SSD Encryption FAQs
Q1: How does self-encryption differ from other common SSD (e.g. software) encryption solutions?
A1: Self-encrypting drives include a dedicated AES encryption engine in the drive controller, so no encryption software has to run on the host. Dedicated hardware encryption typically offers superior performance compared to software-based solutions and consumes no host CPU cycles. Host encryption software also runs under an operating system that is exposed to viruses and other attacks, so it can be tampered with or bypassed, and an operating system by design exposes access points to applications that can be put to improper use. Encryption and access control implemented inside the drive are much harder to tamper with from the host and can more effectively restrict unauthorized access.
Q2: What is unique about Virtium’s SED solution?
A2: SED is the industry's only true industrial SSD solution supporting all SATA formats, including Slim SATA, mSATA and CFast, which competitive solutions typically do not support. Virtium is also one of the few vendors supporting all StorFly drive classes, including SLC (PE), iMLC (XE) and MLC (CE).
Q3: What are some key features and corresponding benefits of the SED product?
A3: In order of importance:
Feature 1: integrated AES encryption engine with self-encrypting capabilities. Benefit: no burden on the host system and no extra host encryption elements required.
Feature 2: supports rapid sanitization via “crypto-erase” as well as standard secure erase. Benefit: sanitizes the SED in milliseconds, at very low power, and is unaffected by loss of power to the SED; secure erase wipes all NAND blocks including the spare area.
Feature 3: supports all SATA formats, not just 2.5” and M.2 like most competitors. Benefit: first industrial SSD supporting the full range of embedded form factors, giving system designers options previously unavailable.
Feature 4: supports all StorFly drives including SLC, iMLC and MLC. Benefit: wide range of endurance and performance options to meet almost any application and price target.
Feature 5: supports industrial operating temperatures (-40°C to 85°C). Benefit: extends new levels of security to designs in extreme operating conditions.
Q4: Which Virtium products does SED support?
A4: SED supports StorFly SATA and PCIe SSDs as well as TuffDrive USB solutions.
Q5: Is the encryption automatic or does it require a user command?
A5: Encryption is automatic and does not require any special commands by the user/host.
Q6: Can the encryption be disabled?
A6: Encryption cannot be disabled in the SED solution. Each SED solution has an equivalent non-encryption solution that can be ordered under its own part number.
Q7: How is the key on the drive protected?
A7: The original encryption key (the DEK) is generated in the factory by an on-board random number generator and never leaves the drive. When the drive is configured by the user (or IT), the authorization key is used to encrypt (wrap) the encryption key inside the drive, so the encryption key is never stored in the clear. The encryption key can also be regenerated through the user administration function (IT department), which ensures that anyone who had possession of the drive before the user put it into service cannot have obtained information that would later help in retrieving data from the drive.
Q8: What happens to data in flight?
A8: Data in flight is protected by different, proven techniques (e.g. SSL/TLS). Self-encrypting drives are focused on data at rest.
Q9: How is the access to the drive secured to allow only the Authorized user to access it? Is there a boot-up password that is entered via a BIOS dialog?
A9: When the BIOS requests the Master Boot Record (MBR) from the drive, the drive instead returns the pre-boot record. This pre-boot record is a complete, though quite restricted, OS, usually something simple like MS-DOS or Linux. The pre-boot image requests the authentication credentials from the user, which are passed to and checked directly by the drive logic. If accepted, the drive returns the real MBR and the OS is loaded. Important point: this pre-boot authentication is the FIRST thing that happens and is controlled by the drive directly. This has the added advantages of not modifying the MBR, which many software encryption products do, and of allowing the MBR to be encrypted like all other user-accessible data. Virtium also supports customizable “secure boot” options built on the TCG Opal TRUSTED SEND/RECEIVE commands. Note that encryption by itself does not prevent unauthorized viewing: a drive with no access control configured decrypts transparently for any host that reads it. It is therefore recommended to set passwords using the supported ATA Security command set; used in conjunction with the data encryption, this makes the data on the drive unreadable to unauthorized users.
Q10: What happens to data if the DEK is stored in drive space that goes bad? Is the data lost or is there any way to recover?
A10: An SED protects the one copy of data stored on that one drive. Good security practice dictates that important data is backed up somewhere else for recovery. To mitigate the occasional bad sector, Virtium’s SED stores the (wrapped) encryption key in several storage locations, greatly reducing the chance that all copies of the key are lost.
Q11: How is data recovery from a crashed SED handled?
A11: If the encrypted data, the DEK or the Authentication Key is unavailable, the data is NOT recoverable from that one drive. Good security practice, however, encourages backing up valuable data; simply retrieve the backup copy.
Q12: Is drive sanitization now a thing of the past?
A12: Drive sanitization is still required but is now much easier. Using supported vendor commands, the host can randomize the SED’s internal AES key, rendering the data unreadable (erased for all intents and purposes) almost instantly and at very low power. Virtium’s sanitization method satisfies the NIST SP 800-88 sanitization requirements. The same vendor command also initiates a secure erase of the SSD, which wipes the data from all NAND blocks including the spare area.
Q13: What happens if the sanitization / secure erase is interrupted from a loss of power, does it need to be manually restarted?
A13: Virtium’s sanitization method is persistent across power cycles, meaning that if the SED loses power, the sanitization/erase will resume automatically upon power being supplied to the SED.
Q14: What is the time difference between sanitizing an encrypted vs non-encrypted drive?
A14: The difference depends on the size of the drive. It takes less than a second to erase or overwrite the DEK in an SED, irrespective of capacity, whereas overwriting a large-capacity non-SED drive can take hours to days.
Q15. Are there any countries where encryption based products cannot be shipped?
A15: SEDs have received export licenses from the U.S. Department of Commerce, Bureau of Industry and Security (BIS), but the U.S. federal government restricts shipments to certain countries. Several web sites track this information, and it is best to check before shipping any encryption product. Keep in mind also that an SED is not a general-purpose encryption tool: the ciphertext is never made available to the user; it exists only on the drive media.
Q16: What security standards are supported with SED?
A16: Virtium SEDs are compatible with the pre-boot authentication environment and authentication features in the Trusted Computing Group (TCG) Opal 2.0 standard. Sanitization features also satisfy NIST Special Publication 800-88 Revision 1 sanitization requirements.
Q17: What is the difference between crypto erase and block erase?
A17: Crypto erase erases the encryption key of a self-encrypting drive (SED); in general the process completes in less than a second, and the data on the NAND is not erased. In block erase, the data in the NAND is erased, which takes significantly longer and scales with capacity. For example, block erase takes about 11 seconds on a 16GB drive and about 30 seconds on a 1920GB drive.
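The key hierarchy described in Q7, the pre-boot authentication handshake in Q9 and the crypto-erase versus block-erase distinction in Q12 and Q17 can be seen together in the following model. This is an added example and not Virtium firmware or code: the drive's AES engine is stood in for by an HMAC-SHA256 counter-mode keystream so the example runs on the Python standard library alone; the PBKDF2 credential-to-key derivation, the three wrapped-key copies, the 16-byte "blocks" and the constructed pre-boot image are assumptions chosen for illustration, and the class and method names are invented.

```python
# Added example, not Virtium code: a toy self-encrypting drive showing the FAQ's
# key hierarchy (Q7), pre-boot authentication (Q9) and crypto erase versus block
# erase (Q12, Q17). The drive's AES engine is modelled by an HMAC-SHA256 counter-
# mode keystream; PBKDF2, 16-byte blocks and three key copies are assumptions.
import hashlib
import hmac
import os
import secrets

BLOCK_BYTES, NONCE_LEN, KEY_LEN = 16, 16, 32
PRE_BOOT_IMAGE = b"PBA image".ljust(BLOCK_BYTES, b"\0")  # constructed stand-in for the shadow MBR

def keystream(key, nonce, length):
    """Stand-in for the AES engine: HMAC-SHA256 in counter mode."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def derive_kek(credential, salt):
    """Key-encryption key from the user/IT credential (the FAQ's 'authorization key')."""
    return hashlib.pbkdf2_hmac("sha256", credential, salt, 100_000, dklen=KEY_LEN)

def wrap_dek(dek, kek):  # encrypt-then-MAC, so the DEK is never stored in the clear
    nonce = os.urandom(NONCE_LEN)
    ct = xor_bytes(dek, keystream(kek, nonce, KEY_LEN))
    return nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()

def unwrap_dek(blob, kek):  # a wrong credential or a corrupted copy fails the tag check
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:NONCE_LEN + KEY_LEN], blob[NONCE_LEN + KEY_LEN:]
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("credential rejected")
    return xor_bytes(ct, keystream(kek, nonce, KEY_LEN))

class SimulatedSED:
    KEY_COPIES = 3  # redundant wrapped-DEK copies against bad sectors (Q10)

    def __init__(self, n_blocks, credential):
        self.media = [bytes(BLOCK_BYTES)] * n_blocks  # NAND holds ciphertext only
        self.salt = os.urandom(NONCE_LEN)
        self._dek = secrets.token_bytes(KEY_LEN)      # generated on the drive, never exported
        self._rewrap(credential)

    def _rewrap(self, credential):
        kek = derive_kek(credential, self.salt)
        self.wrapped = [wrap_dek(self._dek, kek) for _ in range(self.KEY_COPIES)]

    def power_cycle(self):
        self._dek = None  # the plaintext DEK lives only in volatile memory

    def unlock(self, credential):
        """Pre-boot authentication: the credential is checked by the drive itself."""
        kek = derive_kek(credential, self.salt)
        for copy in self.wrapped:  # any one intact copy is enough
            try:
                self._dek = unwrap_dek(copy, kek)
                return True
            except PermissionError:
                continue
        return False

    def _block_key(self, lba):  # per-sector tweak, like the XTS sector number
        return keystream(self._dek, lba.to_bytes(NONCE_LEN, "big"), BLOCK_BYTES)

    def write(self, lba, data):
        if self._dek is None:
            raise PermissionError("drive locked")
        self.media[lba] = xor_bytes(data.ljust(BLOCK_BYTES, b"\0")[:BLOCK_BYTES], self._block_key(lba))

    def read(self, lba):
        if self._dek is None:
            if lba == 0:
                return PRE_BOOT_IMAGE  # BIOS asks for the MBR and gets the pre-boot image instead
            raise PermissionError("drive locked")
        return xor_bytes(self.media[lba], self._block_key(lba))

    def change_credential(self, old, new):
        """Re-wrap the same DEK under the new credential; no media block is rewritten."""
        if not self.unlock(old):
            return False
        self._rewrap(new)
        return True

    def crypto_erase(self, credential):
        """Replace the DEK in one step regardless of capacity; old ciphertext becomes noise."""
        self._dek = secrets.token_bytes(KEY_LEN)
        self._rewrap(credential)

    def block_erase(self):
        """Erase every block (NAND erased state is all ones); cost grows with capacity."""
        for i in range(len(self.media)):
            self.media[i] = b"\xff" * BLOCK_BYTES
        return len(self.media)
```

Two properties worth trying for yourself: after `change_credential` the `media` list is byte-for-byte unchanged, because only the wrapped DEK copies are rewritten, and after `crypto_erase` the media is still unchanged yet `read` returns noise, which is exactly why crypto erase is capacity-independent while `block_erase` has to visit every block.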