FAQ

General Questions

How can I contact BiTMICRO®?

Have a question? Please call +1 888-72-FLASH or fill out the form on our Contact Us page. We will contact you shortly!

Where are we located?

USA (Headquarters)

BiTMICRO Networks, Inc.
47929 Fremont Blvd.
Fremont, CA 94538, USA

DUNS: 928791797
CAGE: 07SX4
NAICS:
334112 Computer Storage Device Manufacturing
334 Computer and Electronic Product Manufacturing
541330 Engineering Services

Who is BiTMICRO?

BiTMICRO Networks, Inc., a leader in enterprise flash storage for mission-critical computing, is advancing business performance, productivity, and reliability with innovative solid state drive (SSD) solutions. Solving real-world challenges, BiTMICRO has been developing patented ASIC designs and embedded firmware and software technology since its founding in 1995. Built upon an established history in ruggedized military and mission-critical IT surroundings, BiTMICRO actively develops, deploys, and supports versatile storage solutions and is best known for exceeding the extreme performance and data integrity required for enterprise, industrial, and military environments.

BiTMICRO is committed to exceeding the performance, productivity, and reliability standards of solid state storage. Solving real-world challenges by developing and supporting scalable enterprise-class solutions, BiTMICRO provides innovative products with the highest standards in concert with exceptional customer service.

Is BiTMICRO open to partnerships?

Yes! The BiTMICRO MAXchannel Partner Program offers deal registration, joint marketing, and reseller partnerships to interested applicants. You can find more information here.

Cryptographic Key

What is a Cryptographic Key?

“A cryptographic key is a string of data that is used to lock or unlock cryptographic functions, including authentication, authorization and encryption. It transforms plain text into cipher text or vice versa. This key remains private and ensures secure communication.”[1][2]

“Data Encryption Key (DEK) is automatically generated by SED during its operation. The DEK is used to encrypt and decrypt all of the data on the drive when written and when read, respectively. The drive generates the DEK and stores it in an encrypted format in multiple locations on the drive itself. By default the SED device is unlocked, and the DEK is used to encrypt and decrypt writes and reads to the media. The data is fully secured only when the drive is provisioned and locked. Using an Authentication Key (AK) in combination with DEK to read and write data to the SED is a way of provisioning a drive.” [3]

RELATED LINK(S):

  1. https://www.techopedia.com/definition/24749/cryptographic-key
  2. https://en.wikipedia.org/wiki/Cryptographic_key_types
  3. http://h20331.www2.hp.com/Hpsub/downloads/Self_encrypting_drives_whitepaper.pdf

What is a DEK?

“Data encryption key (DEK): is a type of cryptographic key generated by an encryption engine that serves as a secured access key to encrypt and decrypt data at least once or possibly multiple times. Data is encrypted and decrypted with the help of the same DEK; therefore, a DEK must be stored for at least a specified duration for decrypting the generated cipher text.”[1]

Encrypted data is referred to as “cipher text” and unencrypted data as “plain text”.

RELATED LINK(S):

  1. https://www.techopedia.com/definition/5660/data-encryption-key-dek

How does Key Management work?

Key management refers to managing cryptographic keys (DEK and KEK) within a cryptosystem. It deals with generating, exchanging, storing, using and replacing keys as needed at the user level.

RELATED LINK(S):

  1. https://en.wikipedia.org/wiki/Key_management

What is AES? How does it work?

