I'm not sure but it seems that Intel approach is no differ then SandForce 12xx one. It means: this is ONLY internal encryption with random generated passwords and without user defined passphrese. This solution does NOT increase security against thieves. It speeds secure erasing and add minor layer of security against controller switching (for ATA-pass overriding) and flash memory dumping. Highly rare and uncommon situations these days.
Hmmm in that case it is pretty lame - moving a disk between two controllers is even something I WANT TO BE ABLE TO DO.... it is really the data theft issue one want to address (in particular on laptops)....
/Trist
The controller switching is rather outdated hack method (mainly for platter drives) based on swapping hdd's electronic board (containing drive's controller and internal bios) to bypass some security methods. It does not concern motherboard controller, the drive's electronics only.
There are IMO much better solutions for securing mass storage these days. Much more flexible then bios-based passwords (with its 8 characters limitation - too small against brute force attacks). All of them are based on preboot authentication (and to be honest they have theirs own issues) but I highly dubt Intel implemented that. We are talking about budget drives.
Hey tristpost,
Just want to let you know that I'm working on answers for you! Everyone else should look for a 320 post sometime today. Thx!
-Scott, Intel Corporation
Requires BIOS level password setup to enable user-unique encryption.
According to
I would like to know the answer as well. Is the ATA password set in the BIOS directly linked to the key stored in the Intel 320 drive? If not, the encryption feature in the drive wouldn't really be accessable to the user.
While many bios seem to have 8 character limitations, is there any technical reason for it? As far as the ATA specs go, up to 32 characters should be fine to use.
@Atavism
AFAIK there in no technical reason for 8 chars limitation. And you are absolutely right. ATA security specification defines 32-bytes for pasphrase. Well... it seems that unofficial bios modding for adding security ATA extensions will be more common these days. This is the only way I can think of... I've lost any hope that my desktop mobo's manufacturer get rid of the essential flaws in its BIOS anytime soon. Adding security module sounds like sci-fi for me and it is unreal for most of us, unfortunately.
tristpost asked excellent question about passwords linking. This is the clue.
Intel's documentation suggests that AES keys are generated during Secure Erase procedure. And this is understandable. But the thing is: ATA password seems to be unrelated to AES encryption engine which to be honest reverse the proper implementations upside down. In truecrypt (and many soft-based solutions) for instance password is the first and based on it and random or pseudo-random generator (mouse based in truecrypt) final AES keys are obtained.
Intel's paper suggests that in 320 case AES encryption and SATA pass are separated. You can use AES (well you are forced to, but not complaining) and NOT use ATA-pass at the same time. ATA pass is optional.
These two security mechanisms are not nested. They are not nested!
When you crack ATA password AES becomes obsolete and vice-versa. They are not in logical conjunction.
Impications? Well look at the market. Dozens of manufacturers and theirs ATA pass implementations. And you can crack almost any of them. There are specialized commertial firms witch offer ATA pass removal. And all these security implementation are hardware!! ATA pass is stored in drives firmware or data firmware areas!
The only solution to secure such encryption mechanism I can think of is to encrypt (strong encrypt) generated AES keys with ata pass internally.
Otherwise sooner or later some skilled hacker will find "authorization bit" and this whole sophisticated AES will be absolutely useless.
In my opinion this is not looking like enterprice class security. If I'm wrong, feel free to prove otherwise.
I'm also interested in this, any word from Intel yet?
Looking forward to your "official" answer. Still mostly speculation in the thread....
/Trist
Hi,
another interesting question is (in my opinion) how the Intel 320-series FDE could work together with a new MacBook Pro (early 2011).
Because there's no BIOS - 'only' EFI.
I'm really looking forward to your answer! (hopefully for all questions in the thread)
/Shiek
Hi SSDelightful . We are still waiting for the answers you promised two days ago. Please respond. Thx
Another interesting question:
What about Intel's FDE and hot-swapping ATA password secured SSD Drive? Is it hot plug/hot swap possible with such security system enabled?
