6

I understand that most SSDs which support encryption usually encrypt all data, but that only some actually encrypt the encryption key with a user BIOS password. This means that the models which don't do that can be circumvented by moving to a new computer.. is this correct??

To me this seems like little more than a deterrent - no different to setting a BIOS password on a non-encrypted drive. Is there something I am missing (apart from when disposing of old drives i.e. secure wipe)?

If my previous thoughts are correct, then my big question is - Is there a list of which models/brands are actually secure (i.e. use the user password to encrypt the encryption key)??

I have heard that Intel is the only brand, but there seems to be very little information about this.

Thanks for any input!

Mark
  • 183
  • 1
  • 5

2 Answers2

9

The ones which are tied to a BIOS identifier are harder to move to another computer - the idea is that they will only work in the computer they are configured for, but this really only works if you have a Trusted Hardware Platform.

You can't circumvent the ones which don't have an encryption key tied to the BIOS password by moving them to another machine - you still need to use the encryption key to get anything off them.

SSD's which encrypt all the data are all secure (secure here can mean many things, but I mean - if you lose the key all the data is inaccessible to anyone. There are some variations, but for consumer grade SSD's this is broadly correct) - it doesn't matter which brand.

You should be able to find vast amounts of information online - both here (we have questions and blog posts on this subject) and all over the Internet, as security of data on SSD's is a hot topic.

Rory Alsop
  • 61,507
  • 12
  • 118
  • 322
  • I have a fairly cheap Lenovo so I don't know if I have a TPM. It is the link to BIOS/ATA password that I am trying to find - I can't find a definitive list of what drives support this. For me, my concern is theft. So if the encryption key is not linked to a password, then I would consider it insecure (I accept that this definition depends on requirements, as you say..). I have found a great deal of information online, but very little on which drives encrypt the key with the password. – Mark Jan 23 '13 at 14:06
  • I think that the blog post referenced is the best I have found on the subject. I had already found it, but as a future reference this is therefore the best answer I think. Thanks! – Mark Feb 24 '13 at 16:19
6

I'd start off by saying that as far as I've seen you're right in that information about this is pretty spotty and exact implementations seem to vary.

The theory as I understand it is that the SSD encrypts all it's data anyway (to enable fast wipe of the drive) and that setting a hard drive password (which in my experience was distinct from the BIOS passowrd) essentially uses that password to encrypt the key used to encrypt all the data on the drive.

Where the problem seems to occur is between the laptop/BIOS/Drive manufacturers as it seems there are compatibility problems with exactly how this is implemented, which I guess could lead to the case you mention where the password doesn't actually have any effect on the SSD encryption key, which makes it rather useless.

I've used a setup with an OCZ Octane and Lenovo Thinkpad which seemed to encrypt the data ok. When the drive was moved it couldn't be read at all and indeed there were problems in wiping it as the password only worked when the drive was placed in another Lenovo Laptop and it couldn't even be wiped without the password.

FWIW, I think that Bitlocker + TPM chip is possibly a better solution (with the caveat that you should disable hibernation and sleep modes on your laptop to avoid leaving the encryption keys available for recovery)

Rory McCune
  • 62,266
  • 14
  • 146
  • 222
  • Yes, it seems that most use encryption - but very few state whether this is for proper security (i.e. from theft) or just to avoid wiping the drive for disposal. I think that is how the password should relate to the key - but apparently this is often not the case. But I can find no evidence of when this is or is not the case. I have an i3, so using software encryption is not ideal since there is a significant performance hit. I am also unsure whether I have a TPM in my cheap laptop. Is this fairly standard for low end consumer laptops? – Mark Jan 23 '13 at 14:11
  • 1
    yep, I had great difficulty in finding out whether specific SSDs support encryption properly. the best i could find at the time was the Octane where they stated it on their forums, but there's still no formal testing of it (that I'm aware of). On the TPM front, I think it's more a business laptop feature, although it's becoming somewhat more common, it should mention it on the spec. sheet for your laptop if it's present. – Rory McCune Jan 23 '13 at 15:29
  • 1
    Yea, about TPM, that's what I thought.. I will check my model but it's pretty low end so I'm not hopeful. – Mark Jan 23 '13 at 17:07