At CES, Singapore-based ST Electronics was showing off a new security device that can be installed in nearly any notebook computer to protect its data from prying eyes—Digisafe DiskCrypt, a hard-disk enclosure that turns any 1.8-inch micro-SATA device into removable and fully encrypted storage. The enclosure, which is the size of a 2.5" drive, can be used as a drop-in replacement for existing drives.

Some of the biggest data breaches have happened because of lost or stolen storage. I have some personal experience in this department: I've had my personal information potentially exposed on a few occasions now, including once in 2006 by the theft of a laptop and unencrypted external drive from an employee of the Department of Veterans Affairs. As a result, at-rest encryption of data has become a major issue for companies trying to prevent data breaches from laptops that grow legs, lest they run afoul of Sarbanes-Oxley, HIPAA, or other regulations.

One solution is encrypting the contents of the drive with software like BitLocker or Mac OS X's FileVault. But even with AES, software-based approaches aren't always a deterrent to a determined attacker: while the volume is mounted, the key sits in the PC's RAM, and cold-boot or DMA attacks can sometimes recover it from there.

That's why the Trusted Computing Group, an industry standards organization focused on security, has been pushing self-encrypting storage as a solution. Self-encrypting drives keep the key in cryptographic firmware on the disk itself, and all of the data on the disk, even the operating system, is encrypted. Destroy the key held in the drive's firmware and the drive is as good as erased, since nothing on it can practically be recovered without it.

DiskCrypt takes a similar approach, providing firmware within the enclosure that performs pass-through encryption and decryption. It uses AES, and its cryptographic module is certified to NIST FIPS 140-2 Level 1. That is the lowest of the standard's four levels: the algorithms are validated, but the module is not required to show tamper evidence or enforce role-based authentication, and no FIPS 140-2 level covers classified information, only sensitive but unclassified data. The encryption module is available in 128-bit electronic codebook (ECB) and 256-bit ECB or cipher-block chaining (CBC) versions. That choice matters more than the key length: ECB encrypts every 16-byte block independently, so two identical blocks of plaintext produce identical ciphertext and the structure of the stored data (empty regions, repeated records, file-format headers) stays visible on the platters. The CBC option is the one to order; the disk-encryption mode used by current software products, XTS, isn't offered at all.
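To make the ECB-versus-CBC difference concrete, here is an added example (not code from the page or from ST Electronics) that encrypts a constructed eight-sector "disk image" both ways with AES-256 and counts how many distinct ciphertext blocks come out. The image, the throwaway key and the per-sector IV scheme (sector number as IV) are all assumptions made for the demonstration; the page says nothing about how the enclosure derives its IVs.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const (
	sectorSize = 512
	numSectors = 8
)

// A fixed throwaway key for the demonstration, not a real DiskCrypt key.
var demoKey = bytes.Repeat([]byte{0x42}, 32) // 32 bytes selects AES-256

// sampleImage builds a constructed 8-sector "disk image": every sector is
// zero-filled (as unused space would be) except sectors 2 and 5, which hold
// identical copies of one 512-byte record made of 32 distinct 16-byte fields.
func sampleImage() []byte {
	img := make([]byte, sectorSize*numSectors)
	record := make([]byte, sectorSize)
	for i := 0; i < sectorSize/16; i++ {
		copy(record[i*16:], fmt.Sprintf("%-16s", fmt.Sprintf("field%02d", i)))
	}
	copy(img[2*sectorSize:], record)
	copy(img[5*sectorSize:], record)
	return img
}

// encryptECB encrypts the image block by block with no chaining, the way a
// pure ECB module does: equal plaintext blocks give equal ciphertext blocks.
func encryptECB(block cipher.Block, data []byte) []byte {
	out := make([]byte, len(data))
	bs := block.BlockSize()
	for i := 0; i+bs <= len(data); i += bs {
		block.Encrypt(out[i:i+bs], data[i:i+bs])
	}
	return out
}

// encryptCBC encrypts each sector as its own CBC chain, using the sector
// number as the IV. This simplistic IV scheme is an assumption for the
// example; it is enough to show why chaining hides repetition.
func encryptCBC(block cipher.Block, data []byte) []byte {
	out := make([]byte, len(data))
	for s := 0; s*sectorSize < len(data); s++ {
		iv := make([]byte, block.BlockSize())
		binary.BigEndian.PutUint64(iv[8:], uint64(s))
		lo, hi := s*sectorSize, (s+1)*sectorSize
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[lo:hi], data[lo:hi])
	}
	return out
}

// distinctBlocks counts how many different 16-byte ciphertext blocks appear
// in ct. A low count on a large image means plaintext structure is leaking.
func distinctBlocks(ct []byte) int {
	seen := make(map[[16]byte]struct{})
	for i := 0; i+16 <= len(ct); i += 16 {
		var b [16]byte
		copy(b[:], ct[i:i+16])
		seen[b] = struct{}{}
	}
	return len(seen)
}

// sectorsEqual reports whether sectors a and b of ct carry identical ciphertext.
func sectorsEqual(ct []byte, a, b int) bool {
	return bytes.Equal(ct[a*sectorSize:(a+1)*sectorSize], ct[b*sectorSize:(b+1)*sectorSize])
}

// leakageCounts encrypts the sample image both ways and returns the number of
// distinct ciphertext blocks under ECB and under CBC (256 blocks in total).
func leakageCounts() (ecb, cbc int) {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		panic(err)
	}
	img := sampleImage()
	return distinctBlocks(encryptECB(block, img)), distinctBlocks(encryptCBC(block, img))
}

func main() {
	block, _ := aes.NewCipher(demoKey)
	img := sampleImage()
	ecb, cbc := encryptECB(block, img), encryptCBC(block, img)
	fmt.Printf("blocks in image: %d\n", len(img)/16)
	fmt.Printf("ECB: %d distinct ciphertext blocks; sectors 2 and 5 identical: %v\n",
		distinctBlocks(ecb), sectorsEqual(ecb, 2, 5))
	fmt.Printf("CBC: %d distinct ciphertext blocks; sectors 2 and 5 identical: %v\n",
		distinctBlocks(cbc), sectorsEqual(cbc, 2, 5))
}
```

Under ECB only 33 of the 256 ciphertext blocks are distinct (one value for every zeroed block, 32 for the record), and sectors 2 and 5 come out byte-for-byte identical, so anyone holding the bare drive can see which sectors are empty and which files are copies of each other. Under CBC all 256 blocks differ and the two record sectors look unrelated. CBC with a predictable per-sector IV has its own known weaknesses, which is why purpose-built disk-encryption modes exist, but it does not leak structure the way ECB does.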

Before boot, DiskCrypt requires a USB dongle to be plugged in to pass the key, and it can optionally be configured to also require the user to enter a password, giving two-factor authentication. That option is worth enabling: with the dongle alone, a laptop stolen together with the bag holding its dongle is no better protected than an unencrypted one. The hardware can handle up to 150 MB/s of data throughput, so once it has been unlocked it is completely transparent to the operating system. ST Electronics' deputy director Jimmy Neo claimed the encryption module has no impact on read/write performance. That holds for a spinning 1.8-inch drive, which won't approach the ceiling, but a fast SATA SSD could be held back by it.

All this is pretty standard for a self-encrypting drive. The main advantage of DiskCrypt is that it can be put into nearly any existing notebook. If there's a drive failure, a need to move from hard disk to SSD, or just a wish to swap out the drive, the enclosure can be quickly opened and the storage device popped out. The bare drive holds nothing but ciphertext, so separated from the enclosure and the dongle that supplies its key, it is practically the same as destroyed.