“The Advanced Encryption Standard, or AES, is a symmetric block cipher chosen by the U.S. government to protect classified information and is implemented in software and hardware to encrypt sensitive data throughout the world.”[1]

“SED drives use two versions of this standard, AES128 and AES256. The numbers refer to the bit-size of the encryption key (and the block size) used by the algorithm, which must be a 128-bit (16 byte) or 256-bit (32 byte) random number. Without knowing the encryption key, this algorithm makes it virtually impossible to decipher the code and since the algorithm is in general use, the more exposure it gets to being unsuccessfully attacked and broken, the higher our confidence in it.”[2]

“A block cipher is a method of encrypting text (to produce cipher text) in which a cryptographic key and algorithm are applied to a block of data (for example, 64 contiguous bits) at once as a group rather than to one bit at a time.”[3]

RELATED LINK(S):

  1. https://www.techopedia.com/definition/1763/advanced-encryption-standard-aes
  2. https://www.seagate.com/files/staticfiles/support/docs/manual/Interface%20manuals/100515636b.pdf
  3. http://searchsecurity.techtarget.com/definition/block-cipher

What is an SED? How does it work?

“A Self-Encrypting Drive (SED) is a Storage Device that integrates encryption of user data at rest. All user data written to the Storage Device is encrypted by specialized hardware implemented inside the Storage Device controller. The data is decrypted as it is read. The encryption and decryption are performed using a Media Encryption Key (MEK) generated internally in the Storage Device.”[1] Self-encrypting drives are focused on data at rest.

“All SEDs encrypt all the time from the factory onwards, performing like any other hard drive, with the encryption being completely transparent or invisible to the user.”[2]

RELATED LINK(S):

  1. http://nvmexpress.org/wp-content/uploads/TCGandNVMe_Joint_White_Paper-TCG_Storage_Opal_and_NVMe_FINAL.pdf
  2. http://www.computerweekly.com/feature/Self-encrypting-drives-SED-the-best-kept-secret-in-hard-drive-encryption-security

Do I need a Key Management tool to factory reset a protected drive?

No, but you do need the drive’s PSID and an application to send commands to the storage device.

What is TCG Opal? How does it work?

OPAL is the TCG Specification for the SED function. It is an implementation profile for Storage Devices that incorporate mechanisms for managing access control to user data stored on the Storage Device, including controlling Media Encryption, Key Management, and Read/Write Lock State.

How can the key be generated?

“All SED devices have a built-in encryption engine that generates a Data Encryption Key (DEK). The DEK is stored in an encrypted format in multiple locations on the drive itself. By default the SED device is unlocked, and the DEK is used to encrypt and decrypt writes and reads to the media. It is not until the drive is provisioned and locked that the data is fully secured. Provisioning a drive entails creating an Authentication Key (AK) that is used in conjunction with the DEK to read and write data to the SED.”[1]

RELATED LINK(S):

  1. http://h20331.www2.hp.com/Hpsub/downloads/Self_encrypting_drives_whitepaper.pdf
  2. https://trustedcomputinggroup.org/commonly-asked-questions-answers-self-encrypting-drives/

Are all SSDs compatible with any kind of Key Management Software from different ISVs (such as WinMagic, McAfee, Symantec, Microsoft BitLocker, etc.)?

No. You should always refer to the ISV's compatibility matrix.

What is FDE? How does it work?

“Full-disk encryption (FDE) is encryption done at the hardware level. FDE works by automatically encrypting data on a hard drive into a form that can be only understood by the one who has the key to decrypt the encrypted data.”[1]

RELATED LINK(S):

  1. http://whatis.techtarget.com/definition/full-disk-encryption-FDE

Can you send ATA security commands to drives mounted on a USB enclosure?

This depends on whether the USB-to-SATA bridge (tailgate) supports these commands; it is, however, not recommended. “The Secure Erase command disconnects the drive from the system and offloads all erase commands to the drive controller. The drive controller will not communicate with the host system until the erase command has been completed. The drive must be left alone for the duration of the erasure. SATA/PATA ports have no problem doing this (they’re designed with it in mind), the ATA-USB bridge used by external enclosures is not. If the hard disk controller stops responding (which it will during the erase command) the USB host controller will not be expecting the device to timeout and disconnect. The host controller may attempt to disconnect or reset the bridge device, which can interfere with the hard disk controller while it is performing the secure erase. This can cause undefined behaviour on the drive, including unrecoverable failure.”[1]

RELATED LINK(S):

  1. http://www.tomshardware.co.uk/answers/id-1984547/secure-erase-external-usb-hard-drive.html
  2. https://wiki.archlinux.org/index.php/Securely_wipe_disk
  3. https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

Does Key Management need to be enabled or is it enabled by default?

