About Self-Encrypting Drives; Data Encryption; Controlled Access; Admin Sp - Seagate Nytro 5050 Product Manual

www.seagate.com

11. About self-encrypting drives

Self-encrypting drives (SEDs) offer encryption and security services for the protection of stored data, commonly
known as protection of data at rest. These drives are compliant with the Trusted Computing Group (TCG) Opal Storage
Specifications as detailed in Section.
The Trusted Computing Group (TCG) is an organization sponsored and operated by companies in the computer,
storage and digital communications industry. The Seagate SED models comply with the standards published by the
TCG.
To use the security features in the drive, the host must be capable of constructing and issuing the following two NVMe
commands:
Security Send

Security Receive

These commands are used to convey the TCG protocol to and from the drive in the appropriate command payloads.
11.1

Data encryption

Encrypting drives use one in-line encryption engine for each port, employing AES-256 data encryption in XEX-based
tweaked-codebook mode with ciphertext stealing (XTS) to encrypt all data prior to being written on the media and to
decrypt all data as it is read from the media. The encryption engines are always in operation and cannot be disabled.
The 32-byte Data Encryption Key (DEK) is a random number which is generated by the drive, never leaves the drive,
and is inaccessible to the host system. The DEK is itself encrypted when it is stored on the media and when it is in
volatile temporary storage (DRAM) external to the encryption engine. A unique data encryption key is used for each of
the drive's possible 9 data bands (see
11.2

Controlled access

The drive has two security providers (SPs) called the "Admin SP" and the "Locking SP." These act as gatekeepers to the
drive security services. Security-related commands will not be accepted unless they also supply the correct credentials
to prove the requester is authorized to perform the command.
11.2.1

Admin SP

The Admin SP allows the drive's owner to enable or disable firmware download operations (see Section 6.4). Access to
the Admin SP is available using the SID (Secure ID) password or the MSID (Manufacturers Secure ID) password.
11.2.2

Locking SP

The Locking SP controls read/write access to the media and the cryptographic erase feature. Access to the Locking SP
is available using the BandMasterX or EraseMaster passwords. Since the drive owner can define up to 9 data bands on
the drive, each data band has its own password called BandMasterX where X is the number of the data band (0
through 8).
Seagate Nytro 5050 NVMe SSD Product Manual, Rev C
Section 11.5 Data bands).
61