03-26-2011 08:14 AM
I am considering buying a couple of new solid state drives for my company. A requirement is FDE and according to some info I found the new 320 series should support this. I have a few questions:
1. As far as I know none of our computers have any support in BIOS for disk password. Is this required for FDE to work with the 320 series or how exactly does the encryption / password entry work?
2. If we would like to use a RAID configuration (RAID 0 striping) is it still possible to use FDE and if so does one have to enter a password for each disk?
3. What about using two disks in the same computer (non-RAID) that is used to dual boot two different operating systems (say Linux and Windows 7) installed one OS on each drive - does FDE work in this case and would one have to enter a password twice?
4. Is the FDE solution dependent on some support in the OS (in that case what OS does it work with) or is it independent?
5. Do you have some white paper about the FDE with, for instance, information about how much slower it is compared to a non-FDE drive?
6. I have read that TRIM does not work with SSDs in RAID configuration. Is this still the case and how dependent is the 320-series of TRIM?
/Trist
CORRECTION: I just found that our Dell Precision M6500 computers do have a field in the BIOS for disk password so I am interested in the questions above (two disks in the machine with or without RAID) also for this configuration. How do I know if the 320-series FDE is compatible with the disk password setting in the Dell M6500 machines? Is there a standard for this that all BIOS manufacturers follow or??
06-17-2011 11:32 AM
Thank you Desktop Man! I appreciate you taking the time to reply.
Just to be clear and I apologize for this. What I meant by BIOS master and user passwords was the BIOS Hard Drive master and user passwords. My laptop has those settings (the field is 32 characters long if that makes any difference).
You mentioned, "The BIOS does not have any say in how the password is stored on the ATA device..."
Does this mean that if a computer supports the BIOS hard drive master and user passwords, there is no guarantee that the entered BIOS hard drive passwords will be stored on the SSD hashed and used to encrypt the SSD's encryption keys? If yes, would you know who determines this? Is it the computer manufacturer or the Intel SSD?
Again, thank you for the info.
06-17-2011 11:42 AM
Ah yes then you should be good. Just to be sure you could try setting the ATA password and move the SSD to another machine. It should not be accessible without the password.
The Intel SSD decides how to store / hash the password and how it relates to the encryption key, so the BIOS is not a weak point in that regard. You're guaranteed that the ATA password is used in whatever way Intel has decided to use it as long as the BIOS sends it to the drive using the ATA specification. This can be verified with the method above. Note that this doesn't guarantee that Intel's hash and/or storage of the password and key is secure. You'll have to trust them on that.
06-17-2011 12:22 PM
Wow, that was fast! Thank you again, DesktopMan. I appreciate the info!
Do you use any reliable tools to verify the security settings on the SSD like what security level it is at (High, Max), if security is enabled, frozen/unfrozen state, etc? Also, info on what those settings should be would be very helpful.
I assume the drive is always encrypting, so I don't have to worry about that. Is this correct? If not, is there any tool to verify if encryption is on or off?
Best regards.
06-17-2011 12:34 PM
There really is only one security level on the Intel 320-series SSDs, either the ATA password is set or it's not. As you say they are always encrypting, even out of the box.
Note that every Intel SSD ships with an encryption key set during production (random on each drive according to Intel), but you can generate a new one in the Intel SSD toolbox. I'm not sure if they allow you to do this without losing the data, I haven't tried. There are techniques to allow this, but I doubt they've implemented that.
06-17-2011 02:19 PM
"Do you use any reliable tools to verify the security settings on the SSD like what security level it is at (High, Max), if security is enabled, frozen/unfrozen state, etc? Also, info on what those settings should be would be very helpful."
Linux -> hdparm
In High Security Mode both user and master pass can fully unlock the drive.
In Max Security Mode only user pass can fully unlock drive. Master pass can unlock the drive only to perform Secure Erase.
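
Added example, not part of the thread: a shell function that condenses the Security section of `hdparm -I` output into the enabled / locked / frozen / level values asked about above. The function names and the sample text are constructed here, and the sample assumes the layout hdparm prints for that section; for the "move the SSD to another machine" test suggested earlier, a password-protected drive should report `locked=yes` before it is unlocked.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `hdparm -I` output on stdin and
# prints the ATA security state as key=value lines.
# Real use, as root:  hdparm -I /dev/sdX | ata_security_state
# (/dev/sdX is a placeholder for the SSD's device node.)
ata_security_state() {
    awk '
        /^Security:/        { in_sec = 1; next }
        in_sec && /^[^ \t]/ { in_sec = 0 }   # next unindented line ends the section
        !in_sec             { next }
        {
            sub(/^[ \t]+/, "")
            # hdparm prefixes a flag with "not" when it is clear.
            if ($1 == "not") { val = "no";  key = $2 }
            else             { val = "yes"; key = $1 }
            if (key == "supported" || key == "enabled" ||
                key == "locked"    || key == "frozen")
                state[key] = val
            else if ($1 == "Security" && $2 == "level")
                state["level"] = $3          # "high" or "maximum"
        }
        END {
            n = split("supported enabled locked frozen", keys, " ")
            for (i = 1; i <= n; i++) {
                k = keys[i]
                v = (k in state) ? state[k] : "unknown"
                print k "=" v
            }
            # The level is only meaningful once a user password is set.
            lvl = (state["enabled"] == "yes" && ("level" in state)) ? state["level"] : "n/a"
            print "level=" lvl
        }
    '
}

# Constructed sample: a drive with a user password set, just powered on in
# another machine, so it is enabled and still locked.
sample_locked_drive() {
    printf 'Security: \n'
    printf '\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n\t\tenabled\n\t\tlocked\n\tnot\tfrozen\n'
    printf '\tnot\texpired: security count\n\t\tsupported: enhanced erase\n'
    printf '\tSecurity level high\n'
    printf 'Checksum: correct\n'
}

sample_locked_drive | ata_security_state
```

A `frozen=yes` result means the BIOS has issued SECURITY FREEZE LOCK, so the password settings cannot be changed until the next power cycle.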