FAQ – BiTMICRO

BiTMICRO

FAQ

General Questions

How do I contact BiTMICRO®?

For all inquiries, including Sales inquiries, please fill out the form on our Contact Us page or call us at +1 888-72-FLASH
Where are we located?

USA (Headquarters)
BiTMICRO Networks, Inc.
47929 Fremont Blvd.
Fremont, CA 94538, USA
What is BiTMICRO’s DUNS number?

BiTMICRO’s Data Universal Numbering System (DUNS) number is 928791797.
What is BiTMICRO’s CAGE code?

BiTMICRO’s Commercial and Government Entity (CAGE) Code is 07SX4.
What are BiTMICRO’s NAICS codes?
BiTMICRO’s North American Industry Classification System (NAICS) codes are the following:
334 Computer and Electronic Product Manufacturing
334112 Computer Storage Device Manufacturing
541330 Engineering Services
Who is BiTMICRO?

Since 1995, BiTMICRO has been designing verified-rugged and secure storage for hostile environments. Armed with in-house developed technology, BiTMICRO designs and develops efficiently-configurable platforms capable of distributed and configurable security through its customer-driven team. As a U.S.-based technology innovator, BiTMICRO continually strives to deliver highly secure and rugged storage to markets requiring the highest standards of quality and reliability. BiTMICRO is headquartered in Fremont, California.
How do I partner with BiTMICRO?

The BiTMICRO MAXchannel Partner Program offers deal registration, joint marketing, and reseller partnerships to interested applicants. You can find more information here.

Cryptographic Key

What is a cryptographic key?
“A cryptographic key is a string of data that is used to lock or unlock cryptographic functions, including authentication, authorization and encryption. It transforms plain text into cipher text or vice versa. This key remains private and ensures secure communication.”^[¹^][²^]
“Data Encryption Key (DEK) is automatically generated by the Self-Encrypted Drive (SED) during its operation. The DEK is used to encrypt and decrypt all of the data on the drive when written and when read, respectively. The drive generates the DEK and stored it in an encrypted format in multiple locations on the drive itself. By default the SED device is unlocked, and the DEK is used to encrypt and decrypt writes and reads to the media. The data is fully secured only when the drive is provisioned and locked. Using an Authentication Key (AK) in combination with DEK to read and write data to the SED is a way of provisioning a drive.” ^[³^]
RELATED LINK(S):
https://www.techopedia.com/definition/24749/cryptographic-key
https://en.wikipedia.org/wiki/Cryptographic_key_types
http://h20331.www2.hp.com/Hpsub/downloads/Self_encrypting_drives_whitepaper.pdf
What is an SED? How does it work?
A Self-Encrypting Drive (SED) is a Storage Device that integrates encryption of user data at rest. All user data written to the Storage Device is encrypted by specialized hardware implemented inside the Storage Device controller. The data is decrypted as it is read. The encryption and decryption are performed using a Media Encryption Key (MEK) generated internally in the Storage Device.”^[¹^] Self-encrypting drives are focused on data at rest.
“All SEDs encrypt all the time from the factory onwards, performing like any other hard drive, with the encryption being completely transparent or invisible to the user.”^[²^]

