Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Intel Launches Self-Encrypting SSD

Soulskill posted about 4 months ago | from the masochistic-storage-devices dept.

Data Storage 91

MojoKid writes: Intel just launched their new SSD 2500 Pro series solid state drive, the follow-up to last year's SSD 1500 Pro series, which targets corporate and small-business clients. The drive shares much of its DNA with some of Intel's consumer-class drives, but the Pro series cranks things up a few notches with support for advanced security and management features, low power states, and an extended management toolset. In terms of performance, the Intel SSD 2500 Pro isn't class-leading in light of many enthusiast-class drives but it's no slouch either. Intel differentiates the 2500 Pro series by adding support for vPro remote-management and hardware-based self-encryption. The 2500 Pro series supports TCG (Trusted Computing Group) Opal 2.0 features and is Microsoft eDrive capable as well. Intel also offers an administration tool for easy management of the drive. With the Intel administration tool, users can reset the PSID (physical presence security ID), though the contents of the drive will be wiped. Sequential reads are rated at up to 540MB/s, sequential writes at up to 480MB/s, with 45K – 80K random read / write IOps.

Sorry! There are no comments related to the filter you selected.

Big Brother has your encryption keys by default (0)

Anonymous Coward | about 4 months ago | (#47517623)

I don't trust vPro.

Re:Big Brother has your encryption keys by default (1)

arglebargle_xiv (2212710) | about 4 months ago | (#47519983)

It's not big brother, it's anyone. All of the IPMI systems used by Intel, Dell, HP, etc, are unaudited cesspits of remote-rootkit capabilities full of buffer overflows, authorisation bugs, parser errors, and so on. It's hard to know where to begin, but here's one starting point [fish2.com] . Hack like it's 1999.

Intel SSD's have had AES encryption built in for years, it's no big deal. What they've added with their IPMI support is a capability for remote attackers to get at the encryption, which is kind of a big deal if you're worried about your privacy.

Re:Big Brother has your encryption keys by default (0)

Anonymous Coward | about 4 months ago | (#47520761)

If your BMC is on the Internet - you're fucking doing it wrong.

Better than software based, lemme tell you (-1, Troll)

i kan reed (749298) | about 4 months ago | (#47517631)

Everything persisted, including page file, going through a virtual drive that has a cryptographic algorithm applied both directions is slow as hell.

Re:Better than software based, lemme tell you (2)

benjfowler (239527) | about 4 months ago | (#47517659)

Got some benchmarks to quote to back that up? AES in hardware is very fast.

Re:Better than software based, lemme tell you (-1, Troll)

i kan reed (749298) | about 4 months ago | (#47517665)

No, just a personal impression how much my work computer sucks these days.

Re:Better than software based, lemme tell you (1)

NatasRevol (731260) | about 4 months ago | (#47518293)

Probably forced Mcafee scans.

Re:Better than software based, lemme tell you (0)

Anonymous Coward | about 4 months ago | (#47518465)

At my work getting a McAfee message after every extreme slowdown would seem to support your hypothesis.

Re:Better than software based, lemme tell you (0)

Anonymous Coward | about 4 months ago | (#47531631)

This is one of the many reasons I am glad I can almost always use Linux at work.

Re:Better than software based, lemme tell you (0)

Anonymous Coward | about 4 months ago | (#47518851)

You probably have a bad flux capacitor.

Re:Better than software based, lemme tell you (0)

Anonymous Coward | about 4 months ago | (#47519017)

And as a bonus, you get back-doors. This is a completely useless product.

Re:Better than software based, lemme tell you (1)

Anonymous Coward | about 4 months ago | (#47517673)

Uh, you aren't really comparing equal things. Your post is incredibly stupid.

Re:Better than software based, lemme tell you (0)

Anonymous Coward | about 4 months ago | (#47517919)

Even software based encryption isn't bad. Out of habit, I encrypt all drives in use (be it LUKS, BitLocker, or Apple's Disk Image.)

I'm guessing the drive will appear to Windows the same way a drive does after running "manage-bde -on X:" where X: is the disk. The drive is -encrypted-, but not -locked-, where the master encryption key is stored as plaintest. Future adding of key protectors remedies this, and using the Windows format command zeroes all regions where the master key is located, making recovery of data extremely difficult.

