2012-10-04

Solid State Drives and Full Disk Encryption: a bad combination

You have discovered that Solid State Drives (SSD) solve your disk I/O performance issues. To protect your data at rest you have applied software-based full disk encryption (SW FDE, e.g. MEE, SGE, TrueCrypt or Bitlocker). You are probably not aware that this is a bad combination. Even when you change a single bit in a file, the re-encryption of the file causes the whole file to be written back to the SSD, not only the changed block of data. This incurs additional wear and tear on the SSD, reducing its performance exponentially. Current benchmarks show that the SSD lifespan will be 24 months or even less when SW FDE is applied. This means that within the life-cycle of your laptop (usually 3 years) you might need to replace the SSD.

You can prevent this additional reduction of performance by using Self Encrypting Drives (SED). A SED encrypts data in the hardware of the drive itself, so you win on drive performance twice:

1. Encryption is done in real time inside the drive (by contrast, SW FDE immediately reduces SSD read and write performance by 40-50%), and
2. inefficient use of the SSD is prevented by the optimization routines in the controller of the SED.

Besides this, there are more advantages to using SEDs (much lower operational costs than SW FDE, higher security, compliance etc.). This is the typical throughput of a Micron 256GB SED, fully encrypted, benchmarked with disk-tt (eat my dust!):

SEDs are produced by Seagate, Micron, Samsung and other drive manufacturers. The SED standard (also known as Opal) is defined by the Trusted Computing Group. SED management is done with Wave EMBASSY Remote Administration Server (ERAS).

1 comment:

  1. I believe that altering a single bit will not in fact re-write the entire file. Veracrypt (a fork of TrueCrypt) uses 16 byte cipher blocks:

    https://veracrypt.codeplex.com/wikipage?title=FAQ

    and in any case is doing block level encryption, not file based encryption. Therefore altering a single bit would at worst yield a standard full block write (probably 4kb). I don't believe this is any different than altering a bit on a non-encrypted filesystem, since typically all reads/writes are done in full blocks.

    There are other negatives with encrypting SSDs, which can be found here:

    https://veracrypt.codeplex.com/wikipage?title=Wear-Leveling
    http://asalor.blogspot.hu/2011/08/trim-dm-crypt-problems.html
    https://veracrypt.codeplex.com/wikipage?title=Trim%20Operation

    Note that if it is an SED Opal SSD drive, tools like Bitlocker will utilize the SED capabilities.

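As an added illustration that is not part of the post or the comment, the following Python models the two write patterns discussed above: the whole-file re-encryption the post describes, and the per-sector encryption that block-level FDE performs. It substitutes an HMAC-SHA256 keystream for the real sector cipher (AES-XTS in practice) so that it runs offline without a crypto library; the key, nonces and disk image are constructed.

```python
import hashlib
import hmac
import os

SECTOR = 512  # sector size: the write granularity of block-level FDE

def keystream(key: bytes, tweak: int, length: int) -> bytes:
    # Stand-in for a real sector cipher (AES-XTS in practice): a deterministic
    # HMAC-SHA256 keystream bound to (key, sector number). Illustration only.
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = tweak.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def to_sectors(data: bytes) -> list:
    return [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]

def encrypt_block_level(key: bytes, data: bytes) -> list:
    # Block-level FDE (dm-crypt, TrueCrypt, BitLocker): each sector is encrypted
    # independently, tweaked by its sector number, so one sector can be rewritten alone.
    return [xor(s, keystream(key, n, len(s))) for n, s in enumerate(to_sectors(data))]

def encrypt_file_level(key: bytes, data: bytes, nonce: bytes) -> list:
    # The file-level model the post describes: the whole file is re-encrypted as one
    # unit under a fresh nonce, so every sector of ciphertext changes on each save.
    return to_sectors(xor(data, keystream(key + nonce, 0, len(data))))

def changed_sectors(before: list, after: list) -> list:
    return [i for i, (a, b) in enumerate(zip(before, after)) if a != b]

def compare_write_amplification(num_sectors: int = 16, flip_offset: int = 5000) -> dict:
    key = b"\x11" * 32  # constructed demo key, not a real secret
    plain = bytes(range(256)) * (num_sectors * SECTOR // 256)  # constructed disk image
    modified = bytearray(plain)
    modified[flip_offset] ^= 0x01  # flip a single bit inside sector flip_offset // SECTOR
    modified = bytes(modified)
    return {
        "block_level": changed_sectors(encrypt_block_level(key, plain),
                                       encrypt_block_level(key, modified)),
        "file_level": changed_sectors(encrypt_file_level(key, plain, os.urandom(16)),
                                      encrypt_file_level(key, modified, os.urandom(16))),
    }
```

Calling compare_write_amplification() on the constructed 16-sector image reports one changed sector (index 9) for the block-level scheme and all 16 sectors for the whole-file scheme, which is the difference in write volume the two comments above are arguing about.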