
Intel 320-series SSD and FDE (Full Disk Encryption) questions...

idata
Esteemed Contributor III

I am considering buying a couple of new solid-state drives for my company. A requirement is FDE, and according to some info I found the new 320 series should support this. I have a few questions:

1. As far as I know none of our computers have any support in BIOS for disk password. Is this required for FDE to work with the 320 series or how exactly does the encryption / password entry work?

2. If we would like to use a RAID configuration (RAID 0 striping) is it still possible to use FDE and if so does one have to enter a password for each disk?

3. What about using two disks in the same computer (non-RAID) that is used to dual boot two different operating systems (say Linux and Windows 7), with one OS installed on each drive - does FDE work in this case and would one have to enter a password twice?

4. Is the FDE solution dependent on some support in the OS (in that case what OS does it work with) or is it independent?

5. Do you have some white paper about the FDE with for instance information about how much slower it is compared to a non-FDE drive?

6. I have read that TRIM does not work with SSDs in RAID configuration. Is this still the case and how dependent is the 320-series on TRIM?

/Trist

CORRECTION: I just found that our Dell Precision M6500 computers do have a field in the BIOS for disk password so I am interested in the questions above (two disks in the machine with or without RAID) also for this configuration. How do I know if the 320-series FDE is compatible with the disk password setting in the Dell M6500 machines? Is there a standard for this that all BIOS manufacturers follow or??


idata
Esteemed Contributor III

SSDelightful wrote:

4. In order to provide the absolute best security possible, there are no available password recovery solutions. If you lose or forget your ATA User Password and Master Password, your SSD will remain locked without access to read, write, or erase any data within the device. In this case, your SSD and your data are lost, and cannot be recovered by Intel.

This only partially answers the question I posed... http://communities.intel.com/thread/23113

How do we acquire the Master Password? I'm pretty certain that most of us do not change this and unless I'm mistaken, this would enable us to unlock the drive even if the User Password has been lost or damaged. Presumably, this is something that should be included with each drive, or provided upon request from Intel Tech Support.

FWIW: this is becoming a key issue for my company. I love Intel products, but Intel's implementation of the ATA Password functionality and accompanying toolset does little more to protect the data than the competition, but the implementation + toolset does create a significant risk of the total loss of the investment in the locked drive. Like me, I doubt any of the original posters of these threads are thieves, but instead simply trying to recoup their investment.

http://communities.intel.com/message/126101

http://communities.intel.com/message/108267

http://communities.intel.com/message/129571

http://communities.intel.com/message/116558

idata
Esteemed Contributor III

The Master password is randomly generated during the Secure Erase procedure. Security ATA Extension requires this password to be set. The user can change it of course, but one can execute SE even without it using the Intel SSD Toolbox. That's an equivalent of using MP in Max Security Mode. Unless you want to have two passwords to unlock the same drive, the Master Password is not needed in Intel's implementation.

I wouldn't trust a solution (especially in safety critical tasks) which has not got any widely recognizable security certificate. AFAIK the Intel 320 hasn't (yet).

idata
Esteemed Contributor III

The Master password is randomly generated during the Secure Erase procedure. Security ATA Extension requires this password to be set. The user can change it of course, but one can execute SE even without it using the Intel SSD Toolbox. That's an equivalent of using MP in Max Security Mode. Unless you want to have two passwords to unlock the same drive, the Master Password is not needed in Intel's implementation.

I wouldn't trust a solution (especially in safety critical tasks) which has not got any widely recognizable security certificate. AFAIK the Intel 320 hasn't (yet).

Excellent points, of course, which further support my ("Guest") comment above.

The Master PW is set by Intel at the time the drive ships -- even if only randomly generated. Like the drive's serial #, it would be effortless for Intel to record this and release it only to a registered/verified owner. Frankly, if my bank will accept a few security responses from me to access my bank account over a phone, the same measures could be provided by Intel, but are (apparently) not. The Intel SSD drive ships ready to use, so unless (and until) a user performs a Secure Erase, the Master PW remains the same. This is the case with the drive of ours that I discussed and have. Again, neither I, nor likely the other OPs of the threads I quoted above are thieves, but are instead victims of Intel's implementation of the ATA Password functionality.

Lawful users of licensed/purchased products should bear the responsibility for data loss, but there's no reason for us to lose the value of our SSD investments, at least as long as other competitors provide products without this risk.

AZapa1
New Contributor

Please please please explain why Intel stores the ATA password hashed???? OK, I can admit that the Intel 320 stores the AES key in the controller and does not encrypt this AES key with the ATA password. It's the only way to deal with the ATA standard "reset-user-password-with-master-password" scenario; it wouldn't be possible to reset the user password with the master password if the FDE AES key was encrypted by this user password. And OK, Intel claims that the controller chip satisfies the FIPS 140 standard so no one could recover this AES key from it. But in this case why does Intel store the ATA password hashed in the SSD controller?? These two statements set me thinking.... and one of them definitely should be wrong.

idata
Esteemed Contributor III

I have read through this thread. It is pretty interesting. Even more interesting is what isn't answered. The ATA password is stored as a hash on the drive. What hash? Are you storing as an md5 hash? This is really the question that matters. SSDelightful's last reply was about eight months ago but hopefully he can chime in here.

What I would like to do is what has been described where you can use hdparm to set the passwords. Set them as random characters and then you should have a layer of security where those passwords are needed for decryption on each boot. Is that correct? Is it that we cannot choose the AES key or that we cannot choose the key that encrypts the AES key?
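
The question in the last two posts (why a hashed ATA password sits beside a drive-held AES key, and whether a password ever encrypts that key) comes down to two key-handling designs, modelled below as an added example that is not from the thread or from Intel. The class names, the KDF settings and the toy XOR/HMAC wrap standing in for AES key wrap are assumptions made for illustration.

```python
import hashlib, hmac, os

def kdf(password: str, salt: bytes) -> bytes:
    # Password-derived key-encryption key (KEK); parameters are illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _mac(kek: bytes, label: bytes) -> bytes:
    return hmac.new(kek, label, hashlib.sha256).digest()

def wrap(kek: bytes, dek: bytes) -> bytes:
    # Toy stand-in for AES Key Wrap (no AES in the stdlib): XOR pad + HMAC tag.
    ct = bytes(a ^ b for a, b in zip(dek, _mac(kek, b"pad")))
    return ct + _mac(kek, b"tag" + ct)

def unwrap(kek: bytes, blob: bytes):
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, _mac(kek, b"tag" + ct)):
        return None  # wrong password: the DEK is never produced
    return bytes(a ^ b for a, b in zip(ct, _mac(kek, b"pad")))

class HashGatedDrive:
    """Design A: DEK stored as-is; a password hash only gates access to it."""
    def __init__(self, user_pw, master_pw):
        self.salt, self.dek = os.urandom(16), os.urandom(32)
        self.hashes = [kdf(user_pw, self.salt), kdf(master_pw, self.salt)]
    def unlock(self, pw):
        h = kdf(pw, self.salt)
        ok = any(hmac.compare_digest(h, x) for x in self.hashes)
        return self.dek if ok else None
    def at_rest(self):  # everything held in (modelled) controller storage
        return [self.dek, *self.hashes]

class WrappedDrive:
    """Design B: one DEK, wrapped once per password (user and master slots)."""
    def __init__(self, user_pw, master_pw):
        self.salt, dek = os.urandom(16), os.urandom(32)
        self.slots = {"user": wrap(kdf(user_pw, self.salt), dek),
                      "master": wrap(kdf(master_pw, self.salt), dek)}
    def unlock(self, pw):
        k = kdf(pw, self.salt)
        found = (unwrap(k, b) for b in self.slots.values())
        return next((d for d in found if d is not None), None)
    def reset_user(self, master_pw, new_user_pw):
        dek = unwrap(kdf(master_pw, self.salt), self.slots["master"])
        if dek is not None:  # master unwraps the DEK, then re-wraps it
            self.slots["user"] = wrap(kdf(new_user_pw, self.salt), dek)
        return dek is not None
    def at_rest(self):
        return list(self.slots.values())
```

In design A the data key is protected only by whatever protects controller storage, and the password hash is an access check. In design B the stored state contains no usable key without one of the passwords, and a master-password reset of the user password still works because each password unwraps its own copy of the same key.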