
Self-Encrypting Drives and Security

Oct 16, 2025

Overview

This lecture covers how self-encrypting drives (SEDs) work, differences between hardware and software full disk encryption, common vulnerabilities in SEDs, attack techniques to bypass them, and recommended mitigations.

Types of Full Disk Encryption

  • Software-based encryption is handled by the operating system and works on any hardware but has performance overhead.
  • Hardware-based encryption is handled by the drive’s own processor, offering instant, transparent encryption with no CPU impact.
  • Applications and operating systems cannot easily distinguish between hardware and software encryption.

Self-Encrypting Drives (SEDs) and Standards

  • SEDs perform encryption on the drive itself using a crypto processor.
  • ATA Security Mode was an early encryption method controlled by the BIOS and difficult to manage in enterprise environments.
  • The Opal standard by the Trusted Computing Group (TCG) is widely used for interoperability.
  • BitLocker can manage both hardware and software encryption, using TPM and/or PINs for authentication.

SED Operation and Vulnerabilities

  • SEDs always have data encrypted at rest, using a media encryption key protected by a key encryption key.
  • After power-off, the drive resets to a locked state and loses the decryption key.
  • When powered on and unlocked, the drive stays unlocked until power is removed—even if OS crashes or reboots.
  • This persistent unlock state is mandated by the standard and can be exploited.
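The following Python model is an added illustration, not part of the lecture, of the lock-state behaviour described in this section: the media encryption key stays wrapped at rest, a correct credential unwraps it into the drive's volatile memory, and only events that remove drive power clear it, which is also why the mitigation section below prefers hibernation to sleep. The PBKDF2 key derivation, the XOR wrap, the authentication tag and the event names are stand-ins chosen for the example; they are not the Opal key hierarchy or any vendor's implementation.

```python
"""Toy model of a self-encrypting drive's lock state (added example, constructed).

The drive stores its media encryption key (MEK) wrapped by a key encryption key
(KEK) derived from the user's credential. Unlocking unwraps the MEK into the
drive's volatile memory; only loss of drive power clears it. The crypto here is
a stand-in (PBKDF2 plus a SHA-256 keystream XOR), not the Opal key hierarchy.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional


def derive_kek(credential: str, salt: bytes) -> bytes:
    # KEK derived from the user credential; real SEDs use their own KDF.
    return hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, 100_000, 32)


def wrap(kek: bytes, key: bytes) -> bytes:
    # Toy key wrap: XOR with a keystream derived from the KEK (self-inverse).
    stream = hashlib.sha256(b"wrap" + kek).digest()
    return bytes(a ^ b for a, b in zip(key, stream))


@dataclass
class SedDrive:
    salt: bytes
    wrapped_mek: bytes                   # persistent, useless without the KEK
    auth_tag: bytes                      # lets the drive reject a wrong credential
    mek_in_ram: Optional[bytes] = None   # volatile: cleared only by power loss

    @classmethod
    def provision(cls, credential: str) -> "SedDrive":
        mek, salt = os.urandom(32), os.urandom(16)
        kek = derive_kek(credential, salt)
        tag = hmac.new(kek, b"auth", "sha256").digest()
        return cls(salt, wrap(kek, mek), tag)

    def unlock(self, credential: str) -> bool:
        kek = derive_kek(credential, self.salt)
        expected = hmac.new(kek, b"auth", "sha256").digest()
        if not hmac.compare_digest(expected, self.auth_tag):
            return False
        self.mek_in_ram = wrap(kek, self.wrapped_mek)
        return True

    @property
    def unlocked(self) -> bool:
        return self.mek_in_ram is not None

    def host_event(self, event: str) -> None:
        """Apply a host-side event. Only events that cut drive power lock it."""
        if event in ("power_off", "hibernate"):
            self.mek_in_ram = None
        elif event in ("os_reboot", "os_crash", "sleep", "drive_moved_powered"):
            # Drive keeps power, so the MEK stays resident (simplified per the lecture's claim).
            pass
        else:
            raise ValueError(f"unknown event {event!r}")


def readable_after(events: List[str], credential: str = "correct horse") -> bool:
    """Provision a drive, unlock it once, apply events; report if data is still readable."""
    drive = SedDrive.provision(credential)
    if not drive.unlock(credential):
        raise RuntimeError("unlock with the provisioning credential must succeed")
    for event in events:
        drive.host_event(event)
    return drive.unlocked


if __name__ == "__main__":
    for seq in (["os_crash"], ["sleep"], ["os_reboot", "os_crash"], ["hibernate"], ["power_off"]):
        print(f"{' -> '.join(seq):22s} data readable: {readable_after(seq)}")
```

Running the script lists which host events leave the drive readable; the sequences that survive a crash, reboot or sleep are exactly the ones a power-off or hibernate policy closes.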

Attack Techniques to Bypass SEDs

  • Hot Plug Attack: Unlock the drive using the original machine, then physically move it (while powered) to an attacker’s device.
  • Sleep Mode/Hot Unplug: Put the machine to sleep, connect extension cables, wake it, then switch the drive to another system.
  • Force Restart Attack: Crash the OS after unlocking, then boot from external media to access the unlocked drive.
  • Tampering Detection Bypass: Most laptops do not detect if the drive is removed and reconnected when powered/sleeping.
  • These attacks work across different brands and OSes; only some Lenovo BIOSes have extra mitigations.

Detection and Mitigation

  • Attacks often leave minimal traces, sometimes only as generic power loss or crash logs.
  • User mitigation: Power off or hibernate laptops when unattended.
  • Admin mitigation: Enable pre-boot authentication, disable sleep, and block auto restart after crashes.
  • Manufacturer mitigation: Enable tamper detection features (usually disabled by default).

Key Terms & Definitions

  • Self-Encrypting Drive (SED) — Storage device with built-in, hardware-based encryption.
  • Opal Standard — TCG encryption standard for SED interoperability.
  • BitLocker — Microsoft disk encryption tool, supports both software and hardware encryption.
  • TPM (Trusted Platform Module) — Hardware chip storing authentication keys securely.
  • Pre-Boot Authentication — Credential check before OS loads, protecting access to the decryption key.

Action Items / Next Steps

  • Run manage-bde -status to check encryption type on your system.
  • If using BitLocker or SEDs, attempt demo attacks in a safe environment for learning.
  • Harden device settings as recommended: enable pre-boot authentication, prefer hibernation over sleep, and consult IT/security teams.
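As an added example (not from the lecture or from Microsoft), this Python script performs the first action item programmatically: it parses the text that manage-bde -status prints and flags volumes whose Encryption Method is drive hardware encryption but whose key protectors contain no pre-boot credential (a TPM-only protector unlocks silently at boot, which is the state the mitigations above aim to remove). The sample output embedded below is constructed to mirror the tool's layout, and the key-protector labels it matches on are assumed to be the ones the tool prints; on a real system, save the output of manage-bde -status to a file and pass that text to findings().

```python
"""Parse `manage-bde -status` output and flag hardware-encrypted volumes that lack a
pre-boot credential (added example; the sample output below is constructed)."""
import re
from typing import Dict, List

SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 476.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 931.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Automatic Unlock:     Enabled
    Key Protectors:
        Password
        Numerical Password
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]:)", re.MULTILINE)

# Protector labels (as assumed to be printed by manage-bde) that need no human at boot:
# the TPM releases the key on its own and the numerical password is only for recovery.
NO_CREDENTIAL = {"TPM", "Numerical Password"}


def parse_status(text: str) -> Dict[str, dict]:
    """Split the output per volume; fields become snake_case keys, protectors a list."""
    volumes: Dict[str, dict] = {}
    matches = list(VOLUME_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        block = text[m.end():end]
        info: dict = {"protectors": []}
        in_protectors = False
        for line in block.splitlines():
            stripped = line.strip()
            if not stripped:
                continue
            if in_protectors:
                if line.startswith("        "):       # protector names are indented 8 spaces
                    info["protectors"].append(stripped)
                    continue
                in_protectors = False
            if stripped == "Key Protectors:":
                in_protectors = True
            elif ":" in stripped and line.startswith("    "):
                key, _, value = stripped.partition(":")
                info[key.strip().lower().replace(" ", "_")] = value.strip()
        volumes[m.group(1)] = info
    return volumes


def is_hardware_encrypted(info: dict) -> bool:
    return info.get("encryption_method", "").startswith("Hardware Encryption")


def requires_credential(info: dict) -> bool:
    """True if at least one protector needs a PIN, password or startup key."""
    return any(p not in NO_CREDENTIAL for p in info["protectors"])


def findings(text: str) -> List[str]:
    out = []
    for vol, info in parse_status(text).items():
        if is_hardware_encrypted(info) and not requires_credential(info):
            out.append(f"{vol}: drive hardware encryption with no pre-boot credential "
                       f"(protectors: {', '.join(info['protectors'])})")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_STATUS) or ["no hardware-encrypted volume without pre-boot credential"]:
        print(line)
```

The check deliberately treats the TPM-only protector as insufficient even when Protection Status is on: that configuration is what makes the unlocked-after-crash state reachable without a credential, and enabling TPM+PIN is the admin mitigation listed above.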