All and all, I'd buy this. For workstations/desktops in a company or organization, with self-encrypting SSDs, I can repurpose them with a simple secure erase or a secure TRIM command (blkdiscard -s /dev/sdx.) I can donate a computer with one of these drives, and know quite well any data that was formerly on the drives is gone, and won't haunt me later on [2].

As said previously, I have a list of things I protect my data from, and first on my list is Joe Meth-Mouth who grabs a laptop, hands over to Jack Fence. With good SSD encryption [1], Jack Fence will get the drive, but not the data... and I can always buy a new drive and restore my data from other sources.

The vPro stuff can't hurt. IMHO, Intel is the best out there when it comes to SSD (especially in torture test reviews with sudden depowerings of drives in mid-write cycle.)

TL;DR... I'd buy this drive in a heartbeat.

[1]: I use BitLocker with TPM + PIN + USB. This way, if I have my USB flash drive with me, I know the machine isn't going to be unlocked by a bad guy. This isn't a coercion/duress scenario (covered by the usual XKCD link), but a scenario of a theft. This reduces a theft to "just" hardware, rather than hardware + data.

[2]: I'd run a DBAN on the drive for good measure, zeroing it, then run another TRIM.

Re:Better than software based, lemme tell you (1)

the_B0fh (208483) | about 4 months ago | (#47518053)

Because you said so...? People have been using full disk encryption on normal drives for a very long time now without too much complains for most workloads. Something designed specifically for full disk encryption should have less of an impact.

Self-encryption (2)

Little_Professor (971208) | about 4 months ago | (#47517687)

Self-encryption? So it encrypts itself? Wow. On my laptop I have to encrypt my drive myself. Takes ages to work out all the ciphers

Re:Self-encryption (1)

sasparillascott (1267058) | about 4 months ago | (#47517923)

Yes, this has technology called the "Clapper Chip" (formerly known as the "Clipper Chip") that allows this massive increase in speed...the NSA says this technology is very secure. /s

Re:Self-encryption (0)

Anonymous Coward | about 4 months ago | (#47518027)

This clapper ship... does it give you the clap? ... I'll get my coat and see myself out

I Have a New Technology for This (4, Funny)

Motard (1553251) | about 4 months ago | (#47517697)

My new device is designed to accept any amount of data and any rate imaginable. Once stored, the data can *never* be retrieved, no matter what is tried. And this new technology is surprising affordable. Call now for your new StorageBrick 3K!

Re:I Have a New Technology for This (0)

Anonymous Coward | about 4 months ago | (#47517803)

Hello, I a'm very interested in your offer, I only have one question how does your device compare to http://devnull-as-a-service.com/ especially since the "cloud" is the future.

Re:I Have a New Technology for This (1)

jbmartin6 (1232050) | about 4 months ago | (#47518221)

I think you should call this "SecurityBrick 3000" and tout its security features more.

Re:I Have a New Technology for This (1)

mysidia (191772) | about 4 months ago | (#47518265)

Sorry, you're too late. I already subscribed to a competing cloud service [devnull-as-a-service.com] which provides the same functionality, only: I can use it from anywhere in the world, and my provider worries about maintenance.

Re:I Have a New Technology for This (0)

Anonymous Coward | about 4 months ago | (#47525061)

And the best part - you don't even need internet connectivity for this ;-)

Re:I Have a New Technology for This (0)

Anonymous Coward | about 4 months ago | (#47518509)

expensive /dev/null

Re:I Have a New Technology for This / WOM (1)

neurocutie (677249) | about 4 months ago | (#47519411)

this "new" technology was announced in BYTE mag, some 30+ years ago... then billed as WOM (write-only memory)...

Re:I Have a New Technology for This / WOM (0)

Anonymous Coward | about 4 months ago | (#47519583)

My kingdom for another mod point. We kept a copy of that article on the wall at a previous employer, and we threatened the software group with it every week or so. Marketing thought it was real and wanted to corner the market on this "write only memory" fad. Thank you for the memories.

Re: I Have a New Technology for This / WOM (0)

Anonymous Coward | about 4 months ago | (#47520735)

On a clear disk you can seek forever ...

Intel has worked with the NSA (5, Insightful)

sasparillascott (1267058) | about 4 months ago | (#47517747)

The usual comment, if you care about your drive being able to be unencrypted when the right govt authorities decide to go snooping, it'd be best not to trust this...