RELATED LINK(S):
http://nvmexpress.org/wp-content/uploads/TCGandNVMe_Joint_White_Paper-TCG_Storage_Opal_and_NVMe_FINAL.pdf
http://www.computerweekly.com/feature/Self-encrypting-drives-SED-the-best-kept-secret-in-hard-drive-encryption-security
What is DEK?
“Data encryption key (DEK): is a type of cryptographic key generated by an encryption engine that serves as a secured access key to encrypt and decrypt data at least once or possibly multiple times. Data is encrypted and decrypted with the help of the same DEK; therefore, a DEK must be stored for at least a specified duration for decrypting the generated cipher text.”^[1]
Encrypted data is referred to as “cipher text” and unencrypted data as “plain text”.
RELATED LINK(S):
https://www.techopedia.com/definition/5660/data-encryption-key-dek
What is KEK?
“Key encryption key (KEK): A “symmetric key wrapping key” type of encryption key that encapsulates a key material. KEK is generally used to encrypt DEK. ^[1] “It is used for encrypting other cryptographic keys.”^[2]
RELATED LINK(S):
https://info.townsendsecurity.com/definitive-guide-to-encryption-key-management-fundamentals
https://link.springer.com/referenceworkentry/10.1007%2F978-1-4419-5906-5_291
Will a Self-Encrypted Drive (SED) still be usable even if you forget the authentication key?
Yes, but not the data on the drive. The drive remains locked, and the data inaccessible and encrypted. The drive needs to be factory reset or formatted to be useable.
Opal-compliant drives require PSID to be factory reset.
RELATED LINK(S):
https://superuser.com/questions/408809/how-to-format-a-drive-encrypted-with-bitlocker
https://wiki.archlinux.org/index.php/disk_encryption
Is there a way to reset the protected SED to factory settings if it can’t be unlocked?
Theprotected SED can be reset to factory settings by using its public PSID value.
RELATED LINK(S):
https://library.netapp.com/ecmdocs/ECMP1636022/html/GUID-76C16F4E-7497-42D3-B22B-89E94279C1BF.html
https://community.spiceworks.com/topic/459297-removing-winmagic
What is AES? How does it work?
“The Advanced Encryption Standard, or AES, is a symmetric block cipher chosen by the U.S. government to protect classified information and is implemented in software and hardware to encrypt sensitive data throughout the world.”^[¹^]
“SED drives use two versions of this standard, AES128 and AES256. The numbers refer to the bit-size of the encryption key (and the block size) used by the algorithm, which must be a 128-bit (16 byte) or 256-bit (32 byte) random number. Without knowing the encryption key, this algorithm makes it virtually impossible to decipher the code and since the algorithm is in general use, the more exposure it gets to being unsuccessfully attacked and bro-ken, the higher our confidence in it.”^[²^]
“A block cipher is a method of encrypting text (to produce cipher text) in which a cryptographic key and algorithm are applied to a block of data (for example, 64 contiguous bits) at once as a group rather than to one bit at a time.”^[³^]
RELATED LINK(S):
https://www.techopedia.com/definition/1763/advanced-encryption-standard-aes
https://www.seagate.com/files/staticfiles/support/docs/manual/Interface%20manuals/100515636b.pdf
http://searchsecurity.techtarget.com/definition/block-cipher
Can an administrator be set to manage users of the key?
Yes,This can be managed through Independent Software Vendor (ISV) key management tool.
RELATED LINK(S):
https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/overview-of-keymanagement-for-always-encrypted
https://www.sc.edu/about/offices_and_divisions/university_technology_services/security/sc_technologies/ses_client_v65_user_manual.pdf
Can the key be replaced

Yes, This can be managed through Independent Software Vendor (ISV) key management tool.
RELATED LINK(S):
https://trustedcomputinggroup.org/commonly-asked-questions-answers-self-encrypting-drives/
Can the destroyed key be recycled or recovered?

No, once the key is destroyed, it cannot be recovered.
RELATED LINK(S):
https://trustedcomputinggroup.org/commonly-asked-questions-answers-self-encrypting-drives/
How can the key be destroyed?

The key can be destroyed simply by deleting/erasing/changing the encryption key.
RELATED LINK(S):
https://trustedcomputinggroup.org/commonly-asked-questions-answers-self-encrypting-drives/
Do I need a Key Management tool to factory reset a protected drive?

No, but you do need the drive’s PSID and an application to send commands to the storage device.
What is TCG Opal? How does it work?
OPAL is the TCG Specification for the SED function. It is an implementation profile for Storage Devices that incorporate mechanisms for managing access control to user data stored on the Storage Device, including controlling Media Encryption, Key Management, and Read/Write Lock State.
RELATED LINK(S):
https://trustedcomputinggroup.org/commonly-asked-questions-answers-self-encrypting-drives/
https://en.wikipedia.org/wiki/Opal_Storage_Specification
http://nvmexpress.org/wp-content/uploads/TCGandNVMe_Joint_White_Paper-TCG_Storage_Opal_and_NVMe_FINAL.pdf
How can the key be generated?
“All SED devices have a built-in encryption engine that generates a Data Encryption Key (DEK). The DEK is stored in an encrypted format in multiple locations on the drive itself. By default the SED device is unlocked, and the DEK is used to encrypt and decrypt writes and reads to the media. It is not until the drive is provisioned and locked that the data is fully secured. Provisioning a drive entails creating an Authentication Key (AK) that is used in conjunction with the DEK to read and write data to the SED.”^[¹^]
RELATED LINK(S):
http://h20331.www2.hp.com/Hpsub/downloads/Self_encrypting_drives_whitepaper.pdf
https://trustedcomputinggroup.org/commonly-asked-questions-answers-self-encrypting-drives/
Are all SSDs compatible with any kind of Key Management Software from different ISVs) like WinMagic, McAfee, Symantec, Microsoft Bitlocker, etc.?

