Intel vPro Expert Center Blog

Encryption technology as we know it today had its beginnings over 4000 years ago, stemming back to Egyptian hieroglyphs and cipher codes, and Intel is working on delivering a hardware-based data encryption technology that makes it simpler for desktop users to secure data. Intel's Encryption Technology (codename Danbury) is due to be released with the next-generation vPro "Eaglelake" chipset in 2008. As you can see in the image, the next generation of vPro technology will contain a 45nm CPU, the Eaglelake chipset, Danbury Technology, and Intel GbE network components.

http://img515.imageshack.us/img515/3885/inteldanbury1gf9.jpg

Most likely, if you've heard about Intel Danbury Technology, it was during IDF 2007, and some software vendors (Credant & Wave Systems) have already announced their partnerships for the yet-to-be-released technology.

Intel's Director of Business Client Architecture, Steve Grobman, gave a very informative audio cast at IDF; if you missed it, you can listen here. Steve was also recently interviewed for the article "Intel adds Encryption to vPro", which elaborates a bit more on the technology. Danbury Technology will help IT administrators deal with the challenges of data encryption on the desktop.

While I can't divulge too much information, I'd like to bring up some of the key 'look ahead' points of Danbury Technology:

  1. Danbury Technology can work in standalone mode or in conjunction with Intel Active Management Technology (iAMT), as both share the Management Engine "common services" architecture for networking, security, and provisioning tools and applications.
  2. Expect increased performance from a hardware-based encryption solution versus existing software encryption technologies.
  3. Danbury Technology is OS-agnostic: no OS drivers will be needed for data encryption.
  4. Both in-band and out-of-band remote solutions will work with PBA (Pre-Boot Authentication).
  5. Full drive encryption is available for SATA and e-SATA drives, including Intel Matrix Storage Technology.

So why does Danbury Technology matter to IT/IS administrators? Why would a company want to encrypt its desktop data? If you don't know the answers to those questions, I suggest you check out the Credant Resource Center (login required) or the Wave Systems Trusted Computing Primer.

As more items become available for public consumption, I hope to spread the word through the vPro Expert Center Blog section... so keep reading!

Feb 8, 2008 4:14 PM, Andreas Kuhn (Guest)

Would you mind giving us some in-depth information about the role of the Trusted Platform Module (TPM) within the "Danbury" framework and within AMT 3.0 ?

Feb 11, 2008 11:36 AM, Todd Christ, in response to Andreas Kuhn

Hi Andreas - Danbury won't have interaction with a TPM, but rather utilize an integrated mechanism to control security access.

Danbury will become part of the AMT 5.0 stack and, much like other AMT releases, AMT 5.0 will be backward compatible with previous versions of AMT, but the older versions will not be scalable to the newer platforms.

Feb 16, 2008 8:32 AM, Ronnie (Guest), in response to Todd Christ

In response to Mr Kuhn's question you stated "Danbury won't have interaction with a TPM, but rather utilize an integrated mechanism to control security access." What do you mean by "integrated mechanism" & can you give an example?

Feb 18, 2008 11:38 PM, Andreas Kuhn (Guest), in response to Todd Christ

Mr. Todd,

Thank you for the response. I have a couple of follow-up questions:

1. Upon shut-down, where is (are) the "Danbury" encryption key(s) stored? Since you said that "Danbury" has no interaction with the TPM, I am at a loss.

2. The TPM is integrated into Intel's chip-set. What is the TPM's role in this platform in general?

Feb 20, 2008 5:27 PM, Todd Christ, in response to Andreas Kuhn

Andreas/Ronnie - there are several keys/tokens managed by Danbury Technology. They are stored in various locations; most notably the hard drive(s), encrypted in firmware and by the encryption software vendor.

A TPM can be used on a Danbury Enabled platform for everyday TPM usage, just like today's model of trusted computing, i.e. fingerprint scanners, power-on passwords, etc. The TPM is not used for the Danbury key storage.

Jul 22, 2008 6:26 AM, Jonathan Lazar (Guest)

How does this stack up to FDE HDDs like those from Fujitsu, Seagate, Hitachi, etc.? I see that currently Secude (http://secude.com) and Wave (wave.com) are already supporting this and it is targeted at laptops, not desktops.

Jul 23, 2008 2:18 PM, snrichar, in response to Jonathan Lazar

Intel(r) Anti-Theft Technology (Intel(r) AT, previously codenamed Danbury) brings a new approach to FDE. Intel AT brings platform hardware and firmware that provides the same advantages that other hardware-based approaches, like encrypting HDDs, offer, but adds to that the ability to scale out to multiple drives that leverage the same hardware crypto engine. This means there is no dependence on a particular drive vendor or drive model as you add or replace drives in a system.

In addition, through tight integration with Intel(r) AMT, Intel AT offers the ability for an authenticated admin to access the disk remotely for management purposes, even if the OS is down. This means a machine can, for example, be deployed with FDE, yet still have patches remotely applied that require multiple reboots - without the user having to authenticate locally. Patches can also be pushed to machines that are powered down at night (no need to leave a local user logged in and the FDE in an "unlocked" state). This is a major improvement on most of today's solutions, in that local authentication does not need to be disabled to facilitate remote management as is done with some of today's products. Instead, you have full local user authentication and the ability to remotely manage - manageability AND security.

Intel AT will be coming to both desktops and notebooks, as many enterprises want to apply encryption policy across all PCs regardless of form factor. While laptops are a major driver of the need for FDE, desktops still present real risk and should also be protected.

Intel is working with leading security and system management software vendors to deliver solutions that meet the complete set of enterprise needs. Wave, McAfee/SafeBoot and Credant are among our announced partners for this technology.
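The property that both the post's point 4 (in-band and out-of-band remote solutions working alongside pre-boot authentication) and the reply above describe, namely that the local user's PBA credential and an authenticated administrator's remote path both open the same encrypted disk without either one being disabled, is the multi-slot key-wrapping pattern that full-disk encryption systems use in general: one data-encryption key (DEK) is stored only in wrapped form, once per credential. The following Python is an added illustration of that pattern, not code from this blog, from Intel, or from any of the vendors named, and it says nothing about how Intel AT or Danbury actually stores its keys or tokens. The names `wrap`, `unwrap`, `EncryptedVolume`, the HMAC-based wrap construction, the PBKDF2 work factor and the constructed passphrase and admin token are all assumptions of the example; it uses only the standard library so it runs anywhere.

```python
"""Illustrative FDE key hierarchy: one DEK, several independently wrapped key slots
(a local pre-boot passphrase and a management-service token).  Constructed example,
stdlib only; not Intel's, Wave's, McAfee's or Credant's implementation."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERATIONS = 100_000  # assumption: illustrative work factor for the passphrase slot


def _subkey(kek: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific key from the KEK so encryption and MAC never share a key."""
    return hmac.new(kek, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a pseudorandom keystream (illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, dek: bytes) -> bytes:
    """Encrypt-then-MAC the DEK under a key-encryption key; output is nonce || ct || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(_subkey(kek, b"enc"), nonce, len(dek))))
    tag = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    """Check the tag first, then recover the DEK; a wrong credential fails here, not later."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("credential rejected")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(kek, b"enc"), nonce, len(ct))))


class EncryptedVolume:
    """Disk whose data is encrypted under one DEK.  The DEK exists at rest only in
    wrapped form, once per credential slot, so several credentials open the same data."""

    def __init__(self) -> None:
        self._dek = secrets.token_bytes(32)  # lives in the crypto engine / RAM while unlocked
        self.slots: dict[str, tuple[bytes, bytes]] = {}  # name -> (salt or b"", wrapped DEK)

    def add_passphrase_slot(self, name: str, passphrase: str) -> None:
        """Slot for the local user's pre-boot authentication passphrase."""
        salt = os.urandom(16)
        kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS)
        self.slots[name] = (salt, wrap(kek, self._dek))

    def add_token_slot(self, name: str, token_key: bytes) -> None:
        """Slot for a high-entropy key held by the management service (the remote admin path)."""
        self.slots[name] = (b"", wrap(token_key, self._dek))

    def unlock(self, name: str, credential) -> bytes:
        """Return the DEK if the credential opens the named slot, else raise PermissionError."""
        salt, blob = self.slots[name]
        kek = (hashlib.pbkdf2_hmac("sha256", credential.encode(), salt, PBKDF2_ITERATIONS)
               if salt else credential)
        return unwrap(kek, blob)

    def rotate_passphrase(self, name: str, old: str, new: str) -> None:
        """Re-wrap the unchanged DEK under a new passphrase: the disk itself is not re-encrypted."""
        self.unlock(name, old)  # prove the old credential before replacing it
        self.add_passphrase_slot(name, new)

    def revoke_slot(self, name: str) -> None:
        """Drop one credential; the other slots still open the volume."""
        del self.slots[name]


def demo() -> dict:
    """Exercise both unlock paths and return which properties held (all should be True)."""
    vol = EncryptedVolume()
    vol.add_passphrase_slot("user-pba", "correct horse battery staple")  # constructed credential
    admin_token = secrets.token_bytes(32)  # constructed; held by the console, never by the user
    vol.add_token_slot("remote-admin", admin_token)

    results = {
        "user_unlocks": vol.unlock("user-pba", "correct horse battery staple") == vol._dek,
        "admin_unlocks_without_user": vol.unlock("remote-admin", admin_token) == vol._dek,
    }
    try:
        vol.unlock("user-pba", "wrong passphrase")
        results["wrong_passphrase_rejected"] = False
    except PermissionError:
        results["wrong_passphrase_rejected"] = True

    vol.rotate_passphrase("user-pba", "correct horse battery staple", "new passphrase 2008")
    results["rotation_keeps_dek"] = vol.unlock("user-pba", "new passphrase 2008") == vol._dek
    vol.revoke_slot("remote-admin")
    results["user_survives_admin_revoke"] = vol.unlock("user-pba", "new passphrase 2008") == vol._dek
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The design point is in `demo()`: the administrator's slot opens the disk with no knowledge of the user's passphrase, so remote patching while the OS is down does not require weakening local authentication, and rotating or revoking either credential touches only its wrapped copy of the DEK. A real implementation would use a standard key-wrap or AEAD construction and a tweakable mode such as XTS for the sectors themselves; the HMAC keystream here only keeps the example dependency-free.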