Data security is a growing requirement for businesses of all sizes today. While many companies have invested heavily in methods to thwart network-based attacks and other virtual threats, few effective safeguards have been readily available to protect against potentially costly exposures of proprietary data resulting from a hard drive being physically stolen, misplaced, retired, or redeployed. Self-encrypting drives (SEDs) can satisfy this need by providing the ultimate in security for data-at-rest and can help reduce IT drive retirement costs in the data center. When combined with the compatible RAID controllers, the 6Gbps SAS SED drives in IBM System x servers deliver superb performance per watt with a cost-effective, secure solution for businesses of all sizes. Self-encrypting drives are also an excellent choice if you need to comply with government or industry rules regarding data privacy and encryption.
Data security is a growing requirement for businesses of all sizes today. While many companies have invested heavily in methods to thwart network-based attacks and other virtual threats, few effective safeguards have been readily available to protect against potentially costly exposures of proprietary data resulting from a hard drive being physically stolen, misplaced, retired, or redeployed.
Self-encrypting drives (SEDs) provide the ultimate in security for data-at-rest and help reduce IT drive retirement costs in the data center. When combined with the compatible RAID controllers, such as the IBM ServeRAID M5015, M5014, and M1015 SAS/SATA Controllers with the appropriate Advanced Feature Key, the 6Gbps SAS SED drives in IBM System x servers deliver superb performance per watt with a cost-effective, secure solution for businesses of all sizes. Self-encrypting drives are also an excellent choice if you need to comply with government or industry rules regarding data privacy and encryption.
These drives are the industry’s top-performing secure hard drives, capable of ensuring protection of data-at-rest against theft or when drives leave your control; reducing IT drive retirement costs and delivering more transactional performance density at the lowest power for environmentally friendly enterprise storage systems.
Figure 1. The IBM 146GB 15K SED Drive
Did You Know?
The 128-bit AES security that self-encrypting drives provide can reduce drive retirement expenses while still protecting data and is one of the easiest, most cost-effective security measures you can implement.
Part number information
Table 1. Ordering part numbers and feature codes
|Description||Part number||Feature code|
|IBM 146GB 15K 6Gbps SAS 2.5" SFF Slim-HS SED disk drive||44W2294||5412|
|IBM 300GB 10K 6Gbps SAS 2.5" SFF Slim-HS SED disk drive||44W2264||5413|
The part numbers for each disk drive include the following items:
- One IBM 2.5" SED hard disk drive
- Product publication
Features and Benefits
Self-encrypting drives (SEDs) provide benefits in three main ways:
- By encrypting data on-the-fly at the drive level with no performance impact
- By providing instant secure erasure (cryptographic erasure, thereby making the data no longer readable)
- By enabling auto-locking to secure active data if a drive is misplaced or stolen from a system while in use
The following sections describe the benefits in more details.
It is vital that a company keep its data secure. With the threat of data loss due to physical theft or improper inventory practices, it is important that the data be encrypted. However, challenges with performance, scalability, and complexity have led IT departments to push back against security policies that require the use of encryption. In addition, encryption has been viewed as risky by those unfamiliar with key management, a process for ensuring a company can always decrypt its own data. Self-encrypting drives comprehensively resolve these issues, making encryption both easy and affordable.
When the self-encrypting drive is in normal use, its owner need not maintain authentication keys (otherwise known as credentials or passwords) in order to access the data on the drive. The self-encrypting drive will encrypt data being written to the drive and decrypt data being read from it, all without requiring an authentication key from the owner.
Drive retirement and disposal
When hard drives are retired and moved outside the physically protected data center into the hands of others, the data on those drives is put at significant risk. IT departments retire drives for a variety of reasons, including:
- Returning drives for warranty, repair, or expired lease agreements
- Removal and disposal of drives
- Repurposing drives for other storage duties
Nearly all drives eventually leave the data center and their owner's control. IBM estimates that 50,000 drives are retired from data centers daily. Corporate data resides on such drives, and when most leave the data center, the data they contain is still readable. Even data that has been striped across many drives in a RAID array is vulnerable to data theft because just a typical single stripe in today’s high-capacity arrays is large enough to expose, for example, hundreds of names and social security numbers.
In an effort to avoid data breaches and the ensuing customer notifications required by data privacy laws, companies use different methods to erase the data on retired drives before they leave the premises and potentially fall into the wrong hands. Current retirement practices that are designed to make data unreadable rely on significant human involvement in the process, and are thus subject to both technical and human failure.
