San Jose, Calif. -- The ad hoc Trusted Computing Group released a specification for securing storage devices for industry review last week. The spec is expected to become the foundation for secure disk drives that will become widespread over the next three years.
The draft standard defines a way for storage devices to create and protect keys that prevent unauthorized users from accessing data on the device. It enables so-called full-drive encryption, protecting data on any lost storage device as well as a fast-erase capability for users who want to repurpose a storage device. Users can also leverage the spec to add additional cryptographic protections to any system.
Seagate is already shipping hard disks with so-called full-drive encryption. Hitachi Global Storage Technologies has announced a similar product, which also mainly targets business notebooks.
"We'll have to change a few bits in the interface to meet the spec, but [the revised products] will be functionally the same," said Michael Willett, a director of research at Seagate and co-chair of the TCG group's storage committee, which drafted the spec.
Willett said he expects that most drive makers will begin to roll compliant products within six months, once the version 0.9 of the spec that was released last week becomes officially ratified as version 1.0.
"This spec applies to all storage devices," Willett said. "All the hard-drive makers have taken part but so have makers of tape, optical and flash drives."
Hard-drive makers see disk security as a new layer of value they can roll into their devices quickly. The effort, which began as a research project three years ago, is eventually expected to become a standard feature on all drives.
"I expect within about three years all drives will have this capability. That's the road map we are working to internally," said one drive maker who asked to remain anonymous.
Unlike many security specs from the TCG, the storage standard does not require use of a standalone trusted platform module, a chip that generates and securely stores cryptographic keys. Such TPMs are now routinely used on business desktops, notebooks and some servers.
The TCG estimates that as many as 100 million computers will ship with a TPM chip this year. A TCG spec for cell phone security actually requires two TPMs, one for protecting carrier data and another for protecting user data.
Instead of a TPM, the storage spec relies on an existing storage controller to generate and manage keys, which are securely saved on extra space traditionally available on the storage device.
Currently, drive makers are using custom ASICs that implement 128- or 256-bit Advanced Encryption Standard security. Within three years, however, that function is expected to be integrated into the hard-disk controller.
Although AES has been adopted for initial products, the spec can use any form of encryption. It is likely that it will first be used for notebook drives, followed by drives for servers and eventually for all systems.
The TCG security protocols can tie into systems software features such as the MS-CAPI security applications programming interface used by Windows.
A separate TCG subgroup is now developing a spec for how to handle password and key-management functions on servers that might contain a large number of keys. That spec should be completed in about six months, said Willett.