Disk encryption hardware

From Wikipedia, the free encyclopedia

To protect confidentiality of the data stored on a computer disk a computer security technique called disk encryption is used. This article discusses hardware which is used to implement the technique (for cryptographic aspects of the problem see disk encryption). Compared to access restrictions commonly enforced by an OS this technique allows to protect data even when the OS is not active, for example, if data is read directly from the hardware.

Hardware designed for a particular purpose can often achieve better performance than software implementations. And disk encryption hardware can be made more transparent to software than encryption done in software. As soon as the key has been initialized, the hardware should in principle be completely transparent to the OS and thus work with any OS. If the disk encryption hardware is integrated with the media itself the media may be designed for better integration. One example of such design would be through the use of physical sectors slightly larger than the logical sectors.

[edit] Common disk encryption hardware:

[edit] Criticism

Disk encryption hardware has been criticised for a number of reasons. Some hardware makes use of ciphers with 64 bit blocks such as DES and Triple DES, but because of the birthday bound such ciphers are insecure unless the amount of data encrypted is significantly smaller than 32GB. Some hardware makes use of keys as small as 40 bits, which are easily brute forced.

The hardware solutions have also been criticised for being poorly documented. Many aspects of how the encryption is done are not published by the vendor. This leaves the user with little possibility to judge the security of the product. It also increases the risk of a vendor lock-in.