The drawbacks of today’s drive retirement practices include the following:
- Overwriting drive data is expensive, tying up valuable system resources for days. No notification of completion is generated by the drive, and overwriting won’t cover reallocated sectors, leaving that data exposed.
- Methods that include degaussing or physically shredding a drive are expensive. It is difficult to ensure the degauss strength is optimized for the drive type, potentially leaving readable data on the drive. Physically shredding the drive is environmentally hazardous, and neither practice allows the drive to be returned for warranty or expired lease.
- Some companies have concluded the only way to securely retire drives is to keep them in their control, storing them indefinitely in warehouses. But this is not truly secure because a large volume of drives coupled with human involvement inevitably leads to some drives being lost or stolen.
- Professional disposal services is an expensive option and includes the cost of reconciling the services as well as internal reports and auditing. Transporting of the drives also has the potential of putting the data at risk.
Self-encyrpting drives eliminate the need to overwrite, destroy, or store retired drives. When the drive is to be retired, it can be cryptographically erased, a process that is nearly instantaneous regardless of the capacity of the drive.
Instant secure erase
The self-encrypting drive provides instant data encryption key destruction via cryptographic erasure. When it is time to retire or repurpose the drive, the owner sends a command to the drive to perform a cryptographic erasure. Cryptographic erasure simply replaces the encryption key inside the encrypted drive, making it impossible to ever decrypt the data encrypted with the deleted key.
Self-encrypting drives reduce IT operating expenses by reducing asset control challenges and disposal costs. Data security with self-encrypting drives helps ensure compliance with privacy regulations without hindering IT efficiency. So called "Safe Harbor" clauses in government regulations allow companies to not have to notify customers of occurrences of data theft if that data was encrypted and therefore unreadable. Furthermore, self-encrypting drives simplify decommissioning and preserve hardware value for returns and repurposing by:
- Eliminating the need to overwrite or destroy the drive
- Securing warranty returns and expired lease returns
- Enabling drives to be repurposed securely
Insider theft or misplacement is a growing concern for businesses of all sizes; in addition, managers of branch offices and small businesses without strong physical security face greater vulnerability to external theft. Self-encrypting drives include a feature called auto-lock mode to help secure active data against theft.
Using a self-encrypting drive when auto-lock mode is enabled simply requires securing the drive with an authentication key. When secured in this manner, the drive’s data encryption key is locked whenever the drive is powered down. In other words, the moment the self-encrypting drive is switched off or unplugged, it automatically locks down the drive’s data.
When the self-encrypting drive is then powered back on, it requires authentication before being able to unlock its encryption key and read any data on the drive, thus protecting against misplacement and theft.
While using self-encrypting drives just for the instant secure erase is an extremely efficient and effective means to help securely retire a drive, using self-encrypting drives in auto-lock mode provides even more advantages. From the moment the drive or system is removed from the data center (with or without authorization), the drive is locked. No advance thought or action is required from the data center administrator to protect the data. This helps prevent a breach should the drive be mishandled and helps secure the data against the threat of insider or outside theft.
Lower acquisition costs through standardization
These self-encrypting drives adhere to the Trusted Computing Group Enterprise Security Subsystem Class (TCG Enterprise SSC) specification, and this standardization promises lower acquisition cost. The world’s top six hard drive vendors collaborated to develop the final enterprise specification published by the Trusted Computing Group (TCG). This specification, created to be the standard for developing and managing self-encrypting drives, enables SEDs from different vendors to be interoperable. Such interoperability helps ensure greater market competition and lower prices for solution builders and end users alike. Historically, the hard drive industry has repeatedly shown that industry-wide standards increase volume, which in turn lowers costs. These economies of scale help ensure incremental logic in the ASICs remains a small portion of drive material costs.
Performance and power consumption
The hardware encryption engine on the drives matches the SAS port’s maximum speed and encrypts all data with no performance degradation. This performance scales linearly and automatically, with each drive added to the system. No CPU cycles from the host are necessary and I/Os occur without interruption.
