
SSDs with Full Disk Encryption (FDE) - How does it work?

Fjodor2001

Diamond Member
Hi,

Some SSDs have support for hardware based Full Disk Encryption (FDE). Typically AES-128/256 bit encryption is used then.

But how does it actually work? And how are the encryption keys managed?

I have some specific questions regarding this for different possible scenarios:

1. If the key is stored in a hardware Trusted Platform Module (TPM), then what happens if the TPM hardware is damaged? Is there any way to recover the data from the SSD (e.g. by placing the SSD in another computer)? Isn't the TPM key unique, so placing the SSD in another computer with another TPM will not help?

2. Can the key be entered once in the BIOS as a setting, and then the BIOS uses it automatically when booting the SSD with FDE? In that case does that require some special BIOS that supports drives with FDE (e.g. so the BIOS can send some special command to the FDE drive, informing it of what key to use)?

3. Can the key be entered manually by the user when the computer boots up? In that case will the BIOS or some special software handle that (i.e. detect that the SSD uses FDE and prompt the user for a password)?

4. Does it differ between various SSDs with hardware FDE support which of the options 1-3 are supported? Or is FDE standardized, so it is for example just a set of SATA commands that can be sent to the drive to inform it of what key to use, and then it's up to the BIOS/OtherHardware to obtain the key in a suitable manner (e.g. as in 1-3 above) and send it to the SSD via some SATA command?

Thanks!
 
This is a great question, and I wish it was discussed more, as hardware drive encryption for me is a HUGE selling point. It's hard to even find out which drives have it - Intel's 320 and 520 (and 330?) have it. Samsung made rumblings about it, but then includes a software program, which makes no sense...if it's hardware based, it doesn't need a software program, sooooo...

My understanding is basically like on Intel's 320 and 520, the data is always technically encrypted regardless of whether you set a password. Setting a hard drive password has that password work to unlock the drive's key, like you can't unlock the key without that password, and it's just using the normal Windows PC/BIOS drive password interface that seems to be present on most if not all Windows notebooks.

It doesn't involve a TPM and it's not stored in the BIOS, basically just the BIOS throws up a hard drive password screen, you type it in, it gets passed to the drive but not stored anywhere, the drive unlocks the key and the key encrypts/unencrypts the drive's data on the fly with no further interaction (and is technically doing that on the fly even if no password is set, it's just with no password the key is always unlocked).

At least I THINK that's what's going on...I wish Anandtech would do an article on this and also make a big point of it in SSD reviews. Sandforce doesn't look like it makes sense for me and also seems like a buggy mess, not sure I even trust Intel to fix it, buuuuuut considering the 320 is that much more expensive and Crucial's M4 apparently lacks any encryption...520 it is for me probably. (I've got a 300GB 320, but have you SEEN prices for the 600GB model? :lol:)
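The key hierarchy the reply above describes (data always encrypted with a drive-internal key; a user password only wraps and unwraps that key; the BIOS passes the password through without storing it) can be modelled in a few dozen lines. The following is an added example written for this thread, not code from any drive vendor or from the posters. It is a toy: HMAC-SHA256 in counter mode stands in for the drive's AES engine, the `ToySelfEncryptingDrive` class and its methods are invented for illustration, and `power_cycle()` models both a cold boot and moving the drive to another machine.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Toy model of a self-encrypting drive (constructed example, not any vendor's firmware).
# HMAC-SHA256 in counter mode stands in for the AES engine a real drive uses.

SECTOR_SIZE = 512


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: HMAC(key, nonce || counter) blocks, truncated to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToySelfEncryptingDrive:
    def __init__(self) -> None:
        mek = secrets.token_bytes(32)          # media encryption key, generated once at "manufacture"
        self._salt = secrets.token_bytes(16)
        # Exactly one of these holds the MEK. With no password set it sits in the clear,
        # which is why such a drive powers on already unlocked.
        self._stored_mek: Optional[bytes] = mek
        self._wrapped_mek: Optional[bytes] = None
        self._unlocked_mek: Optional[bytes] = mek  # RAM copy, lost on power cycle
        self._media = {}                           # LBA -> ciphertext sector
        self.failed_unlocks = 0

    def is_locked(self) -> bool:
        return self._unlocked_mek is None

    def _kek(self, password: str) -> bytes:
        """Key-encryption key derived from the user password; the password itself is never stored."""
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000, 32)

    def set_password(self, password: str) -> None:
        if self.is_locked():
            raise PermissionError("drive is locked")
        kek = self._kek(password)
        wrapped = _xor(self._unlocked_mek, _keystream(kek, b"wrap", 32))
        tag = hmac.new(kek, wrapped, hashlib.sha256).digest()
        self._wrapped_mek = wrapped + tag   # encrypt-then-MAC so a wrong password is detected
        self._stored_mek = None             # the clear copy is gone; media is NOT re-encrypted

    def clear_password(self) -> None:
        if self.is_locked():
            raise PermissionError("drive is locked")
        self._stored_mek, self._wrapped_mek = self._unlocked_mek, None

    def power_cycle(self) -> None:
        """Cold boot, or the drive moved to another PC: only what is stored on the drive survives."""
        self._unlocked_mek = self._stored_mek

    def unlock(self, password: str) -> bool:
        """What the BIOS does with a typed HDD password: hand it to the drive and keep nothing."""
        if self._wrapped_mek is None:
            return True
        kek = self._kek(password)
        wrapped, tag = self._wrapped_mek[:32], self._wrapped_mek[32:]
        if not hmac.compare_digest(hmac.new(kek, wrapped, hashlib.sha256).digest(), tag):
            self.failed_unlocks += 1
            return False
        self._unlocked_mek = _xor(wrapped, _keystream(kek, b"wrap", 32))
        return True

    # Data path: always encrypted with the MEK, whether or not a password exists.
    def write(self, lba: int, data: bytes) -> None:
        if self.is_locked():
            raise PermissionError("drive is locked")
        data = data.ljust(SECTOR_SIZE, b"\0")[:SECTOR_SIZE]
        self._media[lba] = _xor(data, _keystream(self._unlocked_mek, lba.to_bytes(8, "big"), SECTOR_SIZE))

    def read(self, lba: int) -> bytes:
        if self.is_locked():
            raise PermissionError("drive is locked")
        return _xor(self._media[lba], _keystream(self._unlocked_mek, lba.to_bytes(8, "big"), SECTOR_SIZE))

    def raw_media(self, lba: int) -> bytes:
        """What a read of the raw NAND would return."""
        return self._media[lba]


def demo() -> dict:
    """Walk through the flow from the thread and report what each step observed."""
    drive = ToySelfEncryptingDrive()
    drive.write(0, b"boot sector")
    before = drive.raw_media(0)
    drive.set_password("correct horse")
    after = drive.raw_media(0)          # unchanged: the wrapper changed, not the data
    drive.power_cycle()                 # same as putting the drive in another PC
    locked = drive.is_locked()
    wrong = drive.unlock("wrong password")
    right = drive.unlock("correct horse")
    return {"media_unchanged": before == after, "locked_after_boot": locked,
            "wrong_password_rejected": not wrong, "unlocked": right,
            "plaintext": drive.read(0).rstrip(b"\0")}
```

Two points the model makes visible: setting or changing the password never rewrites the media, because only the wrapped copy of the MEK changes; and once the clear copy of the MEK is gone, a lost password (or a wiped wrapper) leaves the data unrecoverable, which is the property a secure-erase command on such drives relies on.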
 
Only problem is that very few desktop mobo BIOSes have an HDD password setting.

True. This is regarded as an enterprise feature so is typically only found in servers, workstations and business grade laptops.

It's very uncommon to see this in consumer grade stuff.
 