Full Disk Encryption FAQs - PreSales

Frequently asked questions on Seagate Full Disk Encryption from the point of view of Presales.

See Document ID: 205983 for Technical Support FAQs. 

Click on the links below to move to the answer.

Are Seagate FDE drives FIPS-2 compliant?
The drive has been qualified for use in National Security Systems while operating with DriveTrust Technology for the protection of sensitive but unclassified information in national security system solutions, and is acceptable for use with other approved assurance mechanisms in classified national security systems.  The Momentus FDE.2 drive has not been issued a FIPS 140-2 certificate, but according to FIPS standard, "cryptographic modules that have been approved for classified use may be used in lieu of modules that have been validated against this standard."

The NSA qualification letter states that this product is "acceptable for use within national security systems."

Can I put an FDE drive into any SATA system?
These drives are SATA interface with standard system compatibility.  There are some Seagate Secure commands that may require a BIOS compatibility review.   All Momentus FDE drives are always encrypting data and there is no way to disable that activity. Each drive has its own encryption key, so no two systems save the same data.

Momentus FDE drives can be described having three password modes:  OFF, standard ATA security, and Seagate Secure security.  When passwords are OFF, the drive family can run on any OS, system and BIOS.  When passwords are managed using standard ATA security, any notebook BIOS with password controls is compatible.  In this case, the password challenge looks exactly the same as a non-FDE drive.  These two password modes are also valid for non-Windows applications.  

The Seagate Secure pre-boot authentication password requires the system BIOS to issue a warm boot reset after the password is accepted.  While this BIOS reset is simple and common, we have seen a few early SATA laptop systems that did not support the command.  For this reason, we recommend pre-qualification compatibility testing or certified systems partner products.

Security Mode Pre-qualification Compatibly
Testing Recommended?
Standard ATA
(system BIOS managed)
Seagate Secure
(client or enterprise managed)

At this time, Seagate offers the Momentus 5400 FDE.2 family of laptop drives in capacities from 80 to 160GB.  

At this time, Seagate Secure security commands are supported by third party software vendors under Windows Vista and XP and on a growing list of specific certified systems.  

Can I turn encryption off on an FDE drive?
No.  Seagate FDE drives always encrypt data through a unique encryption key… always.  Since no two FDE drives have the same encryption keys, no two FDE drives write the same data patterns to the media given the same data to save.  Passwords, on the other hand, can be activated and deactivated.  When passwords are turned off, the drive behaves just like an ordinary drive.

Can I use an FDE drive in a Mac?
Hardware encryption on the drive occurs no matter what OS runs.  Seagate Momentus FDE.2 drives are born encrypting and each drive writes uniquely encrypted data.  Along with encryption, FDE drives support two types of Security Command Set modes: Traditional ATA Security and the Seagate Secure commands developed by Seagate.  Either of these modes controls the passwords to authenticate access to the drive.  Passwords can also be kept off.

Newer Mac systems use the Extensible Firmware Interface (EFI) in lieu of a BIOS.  The traditional ATA Security set passwords are system managed and depend on BIOS which means that the newer Apple notebook systems cannot set or use traditional ATA Security passwords.  The Seagate Secure passwords are managed by client software.  This means that this technology can be adapted, eventually, to the Apple Mac.

The Seagate Secure command set relies on third-party developers and applications.  Several software vendors are offering diverse solutions for this pre-boot authentication process.  

Can I use software encryption on an FDE drive?
Yes, any other kind of software encryption technology may be deployed on an FDE drive.  The very strong Seagate Secure pre-boot authentication feature controls all initial access to the drive.  After that password challenge is satisfied, the drive boots like a typical drive.  You can employ any other type of encryption or security software because they are activated after the FDE pre-boot authentication controls.  Theoretically, you could use a BIOS System password, hard drive password, partition (software encryption) passwords, operating system login password, and folder encryption all on the same system.

One thing to remember is that software encryption may cause the system to slow down.

Can you use the FDE drives in an external eSATA enclosure and still use the encryption capability?
In theory, the answer is yes.  Seagate FDE drives and the underlying technology would lend themselves to the type of device envisioned here.  However, at this time there are no eSATA solutions available to purchase.   

In a related design, Seagate has also manufactured (but no longer manufactures) a line of external drive under the Maxtor brand called "BlackArmor".  It uses a Seagate Full Disk Encryption hard drive within a USB enclosure.  In addition, it has software to support the Seagate Secure features available in the drive.  See here the Maxtor BlackArmor User Guide

Do I need software to make a Momentus FDE drive work?
Momentus FDE supports two security modes – ATA Security mode, which requires no software to work and a higher level of security called Seagate Secure (DriveTrust), which does require third-party software – both of which offer full disk encryption.

