
Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata
Esteemed Contributor III

I am considering buying a couple of new solid state drives for my company. A requirement is FDE, and according to some info I found, the new 320 series should support this. I have a few questions:

1. As far as I know none of our computers have any support in BIOS for disk password. Is this required for FDE to work with the 320 series or how exactly does the encryption / password entry work?

2. If we would like to use a RAID configuration (RAID 0 striping) is it still possible to use FDE and if so does one have to enter a password for each disk?

3. What about using two disks in the same computer (non-RAID) that is used to dual boot two different operating systems (say Linux and Windows 7) installed one OS on each drive - does FDE work in this case and would one have to enter a password twice?

4. Is the FDE solution dependent on some support in the OS (in that case what OS does it work with) or is it independent?

5. Do you have some white paper about the FDE with for instance information about how much slower it is compared to a non FDE drive?

6. I have read that TRIM does not work with SSDs in RAID configuration. Is this still the case and how dependent is the 320-series of TRIM?

/Trist

CORRECTION: I just found that our Dell Precision M6500 computers do have a field in the BIOS for disk password so I am interested in the questions above (two disks in the machine with or without RAID) also for this configuration. How do I know if the 320-series FDE is compatible with the disk password setting in the Dell M6500 machines? Is there a standard for this that all BIOS manufacturers follow, or?

123 REPLIES

idata
Esteemed Contributor III

But are you sure the ATA password isn't stored in plain text? Are you sure it is properly hashed with a FIPS-certified algorithm?

Besides, a security system in which one side has all the keys and the user is only authorizing himself for access is always less secure than a security system in which the key is decomposed, scattered across two sides: user and hardware. And no side has all the secrets. Hacking history has proved the above many, many times.

I believe there is a way to set user and master passwords outside the BIOS. Unless the device is not frozen. I suspect it is up to the BIOS implementation whether it properly freezes the disk after the password has been entered. If not, it should be possible to set a master password or user password in Max security mode, even if the BIOS doesn't support the feature, with some tool run inside the OS. At least in some cases.

I wouldn't be surprised if Intel blocks High Security mode altogether, leaving the device in permanent Max security mode and blocking the chance of changing the Master password. This alone assures Intel that no device is returned under warranty in an "I forgot the password" state.

Well, at least I hope that there is no service backdoor for all those Max security devices with changed Master passwords. Theoretically such devices are unserviceable. They are locked and you can't secure erase them. Dead end.

idata
Esteemed Contributor III

I am absolutely with you guys. I have been trying to figure out how this REALLY works for a couple of weeks and it is a huge gray area. On the other side you can see how good, for example, the BDE drivers from Hitachi using Trusted Platform Module are.

I absolutely don't want to have a notebook secured only by an ATA password. I want, like you, to use proper security as on Hitachi (Seagate) drives. Somebody from Intel really should answer this question properly.

BTW I have searched the OCZ support forums, and it is the same as here. Nobody knows.

I cannot understand why this is not clarified exactly. Anyway, I have read somewhere that this AES on SSDs only protects against ironing the memory modules to another board. So about the access it does nothing.

idata
Esteemed Contributor III

Believe it or not, but this is the only place on the internet where this topic is even discussed. I can't find any other place, at least in the context of the 320 series. It seems people do not care. No demand, no supply. The same applies to the reviewers. Saying some fancy words like AES or FIPS in a marketing brochure is enough, it seems. Most of the addressees take stating the obvious (like that AES128 is FIPS certified) as the proof and look no further (i.e. using a certified algorithm does not make the device certified). I've seen that kind of marketing in the past. Obviously it is not reassuring for me. And for you, guys?

idata
Esteemed Contributor III

The way I think/hope it works, and the way I think other FDE drives protected by ATA passwords work, such as the Seagate Momentus FDE drives, is that the ATA password is used internally to encrypt the original AES encryption key.

So without the ATA password it shouldn't be possible to retrieve/decrypt the AES encryption key. If no ATA password is set then the AES encryption key isn't encrypted. If the ATA password is changed then the AES key is decrypted and then re-encrypted with the new ATA password.

Protecting the whole drive with a key derived from the ATA password isn't practical because every time the password changed the whole drive would need to be decrypted and re-encrypted with the new key.

Anyway these are just my assumptions. Intel should confirm ASAP how the drive works before more businesses start using it thinking their confidential information is safely stored in the drives.

A simple yes that's how it works, or no, they're completely unrelated would be enough.
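The key-wrapping scheme assumed in the post above, as an added example that is not part of the original thread and not Intel's or Seagate's documented design: the media key is fixed, and only a small wrapped copy of it depends on the password. `ToyDrive` and its fields are hypothetical, and PBKDF2 plus an HMAC-SHA256 pad and tag stand in for whatever KDF and AES key wrap a real drive would use, so the block runs on the Python standard library alone.

```python
import hashlib, hmac, os

def _kek(password: bytes, salt: bytes) -> bytes:
    # Key-encryption key derived from the password (PBKDF2 is an assumption).
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def wrap(dek: bytes, password: bytes) -> bytes:
    """Encrypt the 32-byte media key under the password; returns salt|ct|tag."""
    salt = os.urandom(16)
    kek = _kek(password, salt)
    pad = hmac.new(kek, b"enc" + salt, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(kek, b"mac" + salt + ct, hashlib.sha256).digest()
    return salt + ct + tag

def unwrap(blob: bytes, password: bytes) -> bytes:
    """Recover the media key, or raise ValueError if the password is wrong."""
    salt, ct, tag = blob[:16], blob[16:48], blob[48:]
    kek = _kek(password, salt)
    good = hmac.new(kek, b"mac" + salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong password")
    pad = hmac.new(kek, b"enc" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

class ToyDrive:
    """Hypothetical model of what the drive keeps in non-volatile storage."""
    def __init__(self):
        self.nvram = os.urandom(32)  # no password set: media key kept unwrapped
        self.protected = False

    def set_password(self, new: bytes, old: bytes = b"") -> None:
        # Changing the password rewrites only this blob; user data is untouched.
        dek = unwrap(self.nvram, old) if self.protected else self.nvram
        self.nvram, self.protected = wrap(dek, new), True

    def media_key(self, password: bytes = b"") -> bytes:
        return unwrap(self.nvram, password) if self.protected else self.nvram

if __name__ == "__main__":
    drive = ToyDrive()
    key = drive.media_key()                      # readable while no password is set
    drive.set_password(b"first")
    drive.set_password(b"second", old=b"first")  # re-wrap, same media key
    print("media key unchanged:", drive.media_key(b"second") == key)
```
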

idata
Esteemed Contributor III

It is discussed in many places, but not the 320 of course, because it is new. Some people are saying that the OCZ Vertex 3 PRO can do it, but it is not released yet so we don't know either.

Anyway I have found this Samsung SSD with FDE label:

http://discountechnology.com/Samsung-FDE-MMDPE56G5DXP-0VB-MLC-SSD-SATA-Hard-Drive

review

http://www.samsung.com/global/business/semiconductor/products/SSD/downloads/SamsungSSD_Encryption_Be...

BUT it is from 2009 and it seems a bit old and slow.

I also found that Seagate offers 2.5" Enterprise FDE disks, but oh my god, the smallest is 400 GB, so I think this is for some ultra-servers and not usable for any notebook at all.

I haven't bought the Intel 320 yet, because I want to figure out this FDE thing before purchase. I just want FDE on my drive! Only an ATA password is just not enough. It is not that super easy to bypass it, but it can be done and this is just not acceptable.