Solidigm

Telbizov · ‎08-17-2020

Dear Intel Support,

I would like to understand better the Self-Encrypting functionality of the S3710 and S4610 SSDs that I have.

In short I would like to make sure that when power is cut off contents on the drive cannot be extracted and decrypted without supplying a password from outside.

Below are my understandings and I would like you to please explicitly confirm or correct each of those:

1. Drives that have advertised to have hardware encryption AES 256 bit, which include S3710 and S4610, continuously and transparently encrypt/decrypt contents written to/read from the drive, even if no ATA password is set. The Data Encryption Key (DEK) is regenerated upon a secure erase operation and there is always some key in use.

2. By default, if no ATA command is set the data is not really protected since it will be transparently decrypted.

3. In order for us to ensure protection at rest, against theft, etc we need to set an ATA password. For example in Linux this would be hdparm --user-master u --security-set-pass thepasswordhere /dev/sdb

4. Entering an ATA password causes the drive to use it as an Authentication Key for the DEK. In other words it encrypts the DEK thus requiring the entry of the ATA password upon subsequent power off/on from outside.

5. The ATA password itself is in fact stored on the drive itself, but is converted to a one-way, irreversible hash first thus it is required to be entered from outside in order to unlock the drive.

I would appreciate if you can advise on the above.

Thank you

BrusC_Intel · ‎08-21-2020

Hello, @Telbizov.

Good day,

Thank you very much for waiting.

After reviewing your questions, this is what can be provided for each individual statement:

This is correct. Each Intel® SSD self generates a key upon use. The user can simply start using the Intel® SSD and data is encrypted with that unique key. Note that if the Intel® SSD does not have a configured security interface (e.g. TCG Opal) the encryption function of the device does NOT provide confidentiality of user data.
Correct.
Correct
Correct.
Our experts confirm that the SSD does not store the password.We cannot go into specific implementation details, however for your question, yes, password is required to be entered from outside in order to unlock the drive.

Best regards,

Bruce C.

Intel Customer Support Technician

A Contingent Worker at Intel

View solution in original post

BrusC_Intel · ‎08-18-2020

Hello, @Telbizov.

Thank you for contacting the Intel Community Support.

I received your ticket regarding encryption details, I will be glad to assist you.

The information we can provide regarding the encryption of the drives and how it works is limited, for the main part, it is as you mentioned, the drives are advertised to have AES256 encryption, but the information can be accessed without restriction if security is not configured in any way, this will depend on the user.

If you have questions regarding the encryption features or how they will be managed, the best option will depend on how you plan to set it up, for example, if this will be setup via BIOS, check with the motherboard vendor, or via software, check with the developer of the tool that will be used.

Some details regarding encryption on Intel drives can be found here: https://www.intel.com/content/www/us/en/support/articles/000036098/memory-and-storage.html

If you have any questions, please let me know.

Best regards,

Bruce C.

Intel Customer Support Technician

A Contingent Worker at Intel

Telbizov · ‎08-18-2020

Hi Bruce,

Thank you for your answer.

I read through the pointed article and it sounds like those particular models do NOT really use the ATA password as a passphrase of the AES data encryption key as I saw pointed out elsewhere ().

/ QUOTE /

If the Intel® SSD does not have a configured security interface (such as TCG Opal) the encryption function of the device does NOT provide confidentiality of user data. Under these conditions, the encryption engine in the device behaves more as a data scrambler. Without a configured security interface, data written to the device can be retrieved by anyone with access to the device. A security interface must be activated in order to provide data confidentiality on the SSD.

If you desire to set a drive password, please contact your computer manufacturer, as this may vary by vendor. In some cases, a password can be set in BIOS, and other cases in software. Note that the manufacturer instructions may require additional steps to configure the security interface properly. So be sure to follow all recommended steps.

/ QUOTE /

So my understanding that S3710 and S4610 use the ATA drive password as the passphrase to encrypt the AES Data Encryption Key was *INCORRECT* ? Can you please confirm this again?

Please also help me clarify this:

Since those disks have no OPAL interface, is there any way to encrypt the data on the drive such that it can only be accessed after a proper passphrase is supplied from outside the drive ? In other words someone who has physical access to the disk will not be able to read its contents if they are not in possession of the passphrase.

Thank you

Telbizov · ‎08-18-2020

What I was referring to is https://community.intel.com/t5/Solid-State-Drives/Data-Encryption-on-DC-S3500-DC-S3700-with-ATA-Pass...

There it is stated that

/ QUOTE /

It is important to say that the drive does encrypt its AES keys with the ATA password and ATA password is stored as non-reversible hash.

/ QUOTE /

Is that true?

BrusC_Intel · ‎08-19-2020

Hello, @Telbizov.

Good day,

Allow me to check if I can get confirmation on this, I will contact you back as soon as possible.

Best regards,

Bruce C.

Intel Customer Support Technician

A Contingent Worker at Intel

Solidigm

S3710 and S4610 SED encryption questions