03-26-2011 08:14 AM
I am considering to buy a couple of new solid state drives for my company. A requirement is FDE and according to some info I found the new 320 series should support this. I have a few questions:
1. As far as I know none of our computers have any support in BIOS for disk password. Is this required for FDE to work with the 320 series or how exactly does the encyption / password entry work?
2. If we would like to use a RAID configuration (RAID 0 striping) is it still possible to use FDE and if so do one have to enter a password for each disk?
3. What about using two disks in the samer computer (non-raid) that is used to dual boot two different operating systems (say Linux and Windows 7) installed one OS on each drive - does FDE work in this case and would one have to enter a password twice?
4. Is the FDE solution dependent on some support in the OS (in that case what OS does it work with) or is it independent?
5. Do you have some white paper about the FDE with for instance information about how much slower it is compared to a non FDE drive?
6. I have read that TRIM does not work with SSDs in RAID configuration. Is this still the case and how dependent is the 320-series of TRIM?
/Trist
CORRECTION : I just found that our Dell Precision M6500 computers do have a field in the BIOS for disk password so I am interested in the questions above (two disks in the machine with or without RAID) also for this configuration. How do I know if the 320-serias FDE is compatible with the disk password setting in the dell M6500 machines? Is there a standard for this that all BIOS manufacturers follows or??
06-20-2011 09:31 PM
Hi SSDelightful, you mentioned about if HDD password, it will lock the drive and cannot recovery, so can we claim warranty replacement from Intel?
12-17-2011 08:21 PM
[quote]I have Asrock Z68 Extreme4 and cannot boot if password protected intel SSD is connected to any of the SATA ports of the chipset ATA controller. The board locks in endless boot loop. I have to hotplug the drive to make the whole thing work. If the drive is password unlocked or security disabled motherboard boots without any problem.
UEFI in Asrock's case do not work with password protected drives!
Will try Asus P8Z68 Pro next week.[/quote]
Pit you never posted your results from the Asus P8Z68 PRO. Were you able to use the Intel SSD drive with that board? Asrock is a subsidiary of Asus so I'm thinking no but I'm curious. I also have that board and I am considering purchasing an Intel 320 SSD once my questions are answered.
06-29-2011 08:24 AM
Hi,
thanks for all the information given here - but I'm hanging at some question:
If I've installed my OS on a 320 without HDD-Pass all data is encrypted, ok. Now I want to enable a password. Is it possible to enable the HDD-Pass in this situation without loosing all data? afaik I'm not able to CHANGE the HDD-Pass later on, but can i SET it without loosing data?
If I want to CHANGE it later on, in my understanding I've to do a full backup, secure erase the device and set a new pass, am I right?
I imagine, the same is true if I want to DISABLE the pass?
What happens, if I enable the pass and start hanging in a reboot loop as somenone wrote here? Same answers as the two questions above?
I read about the different kind (master, user or so) kinds of passes. In my Bios there's onle one pass per HDD. Does this have any security impact?
How does the process of secure erasing and deleting the existing HDD-Pass (I don't mean the aes-keys, I've understood this process) work (aim: getting a "factory state" ssd without hdd-pass)? Giving the right pass in the bios, booting from a different drive, doing secure erase with intel ssd toolbox? What is the thing with disconnecting and connecting the drive (secure lock?), is this needed? How can I enable/disable the "secure erase lock" (my words)?
Very specfic question: Does anyone now if HDD-pass works fine with a dell T3500 workstation (Intel ICH10R, possibility to set HDD-Pass in bios exists for every drive)?
I'm really happy for any hint!
Thanks,
marte
10-08-2011 03:54 AM
Hello,
This is my first Post on the mailing list. My name is Jean-Michel Pouré and I am the director of GOOZE, a security company offering smartcards and security tokens.
For our work, we need to secure store some valuable information on servers disconnected from the network. Presently, we are using GNU/Linux with lvm encryption. I bought an Intel 320 SSD with 40 GB of RAM to do some testing under Windows 7 (a system we have nearly 0% trust into) and try to find a solution for customers.
I think we could easily defeat Intel 320 SSD AES encruption, here is how:
1) Our motherboards are ASUS. The system is Windows7. We installed ASUS Flash update, which is a Windows program.
2) We set up user and admin password in BIOS. The only way to boot and/or access BIOS is to enter a password.
So far, so good, is your system protected? No, here is how:
3) We booted into recovery and flashed the BIOS using ASUS Flash update, with option "reset BIOS to default". You could also buy an ASUS motherboard and transfer the SSD (which we did not do). Or remove the battery from the motherboard (which we did not do).
4) After reboot, we could access BIOS without admin password. We simply changed the user password and it installed the new password into the Intel SSD!
5) We rebooted with the newly user created password.
Intel 320 SSD are not secure product, as in most BIOSes the password is not protected by a passphrase.
Under Windows 7, the solution is to use an extra security software level, like using truecrypt with smartcards.
Check this tutorial for example: http://www.gooze.eu/howto/truecrypt-smartcards-and-security-tokens-howto http://www.gooze.eu/howto/truecrypt-smartcards-and-security-tokens-howto
We welcome any information allowing us to secure the SSD completely, even changing motherboards.
We are now testing a more complicated setup:
* Windows system partition encrypted using truecrypt passphrase, from boot.
* Home partitions encrypted using truecrupt and security tokens.
Kind regards,
Jean-Michel Pouré
10-08-2011 05:16 AM
From your post it seems you only set the BIOS password. This will not set an encryption passphrase in the SSD, you would have to set an ATA password for that.