The 146GB 15K 2.5" SED drive has the following performance and energy saving features:
- 115% improvement in system-level performance over 3.5-inch 15K drives
- Second-generation 2.5-inch 15K enterprise drive with field-proven reliability
- Seagate PowerTrim technology dynamically reduces power up to 70% over comparable 3.5-inch 15K drives
- IOPS/Watt are 2.5 times better than comparable 3.5-inch Tier 1 drives
- 70% smaller size than 3.5-inch drives reduces overall system cooling costs
- Supports 6 Gbps transfer rates and SAS 2.0 feature set, providing the next generation of signal and data integrity features
The 300GB 10K 2.5" SED drive has the following performance and energy saving features:
- 60% improvement in system-level performance over 3.5-inch 15K drives
- Third-generation 2.5-inch 10K-RPM enterprise drive with proven reliability
- Seagate PowerTrim technology dynamically reduces power
- 75% power savings over comparable 3.5-inch 300 GB capacity drives
- 70% smaller size over 3.5-inch drives reduces overall system cooling costs
- 40% reduction in $/IOPS over comparable 3.5-inch drives
- Supports 6 Gbps transfer rates and SAS 2.0 feature set, providing the next generation of signal and data integrity features
Technical specifications for the drives are presented in Table 2.
Table 2. Specifications
|Specification||146GB 15K 2.5" SED drive||300GB 10K 2.5" SED drive|
|Interface||6 Gbps SAS 2.0||6 Gbps SAS 2.0|
|Form factor||2.5-inch SFF||2.5-inch SFF|
|Cache||16 MB||16 MB|
|Capacity||146 GB||300 GB|
|Encryption||Drive level AES 128-bit||Drive level AES 128-bit|
|Areal density (average)||237.1 Gbits/inch2||252 Gbits/inch2|
|Spindle speed||15,000 rpm||10,000 rpm|
|Average latency||2.0 msec||3.0 msec|
|Random read seek time||3.2 msec||4.2 msec|
|Random write seek time||3.5 msec||4.6 msec|
|MTBF||1,600,000 hours||1,600,000 hours|
|Annualized failure rate (AFR)||0.55%||0.55%|
|Current at +12V (max / typical)||1.12 Amps / 0.35 Amps||2.05 Amps / 0.40 Amps|
|Current at +5V (max / typical)||0.45 Amps / 0.39 Amps||0.72 Amps / 0.43 Amps|
|Power Idle||4.1 W||3.5 W|
The drives have the following physical specifications:
- Height: 15 mm (0.59 inches)
- Width: 70 mm (2.76 inches)
- Length: 100 mm (3.96 inches)
- Weight (typical): 227 grams (0.50 pounds)
The drives are supported in the following environment:
- Temperature Operating: 5 to 55°C
- Temperature Nonoperating: –40 to 70°C
- Shock, Operating - 2 ms: 60 Gs
- Shock, Nonoperating - 2 ms: 300 Gs
- Acoustics Idle (sound power): 146GB 10K drive: 3.3 bels; 300GB 15K drive: 3.1 bels
- Vibration, Operating: <400 Hz: 0.5 Gs
- Vibration, Nonoperating: <500 Hz: 2.4 Gs
One-year, customer replaceable unit (CRU), limited warranty.
Supported RAID controllers
The self-encrypting drives require a supported RAID controller as listed in Table 3.
Table 3. Support RAID controllers
|RAID controller||Part number||Support SEDs|
|ServeRAID M5015 SAS/SATA Controller||46M0829||Yes*|
|ServeRAID M5014 SAS/SATA Controller||46M0916||Yes*|
|ServeRAID M1015 SAS/SATA Controller||46M0831||Yes†|
|ServeRAID-MR10k SAS/SATA Controller||43W4280||No|
|ServeRAID-MR10i SAS/SATA Controller||43W4296||No|
|ServeRAID-MR10M SAS/SATA Controller||44E8825||No|
|ServeRAID-BR10i SAS/SATA Controller||44E8689||No|
|IBM 6Gb SSD Host Bus Adapter||7838-AC1 fc 3876||No|
|IBM 3Gb SAS HBA Controller v2||44E8700||No|
|IBM 6Gb SAS HBA||46M0907||No|
† For SED support, the ServeRAID M1015 requires the ServeRAID M1000 Series Advanced Feature Key, part 46M0832.
The ServeRAID M5014 and M5015 controllers offer internal RAID 0, 1, 5, 10, and 50; the optional M5000 Series Advanced Feature Key (part number 46M0930, feature 5106) upgrade would be required for SED support as well as offering additional RAID 6 and 60 functionality.
The ServeRAID M1015 controller provides internal RAID 0, 1, and 10; the optional ServeRAID M1000 (part number 46M0832, feature 9749) Series Advanced Feature Key upgrade would be required for SED support and also provides additional RAID 5 and 50 capabilities.
