As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option is an information handling system (IHS). An IHS generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes. Because technology and information handling needs and requirements may vary between different applications, IHSs may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in IHSs allow for IHSs to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, global communications, etc. In addition, IHSs may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
In some cases, certain IHSs may include one or more self-encrypting drives, such as self-encrypting Hard Disk Drives (HDDs) or Solid State Drives (SSDs). Generally speaking, a self-encrypting drive includes a circuit built into the disk drive controller chip that encrypts and decrypts data to and from the drive's storage media automatically. In most applications, a self-encrypting drives encrypts/decrypts all the time, but the process is mostly transparent to users.
The encryption key used in self-encrypting drives is the Media Encryption Key (MEK). Locking and unlocking the drive, however, requires yet another key, called the Key Encryption Key (KEK), which is also used to encrypt or decrypt the MEK. If a KEK is set, the drive will power up locked until the correct KEK is given to the drive by the user.
When a locked self-encrypting drive is powered up, the IHS first sees a “shadow disk” that is much smaller than the real disk. The software in the shadow disk is read-only, and requires the KEK from the user to unlock the underlying disk and to decrypt the MEK. The shadow disk software stores a cryptographic hash of the KEK so it can recognize if the user gives the right KEK. When the user enters the KEK the shadow disk creates a hash of that passcode and compares it with the stored hash of the KEK. If the two match, the MEK is decrypted and put into the encryption/decryption circuit inside the drive. The IHS is called to start from the disk again, but now with the disk's full capacity, and the OS boots as usual.