Should you avoid external hard drives that boast built-in encryption?

I got thinking about this question today. Why do hard drive manufacturers add useless hardware encryption to external drives?

“Why, that should be obvious, Robbie; it’s because we are security conscious and want to protect our data from prying eyes,” you say. “And you call yourself a bald nerd!”

First of all, I don’t like your tone.

But second of all, exactly who are we protecting here?

Somewhere inside the chassis of your external hard drive, there is an integrated encryption/decryption chip. It boasts “256-bit AES Encryption”. Wow, sounds safe! So you plug in the drive to your computer, and place your private stuff on there, and feel safe. “It’s encrypted.”

Who is it safe from?

Bret Austen, General Manager of Positive E Solutions Inc., in Barrie, Ontario calls this feature a “false sense of security.” He explained to me that while his company does carry these drives, the encryption features are not a true protection for the users’ data. “That said, we do offer an encryption key solution which encrypts data in such a way that even if the drive is stolen, the data cannot be accessed since they require a literal key.” This key is one that you would keep on your keyring, and take home with you at the end of your shift. If that sounds more like what you’re hoping for, I suggest you get in touch with Mr. Austen to discuss this impressive solution.

So, back to your external hard drive. You placed your private data on it, and then you plugged it back into your computer a week later. Can you read the data? Sure you can. The hard drive is still an internal component of the chassis, which carries the built-in decryption chip. So as long as that drive is inside that chassis, you can read and write the “encrypted” data just as if it were unencrypted.

So exactly when does the encryption protect your data from prying eyes? Why it should be obvious: when the internal hard drive is removed from the external chassis.

When a thief steals your drive, are they going to sit down at your desk, pull out a Phillips screwdriver, and gently remove the internal hard drive from the chassis? Or are they going to grab the whole thing and run off with it, decryption chip and all? Similarly, if you lose the drive, will it still be readable by the finder? Sure, it will.

So when does the encryption actually take effect? When the chassis fails.

If your hard drive gets zapped from a surge, or otherwise the circuit board of the external unit gets damaged, data recovery “may not be possible,” says Phil Priest, a professional data recovery technician from PES Data Recovery in an interview with me this afternoon. “You’d have to track down a decryption chip with exactly the same key in order to access the data from the drive. We can recover the hard drive’s data, but it would be entirely garbled and unusable without the proper key,”

Data recovery may be possible in such a case. Mr. Priest goes on to say, “We had a recovery like that come in a while back. It was a Western Digital drive, and for some reason they had manufactured all the drives of the same model with the same decryption key.” He explained that the customer was fortunate in this case: the data was able to be recovered since a decryption key was readily available. However, the cost to procure the correct decryption key resulted in a notably higher cost of recovery and made expedited service impossible. Mr. Priest also warned, “if the manufacturer uses a different decryption key for each drive manufactured, there is likely no way to recover the data.”

So who is the encryption on your external drive really protecting? It would appear to me that the only person getting locked out of your data… is you.

Mr. Priest ended the conversation saying, “if your external hard drive has built-in encryption, make sure you keep a good backup.”

To protect your company data from accidental data leak or intentional data theft, please take a look at Endpoint Protector. This is the “proper” way to protect your data. www.endpointprotector.ca

Watch The Video

Please share your thoughts with a comment.

Leave a Reply

20 Comments on "Should you avoid external hard drives that boast built-in encryption?"

Notify of
avatar
Sort by:   newest | oldest | most voted
Ty Henriksen
Guest

My understanding is that this kind of thing was developed to prevent employees form grabbing hot swappable drives out of servers and running off with valuable data. Since the chasis is bolted into a server rack (or at worst a NAS box) and these can be more difficult to pry loose form the premises (without being noticed, anyway) it provides some light protection for data on drives that fail.

OK, so I might even consider this paranoid by my own standards if I hadn’t received an earful of complaining form a “friend” who tried exactly that at work. He just faked a drive going down, dropped in a replacement blank  and smuggled the drive home only to find out he couldn’t get everybody’s pay history off of it as he thought he would. Don’t ask me why he couldn’t get info off the drive while it was plugged in.

 

I agree that there doesn’t seem to be much reason for this tech for standalone external drives but it might just be a case of it being cheaper to manufacture 10,000 controller chips with this tech than making 9,000 without it and 1000 with it.

Elyas
Guest

There is no software that can bspays the encryption.You can crack the encryption, but that can take weeks, months and sometimes years to crack it.Just live with what you have got. Was this answer helpful?

Captain Obvious
Guest

Hey you Bald Nerd.

If you have material you don’t want the police to see, you set a password and what actually happens is the encryption key is “sealed” by the password. What this means is that you do not supply the password the encryption key cannot be obtained so the Hardware Encryption does a very effective job when used properly and not by Bald Nerds.

This is why you can change the password and not have to decrypt/re-encrypt the drive. When you change the password (or turn it off) it simply “re-seals” the encryption key with the new password.

So what you need to say is that Self Encrypting HDDs are a danger for people who have no use for encryption. However for people that DO have a legitimate use for the encryption, they are super strong.

Grow some hair, a brain might follow.

Drowling
Guest

Hey Captain Obvious,

Most people included in the target audience of these types of ‘over the counter’ external HDDs are not that interested in encryption for a specific purpose but are just regular joes that think they are getting a better deal with this ‘safety stuff’ over a ordinary unprotected HDD.

A person that actively seeks to protect the data from the police (?) is probably not stupid enough to go for a cheap unreliable mass-produced piece of crap who use encryption mostly as a selling point.

In that context, these types of protection does a disservice to their customers and only provide business to data recovery companies when the device breaks (which they inevitably do).

Perhaps you yourself could use less hair and more stuff under it.