Figure 2 shows the ServeRAID M5000 Series Advanced Feature Key attached to the ServeRAID M5015 controller.
Figure 2. ServeRAID M5000 Series Advanced Feature Key
The self-encrypting drives and supported RAID controllers can be installed in the System x servers identified in Table 4.
Table 4. Supported servers
See the IBM ServerProven Web site for the latest information about the adapters supported by each System x server type: http://ibm.com/servers/eserver/serverproven/compat/us/.
Supported operating systems
The self-encrypting drives operate transparently to end users, storage systems, applications, databases, and the operating systems. The SafeStore feature in the ServeRAID controllers uses simple and intuitive configuration menus that are imbedded in the Storage Manager volume management interface.
The self-encrypting drives and supported RAID controllers support the following operating systems:
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows Server 2003/2003 R2, Datacenter Edition
- Microsoft Windows Server 2003/2003 R2, Datacenter x64 Edition
- Microsoft Windows Server 2003/2003 R2, Enterprise Edition
- Microsoft Windows Server 2003/2003 R2, Enterprise x64 Edition
- Microsoft Windows Server 2003/2003 R2, Standard Edition
- Microsoft Windows Server 2003/2003 R2, Standard x64 Edition
- Microsoft Windows Server 2008/2008 R2, Datacenter x64 Edition
- Microsoft Windows Server 2008/2008 R2, Datacenter x86 Edition
- Microsoft Windows Server 2008/2008 R2, Enterprise x64 Edition
- Microsoft Windows Server 2008/2008 R2, Enterprise x86 Edition
- Microsoft Windows Server 2008/2008 R2, Standard x64 Edition
- Microsoft Windows Server 2008/2008 R2, Standard x86 Edition
- Microsoft Windows Server 2008/2008 R2, Web x64 Edition
- Microsoft Windows Server 2008/2008 R2, Web x86 Edition
- Microsoft Windows Small Business Server 2003/2003 R2 Premium Edition
- Microsoft Windows Small Business Server 2003/2003 R2 Standard Edition
- Microsoft Windows Storage Server 2003/2003 R2, Enterprise Edition x64
- Microsoft Windows Storage Server 2003/2003 R2, Standard Edition
- Microsoft Windows Storage Server 2003/2003 R2, Standard Edition x64
- Microsoft Windows Storage Server 2003/2003 R2, Workgroup Edition x64
- Red Hat Enterprise Linux 4 AS for AMD64/EM64T
- Red Hat Enterprise Linux 4 AS for x86
- Red Hat Enterprise Linux 5 Server Edition
- Red Hat Enterprise Linux 5 Server Edition with Xen
- Red Hat Enterprise Linux 5 Server with Xen x64 Edition
- Red Hat Enterprise Linux 5 Server x64 Edition
- SUSE LINUX Enterprise Server 10 for AMD64/EM64T
- SUSE LINUX Enterprise Server 10 for x86
- SUSE LINUX Enterprise Server 10 with Xen for AMD64/EM64T
- SUSE LINUX Enterprise Server 10 with Xen for x86
- SUSE LINUX Enterprise Server 11 for AMD64/EM64T
- SUSE LINUX Enterprise Server 11 for x86
- SUSE LINUX Enterprise Server 11 with Xen for AMD64/EM64T
See the IBM ServerProven Web site for the latest information about the specific versions and service packs supported: http://ibm.com/servers/eserver/serverproven/compat/us/. Click System x servers, then Disk controllers to see the support matrix. Click the check mark that is associated with the System x server in question to see the details of the operating system support.
For more information refer to the following documents:
- IBM US Announcement Letter:
- IBM Redbooks at-a-glance guide for ServeRAID M5015 and M5014 SAS/SATA Controllers
- IBM Redbooks at-a-glance guide for ServeRAID M1015 SAS/SATA Controller
- ServeRAID M5015 and M5014 SAS/SATA Controllers User's Guide
- System x RAID products home page:
- IBM ServeRAID software matrix:
- IBM System x Configuration and Options Guide:
This material has not been submitted to any formal IBM test and is published AS IS. It has not been the subject of rigorous review. IBM assumes no responsibility for its accuracy or completeness. The use of this information or the implementation of any of these techniques is a client responsibility and depends upon the client's ability to evaluate and integrate them into the client's operational environment.