The Seagate Secure feature set includes a robust pre-boot password authentication environment and hierarchical levels of passwords.  For a complete review of Seagate Secure (formerly known as DriveTrust) please see our white papers (on Drive Trust, on Drive Trust Overview).  Without special software, Seagate FDE drives also support traditional ATA passwords.  All manufacturers of laptop computers support ATA Security passwords.

In addition, passwords can be turned off all together and the drive will appear to operate just like a typical drive, albeit encrypting all data to the disks.  In fact, this last state is how the operating system and applications or images are loaded on the drive.

Does an FDE drive just cut off access to the drive?  
Every Momentus FDE.2 drive always saves AES-level encrypted data to the physical media.  Each drive has a unique encryption key, which means no two drives save the same data patterns given the same data.  When a FDE drive is new, out of the box, the password controls are disabled.  In this scenario, the drive can receive the Windows OS and user applications (including the Seagate Secure password applications) and boot just like an ordinary drive.  As stated before, no two FDE drives are saving the same bit patterns to the physical media.  Once the system is fully built, the next phase is to activate the password controls using specific third-party software (like that from Secude or Wave Systems).  Once the Seagate Secure passwords are activated, then the user data sectors are inaccessible by firmware restriction until the password challenge is met.  After the passwords are accepted, then the drive boots and runs like an ordinary drive (albeit saving AES encrypted data to the physical media).

It is entirely possible to use software encryption in addition to hardware FDE.  Many people may still want to encrypt folders or files as special cases.  With software encryption, booting to a CD and running data erasure software can erase the data on an ordinary drive.  With Seagate's FDE Seagate Secure technology, the data sectors are simply unavailable until after the password challenge.

Here are a couple of additional documents that may have new information for you: 

--DriveTrust™ Technology: A Technical Overview
--Seagate First Hard Drive Maker to Win NIST Certification for Encrypting Hard Drive

Does FDE work with fingerprint readers?
For the past decade, drive-level security options for notebook computers have been limited to one user password managed by the system BIOS and a couple of other commands like locking passwords, etc.  While very simple, they are industry standards nonetheless.  With FDE and the Seagate Secure security command set, Seagate has proposed standards that are under review by the Trusted Computing Group and ATA standards committee.  As open standards, third-party software providers will invest time and energy in developing applications that support the enhanced Seagate Secure commands (4 user passwords, hidden pre-boot authentication storage space, encryption key change and erase, and more).

The pre-boot Seagate Secure password application is given a space of about 130 MB to store its code.  Depending on the software vendor's product, biometric enhancements can be added to supplement the Seagate Secure password challenge.  

Some secure laptop system BIOS implementations now support multifactor authentication using devices like fingerprint readers.  Each brand of system or software has unique and interesting options that are best described by the manufacturer. 

Does Seagate bundle software to manage the Seagate Secure feature set on Momentus FDE drives?
Seagate does not offer any software with FDE drives to manage passwords or other security features.  Seagate relies on third-party software vendors to supply several different solutions for client and enterprise architectures and for different operating systems.  Several software vendors are offering diverse solutions for this pre-boot authentication process.  

You can use the Seagate SeaTools diagnostic software to test a FDE drive.  You can use the Seagate DiscWizard application to migrate the Windows OS and data to a new FDE drive. 

If FDE series of hard drives depend on computer BIOS for the preboot authentication, can they support EFI-based systems (such as Intel Macbooks or some EFI-only servers)?
Apart from the host system, the FDE disk commands are system- and OS-unaware, but they do depend on third-party software solutions to provide a user interface.  As of today, the first software solutions implementing Seagate Secure technology are written for Windows XP, Vista and the traditional PC BIOS.  Other than development time, there is nothing standing in the way of support for other platforms like Mac, Linux, embedded OS, with or without BIOS or EFI, etc.

Since the firmware on Seagate FDE drives also supports the traditional ATA security commands, compatibility is equivalent to non-FDE disk drives using regular ATA passwords, with the added benefit that Seagate Momentus FDE drives are always encrypting - each unit using a unique encryption key, regardless of the two available password methods.  Traditional ATA security passwords depend on traditional BIOS to manage the password transaction.  At this time, Apple Mac systems with EFI (Extensible Firmware Interface) in lieu of BIOS do not support traditional ATA security passwords.

New software and certified systems are steadily coming online. 