No. You should always refer to the ISVs’ compatibility matrix.
What is FDE? How does it work?
“Full-disk encryption (FDE) is encryption done at the hardware level. FDE works by automatically encrypting data on a hard drive into a form that can be only understood by the one who has the key to decrypt the encrypted data.”^[^1]
RELATED LINK(S):
http://whatis.techtarget.com/definition/full-disk-encryption-FDE
Can you send ATA security commands to drives mounted on a USB enclosure?
This depends on the USB to SATA bridge (tailgate) support, this is however not recommended. “The Secure Erase command disconnects the drive from the system and offloads all erase commands to the drive controller. The drive controller will not communicate with the host system until the erase command has been completed. The drive must be left alone for the duration of the erasure. SATA/PATA ports have no problem doing this (they’re designed with it in mind), the ATA-USB bridge used by external enclosures is not. If the hard disk controller stops responding (which it will during the erase command) the USB host controller will not be expecting the device to timeout and disconnect. The host controller may attempt to disconnect or reset the bridge device, which can interfere with the hard disk controller while it is performing the secure erase. This can cause undefined behaviour on the drive, including unrecoverable failure.”^[^1]

RELATED LINK(S):
http://www.tomshardware.co.uk/answers/id-1984547/secure-erase-external-usb-hard-drive.html
https://wiki.archlinux.org/index.php/Securely_wipe_disk
https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase
What is Key Management or Cryptographic Key Management (CKM)?

Key management refers to managing cryptographic keys (e.g. DEK and KEK) within a cryptosystem. It deals with generating, exchanging, storing, using and replacing keys as needed at the user level.
RELATED LINK(S):
https://en.wikipedia.org/wiki/Key_management
Does Key Management need to be enabled or is it enabled by default?

No. Key management refers to managing cryptographic keys (DEK and KEK) within a cryptosystem. It deals with generating, exchanging, storing, using and replacing keys as needed at the user level.
RELATED LINK(S):
https://en.wikipedia.org/wiki/Key_management
Do Self-Encrypting Drives (SED’s) require an AES engine?
Not necessarily an AES engine but a specialized hardware implemented inside the Storage Device controller that encrypts/decrypts data. AES is just one of those algorithms that are being used by the said hardware controller.
RELATED LINK(S):
https://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption
https://www.snia.org/sites/default/orig/DSI2015/presentations/Security/MichaelWillett_Encrypted%20Storage_final.pdf
Is Key Management supported on all SSDs?

No. You should always refer to the ISVs’ compatibility matrix.
Does Key Management work on all types of Operating System?

No. You should always refer to the ISVs’ compatibility matrix.
What are the common tools for sending ATA security commands?
Linux uses HDPARM and SMARTMON tools. Windows uses the STB Suite, customized scripts or batch scripts.
RELATED LINK(S):
https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase
http://www.stbsuite.com/support/virtual-training-center/issuing-ata-commands
What level of security does a Software and Hardware encryption provide?
“Software can be corrupted or negated; hardware cannot. Software runs under an operating system that is vulnerable to viruses and other attacks. An operating system, by definition, provides open access to applications and thus exposes these access points to improper use. Hardware-based security can more effectively restrict access from the outside, especially to unauthorized use. Additionally, dedicated hardware can have superior performance compared to software.”^[¹^]
RELATED LINK(S):
https://trustedcomputinggroup.org/commonly-asked-questions-answers-self-encrypting-drives/
https://www.kingston.com/en/usb/encrypted_security/hardware_vs_software
http://h20331.www2.hp.com/Hpsub/downloads/Self_encrypting_drives_whitepaper.pdf
What are the requirements for key management?
Basic requirements for managing SED’s are encryption methods (i.e. AES), management software (i.e. securedoc, McAfee, Cryptomill,etc..) and supported environments.
RELATED LINK(S):
https://www.winmagic.com/products/features/sed-self-encrypting-hard-drives
https://trustedcomputinggroup.org/commonly-asked-questions-answers-self-encrypting-drives/