cancel
Showing results for 
Search instead for 
Did you mean: 

Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata
Esteemed Contributor III

I am considering to buy a couple of new solid state drives for my company. A requirement is FDE and according to some info I found the new 320 series should support this. I have a few questions:

1. As far as I know none of our computers have any support in BIOS for disk password. Is this required for FDE to work with the 320 series or how exactly does the encyption / password entry work?

2. If we would like to use a RAID configuration (RAID 0 striping) is it still possible to use FDE and if so do one have to enter a password for each disk?

3. What about using two disks in the samer computer (non-raid) that is used to dual boot two different operating systems (say Linux and Windows 7) installed one OS on each drive - does FDE work in this case and would one have to enter a password twice?

4. Is the FDE solution dependent on some support in the OS (in that case what OS does it work with) or is it independent?

5. Do you have some white paper about the FDE with for instance information about how much slower it is compared to a non FDE drive?

6. I have read that TRIM does not work with SSDs in RAID configuration. Is this still the case and how dependent is the 320-series of TRIM?

/Trist

CORRECTION : I just found that our Dell Precision M6500 computers do have a field in the BIOS for disk password so I am interested in the questions above (two disks in the machine with or without RAID) also for this configuration. How do I know if the 320-serias FDE is compatible with the disk password setting in the dell M6500 machines? Is there a standard for this that all BIOS manufacturers follows or??

123 REPLIES 123

idata
Esteemed Contributor III

Hey folks,

Hope the following responses help with your questions:

1. Intel® SSD 320 Series drives are always encrypting the user data stored on the media, whether or not an ATA Password is set. In order to control access to your data or lock your SSD you do need to enable an ATA Password.

Background:

The encryption keys are securely held within the SSD device, hidden and encrypted using standard security techniques. These keys cannot be read by the user. All Intel SSD 320 Series drives do this. No user intervention is needed to enable data encryption on the NAND devices within the SSD.

If you were to remove a NAND component from the SSD, all data contained within the component is encrypted and keys are securely encrypted and hidden, therefore it is extremely low probability that any data could be recovered. Executing a SECURE ERASE function, such as that found in the Intel® SSD Toolbox, will cause the Intel SSD 320 Series drives to generate a new internal encryption key.

The ATA Password security interface is used to control the SSD's internal access to the encryption keys, and therefore the user's access to their data through the SATA interface. In order to lock access to the user data you do need to enable an ATA Password.

2. Support for ATA Passwords within BIOS or other means are system implementation specific. Most commercially available notebook / netbook systems include ATA Password functionality within their BIOS. The ATA Password is often referred to as an "HDD Password" in system BIOS. If the system allows, it is recommended that both "User" and "Master" passwords are configured for maximum security. Consult your system manufacturer's documentation, or contact your system manufacturer for support.

The Intel® Desktop Board DQ67SW, DQ67OW, and DQ67EP support the ATA Password functionality, called "HDD Password". On these boards, the HDD password support works in all SATA modes (IDE, RAID, or AHCI). The HDD password will only be applied to the drive on SATA port 0.

Note: The ATA Password is not a standard BIOS system password, as a standard BIOS system passwords control access to the specific platform / BIOS, not the SSD. Consult your system manufacturer's documentation, or contact your system manufacturer for support.

3. The ATA Password standards, and therefore Intel SSD 320 Series drives, allow for up to 32 byte passwords and contain no specific password "strength" requirements. 32 bytes enables users to create passwords with significant security "strength". It has been noted that some systems support ATA Passwords which are significantly shorter than 32 characters in length, and contain no password "strength" requirements. The utilization of the ATA Password security interface in system BIOS is system implementation specific. Consult your system manufacturer's documentation, or contact your system manufacturer for support.

4. In order to provide the absolute best security possible, there are no available password recovery solutions. If you lose or forget your ATA User Password and Master Password, your SSD will remain locked without access to read, write, or erase any data within the device. In this case, your SSD and your data are lost, and cannot be recovered by Intel.

5. ATA Password support in RAID or multi-drive installations are host system BIOS implementation specific. Consult your system manufacturer's documentation, or contact your system manufacturer for support.

idata
Esteemed Contributor III

Thanks. One major question: Where and how is stored that ATA password? There are utilities and tools how to read ATA password, and remove it. If you do this (can do this) the data if I understand this right is readable again. Is that true? I understand the "ironing" thing when memory chips are removed, thats great. But what about these utilities that can be used on "non FDE" drives?

idata
Esteemed Contributor III

Thanks for your response! I think you have cast some new light on the topic. I'm second Jan's questions concerning linking between AES keys and ATA keys but I have a few additional ones. They seem to be a little too specific but they touching very practical issues. Issues you as a producer and guarantor will have to cope with.

1. Point 4.3.2 of Intel Toolbox User Guide (ver 2.0) states that before any Secure Erase procedure the user has to remove all ATA passwords set on particular ssd device. To do that one has to unplug and replug SATA cable while SSD Toolbox is running which effectively unlocks the SSD. As far as I can understand this is not true for 320 and you can't strip the device's ATA passwords so easily? Am I right?

Because otherwise it contradicts your statment: "If you lose or forget your ATA User Password and Master Password, your SSD will remain locked without access to read, write, or erase any data...." Note that point 4.3.2 say nothing about knowing Master and User passwords.

2. You said: "If you were to remove a NAND component from the SSD, all data contained within the component is encrypted and keys are securely encrypted and hidden, therefore it is extremely low probability that any data could be recovered.".

Are you sure that all data contained within is encrypted? What about so called "negative cylinders" or firmware area where vital data for drive functioning is being stored (along with ATA passwords - usually)? Are they encrypted as well?

Are ATA passwords (not AES keys) encrypted, hashed or secured in any other way within the device?

3. Let's assume that User had set his own ATA User Password and Master Password and then he forgot both of them. Now he's returning the drive as broken. Does his warranty still valid? I can understand that ATA locked device is unreadible, unwritable and unerasable. But is it unservicable?

4. Using Intel Toolbox for Secure Erase requires running additional (external) operating system. Sometimes this in not possible. In case of conventional platter-based drives there are some tools which allow to invoke Secure Erase from bootable medium (cd/dvd or pendrive). To be specific they send ErasePrepare and following SecureErase ata commands from linux or dos-based enviroment. Could these tools (i.e MHDD) be used to trigger Secure Erase procedure on intel's ssds?

5. It is worth to notice that according to ATA Security Mode Specification the ATA Master Password is always being set. Even if the user has not set it manually (never) every drive leaving the factory has to have one. The question is very important: In case of intel 320 ssds is the ATA Master Password device specific or the same across all devices? If the second, is intel aware of how insecure it is considering the fact that most users will use their drives in High (not Maximum) Security Mode. In this mode you can fully unlock (for read and write) the device with Master Password. What if the default one leaks someday? Does intel plan to provide a tool for changing Master Password if bios does not support this feature (and most doesn't)?

Thanks in advance.

idata
Esteemed Contributor III

Mr Intel,

The Cryptographic Devil is always in the details (so to speak) so you will have to elaborate further than to refer to "standard security techniques."

Unless encryption is properly implemented, attacking an encrypted device becomes an exercise in hacking electronics rather than attacking a cipher and there are numerous examples of this (e.g. Sony).

Now to the question:

Is the ATA password, maybe together with something else (e.g. a random salt) used to encrypt the AES encryption key stored on the SSD?

When the 320 SSD is powered off, is the AES encryption key always stored in an encrypted form and is that encryption dependent on the ATA password?