5 Replies Latest reply on Nov 16, 2017 2:23 PM by Intel Corporation

    DC Series SSD - Encryption Key Management in Windows Server

    KGR

      Folks,

       

      I'm trying to understand how to leverage the hardware encryption built into the DC series SSDs for a branch server (doing all of the research now, so there are no surprises down the road).

       

      I'm looking at purchasing a DC S3520 series SSD - this is listed as a Self-Encrypting Drive (SED). I have previously worked with Samsung Evo eDrive compatible SSDs in our corporate laptops - these work well with BitLocker and work with the existing hardware SSD encryption (rather than perform software Full Disk Encryption - which is often the case with OPAL certified drives without the separate eDrive comparability).

       

      For the branch server setup, we need to have the data encrypted, so what is the Intel approved method of leveraging the existing hardware based encryption on Windows Server (2012 or 2016)? The server will have a TPM.

       

      The Intel Solid-State Drive Pro Administrator tool does have the ability to enable eDrive support, but only on drives that support this capability. The DC S3520 series specifications don't specifically mention OPAL or eDrive support (or does it???)

       

      The solution doesn't need to be BitLocker, but I'd like to know what options are there? For example, is there an Intel storage controller that can be purchased that can facilitate these SSDs for hardware based Full Disk Encryption? This may be a great solution when one wants to create a Mirrored RAID Volume that is hardware encrypted, as BitLocker won't do hardware encryption on eDrive enabled SSDs unless it can see them directly (won't work if they are in a RAID Volume - BitLocker will work - but Just in Software mode).

       

      Any help is appreciated!

       

      Regards,

       

      Kieran

        • 1. Re: DC Series SSD - Encryption Key Management in Windows Server
          Intel Corporation
          This message was posted on behalf of Intel Corporation

          Hello KGR,

          As you mentioned, the Intel® SSD DC S3520 Series is a Self-Encrypting Drive (SED). This means the drive is always encrypting the user data stored on the media. This is true for all our SSDs. If you want to set a a password protected encryption, you can use the software based solutions such as BitLocker*, MacAfee* Drive Encryption or ATA security password.

          To answer your question, we do not have an approved or preferred encryption method. You can a use any method available for Windows* Server 2012 or 2016.

          As for Full Disk Encryption (FED) using Intel® RAID Controllers, there's a Premium feature that enables this kind of encryption on the controllers. You can find more details here:

          Intel® RAID Solutions

          Best regards,
          Eugenio F.

          • 2. Re: DC Series SSD - Encryption Key Management in Windows Server
            KGR

            Hi Eugenio,

             

            Thanks for your reply.

             

            I'll have a look at the Intel RAID controllers to see the options there.

             

            Whether the drive is always encrypting the user data on the media or not is meaningless unless there is a mechanism to prevent unauthorized access to said data. The default setting is that there is no password (or similar mechanism) enabled on the SED SSD, so everything and everyone has full access to the data on the drive - therefore the encryption is effectively useless. Remove the drive and plug in into another machine, and full access is there by default.

             

            However, I do understand that having hardware encryption enabled allows other mechanisms to leverage that to actually protect the data on the SSD once enabled (e.g. BitLocker and other software products - which essentially manage the SSD encryption keys, and tying it to the TPM chip or similar).

             

            For BitLocker to work (while leveraging the native SSD hardware encryption) the SED SSD must be support eDrive - can you confirm if the DC series SSDs support the eDrive standard?

             

            For the MacAfee Drive Encryption and similar products to work (while leveraging the native SSD hardware encryption) the SED SSD must support OPAL - else it defaults to using software encryption - can you confirm if the DC series SSDs support the OPAL (1/2) standard?

             

            It's the eDrive and OPAL standard support that I an definitively trying to figure out here. If not, then the only option to leverage the native SSD encryption is the ATA security password, or the Intel RAID controllers with a premium feature license.

             

            Regards,

             

            KGR

            • 3. Re: DC Series SSD - Encryption Key Management in Windows Server
              Intel Corporation
              This message was posted on behalf of Intel Corporation

              Hello KGR,

              As far as we understand, eDrive* and Opal* are very similar:

              • Opal*: A Trusted Computing Group* (TCG) standard that defines an interface for managing a Self-Encrypting Drive (SED).

               

              • eDrive*: Microsoft* specification for a drive that complies with the TCG* Opal 2.0 and IEEE.

              Terms definitions were extracted from Intel® SSD Pro 2500 Series Guide for Microsoft eDrive* Activation [Page 5, Terminology].

               

              Even though drives in the Intel® SSD Data Center Family are SED, they aren't compliant with neither eDrive* nor Opal*. The eDrive* feature is supported on the Intel® SSD Pro 2500, Pro 5400, and Pro 6000p Series products.

               

              Encryption software like BitLocker* and MacAfee* Drive Encryption are eDrive*/Opal* compatible, however this doesn't seem to be a requirement to encrypt the drives. This can be confirmed on the software requirements as neither of these standards are listed:

               

              - BitLocker Overview - System requirements
              - McAfee Drive Encryption Product Guide [Page 15, Requirements]

               

              We've also tested these encryption programs on non eDrive*/Opal* Intel® SSDs.

               

              I hope this information will be useful for you,

               

              Best regards,
              Eugenio F.

              • 4. Re: DC Series SSD - Encryption Key Management in Windows Server
                KGR

                Hello Eugenio

                 

                Thanks for your response.

                 

                So, the Intel DC series SSDs are not compliant with either eDrive or Opal - good to know.

                 

                Microsoft, McAfee, Sophos, Symantec, Checkpoint, WinMagic etc. all have products that work with SED drives - however, the SED drives need to be Opal compliant in order to leverage the native SED encryption - the excpetions being Microsoft & Symantec, which only work with eDrive compliant drives. In the absense of Opal/eDrive compliance the above solutions default to software based encryption (OS CPU performing all the encryption calculations). With modern processors which have the AES-NI instruction set, the impact is minimal, but that's not the point really.

                 

                The legacy BIOS-based ATA method is considered unreliable due to interoperability issues between different motherboards and the requirement to use a UEFI BIOS for Server 2016 (and other modern OSs). 

                 

                I'm looking at the DC series SSD's as I'm building a branch server - I need the Power-Loss Data Protection. However, encrypting the data at rest is also important - preferably using a solution that will take advantage of the existing native disk encryption.

                 

                Can you tell me what standards are the SED component of the Intel DC series SSD compliant with, or what solution can be used to leverage the native encryption offered by those SSDs? (e.g. is it something that is only supported natively by Intel RAID controllers?).

                 

                If there is no technology available that leverages the native SED encryption on those drives, then all solutions used to provide Full Drive Encryption effectively treat the drives as if they have no encryption (and use OS provide software encryption). In that case what's the point in advertising these drives as Self Encrypting Drives?

                 

                Regards,

                 

                KGR

                • 5. Re: DC Series SSD - Encryption Key Management in Windows Server
                  Intel Corporation
                  This message was posted on behalf of Intel Corporation

                  Hello KGR,

                  Thanks for your reply.

                  Please allow us more time to investigate and gather more information on the encryption methods for Intel® DC SSD products.

                  We'll get back to you as soon as possible.

                  Best regards,
                  Eugenio F.