If someone tries to change the FDE drive password, will the data on the drive will be deleted?
Users can change passwords through their configuration software as often as they want.  The data on the drive is not affected by password changes.  Changing passwords does not cause a loss of data (unless the password is forgotten and no backup exists).  The enterprise versions of the configuration software may restrict password changes for reasons of audit control.

Between the two security modes on the drive, traditional ATA security and the Seagate Secure mode, there are significant differences regarding passwords.  Seagate Secure and traditional ATA password modes are mutually exclusive. One cannot activate both types of passwords at the same time.

Every FDE drive using Seagate Secure technology can set up to four User and four Administrative drive passwords.  Administrative passwords will unlock the drive and can reset User passwords.  Users are able to change their own password, unless disabled by enterprise management software.  

With traditional ATA security passwords, there is one User and one Master password.  The User passwords can have two levels: High and Maximum.  Master passwords can unlock and change high level User passwords.  Master passwords can only issue a Secure Erase command to a maximum level set User password.

The encryption key, however, is a 128-bit AES random number set differently on every drive.  No two drives will have the same encryption key.  All encrypt and decrypt activity moves through the key.  Changing the encryption key is what makes the data irretrievable, which occurs on a secure erase.  

We've been looking at the Momentus FDE drives as delivered by Dell with the Wave Embassy suite back-end.  Will these drives work with other vendors' software-based back-end solutions, or will we only be able to use the Wave system?
Wave will have a definitive answer as to the extent of their security features set and the high-level OS enterprise services they use.  While the drive ultimately unlocks with a correct password, there is no limitation to the software tools that may take the user password input (or fingerprint or SmartCard enhancements) and subsequently hash it before presenting it to the FDE drive.

As to the drive's behavior, the Seagate Secure password is required after any cold restart - at power-on from off or hibernation.  Protecting "data at rest" is the key point.  The drive firmware, protected storage zones on the drive's media and secure interface communications protocols are designed to the highest levels of trusted computing standards.  If the password challenge is not satisfied, the system BIOS will not ever see the first boot record on the drive.  If the laptop system is lost, or the password is lost (or unknown) the drive is useless.

After the initial password challenge is met, the drive behaves the same as an ordinary drive.  Wave is installing the client pre-boot authentication software and managing the passwords (either locally or through the enterprise) that are needed before the first master boot record of the OS even loads.  The actual decryption and encryption of data is happening on the fly in the disk drive.  

What is the difference between Seagate Secure and DriveTrust?
We use the term Seagate Secure as a marketing title for the many features available in Seagate's Momentus FDE.2 hard drive with real time, hardware encryption.  These include the encryption activity, key management and a unique and very important password-controlled boot management system.  At the beginning of our first-generation products, Seagate used the term DriveTrust for the same feature set.  Several datasheets and white papers were produced during this time using DriveTrust terminology.  Seagate Secure has replaced DriveTrust and so each should be considered as equivalent terms.

What is the end user experience with an FDE drive?
New, out of the box, FDE drives boot the same way as generic disk drives, allowing partitioning, formatting and OS installation - including complex multi-OS boot selectors.  It is possible for a FDE drive to operate with security turned off for its entire use.  Simple ATA Security drive passwords can be set in the system BIOS setup. These plain passwords operate the same on FDE drives as they do on ordinary drives.

Along with Full Disk Encryption, Seagate also introduces a robust set of password authentication features and disk access commands, collectively branded as Seagate Secure.  One of these features can be described as a pre-boot authentication.  Seagate Secure passwords are used instead of standard ATA Security passwords.

After the system is built and fully configured, the next phase is to install some third-party software that manages the disk drive through the Seagate Secure feature set.  Most of these applications provide an separate initialization step to enable the Seagate Secure features and backup passwords.  The first step loads password-control software to a hidden pre-boot partition (which is pre-sized at the factory to 130MB).  The next step sets the user and/or manager passwords (up to 4 each are possible in the spec).  The final step activates the pre-boot partition and password control.

From a cold boot, the system BIOS sees no more storage than the space defined in the Seagate Secure pre-boot partition.  No drive diagnostic or forensic-level tool can see anything more than these sectors or outside of these bounds.  Only the password authentication software is stored in this partition.  No user data exists at this location, not even the main master boot record.  After the password challenge is successful, the software instructs the drive to hide away the pre-boot sectors and un-hide the user data sectors (full capacity).  The disk drive does a kind of warm device reset that presents the real master boot record to the BIOS.  From this point on, including any warm reboots, the disk drive behaves the same as an ordinary drive.

