Intel® Core™ Processor (Series 3)

Formerly known as Wildcat Lake, Datasheet, Volume 1 of 2

ID Date Version Classification
913965 05/19/2026 001 Public

Intel® Total Storage Encryption (Intel® TSE)

Intel® Total Storage Encryption (Intel® TSE) protects data on a PCIe-NVMe device by encrypting it with Intel inline encryption.

Intel® Total Storage Encryption, which is enabled through BIOS configuration, ensures that data is encrypted both on the storage device and in transit over external PCIe buses, and exists in plaintext only inside the Intel processor.

Intel® Total Storage Encryption uses the AES-XTS algorithm with a 256-bit data encryption key and a 256-bit tweak key. Data is encrypted when it is written from system memory to storage and decrypted when it is read from storage into system memory.
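The AES-XTS construction named above, as an added sketch that is not Intel's code and not part of the datasheet. It uses the Python `cryptography` package to show how a 256-bit data key and a 256-bit tweak key combine with a per-sector tweak. The 4096-byte block size, the sector-number tweak encoding and all function names are assumptions; the datasheet does not specify how Intel® TSE derives its tweak value.

```python
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR_SIZE = 4096  # assumption: logical block size used for this sketch


def xts_key(data_key: bytes, tweak_key: bytes) -> bytes:
    """Join the 256-bit data key and 256-bit tweak key into one 512-bit XTS key."""
    if len(data_key) != 32 or len(tweak_key) != 32:
        raise ValueError("AES-256-XTS needs a 32-byte data key and a 32-byte tweak key")
    if data_key == tweak_key:
        raise ValueError("data key and tweak key must be different")
    return data_key + tweak_key


def sector_tweak(sector: int) -> bytes:
    """Assumption: the tweak is the sector number as 16 little-endian bytes."""
    return sector.to_bytes(16, "little")


def encrypt_sector(key: bytes, sector: int, plaintext: bytes) -> bytes:
    enc = Cipher(algorithms.AES(key), modes.XTS(sector_tweak(sector))).encryptor()
    return enc.update(plaintext) + enc.finalize()


def decrypt_sector(key: bytes, sector: int, ciphertext: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.XTS(sector_tweak(sector))).decryptor()
    return dec.update(ciphertext) + dec.finalize()


def demo() -> dict:
    # Constructed keys and data, for illustration only.
    key = xts_key(bytes(range(32)), bytes(range(32, 64)))
    block = b"constructed sample record".ljust(SECTOR_SIZE, b"\x00")
    c7 = encrypt_sector(key, 7, block)
    c8 = encrypt_sector(key, 8, block)
    return {
        "round_trip": decrypt_sector(key, 7, c7) == block,
        "length_preserved": len(c7) == len(block),
        "tweak_changes_ciphertext": c7 != c8,
        "wrong_tweak_fails": decrypt_sector(key, 8, c7) != block,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Because the ciphertext is exactly as long as the plaintext, XTS leaves no room for an integrity tag: it provides confidentiality only.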

Software can wrap the 256-bit keys using the Platform Bind Key BLOB (PBNDKB) instruction and get the key handle wrapped by a platform-specific wrapping key. Once the software has obtained the handle, it can delete the original keys from memory. Software can also program the 256-bit keys, using either the key handles or plaintext keys, through the Platform Config (PCONFIG) instruction.

The Intel® Total Storage Encryption driver or the UEFI Inline Cryptographic Interface Protocol programs the keys through the PBNDKB/PCONFIG instructions and creates the Intel® Total Storage Encryption table in system memory. The Intel® Total Storage Encryption hardware looks up this table to identify the Key ID with tweak value, based on the physical address accessed through the storage driver of the PCIe-NVMe device. BitLocker could use Intel® Total Storage Encryption as a security enhancement through BitLocker Drive Encryption configuration, in addition to OS-managed software encryption using the AES-NI instruction set.

Notes:
  • Intel® TSE is currently a vPro-only feature and should be enabled on any NVMe device attached to the platform PCIe port, including PCH ports.
  • Intel® TSE works with PCIe NVMe storage devices off CPU and PCH Root Ports.
  • Intel® TSE works with one PCIe NVMe storage device (regardless of Processor/PCH).