Backgrounder on OPAL Drive Recovery versus Seagate Momentus Drive Recovery versus Software Encryption - w/Key Escrow discussion
Some customers are uneasy about Self Encrypting Drives (SEDs) due to a perceived lack of ability to escrow the key that protects the drive - which in their mind indicates that it would be possible to have a drive whose contents cannot be accessed.
Two questions the user might have:
1 - What can happen to an OPAL drive that will result in irrecoverable loss of access to the data?
AND
2 - Is there anything that can happen to an OPAL drive that would not have the same disastrous consequences if it happened to a software encrypted drive?
REPLY
Seagate DriveTrust SEDs do support key escrow in this sense, and SES can be used to escrow the keys.
If you crypto erase a DriveTrust drive and have "Key Escrow" turned on in SES it is theoretically possible to inject the key back into the DriveTrust SED and get the data back. As far as we know we only ever did this once in Development and none of our customers have ever restored a MEK key.
Regardless, Seagate DriveTrust will soon be replaced by OPAL, so that doesn't help moving forward.
At this point, Opal drives do not support key escrow by design (the OPAL consortium intentionally decided not to include any interface through which the actual Key that protects the data can be obtained from the drive).
What we do save in SES is the PINs or passwords for the Opal drive. Since we use 256-bit random numbers for the PINs, we call these Authentication Keys (or AKs).
NOTE: If you crypto erase an Opal drive there is no way to get the data back off the drive. It is thoroughly gone.
This is actually considered the desired behaviour by most customers we have queried, especially those that want to use crypto-erase as an approved method to sanitize media.
Crypto erase is one example of "what can happen to an OPAL drive that will result in irrecoverable loss of access to the data".
Another example is media failure. Most Opal drives store the MEK / DEK wrapped with a KEK derived from the AK several places on the drive. That way if one copy of the MEK is corrupted there will be a few backup copies stored elsewhere on the drive for recovery.
However, if all copies of the MEK are corrupted then there will be irrecoverable loss of access to the data.
With software encryption, even if 80% of the drive is not readable including all copies of the DEK, one can still use EnCase along with an emergency disk and key file from SES, and thereby recover the remaining 20%.
This is an example of something that can happen to an OPAL drive that would not have the same disastrous consequences if it happened to a software encrypted drive.
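The two key hierarchies compared above (an Opal SED whose MEK never leaves the drive and is stored in several wrapped copies, versus software encryption whose DEK is escrowed as a key file), modelled in Python as an added example. This is constructed illustration code, not Seagate, SES, EnCase or Opal code: the cipher is a SHA-256 keystream stand-in for the AES the real drive uses, the KEK derivation, HMAC integrity tag, slot count (`SLOTS`), sector count (`SECTORS`) and the names `OpalDrive`, `Media`, `recover_opal` and `recover_software` are all assumptions, and "SES" is simply the variable holding the escrowed AK or DEK. It walks the three cases the reply describes: one wrapped-MEK copy corrupted (recoverable), every copy corrupted (lost), crypto erase (lost), and a software-encrypted drive that loses every on-disk DEK copy plus most of its sectors but still yields the surviving sectors from the escrowed DEK.

```python
import hashlib
import hmac
import os
from typing import List, Optional

SLOTS = 3     # assumption: redundant copies of the wrapped MEK/DEK on the media
SECTORS = 5   # assumption: toy drive size in sectors


def _keystream(key: bytes, label: bytes, n: int) -> bytes:
    """SHA-256 counter keystream: a toy stand-in for AES, not a real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + label + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor_crypt(key: bytes, label: bytes, data: bytes) -> bytes:
    """Symmetric toy encrypt/decrypt of data under key, domain-separated by label."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, label, len(data))))


def derive_kek(ak: bytes) -> bytes:
    """KEK derived from the 256-bit AK (the PIN that SES escrows); salt is assumed."""
    return hashlib.pbkdf2_hmac("sha256", ak, b"toy-kek-salt", 1000, 32)


def wrap_key(kek: bytes, key: bytes) -> bytes:
    """Wrapped key = ciphertext || HMAC tag, so a corrupted copy is detectable."""
    ct = xor_crypt(kek, b"wrap", key)
    return ct + hmac.new(kek, ct, "sha256").digest()


def unwrap_key(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Return the wrapped key, or None when this copy fails its integrity check."""
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(kek, ct, "sha256").digest(), tag):
        return None
    return xor_crypt(kek, b"wrap", ct)


class Media:
    """Encrypted sectors plus SLOTS wrapped-key copies, shared by both models."""

    def __init__(self, key: bytes, kek: bytes):
        self.slots: List[bytes] = [wrap_key(kek, key) for _ in range(SLOTS)]
        self.sectors: List[Optional[bytes]] = [None] * SECTORS

    def write(self, key: bytes, i: int, data: bytes) -> None:
        self.sectors[i] = xor_crypt(key, i.to_bytes(4, "big"), data)

    def corrupt_slot(self, i: int) -> None:
        self.slots[i] = os.urandom(64)          # media failure hits a key copy

    def corrupt_sector(self, i: int) -> None:
        self.sectors[i] = None                  # media failure hits user data

    def key_from_slots(self, kek: bytes) -> Optional[bytes]:
        """Any single intact copy is enough to recover the key."""
        for blob in self.slots:
            key = unwrap_key(kek, blob)
            if key is not None:
                return key
        return None

    def read_all(self, key: bytes) -> List[Optional[bytes]]:
        return [None if s is None else xor_crypt(key, i.to_bytes(4, "big"), s)
                for i, s in enumerate(self.sectors)]


class OpalDrive:
    """SED model: the MEK is generated inside the drive and never exported."""

    def __init__(self, ak: bytes):
        self._mek = os.urandom(32)              # stays inside the drive
        self.media = Media(self._mek, derive_kek(ak))

    def write(self, i: int, data: bytes) -> None:
        self.media.write(self._mek, i, data)

    def crypto_erase(self, ak: bytes) -> None:
        """New MEK, slots rewritten: the old sectors are now unrecoverable."""
        self._mek = os.urandom(32)
        self.media.slots = [wrap_key(derive_kek(ak), self._mek) for _ in range(SLOTS)]


def recover_opal(media: Media, ses_ak: bytes) -> Optional[List[Optional[bytes]]]:
    """SES holds only the AK, so recovery depends on at least one intact MEK slot."""
    mek = media.key_from_slots(derive_kek(ses_ak))
    return None if mek is None else media.read_all(mek)


def recover_software(media: Media, ses_dek: bytes) -> List[Optional[bytes]]:
    """SES holds the DEK itself (key file), so on-disk DEK copies are not needed."""
    return media.read_all(ses_dek)


def demo() -> dict:
    """Run the scenarios from the discussion and report each outcome."""
    data = [b"sector-%d" % i for i in range(SECTORS)]
    ak = os.urandom(32)                         # 256-bit AK, escrowed to SES
    opal = OpalDrive(ak)
    for i, d in enumerate(data):
        opal.write(i, d)
    opal.media.corrupt_slot(0)                  # one copy lost: still readable
    one_lost = recover_opal(opal.media, ak) == data
    for i in range(1, SLOTS):
        opal.media.corrupt_slot(i)              # every copy lost: data is gone
    all_lost = recover_opal(opal.media, ak)

    opal2 = OpalDrive(ak)
    opal2.write(0, data[0])
    opal2.crypto_erase(ak)                      # sanitised: old data never returns
    after_erase = recover_opal(opal2.media, ak)[0] == data[0]

    dek = os.urandom(32)                        # software DEK, escrowed as key file
    sw = Media(dek, derive_kek(b"user-passphrase"))
    for i, d in enumerate(data):
        sw.write(dek, i, d)
    for i in range(SLOTS):
        sw.corrupt_slot(i)                      # all on-disk DEK copies gone
    for i in range(SECTORS - 1):
        sw.corrupt_sector(i)                    # most of the media unreadable too
    survivors = [s for s in recover_software(sw, dek) if s is not None]
    return {"opal_one_slot_lost_recovers": one_lost,
            "opal_all_slots_lost": all_lost,
            "opal_data_survives_crypto_erase": after_erase,
            "software_recovered_sectors": survivors}
```

The point the model makes concrete: on the Opal side the escrowed AK only unlocks a copy of the MEK that is still on the media, so losing every copy (or deliberately replacing the MEK by crypto erase) ends recovery, whereas on the software side the escrowed key file is the DEK itself, so whatever sectors the media still returns can be decrypted regardless of the on-disk key copies.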