Protect Your Drive
Security at the forefront of drive design and manufacturing.
4 Pillars of Security
To help protect your drive from unwanted intrusion and control, Western Digital has a comprehensive
process and approach to drive security that’s based on a secure enclave.
Secure manufacturing
During manufacturing, enterprise drives are protected by commands authenticated by an in-house Hardware Security Module (HSM).
These commands are:
- • Only available within the Western Digital facility
- • One-time use
- • Limited to a specific drive serial number
Secure boot
The secure boot feature verifies a drive’s firmware is from an authenticated source — every time the drive is booted up. With a multi-stage loader system, each loader stage is responsible for loading and verifying the next image before transferring control to the next image. This implements a chain-of-trust during the boot process, enabled by a secure enclave.
Secure download
The secure download feature ensures that only Western Digital signed firmware is accepted by a drive. A digital signature algorithm is used to verify the firmware signatures. To guarantee cryptographic separation, unique keys are used for different customers and security models. Additionally, secure rollback prevention and key revocation features are made available.
Secure diagnostics
When enterprise drives ship out from our manufacturing facilities, all physical and logical debug ports are disabled. Commands to enable any debug capability on the drive are authenticated by the HSM. In addition, there are documented field failure analysis capabilities that utilize the same authentication mechanism.
Third Party Audits
On top of internal validation of our security processes, we work with trusted third parties to audit
device integrity and data-at-rest protection claims. These third party audits confirm that we have sound
development practices, with strong supporting documentation and implementation.
