Solid State Drives and Full Disk Encryption: it is getting worse

As described in a previous post, SSDs and software full disk encryption (SW FDE) are not a particularly good combination, and it is getting worse. Read on...

The "package" (form factor) of traditional laptop hard disks and Solid State Drives is the same. This means you can swap your old, slow hard disk with an ultra-fast SSD. The drivers do not change (both have a SATA interface) and you do not even have to leave 10-20% space for defragmenting. Defragmentation is not necessary on an SSD.

Self Encrypting Drives: Hard Disk and Solid State Drive

Although both drives work the same, they have a completely different internal structure. Since each flash memory location on an SSD can only be written a finite number of times, the drive manufacturers put more memory chips on the drive than you "see" as a user. E.g. a 256GB SSD actually has 1TB on chips. The reason for this is to distribute the writes over all of the chips so that the drive can have a normal lifetime of 3 years without losing capacity.

When you write data to disk the driver (Operating System) uses a write method that comes from the traditional hard disk. That same write scheme is "translated" to the SSD storage by the controller on the SSD. The controller selects the right chips to store the data. And this is where new problems arise.

The problem

The OS sees a 256GB drive. The controller on the SSD sees 1TB of storage capacity. The OS does not control which chips are used to store the data. This means that if you are using software-based full disk encryption (SW FDE), like BitLocker or McAfee Endpoint Encryption, and the drive (256GB) is fully encrypted, there is still unencrypted data in the chips on the drive! That data can be (partially) recovered. This means that you cannot prove that all data on the disk is encrypted when you have deployed SW FDE. So, when a laptop is stolen or lost and you have to report that to the authorities (like the Information Commissioner's Office), you are responsible for the lost data and you could be fined. You might take a look at ICO's website and look at the fines.

The same problem exists when you think that you can wipe a drive (e.g. you are selling old laptops with SSDs). When using one of the wipe protocols, there is still data in the chips that can be recovered.
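The effect described above, as an added example (not from the original post): a toy flash translation layer in Python, with hypothetical names `ToySSD` and `plaintext_left_after_sw_fde`, scaled to the post's 256GB visible / 1TB physical ratio at one page per GB. The XOR pad standing in for the controller's encryption and the SHA-256 bytes standing in for FDE ciphertext are assumptions of the model, not real ciphers.

```python
import hashlib

class ToySSD:
    """Toy flash translation layer: constructed model, not real firmware."""
    def __init__(self, logical_pages, physical_pages, self_encrypting=False):
        self.logical_pages = logical_pages
        self.flash = [None] * physical_pages     # raw contents of every flash page
        self.mapping = {}                        # LBA -> physical page holding live data
        self.free = list(range(physical_pages))  # erased pages ready for writing
        self.self_encrypting = self_encrypting

    def _media_encrypt(self, lba, data):
        # Stand-in for the controller's media encryption (XOR pad, not real AES).
        pad = hashlib.sha256(b"media-key" + lba.to_bytes(4, "big")).digest()
        return bytes(b ^ pad[i % 32] for i, b in enumerate(data))

    def write(self, lba, data):
        if not 0 <= lba < self.logical_pages:
            raise ValueError("LBA outside the capacity the OS can see")
        if not self.free:
            self._garbage_collect()
        page = self.free.pop(0)
        self.flash[page] = self._media_encrypt(lba, data) if self.self_encrypting else data
        self.mapping[lba] = page  # previous page is now stale, but not erased

    def _garbage_collect(self):
        live = set(self.mapping.values())
        for page in range(len(self.flash)):
            if page not in live:  # erase only pages no LBA points to any more
                self.flash[page] = None
                self.free.append(page)

    def stale_pages_containing(self, marker):
        live = set(self.mapping.values())
        return [p for p, d in enumerate(self.flash)
                if p not in live and d is not None and marker in d]

def plaintext_left_after_sw_fde(ssd, marker=b"PLAINTEXT"):
    # 1. The laptop is used unencrypted: every LBA holds plaintext.
    for lba in range(ssd.logical_pages):
        ssd.write(lba, marker + b"-record-%d" % lba)
    # 2. SW FDE is deployed: every LBA is rewritten with ciphertext (stand-in bytes).
    for lba in range(ssd.logical_pages):
        ssd.write(lba, hashlib.sha256(b"fde-key-%d" % lba).digest())
    return len(ssd.stale_pages_containing(marker))  # pages the OS cannot address

if __name__ == "__main__":
    print(plaintext_left_after_sw_fde(ToySSD(256, 1024)))        # SW FDE on a plain SSD
    print(plaintext_left_after_sw_fde(ToySSD(256, 1024, True)))  # self-encrypting drive
```

With less spare flash (for example `ToySSD(256, 300)`), the model's garbage collection erases some stale pages during the rewrite, but plaintext still remains in others.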

There is a special lab at the University of San Diego where they investigate this. In the next graph you can see how much data was recovered from the chips after wiping the drives (even with government-approved wipe schemes):

The solution: Self Encrypting Drives


There is a solution to this problem. Here too, Self Encrypting Drives (SEDs) that are Opal compliant can prevent all of this. The data on SSD SEDs is always encrypted by the controller on the disk. There is never unencrypted data on an SSD and no one is able to remove that encryption: full compliance! When your laptop is stolen or lost, you still might have to report that to the authorities, but since you are able to prove that the drive was encrypted you will not be fined, nor do you have to contact all the persons whose data was stored on that laptop.

SEDs are produced by Seagate, Micron, Samsung and other drive manufacturers. The SED (aka Opal) standard is defined by the Trusted Computing Group. SED management is done with Wave EMBASSY Remote Administration Server (ERAS).