Seagate has developed a specification that is supported by a growing number of independent security software vendors.  The actual user interface is left to them and defined by how they write the software.  At the simplest level, the software can issue a straightforward password challenge.  It could also support multifactor authentication  biometric enhancements like a fingerprint reader or device enhancements like a SmartCard reader.  The Seagate Secure specification gives the software providers room to be as creative as they want.  The 130MB partition space allows them to consider using a robust pre-boot OS like Linux to run their application with broad graphical and device support.

What other security measures can I use with FDE drives?
FDE drives with Seagate Secure technology are all about controlling access to the drive in the first place, through strong password authentication.  This is called protecting data at rest.  If the laptop is ever stolen, unlike software encryption, no diagnostic or forensic software will even see the scrambled, encrypted data, much less the decrypted confidential data.

Encryption can be layered just like passwords can be layered (we are all familiar with needing two or three passwords to finally read our email.)  It is always possible to utilize selective software encryption on FDE drives.  You could further encrypt (with software) a specific folder or zip files.  You could divide a disk drive into multiple drive letters (called partitioning) and encrypt with software one of the logical drives.

If your laptop, setup using FDE drives and Seagate Secure boot passwords, is lost or stolen, your confidential client data is simply nonexistent to the new "owner" of the laptop.  This is because the disk drive's own control software doesn't begin the boot process without the proper authentication.  In fact, the FDE drive itself is useless as well because it cannot be wiped clean and reloaded with a fresh install of the operating system without the ATA Security or Seagate Secure passwords.

Where can I find a specification and data sheet on the Maxtor BlackArmor, specifically detailing the encryption standard used,  its adherence to any government encryption standards?
The Maxtor BlackArmor external USB drive and the Seagate Momentus FDE SATA drive are very closely associated.  The Momentus FDE.2 is used by BlackArmor.  Therefore the encryption standard is AES-128.  The Security News and Events page on our website has several press releases, but does not include these two which have useful information.  The NIST certification speaks to this adherence question.

--Lock It Up With Maxtor® BlackArmor™, Hardware Encrypted Storage Provides Government Grade Security for Consumers
--Seagate First Hard Drive Maker to Win NIST Certification for Encrypting Hard Drive

The BlackArmor drive uses "pre-boot" password authentication before either physical or logical access is given to the areas of the drive that contains user data.  Prior to password authentication, only 130MB of non-data space is visible to the USB drivers and Windows operating system.  

This "pre-boot" space:

  • contains the traveler application - the GUI and software to manage the password challenge 
  • is read-only and cannot contain user data 
  • is inaccessible after password authentication

In closing, if the BlackArmor drive is ever lost, the user data is protected by both firmware-restricted access to the data area and by the AES encryption of all data everywhere on the device.  Since every drive uses a unique encryption key, no two drives, given the same data to save, write the same data patterns.

Who makes the software to manage the Seagate Secure feature set on Momentus FDE drives?
Software companies other than Seagate manufacture the tools that can control FDE drives.  The FDE disk drive is designed to restrict access to the data regions of the media until valid password authentication is accomplished. Besides simple passwords, there are multifactor authentication biometric devices such as fingerprint readers that could be used as part of the authentication strategy.  Theoretically, somebody might want multiple levels of control with passwords and fingerprints - maybe even more controls.  Some software is designed for a single system drive, while others are an enterprise-wide architecture to control many systems.

Several software vendors are offering diverse solutions for this pre-boot authentication process. 

Would there be any problems with making the FDE drive a secondary drive for all of our sensitive data or would the FDE drive have to be the primary drive with the operating system on it?
At this time, the password challenge that allows access to a Momentus FDE internal drive is issued at boot time, by the boot device.  The software tools that manage the pre-boot password are for the boot drive only.

The Seagate Secure specifications anticipate the mounting or hot-plugging of additional internal devices (with subsequent password challenges) but the third-party tools and software device drivers are not yet developed.  Another possibility may be that multiple FDE drives could be supported by one initial password challenge.  Again, we have not seen any third-party support for this type of configuration.

On the other hand, we have a related technology using FDE drives that may be of interest to you.  Under our Maxtor Solutions brand, we have just begun shipping the BlackArmor product:  It uses the Seagate Full Disk Encryption hard drive within a USB enclosure.  In addition, it has software to support the Seagate Secure features available in the drive.  See here the Maxtor BlackArmor User Guide.

How do I purchase an FDE drive?
At this time, Seagate FDE drives are available only through select distributors and certified systems partners. If you are interested in qualifying FDE drive with your systems see the Authorized Distributors section for your contact.