03-26-2011 08:14 AM
I am considering buying a couple of new solid state drives for my company. A requirement is FDE and according to some info I found the new 320 series should support this. I have a few questions:
1. As far as I know none of our computers have any support in BIOS for disk password. Is this required for FDE to work with the 320 series or how exactly does the encryption / password entry work?
2. If we would like to use a RAID configuration (RAID 0 striping) is it still possible to use FDE and if so does one have to enter a password for each disk?
3. What about using two disks in the same computer (non-raid) that is used to dual boot two different operating systems (say Linux and Windows 7), with one OS installed on each drive - does FDE work in this case and would one have to enter a password twice?
4. Is the FDE solution dependent on some support in the OS (in that case what OS does it work with) or is it independent?
5. Do you have some white paper about the FDE with for instance information about how much slower it is compared to a non FDE drive?
6. I have read that TRIM does not work with SSDs in RAID configuration. Is this still the case and how dependent is the 320-series on TRIM?
/Trist
CORRECTION: I just found that our Dell Precision M6500 computers do have a field in the BIOS for disk password so I am interested in the questions above (two disks in the machine with or without RAID) also for this configuration. How do I know if the 320-series FDE is compatible with the disk password setting in the Dell M6500 machines? Is there a standard for this that all BIOS manufacturers follow or??
04-07-2011 11:50 AM
Thanks for the response to my original question - looks like we can use these drives with reasonable security (we are not in defence industry etc) at least for the machines with support for BIOS HDD.
Does any reader of this thread know if there exists any other solution for FDE SSDs for portables without BIOS HDD password support?
/Trist
04-07-2011 12:54 PM
I know about Samsung and Sharp (1.8"). I have no more information about them, but they are exactly selling them as self-encrypting drives. But who knows what they mean by that.
I hope that Intel will clear this, c'mon it is a serious company...
04-08-2011 09:34 AM
At the 2010 Storage Developers Conference Mr. Dmitry Obuhkov of Sandforce gave a presentation entitled "The Seven Myths of SED" (SED; Self Encrypting Drives). The links for this presentation are very lengthy: Google Obuhkov Sandforce. Myth number two was "ATA security is enough". He stated that "ATA Security + Encryption, This might be enough for simple use cases." The implication is that an ATA password provides only a modest amount of data protection.
Samsung recently released a new version of their encrypted SSD. Significantly, they are not relying on ATA Passwords. They state "The Samsung SSD supports a variety of management software. SSD's self-encryption and management software work together as essential parts of a fully managed hardware-based encryption solution."
If you require that data stored on your drive be completely protected it appears that third party software is going to be needed in order to restrict access to your disk. Intel's contention that data is secure because AES cannot be broken is absurd when you consider the insecurities inherent in ATA passwords.
It is up to the user, as always, to determine how much security is good enough. ATA passwords may or may not work for you. For now, I personally am staying with an HDD and Truecrypt.
Lew
04-08-2011 05:29 PM
All,
We've put some time into satisfactorily answering your questions. Thank you for your interest; hopefully these help. The questions are bulleted and the answers are in bold underlined text. Have a great weekend!
-Scott, Intel Corporation
ATA Password is stored in media as a non-reversible hashed value. This answer also applies to other questions in the blog. See below.
Unplugging the drive does not unlock the drive, it just removes ATA SECURITY FREEZE LOCK. In order to secure erase the drive, the SECURITY FREEZE LOCK needs to be removed and after that, the drive needs to be unlocked using a master/user password.
All data contained (this includes user and system) within the components is encrypted.
See answer to this in a previous question.
Warranty is not valid since SSD works per specification. It is not serviceable by Intel.
Any tool that issues an ATA SECURITY ERASE UNIT command (Secure Erase) as normal or enhanced mode will be able to secure erase an Intel SSD. However, user must provide the correct password (User or Master) within the SECURITY ERASE UNIT command to unlock the drive before doing secure erase.
Intel will ship the drive with random keys. The user has the responsibility to enable the security state and set their own passwords themselves to get the benefit of the security features. Third party tools such as HDAT2, HDPARM can be used to set master/user password if the user's system does not have the capability to set them.
Yes, ATA password is used to encrypt the encryption keys stored on the SSD.
Yes, even during power off data is kept in encrypted form. On the other question regarding dependency on ATA password please refer to earlier answers.
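Scott's answers above describe the ATA password being stored only as a non-reversible hash and being used to encrypt the drive's encryption keys, with SECURITY ERASE UNIT requiring that password. The following Python model is an added example, not Intel firmware and not from anyone in this thread; it illustrates the generic password-wrapped-key design those answers describe, using PBKDF2 and an HMAC-based encrypt-then-MAC wrap as stdlib stand-ins for whatever KDF and AES key wrap a real drive uses (the class and function names, salt sizes and iteration count are assumptions).

```python
import hashlib
import hmac
import os
def _kek(password, salt):
    """Derive a key-encrypting key (KEK) from the ATA-style password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)  # constructed cost

def _wrap(kek, dek):
    """Encrypt-then-MAC the 32-byte DEK under the KEK (stdlib stand-in for AES key wrap)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, hmac.new(kek, b"enc" + nonce, "sha256").digest()))
    return nonce + ct + hmac.new(kek, b"mac" + nonce + ct, "sha256").digest()

def _unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(kek, b"mac" + nonce + ct, "sha256").digest()):
        return None  # tag mismatch: wrong password (KEK) or tampered blob
    return bytes(a ^ b for a, b in zip(ct, hmac.new(kek, b"enc" + nonce, "sha256").digest()))
class SedModel:
    def __init__(self):
        self.salt = os.urandom(16)
        self.verifier = None  # non-reversible check value derived from the password
        self.wrapped = None   # DEK wrapped under the password KEK; None = security disabled
        # Factory-random media key; a real drive persists only the wrapped copy (model keeps it).
        self._dek = os.urandom(32)
    def set_password(self, password):
        """Enable the security state: store the verifier and the wrapped DEK."""
        kek = _kek(password, self.salt)
        self.verifier = hmac.new(kek, b"verify", "sha256").digest()
        self.wrapped = _wrap(kek, self._dek)
    def unlock(self, password):
        """Return the DEK for the correct password, None otherwise."""
        if self.wrapped is None:
            return None
        kek = _kek(password, self.salt)
        if not hmac.compare_digest(hmac.new(kek, b"verify", "sha256").digest(), self.verifier):
            return None
        return _unwrap(kek, self.wrapped)
    def change_password(self, old, new):
        """Re-wrap the same DEK under the new password; encrypted user data is untouched."""
        if self.unlock(old) is None:
            return False
        self.set_password(new)
        return True
    def secure_erase(self, password):
        """SECURITY ERASE UNIT model: needs the password, then discards the DEK."""
        if self.unlock(password) is None:
            return False
        self._dek = os.urandom(32)           # old ciphertext becomes unrecoverable
        self.verifier = self.wrapped = None  # drive returns to the unsecured state
        return True
```

In this model a password change only re-wraps the DEK, so the stored ciphertext is untouched, while a secure erase discards the DEK rather than overwriting the flash.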
04-09-2011 02:52 AM
Thank you very much for explanation. Just two things, if I may:
1) is this applied also in 510 SSDs?
2) you said that ATA password is used to encrypt the encryption key. That means that you cannot change the ATA password after it is set for the first time, right? Because if you do, the encryption key will be different and cannot decrypt the data stored on chips.
Thanks