As you mentioned, the Intel® SSD DC S3520 Series is a Self-Encrypting Drive (SED). This means the drive is always encrypting the user data stored on the media. This is true for all our SSDs. If you want to set a password-protected encryption, you can use the software-based solutions such as BitLocker*, McAfee* Drive Encryption or ATA security password.
To answer your question, we do not have an approved or preferred encryption method. You can use any method available for Windows* Server 2012 or 2016.
As for Full Disk Encryption (FDE) using Intel® RAID Controllers, there's a Premium feature that enables this kind of encryption on the controllers. You can find more details here:
- Intel® RAID Solutions
Thanks for your reply.
I'll have a look at the Intel RAID controllers to see the options there.
Whether the drive is always encrypting the user data on the media or not is meaningless unless there is a mechanism to prevent unauthorized access to said data. The default setting is that there is no password (or similar mechanism) enabled on the SED SSD, so everything and everyone has full access to the data on the drive - therefore the encryption is effectively useless. Remove the drive and plug it into another machine, and full access is there by default.
However, I do understand that having hardware encryption enabled allows other mechanisms to leverage that to actually protect the data on the SSD once enabled (e.g. BitLocker and other software products - which essentially manage the SSD encryption keys, and tying it to the TPM chip or similar).
For BitLocker to work (while leveraging the native SSD hardware encryption) the SED SSD must support eDrive - can you confirm if the DC series SSDs support the eDrive standard?
For the McAfee Drive Encryption and similar products to work (while leveraging the native SSD hardware encryption) the SED SSD must support OPAL - else it defaults to using software encryption - can you confirm if the DC series SSDs support the OPAL (1/2) standard?
It's the eDrive and OPAL standard support that I am definitively trying to figure out here. If not, then the only option to leverage the native SSD encryption is the ATA security password, or the Intel RAID controllers with a premium feature license.
As far as we understand, eDrive* and Opal* are very similar:
- Opal*: A Trusted Computing Group* (TCG) standard that defines an interface for managing a Self-Encrypting Drive (SED).
- eDrive*: Microsoft* specification for a drive that complies with the TCG* Opal 2.0 and IEEE.
Term definitions were extracted from Intel® SSD Pro 2500 Series Guide for Microsoft eDrive* Activation [Page 5, Terminology].
Even though drives in the Intel® SSD Data Center Family are SED, they aren't compliant with either eDrive* or Opal*. The eDrive* feature is supported on the Intel® SSD Pro 2500, Pro 5400, and Pro 6000p Series products.
Encryption software like BitLocker* and McAfee* Drive Encryption are eDrive*/Opal* compatible; however, this doesn't seem to be a requirement to encrypt the drives. This can be confirmed on the software requirements as neither of these standards are listed:
We've also tested these encryption programs on non eDrive*/Opal* Intel® SSDs.
I hope this information will be useful for you,
Thanks for your response.
So, the Intel DC series SSDs are not compliant with either eDrive or Opal - good to know.
Microsoft, McAfee, Sophos, Symantec, Checkpoint, WinMagic etc. all have products that work with SED drives - however, the SED drives need to be Opal compliant in order to leverage the native SED encryption - the exceptions being Microsoft & Symantec, which only work with eDrive compliant drives. In the absence of Opal/eDrive compliance the above solutions default to software-based encryption (OS CPU performing all the encryption calculations). With modern processors which have the AES-NI instruction set, the impact is minimal, but that's not the point really.
The legacy BIOS-based ATA method is considered unreliable due to interoperability issues between different motherboards and the requirement to use a UEFI BIOS for Server 2016 (and other modern OSs).
I'm looking at the DC series SSDs as I'm building a branch server - I need the Power-Loss Data Protection. However, encrypting the data at rest is also important - preferably using a solution that will take advantage of the existing native disk encryption.
Can you tell me what standards are the SED component of the Intel DC series SSD compliant with, or what solution can be used to leverage the native encryption offered by those SSDs? (e.g. is it something that is only supported natively by Intel RAID controllers?).
If there is no technology available that leverages the native SED encryption on those drives, then all solutions used to provide Full Drive Encryption effectively treat the drives as if they have no encryption (and use OS-provided software encryption). In that case what's the point in advertising these drives as Self Encrypting Drives?
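Added example, not part of the thread and not Intel's or Microsoft's code: one way to see whether BitLocker fell back to software encryption, as discussed in the post above, is to read the `Encryption Method` field that `manage-bde -status` prints for each volume. The sample output is constructed and trimmed to the relevant fields, and the function names are hypothetical.

```python
import re

# Constructed, trimmed sample of `manage-bde -status` output (not from the thread).
SAMPLE_STATUS = """\
Volume C: [OS]
[OS Volume]

    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On

Volume D: [Data]
[Data Volume]

    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On

Volume E: [Scratch]
[Data Volume]

    Encryption Method:    None
    Protection Status:    Protection Off
"""

VOLUME_RE = re.compile(r"^Volume\s+(\S+:)", re.MULTILINE)
FIELD_RE = re.compile(r"^[ \t]+([A-Za-z ]+):[ \t]+(.*\S)[ \t]*$", re.MULTILINE)

def classify(method):
    """Map an 'Encryption Method' value to who performs the encryption."""
    if not method or method == "None":
        return "unencrypted"
    if method.startswith("Hardware Encryption"):
        return "hardware"   # offloaded to the drive (eDrive)
    return "software"       # cipher run by the OS, e.g. XTS-AES 128

def audit(status_text):
    """Return {volume: (mode, protection_on)} for each volume in the output."""
    parts = VOLUME_RE.split(status_text)  # ['', 'C:', body, 'D:', body, ...]
    report = {}
    for volume, body in zip(parts[1::2], parts[2::2]):
        fields = dict(FIELD_RE.findall(body))
        mode = classify(fields.get("Encryption Method"))
        report[volume] = (mode, fields.get("Protection Status") == "Protection On")
    return report

def software_fallback(status_text):
    """Volumes that are encrypted, but by the OS rather than the drive."""
    return [v for v, (mode, _) in audit(status_text).items() if mode == "software"]
```

Feed `audit()` the captured output of `manage-bde -status` from the server; a volume reported as `software` is being encrypted by the OS regardless of whether the drive underneath is an SED.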
Thanks for your reply.
Please allow us more time to investigate and gather more information on the encryption methods for Intel® DC SSD products.
We'll get back to you as soon as possible.