No. Key management refers to managing cryptographic keys (DEK and KEK) within a cryptosystem. It deals with generating, exchanging, storing, using and replacing keys as needed at the user level.

RELATED LINK(S):

  1. https://en.wikipedia.org/wiki/Key_management

What is Key Management or Cryptographic Key Management (CKM)?

Key management refers to managing cryptographic keys (DEK and KEK) within a cryptosystem. It deals with generating, exchanging, storing, using and replacing keys as needed at the user level.

RELATED LINK(S):

  1. https://en.wikipedia.org/wiki/Key_management

What is UEFI? How does it work?

Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer’s firmware to its operating system (OS). UEFI is expected to eventually replace BIOS. Like BIOS, UEFI is installed at the time of manufacturing and is the first program that runs when a computer is turned on.

How do I determine whether a UEFI machine supports SED (OPAL) encryption?

“Unified Extensible Firmware Interface (UEFI) is a specification for a software program that works as an interpreter between the computer firmware and the operating system. UEFI is expected to eventually replace BIOS. Like BIOS, UEFI is installed at the time of manufacturing and is the first program that runs when a computer is turned on.”[1]

Some advantages of UEFI are:

  • Support for higher drive capacities (larger than 2TB)
  • Speed and performance
  • Security

RELATED LINK(S):

  1. http://whatis.techtarget.com/definition/Unified-Extensible-Firmware-Interface-UEFI

Is Key Management supported on all SSDs?

No. You should always refer to the ISV's compatibility matrix.

Does Key Management work on all types of Operating System?

No. You should always refer to the ISV's compatibility matrix.

What level of security does a Software and Hardware encryption provide?

“Software can be corrupted or negated; hardware cannot. Software runs under an operating system that is vulnerable to viruses and other attacks. An operating system, by definition, provides open access to applications and thus exposes these access points to improper use. Hardware-based security can more effectively restrict access from the outside, especially to unauthorized use. Additionally, dedicated hardware can have superior performance compared to software.”[1]

RELATED LINK(S):

  1. https://trustedcomputinggroup.org/commonly-asked-questions-answers-self-encrypting-drives/

What is ATA Key Management? How does it differ from TCG Opal?

OPAL is the TCG Specification for the SED function. It is an implementation profile for Storage Devices that incorporate mechanisms for managing access control to user data stored on the Storage Device, including controlling Media Encryption, Key Management, and Read/Write Lock State.

ATA Key Management is part of the ATA specification and provides a password system that limits access to data on (serial) ATA devices such as solid state drives (SSDs).

How is Key Management related to AES, SED, FDE, UEFI and TCG OPAL?

“AES, SED, FDE, UEFI and TCG OPAL are major components for an effective implementation of data security. Key management takes place within the disk controller and encryption keys are usually 128 or 256 bit Advanced Encryption Standard (AES). SEDs adhering to the TCG OPAL 2.0 standard specification (almost all modern SEDs) implement key management via an Authentication Key (AK), and a 2nd-level Data Encryption Key (DEK). The DEK is the key against which the data is actually encrypted/decrypted. The AK is the user-facing 1st-level password/passphrase which decrypts the DEK (which in turn decrypts the data).”[1]

RELATED LINK(S):

  1. https://wiki.archlinux.org/index.php/Self-Encrypting_Drives#Key_management_technical_implementation
  2. https://www.ibm.com/developerworks/community/blogs/5things/entry/5_things_to_know_about_managing_encryption_keys_for_self_encrypting_drives_in_lenovo_system_x_servers?lang=en
  3. https://www.winmagic.com/products/features/sed-self-encrypting-hard-drives