
Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata
Esteemed Contributor III

I am considering buying a couple of new solid state drives for my company. A requirement is FDE and according to some info I found the new 320 series should support this. I have a few questions:

1. As far as I know none of our computers have any support in BIOS for disk password. Is this required for FDE to work with the 320 series or how exactly does the encryption / password entry work?

2. If we would like to use a RAID configuration (RAID 0 striping) is it still possible to use FDE and if so does one have to enter a password for each disk?

3. What about using two disks in the same computer (non-RAID) that is used to dual boot two different operating systems (say Linux and Windows 7) installed one OS on each drive - does FDE work in this case and would one have to enter a password twice?

4. Is the FDE solution dependent on some support in the OS (in that case what OS does it work with) or is it independent?

5. Do you have some white paper about the FDE with for instance information about how much slower it is compared to a non FDE drive?

6. I have read that TRIM does not work with SSDs in RAID configuration. Is this still the case and how dependent is the 320-series of TRIM?

/Trist

CORRECTION: I just found that our Dell Precision M6500 computers do have a field in the BIOS for disk password so I am interested in the questions above (two disks in the machine with or without RAID) also for this configuration. How do I know if the 320-series FDE is compatible with the disk password setting in the Dell M6500 machines? Is there a standard for this that all BIOS manufacturers follow or??

123 REPLIES

idata
Esteemed Contributor III

AFAIK, 320 is hard-encrypting, but 510 is not likely - 510 is about speed, not security. One might even guess, intuitively, fastest storage is not most secure since security adds overhead. In the case of semiconductor memory like SSD though overhead is tiny, but still:

510 was designed for SATAII/speed, not security, it's 320 which has internal encryption.

Easiest thing is to check 510 datasheet, 320 clearly states and is actually ADVERTISED by Intel as self-encrypting.

But I've never seen Intel advertising 510 Elmcrest as having hardware encryption.

However 510 is a good candidate for Soft Encryption - BitLocker would be fastest, probably, despite me myself pitching against soft encryption on SSDs, Intel 510 is not a bad candidate for it. You will lose some performance but given its ridiculously fast transfer rates, the penalty may not be too noticeable.

As of hard encryption - it's 320.

Just beware if your BIOS doesn't allow you to enter an ATA password (some business laptops allow it, other consumer laptops and most desktops don't), then hardware encryption is completely useless. One way to help yourself is to use a number of hacks to enter ATA password without BIOS involved, but that does require you to be good with computers - else you will destroy your SSD permanently. Also these hacks are only useful if you understand and actually can set up a BootLoader which asks for a password before OS is loaded and not fighting with BIOS at same time.

All the above has been repeated many times in this Discussion, go back & read.

I am tired of repeating.

Most important fact however Chinese will copy/steal all these patents so Intel's innovation is doomed anyway. There's already a copy of iPhone and "legal software" in China is a joke - people giggle. Not ONE engineering/design software tool in China is paid for, it's copied. Cadence, Autodesk, AWR, Agilent, Microsoft, whatever... A company I worked for has attended some technical seminars in south China only to find its OWN products on display as something invented by Chinese!?! Our government needs its butt KICKED for allowing rampant copying and patents theft.

Intel 320 will be made in China without any Intel involvement one day. In some cases less than 6 months passed since a product was invented here and stolen by Chinese.

idata
Esteemed Contributor III

As of today, the Intel SSD 320 Series is our only product line that is self-encrypting.

-Scott, Intel Corporation

idata
Esteemed Contributor III

Since this thread will be picked up by search engines, perhaps my thoughts and experience will provide some perspective.

1. Like you, I find it frustrating that consumer desktop motherboards lack hard drive password support. Also, they lack TPM security chips.

2. For the past 3 years I have purchased HP business desktops and workstations for my business and family primarily for these security features, including the TPM chip and hard drive password support. Usually I purchase them used and discounted on eBay, and then upgrade them.

3. I have at least 8 HP desktops with Intel G2 SSDs running Microsoft BitLocker (software encryption). Most have 8 GB RAM and hibernate multiple times daily (significant writes). According to the Intel SSD toolbox wearout indicator, none show signs of wear. This includes a SSD with close to 2 TB of writes.

4. The encryption does bring a performance hit, but the encrypted SSDs still seem faster than the unencrypted hard drives I used previously. The Intel SSDs are quieter and probably more reliable than hard drives, as well. All of this made them a worthwhile upgrade for my purposes even though I don't have the "amazing" experience that some SSD users report.

5. The computers with Intel CPUs with the AES-NI hardware feature (such as core i5 3200) do seem faster in some regards (bootup, application launch, virus scan) so I recommend that feature if BitLocker use is planned.

6. To sum up, my experience is that the Intel G2 SSDs handle BitLocker without problems. There is a mild to moderate performance hit, as expected, depending on usage. Of course I look forward to trying the hardware encryption of the Intel 320 series when it's time to upgrade.

idata
Esteemed Contributor III

I have to admit, that I still have some problems in understanding the secureness of the offered FDE in conjunction with the ATA password. Could somebody please clarify it for me? thx! (After thinking through the whole process step for step again -- as I write this post -- and because of the helpful comments here, it is clearer now, nevertheless two small questions still remain:)

Did I get it right, that the AES encryption uses a (private) key, that lies anywhere (of course unencrypted) at the SSD? And if I set an ATA password the private AES key will get encrypted by my ATA password (as cleartext). If I change my ATA password, the AES key will get reencrypted. So the level of FDE secureness is up to the secureness of the ATA password.

Beside that my BIOS has to offer me to enter a password longer than 8 characters and that I must make up a strong password, what's about all the tools to bypass the ATA password? Simply destroy/remove it wouldn't be enough, because the private AES key is encrypted with it, fine. But in this thread it was said, that there are tools to read out an ATA password. How can this be avoided?

If I got it right, Scott aka SSDelightful from Intel support stated, that the ATA password is not revealable, because it is hashed:

SSDelightful wrote:

[...]

ATA Password is stored in media as a non-reversible hashed value. [...] 

Well, absolutely no offence, but anybody could state that. What technique is used here? SHA-2 or something like that? Maybe I read it over, but I couldn't find any information regarding this point.

And the second, more practical, question: Can I use all these features (setting, altering and deleting of the ATA password) just with an adequate BIOS? I won't need any Intel toolbox, am I right? Because I couldn't find the Intel tools for Linux so far...(btw: are there plans to release a Linux version?)

thanks for every helpful reply!

Simon
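
A generic model of the scheme asked about in the post above (a media key wrapped under a key derived from the ATA password), added here as an illustration; it is not Intel's firmware design, which this thread does not document. PBKDF2, the HMAC-based wrap standing in for an AES key wrap, and the sample passphrases are all assumptions made for the example.

```python
import hashlib, hmac, os

def _kek(password: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the password (PBKDF2 is an assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _pad(kek: bytes, nonce: bytes) -> bytes:
    # One-time 32-byte pad; stands in for the AES key wrap a drive would use.
    return hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()

def _tag(kek: bytes, nonce: bytes, blob: bytes) -> bytes:
    return hmac.new(kek, b"auth" + nonce + blob, hashlib.sha256).digest()

def wrap(dek: bytes, password: str) -> dict:
    """Return the small record a drive would keep: no password, no plain key."""
    salt, nonce = os.urandom(16), os.urandom(16)
    kek = _kek(password, salt)
    blob = bytes(a ^ b for a, b in zip(dek, _pad(kek, nonce)))
    return {"salt": salt, "nonce": nonce, "blob": blob,
            "tag": _tag(kek, nonce, blob)}

def unwrap(rec: dict, password: str) -> bytes:
    kek = _kek(password, rec["salt"])
    # The tag doubles as the password check; nothing reversible is stored.
    if not hmac.compare_digest(_tag(kek, rec["nonce"], rec["blob"]), rec["tag"]):
        raise PermissionError("wrong password")
    return bytes(a ^ b for a, b in zip(rec["blob"], _pad(kek, rec["nonce"])))

def change_password(rec: dict, old: str, new: str) -> dict:
    # Only the key record is rewritten; the media key and the data stay as-is.
    return wrap(unwrap(rec, old), new)

def demo():
    dek = os.urandom(32)                      # media encryption key (constructed)
    rec = wrap(dek, "old-passphrase")         # constructed sample passphrases
    rec2 = change_password(rec, "old-passphrase", "new-passphrase")
    same_key = unwrap(rec2, "new-passphrase") == dek
    try:
        unwrap(rec2, "old-passphrase")
        old_rejected = False
    except PermissionError:
        old_rejected = True
    return same_key, old_rejected

if __name__ == "__main__":
    print(demo())
```

In this model, removing or overwriting the stored record does not unlock anything, because the media key can only be recovered by re-deriving the wrapping key from the correct password; the protection is therefore bounded by the password's strength.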

idata
Esteemed Contributor III

Hi, I have two computers: an old Acer 1810tz and a new Sandy Bridge HP 6560b. I bought an Intel 320 series SSD 120GB for both of them.

But when I enable (and also change) the HDD password in the Acer 1810tz computer the SSD drive stops working and I have to replace the drive in the shop.

The problem is known and described here: http://www.intel.com/support/ssdc/hpssd/sb/CS-030724.htm

My question is: Is it safe to use the HDD password for encryption with the HP notebook (new Sandy Bridge platform), or should I wait for new drive firmware?