This discussion is locked
124 Replies. Latest reply: Feb 26, 2013 10:56 AM by LS1
  • 45. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...
    DesktopMan Community Member
    I have a question regarding part of your response:
    "ATA Password is stored in media as a non-reversible hashed value. This answer also applies to other questions in the blog. See below."
    What sort of hash? Is it randomly salted per drive? I would have preferred that it didn't store a hash at all and instead did what TrueCrypt (and others) do: encrypt the randomly generated key with your password (which the 320 does); then, when you try to unlock the SSD, it decrypts the stored key using the password and then tries to decrypt known data. If the decryption fails, the password is wrong. I guess Intel didn't go this way as they don't necessarily have known data on the SSD. (They could have added some static known data somewhere on the drive, but that's a different discussion.)
    For those wondering if you can change your password, this is usually done by re-encrypting the key using the new password. I don't know if the 320-series supports this though, so a clarification would be great.
    Bonus question: What block mode is used with AES?
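
The scheme this post describes (a random media key wrapped under a password-derived key, a wrong password detected at unlock, and a password change done by re-wrapping the key), as an added example that is not part of the original thread and does not describe Intel's firmware. It uses only the Python standard library, so an HMAC-derived one-time pad and an HMAC check tag stand in for AES key wrap and for the "known data" test; every name and parameter here is an assumption.

```python
import hashlib
import hmac
import os

KEY_LEN = 32          # length of the media encryption key (MEK) in this sketch
PBKDF2_ROUNDS = 100_000


def _derive_kek(password: str, salt: bytes) -> bytes:
    """Slow, salted derivation of the key-encryption key (KEK) from the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, KEY_LEN)


def _subkey(kek: bytes, label: bytes) -> bytes:
    """Separate keys for wrapping and for the check value, both derived from the KEK."""
    return hmac.new(kek, label, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(media_key: bytes, password: str) -> dict:
    """Return the record that would live on the media: salt, wrapped MEK, check tag."""
    if len(media_key) != KEY_LEN:
        raise ValueError("media key must be KEY_LEN bytes")
    salt = os.urandom(16)  # random per drive, and renewed on every password change
    kek = _derive_kek(password, salt)
    # Stand-in for AES key wrap: the 32-byte pad is used once because the salt is fresh.
    wrapped = _xor(media_key, _subkey(kek, b"wrap"))
    tag = hmac.new(_subkey(kek, b"check"), wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unwrap(record: dict, password: str):
    """Return the MEK, or None if the password is wrong (the tag does not verify)."""
    kek = _derive_kek(password, record["salt"])
    expected = hmac.new(_subkey(kek, b"check"), record["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return _xor(record["wrapped"], _subkey(kek, b"wrap"))


def change_password(record: dict, old: str, new: str) -> dict:
    """Re-wrap the same MEK under the new password; user data is not re-encrypted."""
    media_key = unwrap(record, old)
    if media_key is None:
        raise ValueError("old password rejected")
    return wrap(media_key, new)


if __name__ == "__main__":
    rec = wrap(os.urandom(KEY_LEN), "constructed-password-1")  # constructed sample values
    rec2 = change_password(rec, "constructed-password-1", "constructed-password-2")
    print(unwrap(rec2, "constructed-password-2") == unwrap(rec, "constructed-password-1"))
    print(unwrap(rec2, "constructed-password-1"))  # old password no longer unlocks
```

Because only the small wrapped-key record changes, a password change is instant regardless of drive size, and discarding the media key makes all stored data unreadable.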
  • 46. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

    Quick question - are the 320 series SSDs FDE.2 or FDE.3 compliant?

    And, where can I find that in Intel's printed documentation?

    Thanks!

  • 47. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

    1). NEVER run software FDE on SSD. You may however encrypt specific folder/file(s) but not whole SSD, in other words don't use BitLocker, TrueCrypt or similar. Unless you're willing to settle for a) enormous speed drop like 4-6 times especially writing b) wear out SSD sooner (more writing). Although I said "never" just as a side thought: FDE using BitLocker is faster on SSD drives than TrueCrypt, but again don't use any.

    Software FDE is meant for regular hard drives, not SSD.

    2). As Uncle Joe pointed out, there's no need for FDE anyway - because Intel320 series is already encrypting in hardware. Unlike software FDE, hardware encryption (e.g. AES or another type) does NOT result in any measurable performance drop, it's "built-in" already.

    3) However a big problem:

    While many laptops' BIOSes allow you to add an "ATA password" (aka "harddrive password" or lock; do not confuse it with the BIOS password, which is a joke kids can crack in 15 minutes, I am talking about the ATA password), most desktops don't. My high-end HP "EliteBook" 8540w/8740w allow all kinds of passwords, even locking up I/O ports (USB3, audio, eSATA, etc.), and that's fine, but too many laptops and almost all desktops except professional/server type desktops don't have this ATA password extension/feature in BIOS.

    Which renders any hardware encryption useless. Thieves simply remove your SSD and plug it into another computer and your data is theirs.

    Because SSDs were first meant for laptops.

    Now SSD manufacturers are waking up and trying to bypass BIOS to add some kind of password to work in conjunction with hardware encryption, for people whose BIOS doesn't offer one. Intel or not, doesn't matter. OCZ & Crucial are trying the same, but I strongly prefer Intel's reliability/stability (speed is nice, but losing data makes Crucial's or OCZ's speed meaningless, they fail more often and are even reported to occasionally corrupt data).

    So nothing you can do until Intel releases a new Toolbox with added password feature, until then hardware encryption means only one thing:

    if someone was to remove SSD chips from the circuit board, desolder & probe or solder onto another board, their contents are encrypted/protected, BUT if someone steals the whole SSD, which is obviously the simplest, most straightforward thing to do (why would thieves disassemble the SSD & remove chips?!? when they can steal the whole SSD?), your data is theirs.

    As for hard drives - yes, FDE is the only solution if there's no way to enter an ATA password, as on some laptops and almost all desktops. My HP EliteBook fortunately has no such problem, it's got many ways to enter a password, but my MSI-motherboard based desktop doesn't, and the same goes for my HP DM1Z-2nd generation, the famous ultraportable that came out in March this year. Cheaper computers don't have it, high-end/professional ones like HP EliteBooks & Lenovo ThinkPads and my old Asus have it, HP EliteBooks even have numerous ways to add passwords.

    So to summarize:

    1) if your BIOS has ATA/harddisk password ability, if you configure it you're totally protected with Intel320 SSDs, same with hard drives if you also add FDE (do not set up software FDE on Intel320 as it would kill it, it already has FDE built into hardware)

    2) If your BIOS doesn't allow an ATA password, there's no easy way to protect yourself until Intel releases a new Toolbox

    3) if you're like me, who is a professional EEengineer, you wouldn't care for BIOS.

    I hack/modify my SSDs & hard drives to ADD ATA PASSWORD WITHOUT ANY BIOS! I use heavy-duty low-level disk firmware hacktools which I won't be disclosing here b/c if you use them improperly & "brick" your drive you may blame me or even Intel's Discussion Forum. I am doing some defense/government work so I absolutely must be protected.

    Too bad most desktop BIOSes & many laptop manufacturers assume we're dumb and cannot use ATA passwords properly. So it's not in many BIOSes despite being part of the ATA Standard since 1997!! I had it even in the mid 1990s on an ancient IBM ThinkPad, I now have it in HP EliteBooks but not everyone is so lucky. If you buy a basic consumer laptop or 95% of desktops, they don't offer an ATA password, though at least 3 of Intel's motherboards do offer it - on SATA port0. Those with the "Q67" chipset (business, not consumer).

  • 48. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...
    DesktopMan Community Member

    I'm not sure if you're a troll or just misinformed, but I'll bite.

     

    1. This paragraph contains grand statements without any references to actual facts:

     

    Speed: Some SSDs rely on compression to speed up writes, which will slow the SSD down if using encryption, as encrypted data is random data which does not compress. This is not relevant on Intel SSDs as they do not compress data. Let's challenge your 4-6 times claim anyway with an SSD that *does* rely on compression:

    http://www.anandtech.com/show/3667/oczs-agility-2-reviewed-the-first-sf1200-with-mp-firmware/6

    As you can see the absolute worst case in this scenario is 57%. That's hardly 5-6 times, and it's not even applicable to Intel SSDs.

     

    The actual software encryption speed also affects encrypting hard drives, so I don't think it's relevant to this discussion, but I'll mention it anyway for completeness' sake: Most recent Intel CPUs have hardware AES encryption, removing this bottleneck. Even with software encryption my 2.4 GHz Core 2 laptop (which is pretty old at this point) does 160MB/sec AES in TrueCrypt. This would slow down an SSD in certain workloads.

     

    As for wearing out the SSD faster, this again only applies to SSDs that use data deduplication. I couldn't find hard info on Intel on this, but I believe they do not use it. Even if it did, wearing out an SSD is mostly a myth anyway for workstation workloads, which are mostly reads.

     

    2. There is if you prefer using encryption that's well documented and well tested. There are many unanswered questions regarding Intel's implementation in this thread, and I'll likely not use it before those are put to rest.

     

    3. Yes this is a problem on many motherboards, desktop and mobile alike. I think you're misunderstanding what you need on motherboards that do not support ATA passwords though. A new toolbox with "ata password features" wouldn't help at all, how would you boot the OS if you can't unlock the drive? What you need is a bootloader that asks for the ATA password and unlocks the SSD, then boots the OS, not unlike the TrueCrypt bootloader. MHDD might be able to do this: http://hddguru.com/software/2005.10.02-MHDD/

     

    This will likely be my last post in this thread as there's really no constructive discussion going on and for some reason it seems to attract a lot of trolls.

  • 49. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...
    AYA Community Member

    Guest wrote:

     

    1). NEVER run software FDE on SSD. You may however encrypt specific folder/file(s) but not whole SSD, in other words don't use BitLocker, TrueCrypt or similar. Unless you're willing to settle for a) enormous speed drop like 4-6 times especially writing b) wear out SSD sooner (more writing). Although I said "never" just as a side thought: FDE using BitLocker is faster on SSD drives than TrueCrypt, but again don't use any. Software FDE is meant for regular hard drives, not SSD.

    You may be a great "professional EEengineer", but I prefer to believe Microsoft's SSD FAQ:

    http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx

     

    Is Bitlocker’s encryption process optimized to work on SSDs?

    Yes, on NTFS. When Bitlocker is first configured on a partition, the entire partition is read, encrypted and written back out. As this is done, the NTFS file system will issue Trim commands to help the SSD optimize its behavior.

    We do encourage users concerned about their data privacy and protection to enable Bitlocker on their drives, including SSDs.

    Yes, there will be some performance degradation, but no problems with wear-out.

    ps: sorry if my English is not good.

  • 50. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

    You can use the hdparm utility in Linux to unlock an ATA-password protected drive (SSD included).

    Just boot from a pendrive with one of those micro-small Linux distributions (ttyLinux, tinycore, microcore, DSL) and issue:

    hdparm --user-master u --security-unlock <pas> /dev/<your_drive>

    inside your script which asks for password first...

    and then, reboot. Security state of the disk is preserved during the warm reboot.

    Not the most elegant solution, as it requires an additional restart, but you can mostly automate it thanks to grub's fallback function.

    And it could be fast. A small, well-configured Linux can boot in 5 seconds.

    One can live with that.

  • 51. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

    SUCCESS!

    I TRIGGERED YOU PEOPLE TO POST EXTREMELY VALUABLE INFORMATION. UP UNTIL I TROLLED SEVERAL POSTS AGO PEOPLE WERE GOING IN CIRCLES, BUT NOW, DESPITE MY EXISTING SUBSTANTIAL KNOWLEDGE, YOU ADDED SEVERAL FACTS TO REMOVE SEVERAL HEADACHES I WAS PUZZLED BY! Things stored on my computers are related to bleeding-edge latest fiberoptic links, solid-state power microwave amplifiers, missile/warhead telemetry, etc. It's secure at work, LoJack, Kingston chains, etc. besides passwords/cryptography; but at home - I could only trust this HP EliteBook which has more passwords in hardware than there are bugs in Amazon jungles. Problem is it all works for magnetic storage and I had doubts about SSDs, so first - I decided I can only allow Intel320 or Sandforce-based stuff (hard encrypting) & IronKeys. No classified info at home, but still I am paranoid enough to start worrying the moment I started using SSDs. Next is something worse - desktop mobo MSI + another laptop (ultraportable HP DM1Z - famous new product that came out this March 2011), none of these babies have even a simple ATA password in BIOS, none. So a hard encrypting SSD is meaningless, whether it's Intel or non-Intel/Sandforce, meaningless without a password; if thieves steal it - you're finished. No need to desolder chips.

    So I was pondering if soft encryption is a no-no for SSD & only works fine on harddisks, does that mean I am locked out from SSDs for anything other than a tiny 32GB boot drive or some useless cr*p b/c protection is impossible.

    But according to your [claim],

    I "CAN" USE SOFT ENCRYPTION WITH BOOTLOADER IF "ATApassword" IS NOT OFFERED BY BIOS, OR ALTERNATIVELY I COULD CONTINUE USING MY DANGEROUS HACKTOOLS (dangerous b/c I accept a possibility of one day locking up a modern SSD and being unable to unlock it, since things like atapwd, mhdd, diskparm... whatever are very dated and were mostly tested for magnetic storage).

    So I squeezed something from you people worth SAVING.

    I saved this thread as a reference.

    Thanks - it even relieved me from contacting Intel, HP, Crucial & others' tech support with as many messages as I planned. I will still ask them stuff, but less due to your responses here. My cat is attempting to eat a Microsoft mouse and I shall depart.

  • 52. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

    Actually taking part of my praises back.

    That Microsoft TechNet/MSDN article is dated May 2009. This, unlike for harddisks, is potentially horribly obsolete. The author could not possibly know what we know in 2011 - SSDs did not evolve, they've revolutionized since 2 years ago. Therefore some of Sinofsky's discussion might be based on obsolete & even incorrect facts.

    Experiments have shown software encryption is problematic for SSDs, Intel or not, compression or not, random or intercorrelated data - it is still something at least the Enterprise market will not be happy with. Besides enterprise/corporate users, regular people like me - we ABSOLUTELY need protection.

    So it comes back again to hardware encryption being the proper solution BUT without some password it's meaningless.

    The only meaning of hard encryption is if someone steals a password-protected SSD, that person cannot remove flash memory chips & solder them onto another identical PCB board & steal all your data - b/c it's encrypted and would be exceedingly difficult to decrypt, possibly not worth the effort.

    However WITHOUT a password all the above is garbage. A thief simply steals your whole SSD & no need to remove flash memory chips. Just plug into another SATA port/computer and you're a victim. The lack of a password makes hardware encryption a waste of advertising space by manufacturers. I am lucky to own an HP EliteBook whose BIOS offers ATA password, but I am not lucky to own everything else (desktop MSI/built for CAD/design work & HP DM1Z blockbuster) that doesn't offer it in BIOS, and hacking to set up a password - you know, life is short and I am very unhappy to play these password games every time I depart from the office long-term or travel.

    It should be easily set up thru Intel SSD Toolbox maybe? But it's not there, nor is it in any other SSD maker yet - OCZ (crap is least reliable), Crucial (medium reliable), or Intel (most reliable).

    SO bottom line:

    we still cannot trust SSDs with most important data. YOU MAY WONDER SO WHAT? Only use SSD for non-critical data? But the problem is there's NO WAY to ensure your sensitive/secret data never ends up on SSD even if you intentionally write it only to harddisks (documents) and reserve SSD only for OS/boot/etc. What, are you going to spend time to make sure no "debris" is spilled out onto SSD? Impossible. Even as you view this webpage, some caching/temporary file storing is happening in the background and if you're working on secret stuff, stealing your SSD supposedly not holding documents will still reveal stuff about you that you may not want others to know. And one last thing:

    I am not going to bother "relocating" Users, pagefile, etc. crap from Boot/primary SSD onto harddisk b/c it's an invitation to future problems (e.g. new software installation failures, losses/corruption, etc.).

    Stupid.

    Someone please give us the ability to enter a PASSWORD! Else AES 128-bit or 1024-bit encryption - is all meaningless!

  • 53. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

    Sinofsky's last name (man who wrote that Microsoft blog) rhymes with mine. So I know he is insane.

    Besides, that blog is dated May 2009! 2 years ago.

    Cannot trust it, 100%. What did they know 2 years ago?

    Hardware encrypting SSDs were not even on the market, and the number of customers using SSDs was like the number of people using cellphones in 1991.

  • 54. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

    i am very krazy.

  • 55. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...
    Wiggly Community Member

    Thanks a lot for that clarification, but does it also apply to the 510 series? I was considering a few Vertex 3 for corporate laptops, but as OCZ fail to clarify this crucial detail I will go with the 320 instead (or 510 if it has the same ATA password and controller AES link). Software FDE is really hard for the regular employee to grasp and error prone; just using Windows backup with TrueCrypt requires a "hack", and Ultimate Editions for BitLocker are not quite cost effective.

  • 56. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

    AFAIK, 320 is hard-encrypting, but 510 is not likely - 510 is about speed, not security. One might even guess, intuitively, fastest storage is not most secure since security adds overhead. In the case of semiconductor memory like SSD though, overhead is tiny, but still:

    510 was designed for SATAII/speed, not security, it's 320 which has internal encryption.

    Easiest thing is to check the 510 datasheet, 320 clearly states and is actually ADVERTISED by Intel as self-encrypting.

    But I've never seen Intel advertising 510 Elmcrest as having hardware encryption.

    However 510 is a good candidate for Soft Encryption - BitLocker would be fastest, probably, despite me myself pitching against soft encryption on SSDs, Intel510 is not a bad candidate for it. You will lose some performance but given its ridiculously fast transfer rates, the penalty may not be too noticeable.

    As for hard encryption - it's 320.

    Just beware if your BIOS doesn't allow you to enter an ATA password (some business laptops allow it, other consumer laptops and most desktops don't), then hardware encryption is completely useless. One way to help yourself is to use a number of hacks to enter an ATA password without BIOS involved, but that does require you to be good with computers - else you will destroy your SSD permanently. Also these hacks are only useful if you understand and actually can set up a BootLoader which asks for a password before the OS is loaded and is not fighting with BIOS at the same time.

    All the above has been repeated many times in this Discussion, go back & read.

    I am tired of repeating.

    Most important fact however: Chinese will copy/steal all these patents so Intel's innovation is doomed anyway. There's already a copy of iPhone and "legal software" in China is a joke - people giggle. Not ONE engineering/design software tool in China is paid for, it's copied. Cadence, Autodesk, AWR, Agilent, Microsoft, whatever... A company I worked for has attended some technical seminars in south China only to find its OWN products on display as something invented by Chinese!?! Our government needs its **** KICKED for allowing rampant copying and patent theft.

    Intel320 will be made in China without any Intel involvement one day. In some cases less than 6 months passed since a product was invented here and stolen by Chinese.

  • 57. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...
    prowest Community Member

    Thank you. Thanks for posting the chart!

  • 58. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...
    SSDelightful Community Member

    As of today, the Intel SSD 320 Series is our only product line that is self-encrypting.

    -Scott, Intel Corporation

  • 59. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

    If you have a Mac, like me, you cannot take advantage of this feature. Apple has left out the ATA security password feature in its EFI implementation. There is nothing that can be done unless Apple issues a firmware update adding support for this feature. Yay Apple.
