Full Disk Encryption FAQs - Technical Support
Can I use a standardized disk image with FDE drives and still retain the encryption properties?
It should be possible to quickly deploy a standard image that holds the setup component for the Seagate Secure software application of your choice (not yet initialized). When the new system is ready to be assigned, IT or the user, depending on enterprise policy, runs the Seagate Secure initialization. Initialization locks in the passwords and encryption keys, which will be different on each system; it takes a few minutes and is done by the Seagate Secure-compatible software from within Windows. A special 130 MB storage zone on the FDE drive, off-limits to imaging tools, holds the pre-boot authentication (password) software.
In ATA Security mode this works like any standard disk drive and retains encryption properties.
Can I use an FDE drive on Dual or Triple Boot systems?
Whether using traditional ATA Security or Seagate Secure passwords, a working FDE system boots immediately to a password challenge screen. On success, the drive resets to normal capacity and boots to whatever OS environment is saved on the drive.
Some FDE software can set up a single sign-on into Windows XP or Vista. At this time, Seagate Secure-compatible setup and configuration software is only available for Windows Vista and XP. The setup software allows backing up the user name, password, and domain to a file and to off-line media. These backup files can also be password-protected and software-encrypted. Some software providers have enterprise solutions that allow management of passwords and audit control.
Can some of these FDE login accounts be tied to Active Directory by default, or does it require one of the partner solutions?
The Seagate Secure spec does not make any default association with Active Directory. However, some of the third-party software partners are adding that capability to their solutions. They may choose to tie all 8 possible user/password combinations to AD or just one; this is software vendor-specific.
Can system changes (e.g. creating new partitions) be done after the Seagate Secure feature set is installed?
Yes. The password challenge happens only after a cold boot; subsequent warm boots do not repeat it. So long as the procedure you have in mind does not power the system down, the steps are identical to those on a non-FDE drive.
As an experiment, we completely deleted all partitions on an XP drive and left only the pre-boot environment on the drive. To reload Windows XP, we started the system without the CD and entered the pre-boot password. It had nothing to read on the real MBR so it stopped, at which point we just closed the XP Setup CD tray, performed a warm boot and finished a typical XP installation. When a cold boot did occur, the password challenge activated and then went to Windows.
In this example, and in any case where data is removed from the OS area, the user must be careful to consult their Seagate Secure third-party software user information. To continue to manage the FDE drive's passwords, at some point the same third-party software must be placed back on the drive. Each brand of software may have unique instructions on how to accomplish this task.
Another option is that the pre-boot password challenge can be turned off from within the configuration software. There should be a second password challenge by the configuration software before changes are accepted. These actions are software vendor-specific.
Can we make the FDE system "multi-boot" and install additional Operating Systems?
Yes. Neither standard ATA Security nor the FDE pre-boot authentication environment is aware of the operating system that launches after the password. However, at this time only Windows software exists to install the Seagate Secure pre-boot environment, so install Windows and set up the pre-boot environment first; other operating systems can be installed afterwards.
A word about compatibility is important here. In the transition between the small pre-boot capacity and the full user data capacity, the system BIOS is asked to auto-detect the change in size. Some older SATA notebook systems missed the new size.
How do FDE drives handle anti-virus software?
Because the FDE.2 drive uses its own hardware to encrypt data, encryption activity takes place out of sight of the computer, any operating system and any software. Antivirus and similar software therefore operate exactly as they would on a non-FDE drive, unaware of the encryption happening at the drive level. This isolation from the operating system is one of the most significant differences between hardware and software encryption solutions.
How do FDE drives handle Operating System updates?
The strong pre-boot password authentication controls we recommend are executed only from a "cold" start. This applies to a system that has been powered off and to the power-saving hibernation state; in those cases you must enter the password before the hard drive will operate. When the drive is "warm" and the computer is merely restarting, as after a typical operating system update, the drive and system boot normally without requiring a password, just like a generic drive.
How do FDE drives work with Windows Hibernation power saving mode?
Windows Hibernation (S4) is a cold start and would force password authentication on any drive-level password. Other power saving states that keep some power to the drive would not be challenged.
Windows Standby (S3) may or may not be supported in the Seagate Secure third-party software. The user needs to check with the software company to determine whether Standby is supported. If not, the software will force Hibernate (S4) in place of Standby (S3).
How do I backup an FDE drive?
Unlike software encryption, FDE offers no way to read the drive's data in its raw, encrypted state. Data always passes through the drive's encryption engine on every read and write, and Seagate FDE drives cannot turn the encryption/decryption engine off. Consequently, whenever data is read for backup purposes, even for raw image backups, it has already been decrypted by the time it arrives at the backup destination. General-purpose backup software and off-site backup companies therefore support FDE drives without modification. The flip side is that the backup copy is plaintext: the drive's protection does not travel with the data, so backup media and off-site copies need their own encryption or access controls.
How do I recover a lost password or back up the keys on FDE drives?
The third-party software for managing Seagate Secure FDE passwords will have password backup options and emergency boot procedures. The manufacturers of the software can best describe the specifics.
The specification allows the encryption keys to be managed. Check with the third-party developer of the software to determine whether encryption key backup and restore is available. Most software available today can also issue the command to generate a new encryption key, which immediately renders the data on the drive useless. This is sometimes called cryptographic erase.
How do I setup an FDE drive?
Every Seagate FDE drive is built to encrypt all data, all of the time, right out of the box. Each drive has a unique encryption key, so two drives given the same data to write store different bit patterns on their media. The encryption is transparent to the user and to the operating system, so an FDE drive without any passwords controlling access behaves like a non-FDE drive. It is the activation of passwords, through either ATA Security or the richer Seagate Secure feature set, that protects the drive from unauthorized access.
A new FDE drive loads the operating system and any other applications just like a non-FDE drive. Third-party FDE drive management software which implements the Seagate Secure password controls is loaded after the initial OS and applications are set up. In lieu of third-party software, traditional ATA Security passwords can be used to protect the drive from unauthorized access.
When the owner is ready to activate password authentication, the FDE drive management software takes control of the boot process and of access to the data on the drive. Great care should be taken to follow all password backup options and recommendations to create emergency backup disks. Seagate does not have data recovery services for FDE drives with lost passwords.
What happens if the password is forgotten or lost for an FDE drive?
The third-party software that manages the passwords for FDE drives has options to create emergency boot diskettes and password backup files for use when passwords are lost or forgotten. Depending on the software vendor, the emergency tools may be stored on simple floppy diskettes, USB flash drives or even enterprise-wide hardware management databases controlled by IT.
Once FDE passwords are employed to lock the drive, only one of those passwords will unlock it. There are no "back doors" on FDE drives. If the passwords are absolutely lost, the drive and its data are inaccessible. Therefore, great care should be taken to follow all password backup options and recommendations to create emergency backup disks. Seagate does not have data recovery services for FDE drives with lost passwords.
Laptop FDE drives require a password to reset the encryption key, which is also called cryptographic erase. Seagate BlackArmor USB external storage (with FDE drives) can perform a cryptographic erase using a drive-unique master ID password.
What is FDE cryptographic erase?
Each FDE drive has a unique encryption key, through which data is processed in real time as it is saved to the media. Given the same original data, each FDE drive saves a different bit pattern to the media, while non-FDE drives all save the same bit pattern. The same key is used to decrypt the data, so if the encryption key is changed in any way, all data on the drive becomes useless bits. The only way to read the data again is to restore the original encryption key.
Disk drives are often redeployed to new systems or users. Drives with sensitive or confidential data are traditionally erased by overwriting the entire media, and a thorough overwrite can take many hours. FDE drives have the unique ability to render all data useless in an instant by changing the encryption key. When a drive's encryption key is changed intentionally to wipe out the data, it is called cryptographic erase.
Third-party software is required to change an FDE drive's encryption key. Some secure laptop manufacturers are adding FDE support to their system BIOS options, and a few are planning to offer secure erase through the BIOS (a quick cryptographic key change), which the drive supports.
Will 'ghost' style drive copying tools work with FDE drives?
Yes. Either disable the password challenge, or warm boot to the ghosting software CD after passing the Seagate Secure password challenge. If the CD is booted first from a cold start, all that will be ghosted is the 130 MB capacity allocated to the pre-boot software. Because the pre-boot portion exists outside the range of user sectors, that small image cannot be written to a second FDE drive.
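The behaviour this FAQ describes in several places, namely transparent encryption that makes every backup a plaintext copy, a unique key per drive, the cold-boot password challenge that warm boots skip, the reduced capacity an imaging tool sees from a cold start, key backup and restore, and cryptographic erase, can be followed in one runnable toy model. This is an added example written for this page; it is not Seagate firmware, the Seagate Secure software, or any vendor's API. It assumes an HMAC-SHA256 counter-mode keystream in place of the drive's hardware AES engine (so it needs only the Python standard library), a 4-sector pre-boot zone standing in for the 130 MB zone, byte-string passwords, and invented class and method names (FdeDrive, crypto_erase, backup_key and so on).

```python
"""Toy model of a self-encrypting (FDE) drive, added as an example for this FAQ.
Not Seagate firmware or the Seagate Secure API. Assumptions: an HMAC-SHA256
counter-mode keystream stands in for the hardware AES engine, the 130 MB
pre-boot zone is 4 sectors, and passwords are byte strings."""
import hashlib
import hmac
import os

SECTOR = 512
PREBOOT_SECTORS = 4  # stand-in for the 130 MB pre-boot zone (assumption)


class FdeDrive:
    def __init__(self, user_sectors=16):
        self.dek = os.urandom(32)  # data encryption key: unique per drive, set at the factory
        self.media = {}            # LBA -> ciphertext actually stored on the platters
        self.preboot = {}          # pre-boot zone, outside the user LBA range
        self.user_sectors = user_sectors
        self.password = None       # no password: the drive behaves like a non-FDE drive
        self.locked = False

    # Crypto engine: always in the read/write path and cannot be switched off.
    def _xor_keystream(self, data, lba):
        blocks = [hmac.new(self.dek, lba.to_bytes(8, "big") + ctr.to_bytes(4, "big"),
                           hashlib.sha256).digest() for ctr in range(SECTOR // 32)]
        return bytes(x ^ k for x, k in zip(data, b"".join(blocks)))

    # Access control: the password challenge happens on cold boot only.
    def _check(self, pw):
        if self.password is not None and not hmac.compare_digest(pw, self.password):
            raise PermissionError("wrong password")

    def unlock(self, pw):
        try:
            self._check(pw)
        except PermissionError:
            return False
        self.locked = False
        return True

    def power_cycle(self):  # cold boot (power off or S4 hibernate); a warm reboot touches nothing
        self.locked = self.password is not None

    def capacity(self):  # a locked drive exposes only the pre-boot zone to the BIOS/host
        return PREBOOT_SECTORS if self.locked else self.user_sectors

    def write(self, lba, data):
        if self.locked:
            raise PermissionError("user area unavailable until authenticated")
        self.media[lba] = self._xor_keystream(data, lba)

    def read(self, lba):
        if self.locked:
            if lba < PREBOOT_SECTORS:
                return self.preboot.get(lba, bytes(SECTOR))
            raise PermissionError("user area unavailable until authenticated")
        # The host never sees ciphertext, so even a raw image is plaintext.
        return self._xor_keystream(self.media.get(lba, bytes(SECTOR)), lba)

    # Key management that the FAQ says third-party software may expose.
    def backup_key(self, pw):
        self._check(pw)
        return self.dek

    def restore_key(self, pw, key):
        self._check(pw)
        self.dek = key

    def crypto_erase(self, pw):
        """Replace the DEK: every stored sector becomes useless in an instant."""
        self._check(pw)
        self.dek = os.urandom(32)


def demo(password=b"correct horse"):
    """Exercise the FAQ's claims and return each observation in a dict."""
    plain = b"payroll-2024.xls".ljust(SECTOR, b"\0")  # constructed sample sector
    a, b = FdeDrive(), FdeDrive()
    a.write(5, plain)
    b.write(5, plain)
    out = {"read_is_plaintext": a.read(5) == plain,        # backups come out decrypted
           "media_is_not_plaintext": a.media[5] != plain,
           "two_drives_differ": a.media[5] != b.media[5]}  # unique key per drive
    a.password = password          # software initialization sets the password
    out["warm_boot_no_challenge"] = a.read(5) == plain      # nothing relocks on a warm boot
    a.power_cycle()
    out["cold_boot_capacity"] = a.capacity()                # what a ghosting CD would image
    try:
        a.read(5)
        out["locked_read_blocked"] = False
    except PermissionError:
        out["locked_read_blocked"] = True
    out["wrong_password_rejected"] = not a.unlock(b"wrong")
    out["unlocked_read_ok"] = a.unlock(password) and a.read(5) == plain
    saved = a.backup_key(password)
    a.crypto_erase(password)
    out["erased_data_unreadable"] = a.read(5) != plain
    a.restore_key(password, saved)
    out["restored_data_readable"] = a.read(5) == plain
    return out
```

Calling demo() returns every observation as True except cold_boot_capacity, which comes back as the pre-boot size, not the user capacity: that is the whole image a cold-booted ghosting CD would capture. The model also makes the backup caveat concrete: read() never returns ciphertext, so any byte that reaches a backup destination is plaintext and must be protected by the backup system, not by the drive.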