Data Encryption

Secure your data with AES-256 encryption

Data Security Technologies, 2019-06-26

Hardware encryption is the process of encrypting data with a dedicated engine inside the storage device’s controller — rather than on the host CPU — so the cipher key and data stay protected even if the media is removed or the host is compromised.

Key Takeaways

  • It protects industrial edge systems because AES-256 encryption runs inside the device, keeping data-at-rest safe even when a card or drive is physically removed, the host OS is compromised, or the device is deployed in an unattended, remote location.
  • It keeps encryption off the host’s critical path. Because encryption and decryption run inline on a dedicated hardware engine in the controller — not on the host processor — there is no host CPU overhead, and throughput impact is negligible under normal read/write operation.
  • Hardware-encrypted removable storage (microSD/SD cards and SSDs) reduces industrial data-security risk by keeping data unreadable if the card or drive is lost, stolen, or cloned, and by keeping the encryption key inside the device’s secure hardware.
  • ATP SecurEncrypt delivers AES-256 hardware encryption on SecurStor-enabled flash storage — implemented as Hardware AES-256 XTS encryption on ATP’s encrypted microSD/SD cards — and is one layer of the broader ATP SecurStor security suite that also guards against unauthorized access, illegal copying, and firmware tampering.

What Is AES Encryption?

Cybercriminals are always on the prowl, looking for weak links to break and crack. How can users, especially in this increasingly connected world, have complete assurance that their data is safe, wherever it may be located?

Encryption is one of the most common ways to protect sensitive data. Encryption works by taking plain text and converting it into cipher text, which is made up of seemingly random characters. Only those who have the special key can decrypt it. AES uses symmetric key encryption, which involves the use of only one secret key to cipher and decipher information.

The Advanced Encryption Standard (AES) is the first and only publicly accessible cipher approved by the US National Security Agency (NSA) for protecting top secret information. AES was first called Rijndael after its two developers, Belgian cryptographers Vincent Rijmen and Joan Daemen.

Figure 1. Symmetric Key Encryption: A single secret key is used both to encrypt plain text into cipher text and to decrypt cipher text back into plain text.

Why AES-256 Is Practically Unbreakable

AES-256, which has a key length of 256 bits, uses the largest key size AES supports and is practically unbreakable by brute force with current computing power, making it the strongest encryption standard. The following table shows that the number of possible keys grows exponentially with the key size.

Key Size            Possible Combinations
1 bit               2
2 bits              4
4 bits              16
8 bits              256
16 bits             65,536
32 bits             4.2 x 10^9
56 bits (DES)       7.2 x 10^16
64 bits             1.8 x 10^19
128 bits (AES)      3.4 x 10^38
192 bits (AES)      6.2 x 10^57
256 bits (AES)      1.1 x 10^77

Table 1. Key sizes and corresponding possible combinations to crack by brute force attack. (Source: EE Times)
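To put the table's "practically unbreakable" claim into concrete figures, the following Go program (an added example, not code from the original article or from ATP/EE Times) computes the exact key space 2^n for each key size and converts it into the worst-case time an attacker would need to try every key. The trial rate of one trillion keys per second is a constructed, assumed figure for illustration only; the function names keyCombinations and bruteForceYears are this example's own.

```go
package main

import (
	"fmt"
	"math/big"
)

// keyCombinations returns the exact number of keys of the given length, 2^bits,
// i.e. the "Possible Combinations" column of Table 1 without rounding.
func keyCombinations(bits uint) *big.Int {
	return new(big.Int).Lsh(big.NewInt(1), bits)
}

// bruteForceYears estimates the worst-case time to try every key at the given
// rate (keys per second). An attacker expects to succeed after about half of
// the key space on average, so the true expected value is roughly half this.
func bruteForceYears(bits uint, guessesPerSecond float64) float64 {
	keys, _ := new(big.Float).SetInt(keyCombinations(bits)).Float64()
	const secondsPerYear = 365.25 * 24 * 60 * 60
	return keys / guessesPerSecond / secondsPerYear
}

func main() {
	// Assumed attacker rate: a constructed figure of one trillion key trials
	// per second, chosen only to make the scale of the key space visible.
	const rate = 1e12
	for _, bits := range []uint{32, 56, 64, 128, 192, 256} {
		fmt.Printf("%3d bits: %s keys, %.3g years to exhaust at %.0e keys/s\n",
			bits, keyCombinations(bits).String(), bruteForceYears(bits, rate), rate)
	}
}
```

At the assumed rate a 56-bit DES key space is exhausted in well under a day, while AES-256 requires on the order of 10^57 years, which is why key length alone settles the brute-force question and why the practical risk moves to key handling rather than the cipher.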

SecurEncrypt: Rock-Solid AES-256 Encryption on ATP Flash Storage Devices

SecurStor-enabled ATP flash storage devices feature SecurEncrypt with AES-256 encryption to safeguard data against unauthorized access.

They make use of a hardware-based set of security modules and an AES engine. When the host writes data to the flash storage device, a Random Number Generator (RNG) generates the 256-bit symmetric cipher key, which is passed to the AES engine. The AES engine encrypts the plain text (source data) into cipher text (encrypted data) and sends it to the NAND flash for storage.

Inversely, if the host wants to retrieve data from the storage device, the AES engine decrypts the cipher text in the NAND flash, and then transmits data to the host as plain text. The encryption/decryption process is done at the flash level and does not require host intervention, so there is no host CPU overhead and throughput impact is negligible under normal read/write operation.

Figure 2. AES-256 Encryption Mechanism in ATP SecurEncrypt: A Random Number Generator (RNG) generates the 256-bit symmetric cipher key for the AES engine, which encrypts data written to NAND flash and decrypts it upon retrieval — all at the flash level, without host intervention.

ATP SecurStor: Protection Beyond Encryption

SecurEncrypt using AES-256 encryption is one component of ATP SecurStor, a multi-level security suite that protects data with a variety of options beyond data-at-rest encryption. Customers can choose from features that can be customized according to their application-specific requirements to guard against unauthorized access, illegal copying and other security threats to ensure data, OS and firmware integrity at all times.

Why Hardware Encryption Matters for Industrial Edge Systems

Hardware encryption is the process of encrypting data with a dedicated engine inside the storage device’s controller, rather than on the host CPU. Industrial edge systems — gateways, controllers, surveillance nodes, and automation equipment — increasingly operate in unattended, physically exposed, and network-connected locations, which makes them attractive targets: an attacker may gain physical access to a device, remove its storage media, or attempt to compromise the host operating system.

Hardware encryption addresses these risks by performing AES-256 encryption directly within the storage controller. The 256-bit cipher key is generated and stored inside the device, so even if the storage is removed and read on another machine, the stored data remains cipher text that is practically unbreakable by brute force. Because the encryption engine is isolated from the host, the key is not exposed to malware, a compromised OS, or memory-scraping attacks running on the edge device.

Because encryption also runs inline on a dedicated hardware engine in the controller rather than on the host processor, there is no host CPU overhead and throughput impact is negligible under normal operation — an important property for edge workloads that must process data in real time.

In ATP SecurEncrypt-enabled devices, the mechanism works as follows:

  1. A Random Number Generator (RNG) creates the 256-bit symmetric cipher key inside the device.
  2. The AES engine encrypts incoming data into cipher text before it is written to NAND flash.
  3. On read, decryption happens transparently — no host intervention is required.
  4. Raw NAND read-back yields only cipher text, so removed media cannot be read on another machine.

How Hardware-Encrypted Removable Storage Improves Industrial Data Security

Removable and portable storage — encrypted microSD/SD cards and SSDs — is widely used in industrial settings for firmware updates, configuration transfers, data logging, and moving data across air-gapped or isolated networks, which is precisely what makes it a common point of data leakage.

Hardware-encrypted storage improves security by ensuring that all data written to the card or drive is automatically encrypted with AES-256 inside the device’s controller, with no dependence on host software or user action. (ATP’s encrypted microSD/SD cards specifically implement Hardware AES-256 XTS encryption — the block-cipher mode purpose-built for data-at-rest.) If the media is lost, stolen, or left behind, the contents stay unreadable without the key, so a misplaced card or drive does not become a data breach. The data-encryption key is generated and stored inside the device’s secure hardware rather than on the host, which protects it from extraction by malware on any machine the media is inserted into, and because raw NAND read-back yields only cipher text, the data is not recoverable by reading the flash directly.

As with all ATP SecurEncrypt-enabled flash storage, encryption and decryption run inline on a dedicated hardware engine, so the security layer stays off the host CPU and does not complicate the workflow for field technicians. For the strongest posture, ATP’s encrypted microSD/SD cards and SSDs can be combined with the additional protections in ATP SecurStor — such as Multi-Layer Authentication and copy protection — to guard against unauthorized access and illegal duplication. For a primer on what encrypting an SD card actually means, see What encrypting an SD card means.
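The article describes the SecurEncrypt mechanism (an RNG produces the key, the AES engine encrypts each write before it reaches NAND and decrypts on read) and names AES-256 XTS as the mode used on the encrypted cards. The Go program below is an added example, not ATP's firmware or any code from the article, that models that data path in software so the properties of XTS can be seen directly: it builds the IEEE 1619 XTS construction on top of Go's standard crypto/aes, uses crypto/rand as a stand-in for the device RNG, and encrypts whole 512-byte sectors. The type and function names (xtsCipher, newXTS, EncryptSector, DecryptSector, newDeviceKey) are this example's own. Ciphertext stealing for sector sizes that are not a multiple of 16 bytes is left out because storage sectors are whole multiples of the AES block size.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// xtsCipher holds the two AES block ciphers XTS needs: k1 encrypts the data
// blocks, k2 turns the sector number into the per-sector tweak.
type xtsCipher struct {
	k1, k2 cipher.Block
}

// newXTS splits a 64-byte key into two AES-256 keys (AES-256-XTS).
func newXTS(key []byte) (*xtsCipher, error) {
	if len(key) != 64 {
		return nil, fmt.Errorf("AES-256-XTS needs a 64-byte key, got %d", len(key))
	}
	k1, err := aes.NewCipher(key[:32])
	if err != nil {
		return nil, err
	}
	k2, err := aes.NewCipher(key[32:])
	if err != nil {
		return nil, err
	}
	return &xtsCipher{k1: k1, k2: k2}, nil
}

// mulAlpha multiplies the 128-bit tweak by x in GF(2^128) using the IEEE 1619
// little-endian convention: shift left one bit across the 16 bytes and reduce
// with the polynomial x^128 + x^7 + x^2 + x + 1 (0x87).
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := 0; i < 16; i++ {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// process encrypts or decrypts one whole sector. XTS is length-preserving:
// each 16-byte block is XORed with a tweak derived from the sector number,
// passed through AES, and XORed with the tweak again; the tweak is then
// multiplied by alpha so every block position in the sector gets its own.
func (x *xtsCipher) process(sector uint64, in []byte, decrypt bool) ([]byte, error) {
	if len(in) == 0 || len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("sector length must be a non-zero multiple of %d bytes", aes.BlockSize)
	}
	var tweak [16]byte
	binary.LittleEndian.PutUint64(tweak[:8], sector) // data unit number, little-endian
	x.k2.Encrypt(tweak[:], tweak[:])                 // T = E_k2(sector)

	out := make([]byte, len(in))
	for off := 0; off < len(in); off += aes.BlockSize {
		var blk [16]byte
		for i := range blk {
			blk[i] = in[off+i] ^ tweak[i]
		}
		if decrypt {
			x.k1.Decrypt(blk[:], blk[:])
		} else {
			x.k1.Encrypt(blk[:], blk[:])
		}
		for i := range blk {
			out[off+i] = blk[i] ^ tweak[i]
		}
		mulAlpha(&tweak)
	}
	return out, nil
}

func (x *xtsCipher) EncryptSector(sector uint64, plaintext []byte) ([]byte, error) {
	return x.process(sector, plaintext, false)
}

func (x *xtsCipher) DecryptSector(sector uint64, ciphertext []byte) ([]byte, error) {
	return x.process(sector, ciphertext, true)
}

// newDeviceKey stands in for the controller's RNG step: a fresh random key
// that, in the real device, never leaves the hardware.
func newDeviceKey() ([]byte, error) {
	key := make([]byte, 64)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, err := newDeviceKey()
	if err != nil {
		panic(err)
	}
	dev, err := newXTS(key)
	if err != nil {
		panic(err)
	}
	sector := bytes.Repeat([]byte{0x41}, 512) // constructed sample: 512 identical bytes
	c0, _ := dev.EncryptSector(0, sector)
	c1, _ := dev.EncryptSector(1, sector)
	p, _ := dev.DecryptSector(0, c0)
	fmt.Printf("ciphertext length %d; sectors 0 and 1 equal: %v; blocks 0 and 1 of sector 0 equal: %v; round trip ok: %v\n",
		len(c0), bytes.Equal(c0, c1), bytes.Equal(c0[:16], c0[16:32]), bytes.Equal(p, sector))
}
```

Two things are worth seeing in the output: the same plaintext written to two different sectors, and even two identical 16-byte blocks inside one sector, produce different cipher text, so raw NAND read-back reveals neither content nor which sectors hold the same data; and the cipher text is exactly as long as the plaintext, which is what lets the mode run inline on a sector-addressed device with no space for IVs or tags. That last property is also the caveat: XTS provides confidentiality only, not integrity, so detecting modification of stored data needs a separate mechanism such as the firmware-integrity checks the article attributes to SecurStor.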

Conclusion

AES-256 encryption remains the strongest practical defense for data at rest, and ATP’s hardware-based SecurEncrypt delivers it with no host CPU overhead and negligible throughput impact. For protection beyond encryption — tailored to your application-specific threat model — explore SecurStor-enabled ATP flash products on the ATP website or contact an ATP Representative.

Frequently Asked Questions (FAQ)

Q1: Why is hardware encryption important for industrial edge systems?

A: Industrial edge systems often run unattended in physically exposed, network-connected locations, which exposes them to physical theft of storage media and to attacks on the host OS. Hardware encryption performs AES-256 encryption inside the storage controller and stores the key inside the device, so data-at-rest stays protected even if the media is removed or the host is compromised. Because a dedicated AES engine handles the work in the controller, there is no host CPU overhead and throughput impact is negligible — important for real-time edge processing.

Q2: How does hardware-encrypted removable storage improve industrial data security?

A: Hardware-encrypted microSD/SD cards and SSDs automatically encrypt everything written to them with AES-256 inside the device (AES-256 XTS mode on ATP’s encrypted microSD/SD cards), independent of host software. If the card or drive is lost or stolen, its contents remain unreadable without the key, and because the data-encryption key is generated and stored inside the device’s secure hardware, malware on a connected host cannot extract it. This makes removable media far safer for firmware updates, data logging, and transfers across isolated networks.

Q3: Is hardware encryption more secure than software encryption?

A: Hardware encryption generally offers a stronger security boundary because the key and the encryption engine are isolated from the host, reducing exposure to OS-level malware and key-extraction attacks. It also runs inline in the controller instead of consuming host CPU cycles, so there is no host CPU overhead — a meaningful advantage for performance-sensitive industrial and edge workloads.

Q4: Does hardware-based AES-256 encryption slow down data transfer?

A: Hardware encryption runs inline on a dedicated AES engine in the controller and does not require host intervention, so there is no host CPU overhead and throughput impact is negligible under normal read and write operations.

Q5: How does ATP implement AES-256 hardware encryption?

A: ATP SecurEncrypt uses a hardware-based set of security modules and an AES engine implementing AES-256 encryption (Hardware AES-256 XTS on ATP’s encrypted microSD/SD cards). A Random Number Generator creates the 256-bit symmetric cipher key, the AES engine encrypts incoming data into cipher text before storing it in NAND flash, and reverses the process transparently on read. SecurEncrypt is one component of the broader ATP SecurStor security suite, which adds further protection — including Multi-Layer Authentication — against unauthorized access, illegal copying, and firmware tampering.
