The Trusted Computing Group (TCG) said on Tuesday that it has finalized a new draft specification for "trusted storage"--basically any hard drive that uses encryption as a means of protecting data.

This spec, which builds on previously released storage security use cases, will provide the architecture for implementing trust and security services directly on storage devices and is now being made available to the industry for review, according to TCG.

Seagate's Michael Willett, who is a member of the TCG storage work group, says that under the new spec, drive encryption and decryption are performed (in hardware) on the drive behind the SCSI or ATA read/write interface, transparent to the user. In other words, when implemented, the encrypt/decrypt function is always on.

While a trusted storage drive will be able to interact with drives that already encrypt the disk, Willett says having both software and hardware encryption might be redundant.

"They work together, but why do both? Why not use the function directly on the drive in hardware, co-located with the data?" he said in an e-mail.

The group emphasizes that while it is still in draft form, the specification is very close to completion and can be used by various storage and application vendors to begin designing products around now.

While no specific date was given, the group says it expects a finalized specification will be published in the near future.

TCG said the storage specification was developed by more than 60 of the group's 175 member companies and supports security services for a variety of storage devices such as hard drives, flash, tape, and optical devices.

Seagate's encrypting Momentus 5400 FDE.2 hard drive, for example, uses some of the early work in trusted storage, as do Lenovo's latest ThinkPad notebooks.

In fact, the latter computers make use of what is known as a TPM, or trusted platform module, which is a small microcontroller that stores the keys needed to decrypt data.

After a user authenticates him or herself with a password, smart card, or biometric reader, the TPM authorizes the decryption and use of data or applications that have been previously encrypted.

To allow access to the data, however, the TPM needs to interact with a trusted storage device, which can be a flash card or traditional hard drive. In either case, the 'root of trust' is either the server or PC in which the storage controller chip is housed, Willett explained to ExtremeTech's Mark Hachman in a previous interview.
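To make the two ideas above concrete (encryption that is always on behind the read/write interface, and a key that is released only after the user authenticates), here is a small added model of a self-encrypting drive. It is example code written for this page, not Seagate firmware or anything from the TCG draft; the class and method names are invented, an HMAC-SHA256 keystream stands in for the drive's hardware AES engine, and a PBKDF2-derived wrapping key stands in for the TPM sealing the media key to a credential.

```python
import hashlib
import hmac
import secrets

SECTOR_SIZE = 512           # bytes per logical block (assumed; a typical ATA/SCSI sector)
KEY_SIZE = 32               # 256-bit keys
PBKDF2_ITERATIONS = 100_000


def _keystream(key: bytes, lba: int) -> bytes:
    """Per-sector keystream: HMAC-SHA256(key, lba || counter), repeated to fill a sector.
    This is a toy stand-in for the AES engine inside a real drive (assumption)."""
    out = bytearray()
    counter = 0
    while len(out) < SECTOR_SIZE:
        msg = lba.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:SECTOR_SIZE])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingDrive:
    """Hypothetical always-on encrypting drive: the media key is generated inside the
    drive, never crosses the interface, and is forgotten whenever the drive is locked."""

    def __init__(self, sectors: int) -> None:
        self._media_key = secrets.token_bytes(KEY_SIZE)
        self._media = [bytes(SECTOR_SIZE)] * sectors   # the platters hold ciphertext only
        self._salt = secrets.token_bytes(16)
        self._wrapped_key = None                       # media key wrapped under a KEK
        self._tag = None                               # lets unlock() detect a wrong credential
        self._unlocked = False

    def _kek(self, credential: bytes) -> bytes:
        # Credential-derived key-encryption key; models the TPM gating key release.
        return hashlib.pbkdf2_hmac("sha256", credential, self._salt, PBKDF2_ITERATIONS, KEY_SIZE)

    def enroll(self, credential: bytes) -> None:
        """Bind the media key to a user credential (one-time, at provisioning)."""
        kek = self._kek(credential)
        self._wrapped_key = _xor(self._media_key, kek)
        self._tag = hmac.new(kek, self._wrapped_key, hashlib.sha256).digest()
        self._unlocked = True

    def lock(self) -> None:
        """Power-off / lock: the plaintext media key is discarded, only the wrapped copy stays."""
        self._media_key = None
        self._unlocked = False

    def unlock(self, credential: bytes) -> bool:
        """Authenticate; on success the media key is unwrapped and I/O is re-enabled."""
        kek = self._kek(credential)
        tag = hmac.new(kek, self._wrapped_key, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._tag):
            return False
        self._media_key = _xor(self._wrapped_key, kek)
        self._unlocked = True
        return True

    def write(self, lba: int, data: bytes) -> None:
        """Host writes plaintext; the drive encrypts before anything touches the media."""
        if not self._unlocked:
            raise PermissionError("drive is locked")
        if len(data) != SECTOR_SIZE:
            raise ValueError("write exactly one sector")
        self._media[lba] = _xor(data, _keystream(self._media_key, lba))

    def read(self, lba: int) -> bytes:
        """Host reads plaintext; decryption is transparent while the drive is unlocked."""
        if not self._unlocked:
            raise PermissionError("drive is locked")
        return _xor(self._media[lba], _keystream(self._media_key, lba))

    def raw_sector(self, lba: int) -> bytes:
        """What a forensic image of the platters would contain, regardless of lock state."""
        return self._media[lba]
```

The point of the model is the boundary: `write()` and `read()` look like ordinary block I/O to the host, while `raw_sector()` shows that nothing readable ever reaches the media, and after `lock()` the drive cannot serve reads until the credential re-derives the wrapping key. The toy stream cipher reuses the same keystream if a sector is rewritten, which leaks the XOR of old and new contents; this is exactly why production drives use a tweakable block mode (AES-XTS) rather than a per-sector stream, and why the example should not be reused as a cipher.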

For now, security functions in the specification include cryptography, public key cryptography, digital signature, hashing functions, random number generation (RNG), and secure storage.

More information about the spec can be found here.

Copyright © 1996-2009 Ziff Davis Publishing Holdings Inc. All Rights Reserved. PC Magazine, the PCMag.com logo and Gearlog are registered trademarks of Ziff Davis Publishing Holdings Inc. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Media Inc. is prohibited.