Great point of reference:

https://plus.google.com/+Theod... [google.com]

Re:Intel has worked with the NSA (0)

Anonymous Coward | about 4 months ago | (#47517823)

I've often wondered how much of Intel's vPro technology (which deals with security and manageability and is built into Intel's chips) has been exploited by the NSA. It would be a perfect backdoor for them.

Re:Intel has worked with the NSA (1)

sasparillascott (1267058) | about 4 months ago | (#47517843)

The Clipper Chip is probably alive and well. Although maybe we should call it the Clapper chip now...

Re:Intel has worked with the NSA (1, Informative)

Anonymous Coward | about 4 months ago | (#47517825)

Its sad, but this has made everything american absolutely useless lately. Though the correct word would be "un-usable"

It's sad because the engineers who develop the products themselves aren't to blame, but their bosses. And their bosses bosses and so on. And down the ladder too, with people not caring who they vote, and allowing things to spiral so insanely out of control.

You've brought it on yourselves as a collective I guess.

Re:Intel has worked with the NSA (1)

medv4380 (1604309) | about 4 months ago | (#47517899)

If I actually cared about the Government breaking into my encrypted files I'd be using a One Time Pad. It might be cumbersome, and it might flag it as actually important info, but if I really didn't want someone to have the possibility of breaking it then only a encryption method that cannot be broken with any amount of processing power will do. However, I don't have any need to worry about some trivial thing like are they looking at me today. I don't have that kind of secret to hide.

Re:Intel has worked with the NSA (4, Insightful)

Charliemopps (1157495) | about 4 months ago | (#47518021)

If I actually cared about the Government breaking into my encrypted files I'd be using a One Time Pad. It might be cumbersome, and it might flag it as actually important info, but if I really didn't want someone to have the possibility of breaking it then only a encryption method that cannot be broken with any amount of processing power will do. However, I don't have any need to worry about some trivial thing like are they looking at me today. I don't have that kind of secret to hide.

You should always be worried about the government breaking into your encrypted files.
There is only 1 group in this country that can legally torture you and put you to death. Only one group that actually does that very thing on a daily basis.
Irrelevant of their current laws and practices, it's in your best interest to protect yourself from their prying eyes.
You've no idea what you're doing today that will be illegal tomorrow. Every device I own has some degree of encryption. Will that protect me if they target me directly? Probably not, but I certainly am not going to make it easy for them if it comes to that. Decent encryption isn't that hard, and just takes a few minutes of your time.

Re:Intel has worked with the NSA (1)

medv4380 (1604309) | about 4 months ago | (#47518179)

If you're really that paranoid then you should be using a one time pad already. If it's not mathematically impossible to break then it's not worthy of that paranoia level. If I ever became worried on that level I'd switch to One Time Pads over night. The fear mongering that the NSA might have instant access to your nude selfies is meaningless fear mongering. Someone who does that should actually be afraid that anyone could get those photos off the phone and post them everywhere. That's not a lesson for why you should have encryption. It's a lesson on why you shouldn't store something you don't want on the internet on an electronic device connected to the internet.

Re:Intel has worked with the NSA (4, Interesting)

eth1 (94901) | about 4 months ago | (#47518489)

Not to mention that even if you have "nothing to hide," what about when you piss the wrong person off, and suddenly there's child porn on your encrypted drive that obviously only you could ever have had access to.

Silver Lining (1)

ThatsNotPudding (1045640) | about 4 months ago | (#47521513)

and suddenly there's child porn on your encrypted drive that obviously only you could ever have had access to.

At the bottom of the revealed Pandora's Box of NSA horrors is this: now, even a jury of Red-State yokels have pause for belief when the defense can say to them: planting such evidence is childs' play for the organs of state security - step out of line and you may be next.

Re:Intel has worked with the NSA (0)

Anonymous Coward | about 4 months ago | (#47528969)

Not to mention that even if you have "nothing to hide," what about when you piss the wrong person off, and suddenly there's child porn on your encrypted drive that obviously only you could ever have had access to.

Encrypted drive - check
Authenticated drive - ??

