SSD for business, HW encryption a must

aphelion02

Senior member
Dec 26, 2010
699
0
76
The group I work in is looking to get SSDs to upgrade our laptops. We work with confidential information so it is completely necessary to get out of the box hardware encryption that doesn't slow the performance of the drive. Basically we were envisioning a password at start up so that if we lose the laptop data doesn't fall into the wrong hands.

We were going to get the Intel 320 160GB but that's not an option now due to the 8MB firmware bug. Does anyone know any good alternatives in the same price + size range?
 

frostedflakes

Diamond Member
Mar 1, 2005
7,925
1
81
I don't think the 8MB bug is very common. Intel 320 is still your best option IMO, along with an ATA password it should be pretty secure.

I mean your only other option for hardware AES on an SSD is SandForce, and they have far more firmware bugs and issues than Intel. And I don't think the encryption is as sophisticated as the 320's, with the SandForce someone could simply pull the drive, install it in a new system, and access the data on it. The encryption key isn't tied to the ATA password like it is for the Intel 320. Really if you do a bit more reading about how the encryption on SandForce SSDs works, it sounds pretty useless.
 

aphelion02

We are still stuck using XP. Also, we need an out of the box hardware solution, otherwise we would be forced to use our company's own SW encryption, which significantly impacts performance.
 

Voo

Golden Member
Feb 27, 2009
1,684
0
76
Considering that afaik neither Intel nor SF have peer reviewed their encryption or even published information about it, I don't think one should (or with all those legal requirements could) use the HW encryption for confidential data..
 

smakme7757

Golden Member
Nov 20, 2010
1,487
1
81
Get a nice quick SSD and lock it with Truecrypt if you only have Windows XP. The best option is a new laptop with a current Intel CPU with its AES instruction set and either bitlocker on Windows 7 enterprise or truecrypt if you must hang onto Windows XP.

I have a Corsair Force 120 (Without an Intel CPU supporting the AES instruction set) drive which is locked with Bitlocker and the performance impact isn't too bad. See here: Performance hit

I'd assume Truecrypt would be about the same. I'm planning on encrypting my new laptop that is on its way with Truecrypt and I'll benchmark that as well. I was going to get an Intel 320 with that new lappy, but I decided to wait until they release the firmware update first, then I'll get one.
 

frostedflakes

Yeah with AES-NI the performance hit would probably be minimal. Still seems like a waste to spend the money on a nice SSD and then bottleneck it with software encryption, though.

I have a 320 with the hardware encryption and it's great, no performance hit at all. And FWIW I've never encountered the 8MB bug on mine despite having a few unsafe shutdowns. How common is the issue?
 

smakme7757

> How common is the issue?

It seems to be common enough. The Intel boards are full of people asking about it, so I think at this point in time it's a good idea to keep a recent backup if you have one or hold off on a purchase until a firmware update is released.
 

Idontcare

Elite Member
Oct 10, 1999
21,110
64
91
> We are still stuck using XP. Also, we need an out of the box hardware solution, otherwise we would be forced to use our company's own SW encryption, which significantly impacts performance.

Security is paramount and yet you are stuck with XP o_O

"we deal with top-secret military contracts, security is an absolute must, but we aren't allowed to use passwords any longer than 4 characters, and they must all be numbers..."
 

smakme7757

> Security is paramount and yet you are stuck with XP o_O
>
> "we deal with top-secret military contracts, security is an absolute must, but we aren't allowed to use passwords any longer than 4 characters, and they must all be numbers..."

I was surprised at that as well. 7 beats XP hands down on the security front. UAC alone is a major step over the fundamental XP security paradigm.

Also it might be worth considering a Yubikey with Truecrypt. That way you need a physical token to gain access and no one knows the password.
 

aphelion02

> Security is paramount and yet you are stuck with XP o_O
>
> "we deal with top-secret military contracts, security is an absolute must, but we aren't allowed to use passwords any longer than 4 characters, and they must all be numbers..."

Don't even get me started. Until this year we were still using IE6.

In any case, I've decided to just go with the Intel 320. I can't use Truecrypt or any alternative SW encryption, because then I would have to justify why we can't just use the company's own SW solution instead (and that totally cripples performance). Setting an ATA PW on the Intel 320 should be acceptable.
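
Added example, not part of any post in this thread: a small audit that parses the "Security:" section printed by `hdparm -I` and flags drives where the ATA password the thread relies on is not actually in force. It assumes the drive is inspected from a Linux environment with hdparm available; the sample text is constructed, and the function names are hypothetical.

```python
import re

# Constructed samples of the "Security:" section that `hdparm -I /dev/sdX` prints.
NO_PASSWORD = ("Security:\n\tMaster password revision code = 65534\n"
               "\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n"
               "\tnot\texpired: security count\n\t\tsupported: enhanced erase\n")
PASSWORD_SET = ("Security:\n\tMaster password revision code = 65534\n"
                "\t\tsupported\n\t\tenabled\n\tnot\tlocked\n\t\tfrozen\n"
                "\tnot\texpired: security count\n\t\tsupported: enhanced erase\n"
                "\tSecurity level high\n")

# A bare flag line, optionally negated ("not<TAB>enabled"); lines with trailing
# text such as "supported: enhanced erase" are deliberately not matched.
FLAG = re.compile(r"^\s*(not\s+)?(supported|enabled|locked|frozen)\s*$")
MASTER_REV = re.compile(r"Master password revision code = (\d+)")
LEVEL = re.compile(r"Security level (high|maximum)")

def parse_security(hdparm_text):
    """Return the ATA security state as a dict of flags, master_rev and level."""
    _, found, section = hdparm_text.partition("Security:")
    if not found:
        raise ValueError("no Security section in hdparm output")
    state = {"master_rev": None, "level": None}
    for line in section.splitlines():
        if m := FLAG.match(line):
            state[m.group(2)] = m.group(1) is None
        elif m := MASTER_REV.search(line):
            state["master_rev"] = int(m.group(1))
        elif m := LEVEL.search(line):
            state["level"] = m.group(1)
    return state

def audit(hdparm_text):
    """List the findings a fleet owner would want fixed before issuing the laptop."""
    s = parse_security(hdparm_text)
    findings = []
    if not s.get("enabled"):
        findings.append("no ATA user password set")
    elif s["master_rev"] == 65534 and s["level"] == "high":
        # 65534 (0xFFFE) is the factory revision code; at level "high" the
        # master password can unlock the drive, not only erase it.
        findings.append("master password at factory revision with level 'high'")
    if not s.get("frozen"):
        # Unfrozen: software on the running OS can still issue security commands.
        findings.append("security state not frozen by firmware")
    return findings
```

This reports the ATA lock state only; whether a given drive ties its encryption key to that password, the point raised earlier in the thread, is not visible in this output.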
 

yinan

Golden Member
Jan 12, 2007
1,801
2
71
> Security is paramount and yet you are stuck with XP o_O
>
> "we deal with top-secret military contracts, security is an absolute must, but we aren't allowed to use passwords any longer than 4 characters, and they must all be numbers..."

The only thing I can say about this and TS contracts is what you were told is completely false. All DISA/DoD STIG guidelines state that passwords must be complex and at least 12 characters, most networks should be at least 14 and alpha numeric.
 

Voo

> The only thing I can say about this and TS contracts is what you were told is completely false. All DISA/DoD STIG guidelines state that passwords must be complex and at least 12 characters, most networks should be at least 14 and alpha numeric.

Which obviously reminds me of this here. I don't even want to know how many pretty trivial to hack passwords conform to the usual security requirements..

Anyways I think it is obvious to anyone else here that he was using a metaphor there :p
 

Emulex

Diamond Member
Jan 28, 2001
9,759
1
71
aes-128 = 16 chars - aes-256 needs at least 32 chars - you shouldn't use anything less than aes-256 on storage. but keys are only as good as random().

i thought we were all on fips_140-2 now?