Volume 12, Issue 04

Intel® vPro™ Technology


Intel Technology Journal - Featuring Intel's recent research and development

ISSN 1535-864X DOI 10.1535/itj.1204.07

  • Volume 12
  • Issue 04
  • Published December 23, 2008

  Section 4 of 12  

Storage Protection with Intel® Anti-Theft Technology - Data Protection (Intel® AT-d)

Approaches to DAR on Client Platforms

DAR technology for client computers generally falls into four categories, identified by where encryption is applied: (1) software-only, (2) storage device, (3) storage controller, and (4) remote storage.

Software-Only Encryption
Software-only encryption performs its cryptographic operations using central processing unit (CPU) cycles. The DAR module must be inserted into the data storage path. This is done either above the file system, by hooking the file system's read and write interfaces into the DAR module, or below the file system, by intercepting device reads and writes at the driver layer, such as in the Advanced Host Controller Interface (AHCI) driver (see Figure 1).

Figure 1: Software-only encryption model

Software-only encryption can be easily made to work with a variety of storage interfaces and media types, especially if configured by an operating system (OS) vendor. However, system and application errors can cause the encryption function to be bypassed or the audit trail to be omitted. Encryption overhead is borne solely by the CPU, which can affect performance for the end user.

Storage Device Encryption
Storage device encryption (see Figure 2) is performed by the hard drive's microcontroller, or by dedicated encryption hardware integrated into the drive controller. Device encryption depends on external software to provide user authentication, key management, and all other support services. It is transparent to the OS and applications, and because the encryption overhead is not borne by the CPU, the impact on the OS and applications is further minimized. The trust relationship, however, runs in both directions without verification: the encryption key management, audit, and access-control software is written on the assumption that data are encrypted, but it cannot be certain that this is the case; likewise, the storage device logic relies on external services and software to function properly, but it cannot be certain that they do.

Figure 2: Storage device encryption model
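As an added illustration (not code from the article or from Intel's product), the following Python models the "below the file system" software-only shim of Figure 1 together with a check for the gap just described: instead of assuming the medium holds ciphertext, the verifier writes a known pattern through the data path and inspects the raw sectors underneath it, which also exposes the bypass failure mode mentioned for software-only encryption. The RawDevice and DarShim classes, the HMAC-SHA256 keystream (a stand-in for a real disk cipher) and the 7.0-bit entropy threshold are all constructed for this example.

```python
import hashlib
import hmac
import math
from collections import Counter

SECTOR = 512  # bytes per sector (constructed geometry)


class RawDevice:
    """Constructed stand-in for the storage device: sector number -> bytes."""
    def __init__(self):
        self.sectors = {}

    def write(self, lba, data):
        self.sectors[lba] = bytes(data)

    def read(self, lba):
        return self.sectors.get(lba, bytes(SECTOR))


class DarShim:
    """Software-only DAR layer below the file system: every sector is XORed
    with a keystream derived from the key and the sector number (LBA) before
    it reaches the device. HMAC-SHA256 here is illustrative, not a disk cipher."""
    def __init__(self, device, key):
        self.dev, self.key = device, key

    def _keystream(self, lba):
        out, ctr = b"", 0
        while len(out) < SECTOR:
            msg = lba.to_bytes(8, "big") + ctr.to_bytes(4, "big")
            out += hmac.new(self.key, msg, hashlib.sha256).digest()
            ctr += 1
        return out[:SECTOR]

    def write(self, lba, data):
        block = data.ljust(SECTOR, b"\0")
        self.dev.write(lba, bytes(a ^ b for a, b in zip(block, self._keystream(lba))))

    def read(self, lba):
        return bytes(a ^ b for a, b in zip(self.dev.read(lba), self._keystream(lba)))


def entropy_bits(buf):
    """Shannon entropy per byte; plaintext patterns score low, ciphertext near 8."""
    counts, n = Counter(buf), len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def verify_encryption(path, raw_device, lbas=(0, 1)):
    """Write a low-entropy probe through `path`, then read the raw medium.
    True only if the probe is absent, identical sectors differ (per-LBA tweak)
    and the stored bytes look like ciphertext; False means the DAR layer was
    bypassed or is not encrypting."""
    probe = (b"DAR-PROBE " * 64)[:SECTOR]
    for lba in lbas:
        path.write(lba, probe)
    raws = [raw_device.read(lba) for lba in lbas]
    if any(probe in r for r in raws):      # plaintext reached the medium
        return False
    if len(set(raws)) != len(raws):        # same plaintext, same ciphertext: no tweak
        return False
    return all(entropy_bits(r) > 7.0 for r in raws)
```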

Storage Controller Encryption
Storage controller encryption (see Figure 3) utilizes host controller hardware or dedicated encryption hardware to encrypt. The host controller decodes commands in the storage data stream to locate data packets that are then encrypted and repackaged before being sent to the storage device. Storage controller encryption depends on software or firmware for user authentication, encryption key management, and support services.

Figure 3: Storage controller encryption model

Remote Storage Encryption
Remote storage encryption (see Figure 4) relies on storage protocol redirection over a network interface, such as Intelligent Drive Electronics Redirection (IDE-R) or Internet Small Computer System Interface (iSCSI). Any of the previously mentioned DAR encryption techniques can be applied prior to network redirection. Data are protected by the policies and authorizations that pertain to the client, as if the data were stored locally. Local storage may be used to cache data that are later synchronized with the remote storage device. Network security may be applied in addition to local storage encryption to protect against certain types of man-in-the-middle (MITM) and denial-of-service (DoS) attacks that are unique to networks.

Figure 4: Remote storage encryption model
