Security at the forefront of drive design and manufacturing.
To help protect your drive from unwanted intrusion and control, Western Digital has a comprehensive process and approach to drive security that’s based on a secure enclave.
During manufacturing, enterprise drives are protected by commands authenticated by an in-house Hardware Security Module (HSM).
These commands are:
• Only available within the Western Digital facility
• One-time use
• Limited to a specific drive serial number
The secure boot feature verifies a drive’s firmware is from an authenticated source—every time the drive is booted up. With a multi-stage loader system, each loader stage is responsible for loading and verifying the next image before transferring control to the next image. This implements a chain-of-trust during the boot process, enabled by a secure enclave.
The secure download feature ensures that only Western Digital signed firmware is accepted by a drive. A digital signature algorithm is used to verify the firmware signatures. To guarantee cryptographic separation, unique keys are used for different customers and security models. Additionally, secure rollback prevention and key revocation features are made available.
When enterprise drives ship out from our manufacturing facilities, all physical and logical debug ports are disabled. Commands to enable any debug capability on the drive are authenticated by the HSM. In addition, there are documented field failure analysis capabilities that utilize the same authentication mechanism.
On top of internal validation of our security processes, we work with trusted third parties to audit device integrity and data-at-rest protection claims. These third party audits confirm that we have sound development practices, with strong supporting documentation and implementation.
References to certain features or services do not imply that they will be made available in all countries or an all products.