John Hazzleton
Guest

Hi

Read your blog re this issue, and viewed the video – I had this problem with a Western Digital (My Book) external hard drive – My questions are… if I want to buy an UNencrypted external hard drive (I am in the UK) , are these available? If so, can you recommend/advise of any?  Also, can the original WD drive be reformatted WITHOUT the encryption chip? As I understand it, the problem occurred because the drive casing or connection port had become damaged. (By the way, I managed to find someone to retrieve my data but have no clue how he did it !!)

chagol
Guest

I have some experience with a few wd external drives (my passport & wd my book) and they need to have the passwords typed in (previously set by me) every time to access the data (otherwise they simply provide sea of random encrypted bytes).

So, what is all about…?? Please explain..

Thank you very much

Aldo
Guest

The point of the article is that encryption in current WD external hard drives operates even if you set no password via WD software.
Meaning that it is not possible to switch off encryption.
Most users do not set a password anyway. In which case, if the drive is stolen, the thief will be able to access the data.
In your case , you don’t run this risk, as you set the password.
But you still have something in common with less cautious users.
If the drive stops working due to a problem with the enclosure hardware but the drive itself is fine, as it is most commonly the case, your data should be recoverable by prying the enclosure open, taking the drive out and fitting it in a dock, desktop or a generic external enclosure.

But not with WD. If your enclosures fail and they are the recent models, your password will not be enough to read the data unless you find another enclosure, exactly the same model, and fit the old drive in. Otherwise, you need the few data recovery companies WD provides with the chip keys, be prepared to pay though your nose though, after all you have lost your data and they know it.

I am sure you have a backup for your important data, but if the fail happens between writing new files and backing them up..

Cliff
Guest

So one would have to wonder why, say in the case of WD, there would be an option to install encryption with a password.  So does this mean that they are misleading their customers by implying that not checking this option has the drive not being encrypted by the chip?  This would not make me happy, as I just bought one.  Of course, having very good surge protection would make this concern a lot less, but it is one of the main purposes of an external hard drive to back up data.  It’s a bit silly to have to have a backup of the backup.

What does WD tech support have to say about this?

Bill Dietrich
Guest

Sorry, I just don’t understand this article.  Who uses encryption without having to type in the password each time you boot the system ?  I thought all hardware-encrypted drives required that.

david
Guest

i got this issue too, i dislike hardware encrytion, because i got a fail case with WD essensial 3TB…what a bad experience…next one must be ext drive without encription

since i need the data more than the harddrive itself, i tried open the cassing myself , and found that the usb-sata chip is broken…

i tried connect to my sata port, and though the disk is detected, it was unformatted

tried to scan with hdtune, all sector is fine…it just the data is lost…

try all recovery software just useless…

finally i have to find the same model WD essensial 3TB case…and my data is found…

now i blacklist all WD essensial for use…now using docking for ext drive

 

btw, can you give us info about list of extenal drive with/without hardware encription??

it could help us a lot.

Thx

Shauna
Guest

Interesting point, but I did not see any mentions of Authentication methods.  With the DataLocker ( http://www.datalocker.com ) hardware encrypted external hard drives,  the key and CSP (Critical Security Parameter) is protected by the physical enclosure through passcode authentication (RFID Tag/NFC 2-factor available). In addition, the key is stored in a reserved sector of the hard disk drive that is inaccessible to operators.  In the event that the hard drive enclosure/chassis fails, the encrypted data can be accessed again by swapping the internal HDD into a new DataLocker enclosure.  The data can only be decrypted if the correct passcode has been entered.
In a situation where the thief tries to guess the password, the DataLocker drive will self-destruct and zeroize all CSPs if a certain amount of consecutive failed authentication attempts are made. The probability that a brute force attack, given one minute of time, will succeed is 9 in 5,000,000, which is less than the required probability of one in 100,000.

DataLocker drives are portable,  secure and 100% independent of the host computer.  And with the DL-Link feature of the DL3, devices can be linked to specific computers for added security.

Jay
Guest

The encryption algorithm and encryption keys are not the weak link for encrypted storage products ;  its the authentication. Even 1024 Bit encryption is worthless if the password is set to 123456. Software encrypted products are much easier to brute force attack than hardware encrypted devices such as our product DataLocker.

http://datalocker.com/product-category/encrypted-storage/   (Confession, I work for DataLocker)

Most all encrypted hard drives and flash drives use a hash of a password to create a key (KEK or Key Encrypting Key)  which is used to encrypted a randomly generated AES Data Encryption Key (DEK). For software based encryption you can run a password generator to brute force the password that unlocks the encryption keys since this resides in memory or on the hard drive itself. For products such as ours, you have to physically enter the password plus the keys are stored in secure flash memory.

In addition, asic based hardware encryption runs much faster than software based encryption..

 

 

Jerry
Guest

Interesting that no one seems to remember the basis of public key encryption.  Data is encrypted and decrypted using a combination of a public key (in this case on the encryption chip) and private key (which the user sets when they set up the drive.)  No one can steal your encrypted drive, plug it into a computer and read your data unless they have your private key.  Your data is safe.  In the event (highly unlikely) that you get a power surge that fries the encryption chip and doesn’t also fry your drive, the company should be able to send you a new enclosure with the same public key.  So you add your private key and your data is available.

If you have an encrypted drive that works as soon as you plug it into your computer, you probably have an app on the computer that provides the private key automatically.  There is your security weak link.  Not the drive.  Make sure you set up the drive so that the key has to be entered every time you connect.  This applies to software as well as hardware encryption.

Eyasu Kifle
Guest

It is interesting that you mention the problem of failing chassis and hardware encryption, I work for a company that produces rugged external drives with FIPS 140-2 level software encryption.

You can see a comparison of our products here:
http://www.olixir.com/products/external-hard-drives/

wpDiscuz