Encryption Keys: The Cliff Notes Version, Part 4

In my prior three posts, I provided an overview of encryption key fundamentals and the various encryption key mode strategies that can be implemented in a Mercury secure SSD. If you did not read those, stop everything and go back to them now! Or, stay here, keep reading and you’ll find a simple, easy-to-use process flow diagram to guide you to the best key management mode for your application.

It is important to note, these are only general guidelines. If you have questions or doubts, consult with a security implementation expert. In this entry, I will also share our new key management mode for secure boot which is under development and releasing soon.

The first question to ask when getting started: will the data be stored on an end user device for a CSfC-approved implementation? If so, the key management mode options are limited to either Mode 1 or Mode 6. If the program is a black key program, Mode 6 is required.

If your data storage implementation is not intended for the CSfC program, answering these questions below will help in your decision:

  1. Is data recovery after key purge required? The answer to this question determines whether you need a self-generated key (Mode 1) or a user-generated key (Modes 2 through 6).
  2. Is the program a black key program? If so, Modes 5 and 6 are appropriate. Mode 6 includes an ATA password authentication, which is recommended unless there is a specific justification to avoid doing so.
  3. If not a black key program, is automatic key purge beneficial or required for the mission? Session keys provide automatic key purge when power is removed from the device.
  4. Is the added security layer of an ATA password required for the specific security implementation? If unsure of the answer to this question, it is best to err on the side of caution and implement an ATA password.

Read More

Data Security CSfC

Military-Grade SSDs Part 4: How Many Licks Does it Take to Get to the Center of a Tootsie Pop: One, Two…

What is the NSA hiding from us???  Hopefully all classified, secret and top secret data!

As part of their recent initiative to leverage commercial technologies in a sophisticated layered approach, the NSA is enabling an alternative to traditional Type 1 security solutions for the protection of data up to the Top Secret level. By adopting these agile commercial innovations, the Commercial Solutions for Classified (CSfC) Program will save time and money for classified programs in all branches of government — from benign data centers to forward-deployed systems in harsh, unsecure environments. While I discuss the CSfC program in this blog post, the CSfC program’s website is the ultimate authority for up to date information.

Read More

Military-Grade Solid State Drives

Military-Grade Secure Solid State Drives Part 3: Diamonds are Forever; Encryption Keys Last Longer

Have you ever forgotten your password for your work laptop and had to go to your IT guy for help to reset it? Imagine if it was that easy when the data on the hard drive was classified or top secret.

Commercial SSDs use basic ATA password to access drive data. Military and government applications require higher security and therefore basic ATA passwords must be strengthened and sophisticated key management techniques employed.  Self-encrypting drives allow for up to 32 character passwords while Mercury drives 64 characters. One technique is to condition the password.  By this you can create a unique suffix to the end of a password that changes with each log-in, making the password impossible to hack.
Read More

AES256bit encryption

Military-Grade Secure Solid State Drives Part 2: Encryption Decoded

In my introduction to military grade SSDs I conjured an image from a familiar movie of a data recorder destroyed by internal combustion to remove evidence of high value data. While the end result is the same, the implementation of self-destruct in the real world can be a bit different than in Hollywood.  In military-grade solid state drives, self-destruction of data or a data storage device happens through sophisticated non-thermal events. Advanced algorithms are used to erase encryption keys, non-volatile NAND flash memory, and controller firmware.  Other mechanisms can be employed to wipe the drive by high powered magnetic exposure. In these scenarios the data and device will be rendered useless with no chance of reverse engineering, but no flames or bodily harm will ensue. Read More