Security at the forefront of drive design and manufacturing.
To help protect your drive from unwanted intrusion and control, Western Digital has a comprehensive process and approach to drive security that’s based on a secure enclave.
During manufacturing, enterprise drives are protected by commands authenticated by an in-house Hardware Security Module (HSM).
These commands are:
• Only available within the Western Digital facility
• One-time use
• Limited to a specific drive serial number
The secure boot feature verifies that a drive's firmware is from an authenticated source every time the drive is booted up. With a multi-stage loader system, each loader stage is responsible for loading and verifying the next image before transferring control to it. This implements a chain of trust during the boot process, enabled by a secure enclave.
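A minimal model of the multi-stage verification described above, as an added example that is not Western Digital's code. It assumes each stage embeds the SHA-256 digest of the next image and that the first digest is held in immutable storage; the page does not say how stages are verified, and production firmware would typically check signatures instead. The names build_chain and boot, the image layout and the sample payloads are constructed for illustration.

```python
import hashlib
import hmac

DIGEST_LEN = 32
END_OF_CHAIN = b"\x00" * DIGEST_LEN  # assumed marker: final stage has no successor


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(payloads):
    """Build stage images back to front.

    Assumed layout: image = SHA-256 of the next image || payload.
    Returns (root_digest, images); root_digest models the value held in
    immutable storage that the first verification starts from.
    """
    images, next_digest = [], END_OF_CHAIN
    for payload in reversed(payloads):
        image = next_digest + payload
        images.insert(0, image)
        next_digest = sha256(image)
    return next_digest, images


def boot(root_digest, images):
    """Verify each image before 'running' it. Returns (stages_run, error)."""
    expected, stages_run = root_digest, []
    for index, image in enumerate(images):
        if not hmac.compare_digest(sha256(image), expected):
            return stages_run, f"stage {index} failed verification"
        stages_run.append(index)        # control transfers only after the check
        expected = image[:DIGEST_LEN]   # the verified stage names its successor
    if expected != END_OF_CHAIN:
        return stages_run, "chain truncated: next stage missing"
    return stages_run, None


if __name__ == "__main__":
    # Constructed sample payloads, not real firmware.
    root, chain = build_chain([b"loader-1", b"loader-2", b"main-firmware"])
    print(boot(root, chain))                             # intact chain
    print(boot(root, chain[:2] + [chain[2] + b"\x90"]))  # modified last image
    print(boot(root, chain[:2]))                         # last image removed
```

A change to any image stops the boot at the stage before it, because the digest recorded in the already-verified stage no longer matches.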
The secure download feature ensures that only Western Digital signed firmware is accepted by a drive. A digital signature algorithm is used to verify the firmware signatures. To guarantee cryptographic separation, unique keys are used for different customers and security models. Additionally, secure rollback prevention and key revocation features are made available.
When enterprise drives ship out from our manufacturing facilities, all physical and logical debug ports are disabled. Commands to enable any debug capability on the drive are authenticated by the HSM. In addition, there are documented field failure analysis capabilities that utilize the same authentication mechanism.
On top of internal validation of our security processes, we work with trusted third parties to audit device integrity and data-at-rest protection claims. These third-party audits confirm that we have sound development practices, with strong supporting documentation and implementation.
Disclosures
References to certain features or services do not imply that they will be made available in all countries or on all products.