Technical Advisory 964-1

This Technical Advisory describes an issue which may or may not affect the customer’s product

Intel Technical Advisory TA-0964-1

5200 NE Elam Young Parkway

Hillsboro, OR 97124

October 8, 2010

Potential Data loss when using Disk Encryption RAID Controllers or

Controllers/Modules when attached Self Encrypting Drives contain

data and a AXXRPFKDE Activation Key is Added and/or Encryption is

enabled.

Information in this document is provided in connection with Intel products. No license, express or implied, by estoppel or otherwise,

to any intellectual property rights is granted by this document. Except as provided in Intel's Terms and Conditions of Sale for such

products, Intel assumes no liability whatsoever, and Intel disclaims any express or implied warranty, relating to sale and/or use of

Intel products including liability or warranties relating to fitness for a particular purpose, merchantability, or infringement of any

patent, copyright or other intellectual property right. Intel products are not intended for use in medical, life saving, or life sustaining

applications. Intel may make changes to specifications and product descriptions at any time, without notice. The Intel products

described herein may contain design defects or errors known as errata which may cause the product to deviate from published

specifications. Current characterized errata are available on request.

Products Affected

• RS2BL080DE

• RS2PI008DE

• RS2BL080

• RS2BL040

• RS2PI008

• RS2MB044

• RS2SG244

• RS2WG160

• RS2MH080

Description

This affects customers that do not encrypt their self encrypting hard drives prior to Operating System

installation or Data Storage use. Data may become unavailable when an unsecured logical volume is secured

after initial creation and data is deployed onto the disk. This is dependent on the configuration of the data

bands on the SED(s) that make up the volume before it is secured.

Root Cause

SED Drives may support many data bands. Each band itself has a unique password and encryption key. Most

drives available today come with 2 bands; Band 0 is the global band and always encompasses the entire drive

per the TCG spec, and Band 1 is configured as a user band with no Logical Block Addressing (LBA) range

specified. Even when bands are unsecured (original factory setting), each write provided to the band is

encrypted using the band’s specific key to encrypt the data as it is written to the disk. When (MR) MegaRAID

secures a Virtual Drive (VD), MR resets the user band (band 1) to the full LBA range. Any subsequent read

PAGE 1
This Technical Advisory describes an issue which may or may not affect the customer’s product Intel Technical Advisory TA-0964-1 5200 NE Elam Young Parkway Hillsboro, OR 97124 October 8, 2010 Potential Data loss when using Disk Encryption RAID Controllers or Controllers/Modules when attached Self Encrypting Drives contain data and a AXXRPFKDE Activation Key is Added and/or Encryption is enabled. Information in this document is provided in connection with Intel products.
PAGE 2
request will be decrypted using the band 1 key. This means that any data written to disk while Band 0 owned the LBA range is now unreadable. Subsequent securing/un-securing of the SED will always operate within band 1 . So, any data written to disk while blocks were owned by band 0 is no longer readable after LBA range is transferred to band 1. The data is not overwritten when the band ownership changed, but there is no way for the user to change the band association back to band 0 at this time.