (see
4.2
Controlled Access
The drive has two security providers (SPs) called the "Admin SP" and the "Locking SP." These act as gatekeepers to the drive
security services. Security-related commands will not be accepted unless they also supply the correct credentials to prove the
requester is authorized to perform the command.
security services. Security-related commands will not be accepted unless they also supply the correct credentials to prove the
requester is authorized to perform the command.
4.2.1
Admin SP
The Admin SP allows the drive's owner to enable or disable firmware download operations (see
Access to the Admin SP is available using the SID (Secure ID) password or the MSID (Manufacturers Secure ID) password.
4.2.2
Locking SP
The Locking SP controls read/write access to the media and the cryptographic erase feature. Access to the Locking SP is
available using the Admin or User passwords.
available using the Admin or User passwords.