Disk encryption is a technology which protects information by converting it into code that cannot be deciphered easily by unauthorized people or processes.
Trusted Platform Module (TPM) is a secure cryptoprocessor embedded in the motherboard that can be used to authenticate a hardware device.
These implementations can wrap the decryption key using the TPM, thus tying the hard disk drive (HDD) to a particular device.
The TPM can impose a limit on decryption attempts per unit time, making brute-forcing harder.
Hardware-based full disk encryption within the storage device are called self-encrypting drives and have no impact on performance whatsoever.
The Trusted Computing Group Opal Storage Specification provides industry accepted standardization for self-encrypting drives.
External hardware is considerably faster than the software-based solutions, although CPU versions may still have a performance impact[clarification needed], and the media encryption keys are not as well protected.
It is important in all cases that the authentication credentials are usually a major potential weakness since the symmetric cryptography is usually strong.
[clarification needed] Secure and safe recovery mechanisms are essential to the large-scale deployment of any disk encryption solutions in an enterprise.
[7] Even a Trusted Platform Module (TPM) is not effective against the attack, as the operating system needs to hold the decryption keys in memory in order to access the disk.
All software-based encryption systems are vulnerable to various side channel attacks such as acoustic cryptanalysis and hardware keyloggers.
In contrast, self-encrypting drives are not vulnerable to these attacks since the hardware encryption key never leaves the disk controller.
Solutions for storing the external key include: All these possibilities have varying degrees of security; however, most are better than an unencrypted disk.