SSD full disk encryption

enriquecano

Distinguished
Apr 22, 2008
Hi,

Does somebody know if I can use TrueCrypt full disk encryption on an SSD? I am looking to buy an OCZ Vertex 3 but I am concerned about the performance and/or long term reliability issues that could arise from using TrueCrypt.
A hardware encryption that allows password-protecting the whole disk would be OK as well. Are there any SSDs out there that support this? I heard that OCZ supported AES encryption but I can't find any information on their web site.

Thanks,

Enrique
 
TrueCrypt points out that any device that implements wear leveling, such as an SSD, is vulnerable to attack. http://www.truecrypt.org/docs/?s=wear-leveling

Long-term reliability or performance should be the same as any similar amount of write activity, but this year-old benchmark showed a marked reduction in performance over an SSD not software-encrypted: http://www.media-addicted.de/ssd-and-truecrypt-durability-and-performance-issues/744/

Is Samsung still making the hardware-encrypted device tested here: http://www.samsung.com/global/business/semiconductor/products/SSD/downloads/SamsungSSD_Encryption_Benchmarks_201011.pdf ?

Edit: I looked on Samsung's site, and all the self-encrypting drives I found are external. This leaves open the question of whether the encryption is done by the drive or the enclosure.

Here's one from Kingston: http://www.kingston.com/ukroot/ssd/pdf_files/SSDnowV+100E_Datasheet_1010.pdf
 
Intel is advertising that their new 320 series solid state drives have default 128-bit AES encryption. There is similar advertising for SandForce based SSDs. However, the encryption is being called into question.

Here is a link to one of several similar articles about the Intel 320 encryption:

http://nickfurneaux.blogspot.com/2011/03/intel-ssds-have-default-aes-encryption.html

Haven't looked at the encryption for SandForce based SSDs yet.
 

groberts101

Distinguished
Feb 20, 2010
Encryption software will generally slow an SSD down a bit (at least the 2 controllers I've seen TrueCrypt used on so far). Using them on a Sandforce based drive would be a BIG no-no as ALL data on the drive would effectively be in a compressed state and therefore eliminate the possibility of the Sandforce controller using its compression algorithms to promote top speeds.

Many have tried it and have been less than happy with the results from the 10+ posts I've seen who had issues.
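
Added example, not part of any post in this thread: a measurement of why software-encrypted data gives a compressing controller nothing to work with. The SHA-256 counter keystream is a stand-in for TrueCrypt's cipher and zlib is a stand-in for the controller's compression (both are assumptions, as is the constructed sample data).

```python
import hashlib
import zlib


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in stream cipher: XOR data with SHA-256(key || counter) blocks.

    This is not TrueCrypt's algorithm. It is used here only because its
    output, like that of any sound cipher, looks like random bytes.
    Applying it twice with the same key returns the original data.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hashlib.sha256(key + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def sample_plaintext(size: int = 256 * 1024) -> bytes:
    """Constructed sample: repetitive, log-like text that compresses well."""
    line = b"2011-04-02 12:00:00 INFO service started, status=ok\n"
    return (line * (size // len(line) + 1))[:size]


def compression_ratio(data: bytes) -> float:
    """Compressed size divided by original size (lower means more savings)."""
    return len(zlib.compress(data, 6)) / len(data)


def compare(key: bytes = b"constructed demo key"):
    """Return (ratio for plaintext, ratio for the same data encrypted)."""
    plain = sample_plaintext()
    cipher = keystream_xor(plain, key)
    return compression_ratio(plain), compression_ratio(cipher)


if __name__ == "__main__":
    plain_ratio, cipher_ratio = compare()
    print(f"plaintext : {plain_ratio:.4f} of original size after compression")
    print(f"ciphertext: {cipher_ratio:.4f} of original size after compression")
```

The plaintext shrinks to a small fraction of its size, while the encrypted copy of the same bytes does not shrink at all, so every sector written under full disk encryption reaches the drive already incompressible.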
 

enriquecano

Distinguished
Apr 22, 2008
Thanks a lot guys!!

I'll stay away from SandForce controllers while I continue to use TrueCrypt. Maybe I'll wait to buy an SSD until vendors implement (and explain) better their full disk encryption features.
 

Bricktop

Honorable
Apr 22, 2012
From what I can gather, Samsung is the way to go for SSD encryption. The 470 (PM810) received FIPS 140-2 certification, and the algorithms used are in that report (AES-256 and SHA-256). It also does a Firmware check, to ensure it hasn't been tampered with. Unfortunately, the 830 drives don't offer encryption in the retail market. The 830 has encryption in certain OEM drives like the new 830 mSATA drives.

From the little that Intel is willing to offer about their 320 drives, the fact that they claim the password hash is saved in the drive (never save passwords in any form when dealing with encryption), and that the hash algorithm is unknown leaves a lot of people unsettled about the security really offered by the drive.

Sandforce drives have reportedly run into a HUGE security issue where updating the firmware essentially wipes the passwords, but makes the information on the drive available to anyone with physical access to the computer. This essentially proved that the passwords played no role in encrypting the drive and they are completely open to compromise.

I've done a little searching, and the reliability and security offered via ATA passwords (used in the decryption process) is very concerning. First, many BIOS don't offer it. Second, most of the ones that do, only offer up to an 8 character password (not very secure). Some BIOS implementations alter the password before sending it to the HDD/SSD, meaning that if you remove the drive from that computer and put it into another computer it won't work, even if you enter the same password. This means that if your motherboard or laptop breaks you lose all of your data, and in the case of Intel's 320, your SSD becomes a brick ("unserviceable," as Intel would put it). There appears to be no standardization for ATA password implementation in the BIOS. Since many consumer grade SSD/HDD self-encrypting drives (SED) rely so heavily on it, you would think there would be a better standard. Check your BIOS manual before even purchasing a SED.

Encryption on SSDs seems to be primarily for the purpose of secure erasing the drive in a timely and reliable fashion and less about providing an active security measure to the customer.

Based on a day's worth of research on the internet (we know how reliable that is), the only SSD I would feel at all comfortable using to protect information would be the Samsung 470. That is my 2 cents.
 

protheman

Honorable
Jan 8, 2014
I wonder, now that some time has passed and new SSDs which are supposed to be SED have come out, if the above situations have changed.

For example, is performance still harmed when using TrueCrypt or similar programs on, say, a Samsung 840 Pro?

And is the ATA password still as unsecure?
Is the ATA password = bricked drive (or loss of data) still valid with the 840 Pro?
 

lexluthermiester

Distinguished
Nov 27, 2006
Things have changed in the past few years. I have been using TrueCrypt for some time on a pair of Samsung 128 GB 810 SSDs in a hardware RAID zero in a full drive encryption config: no performance issues, no data leak problems, perfect reliability. It would seem that FDE has no effect on SSD longevity and seems to improve it as data is only changed when it's actually written to and is never zeroed out [TRIM'd] because even the empty space is encrypted and contains data. It can depend on the hardware used and the SSD controller, but all modern SSDs are compatible with FDE now. Your mileage may vary, but it is generally considered safe if your main concern is data security.
 

protheman

Honorable
Jan 8, 2014
So all I have to do to enable FDE is to install TrueCrypt, then proceed to encrypt the system drive (840 EVO) with it and that is it?
If that's all then it's easy!