What is a Self-Encrypting Drive (SED)?

A self-encrypting drive, or SED, is a hard disk drive (HDD) or solid-state drive (SSD) with an encryption circuit built into it.

Encryption is an important tool when it comes to keeping your personal and private data safe. By taking the data and scrambling it, encryption renders it unreadable without the encryption key. An SED encrypts data automatically, without any user input or separate encryption software. Unlike software-based encryption solutions, an SED encrypts and decrypts data continuously from the moment it is powered on. Hardware-based encryption allows the user to continue with their work as normal, safe in the knowledge that their data is protected. Most of the major hard drive manufacturers, such as Seagate, Toshiba and Western Digital, offer SEDs, both as off-the-shelf drives and pre-installed in a PC or laptop. What may come as a surprise is that many drives currently on the market – such as the popular Samsung 840 EVO – are actually SEDs, with the marketing instead focussing on things like speed and storage capacity.

The encryption process in SEDs is done through a built-in cryptoprocessor, which creates a random data encryption key (DEK). When data is written to the SED, it is encrypted with the DEK, and when data is read from the SED, the DEK decrypts it. All of the encryption and decryption takes place inside the drive, rather than in the computer’s memory or processor.

Hardware-based SEDs offer a number of benefits over a software encryption setup. Firstly, SEDs have a negligible effect on performance, and you most likely won’t even notice it; as mentioned above, many people probably have SEDs and don’t know. Software-based encryption tools require a dedicated program, like BitLocker, that needs to be installed and running in order to encrypt and decrypt data. Not only does this mean there’s more work involved in keeping your data safe, but having encryption software running in the background can slow down your computer. There can be a temptation to disable encryption, potentially exposing your data to cybercriminals. With SEDs, everything is taken care of.

Secondly, SEDs are incredibly secure. Because the encryption is independent of the operating system, the DEK never makes its way into the computer’s RAM, unlike with software-based encryption, and so cannot be read from there by hackers. When a new DEK is generated, the device’s existing data is rendered irretrievable, a process known as a cryptographic disk erasure, or crypto-shred. This can be a useful feature if the SED needs to be discarded and the data securely wiped.
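The write-encrypt/read-decrypt loop described above and the crypto-shred just mentioned can both be seen in a small software model of a drive. The following Go program is an added example written for this page; it is not code from any drive manufacturer or from the TCG Opal specification. It assumes a toy 16-byte sector, keeps the DEK in an unexported field to stand in for a key that never leaves the drive's cryptoprocessor, and uses AES-CTR with an LBA-derived counter purely to keep the code short (real SEDs use a tweakable sector mode such as AES-XTS, because rewriting a sector under the same CTR counter would reuse keystream).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Toy sector size (assumption); real drives use 512 or 4096 bytes.
const sectorSize = 16

// SED models a self-encrypting drive. The DEK is unexported: nothing outside
// the drive can read it, mirroring a key that never reaches host RAM.
type SED struct {
	dek     []byte
	block   cipher.Block
	sectors map[uint64][]byte // ciphertext as stored on the medium, keyed by LBA
}

// NewSED powers the drive on and lets it generate its own random DEK.
func NewSED() (*SED, error) {
	d := &SED{sectors: make(map[uint64][]byte)}
	if err := d.generateDEK(); err != nil {
		return nil, err
	}
	return d, nil
}

// generateDEK draws a fresh 256-bit AES key from the drive's RNG.
func (d *SED) generateDEK() error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	d.dek, d.block = key, block
	return nil
}

// sectorStream derives a per-sector keystream from the LBA.
// Assumption: AES-CTR stands in for the AES-XTS mode real drives use.
func (d *SED) sectorStream(lba uint64) cipher.Stream {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv, lba)
	return cipher.NewCTR(d.block, iv)
}

// Write encrypts with the DEK before anything touches the medium.
func (d *SED) Write(lba uint64, plain []byte) error {
	if len(plain) != sectorSize {
		return fmt.Errorf("sector must be %d bytes, got %d", sectorSize, len(plain))
	}
	ct := make([]byte, sectorSize)
	d.sectorStream(lba).XORKeyStream(ct, plain)
	d.sectors[lba] = ct
	return nil
}

// Read decrypts on the way out, so the host only ever handles plaintext.
func (d *SED) Read(lba uint64) ([]byte, error) {
	ct, ok := d.sectors[lba]
	if !ok {
		return nil, errors.New("sector never written")
	}
	pt := make([]byte, sectorSize)
	d.sectorStream(lba).XORKeyStream(pt, ct)
	return pt, nil
}

// CryptoErase performs a crypto-shred: the DEK is replaced and the stored
// ciphertext left in place, which makes every existing sector unrecoverable.
func (d *SED) CryptoErase() error {
	return d.generateDEK()
}

// RawMedium returns the bytes on the medium itself, bypassing the controller.
func (d *SED) RawMedium(lba uint64) []byte {
	return d.sectors[lba]
}

func main() {
	d, err := NewSED()
	if err != nil {
		panic(err)
	}
	secret := []byte("payroll-2024.xls") // constructed 16-byte sample sector
	if err := d.Write(7, secret); err != nil {
		panic(err)
	}
	got, _ := d.Read(7)
	fmt.Println("medium holds plaintext:", bytes.Equal(d.RawMedium(7), secret))
	fmt.Println("host reads plaintext:  ", bytes.Equal(got, secret))
	if err := d.CryptoErase(); err != nil {
		panic(err)
	}
	got, _ = d.Read(7)
	fmt.Println("readable after erase:  ", bytes.Equal(got, secret))
}
```

Note that after `CryptoErase` a read does not fail; it returns bytes that decrypt to noise. A verification read of a known sector after the erase is therefore the practical way to confirm the old data really is gone before the drive leaves your hands.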

