Data Recovery on Full Encryption Hard Drives

The new Western Digital drives like the WDBAAF0020HBK My Book Essential 2TB External USB feature built-in hardware-based AES encryption. Such drives are sometimes called “Self-Encrypting Drives”, or SEDs.

Surprisingly, the content written to the WD MyBook is scrambled even when no password is set. Once the USB-to-SATA bridge stops working, the cipher keys are lost and the data cannot be recovered, even though the storage itself is working fine. Considering that in practice a failure of the encryption chip looks more probable than the disk actually getting into the wrong hands, the always-on protection does not look like a very good idea.

Why did the designers choose to implement the encryption in such a way?

The rationale behind this choice is the speed of changing or resetting a password. Under a policy of “no password = no encryption”, whenever the password is set or changed the entire hard drive needs to be encrypted again, taking several hours. And this is even before we start looking into complex issues such as several overlapping power failures. The same consideration also applies to password removal.

So the designers chose the faster option. The master encryption key is generated once during production and flashed into the controller’s EEPROM. All the data on the disk is encrypted using this master key, all the time, regardless of whether a user password is set. When the user requests a password to be set, the master key is encrypted using the password.

Because the data on the drive is already encrypted, you cannot read it without the master key, and the master key is not available unless you have the valid password.
In this setup, if the encryption module goes bad, the content of the disk is lost forever.

As a side effect, this approach eliminates the need for secure erase.
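
The key-wrapping scheme described above, as an added example that is not Western Digital's firmware or code from this page: a master key that never changes encrypts the data, and setting or changing the password only re-encrypts that 32-byte key. The function names, the PBKDF2 parameters and the SHA-256 counter-mode keystream (a toy stand-in for the drive's AES) are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Illustrative model only: names, parameters and the toy cipher are assumptions.

def _keys(password: str, salt: bytes):
    # Password -> 64 bytes: one half wraps the master key, the other authenticates it.
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return dk[:32], dk[32:]

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for the drive's AES."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap(master_key: bytes, password: str) -> dict:
    """Model of the record the controller keeps once a password is set."""
    salt = os.urandom(16)
    enc_key, mac_key = _keys(password, salt)
    wrapped = xor_stream(enc_key, master_key)
    return {"salt": salt, "wrapped": wrapped,
            "tag": hmac.new(mac_key, wrapped, "sha256").digest()}

def unwrap(blob: dict, password: str) -> bytes:
    enc_key, mac_key = _keys(password, blob["salt"])
    tag = hmac.new(mac_key, blob["wrapped"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        raise ValueError("wrong password")
    return xor_stream(enc_key, blob["wrapped"])

def change_password(blob: dict, old: str, new: str) -> dict:
    # Only the 32-byte key is re-encrypted; the data on the disk is never touched.
    return wrap(unwrap(blob, old), new)

if __name__ == "__main__":
    master_key = os.urandom(32)  # fixed for the life of the drive
    sectors = xor_stream(master_key, b"constructed sample sector contents")
    blob = wrap(master_key, "first password")
    blob = change_password(blob, "first password", "second password")
    print(xor_stream(unwrap(blob, "second password"), sectors))
    blob = None  # key record lost or erased: 'sectors' can no longer be decrypted
```

Losing `blob` models both the failed bridge chip and the erase case: the ciphertext in `sectors` is intact but nothing can decrypt it.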