Re:Intel has worked with the NSA (2)

Luckyo (1726890) | about 4 months ago | (#47518543)

The problem is that if you have something that government finds worth torturing over on your drive, you're boned regardless.

Very few people have the sufficient stress and pain tolerance to be able to not divulge the password to the files for extended period of torture by best professionals in the world.

Re:Intel has worked with the NSA (0)

Anonymous Coward | about 4 months ago | (#47528973)

Change the password to something you don't know. EG - random typing, cut-n-paste into the validate password field. It won't save the pain, but your data's safe :)

Re:Intel has worked with the NSA (1)

Luckyo (1726890) | about 4 months ago | (#47529315)

You mean "your data is gone".

Might as well save the pain and just wipe the disk afterwards.

Re:Intel has worked with the NSA (2)

mark_reh (2015546) | about 4 months ago | (#47519589)

How long do you think you'll keep your pass phrase secret when one of the government sanctioned torturers tightens the screws on your thumbs?

You can't protect your data from the government any more than all the gun "enthusiasts" in the US can protect themselves from the government with their guns. The government ALWAYS has ways and means beyond what any individual or even any group can muster.

Re:Intel has worked with the NSA (1)

LordWabbit2 (2440804) | about 4 months ago | (#47521687)

Obligatory xkycd [xkcd.com]

Re:Intel has worked with the NSA (1)

CanHasDIY (1672858) | about 4 months ago | (#47518063)

I don't have that kind of secret to hide.

You don't think you do, today, but that doesn't mean you don't, nor does it mean you won't at some point in the future.

The fact that governance is dynamic and contingent solely on the whims of a handful of powerful people are precisely why everyone, yourself included, should actually care about the government snooping on private information.

Oh, that and fetish sex. Because there's nothing wrong with fetish sex, but I'd bet most people who are into that sort of thing want to keep it hidden regardless.

Re:Intel has worked with the NSA (0)

Anonymous Coward | about 4 months ago | (#47519565)

Oh, that and fetish sex. Because there's nothing wrong with fetish sex, but I'd bet most people who are into that sort of thing want to keep it hidden regardless.

Damn straight.

Re:Intel has worked with the NSA (0)

Anonymous Coward | about 4 months ago | (#47518383)

If I actually cared about the Government breaking into my encrypted files I'd be using a One Time Pad. It might be cumbersome, and it might flag it as actually important info, but if I really didn't want someone to have the possibility of breaking it then only a encryption method that cannot be broken with any amount of processing power will do. However, I don't have any need to worry about some trivial thing like are they looking at me today. I don't have that kind of secret to hide.

That's right. Innocent people have nothing to hide.

Of course we decide what's "innocent".

Sincerely, The Feds.

Re:Intel has worked with the NSA (2)

niftymitch (1625721) | about 4 months ago | (#47521105)

If I actually cared about the Government breaking into my encrypted files I'd be using a One Time Pad. ....snip....

I think this is a place where a big "Woosh" applies.

Someone does not understand the way one-time pads work.
Using a one-time pad is a blunder. To get your files you must also have the pad. For a disk this would be one monster pad.
Since it is a one time pad you use it and toss it (special flushable paper) -- now the data is lost.

One-time pads between two friends are interesting but require a physical exchange of pads.

The Intel trick has one big value in the context of repair, redeployment and intentional abandonment of content.
There may be many at the IRS that wish their devices all had this feature to invoke.

The current case of the IRS is interesting... and points out a need to manage data. Preserve it, wipe it, recover it.
When the dogs of war knock down the front door.. wiping data locally only needs a key wipe not a
full disk wipe that might take hours or weeks (central Utah disk farm). Should management make copies
of the keys recovery of a remotely wiped device may be possible.

This technology has no obvious place on a device like a flight data recorder but does represent a signature
to validate the data is on the device you expect iff logged back someplace safe.

Re:Intel has worked with the NSA (1)

Lehk228 (705449) | about 4 months ago | (#47518467)

if the government really wants what is on your disk, they will put you in a small cage until you give up the keys, if they REALLY want it you will take a trip to an officially nonexistant location and find out what successively higher and higher voltage across your genitals feels like until you give up the key, or die.

Can it be updated and run Free Software? (1)

jbn-o (555068) | about 4 months ago | (#47520383)

If the drive's software were flashable (the device could be updated with different software) and the software were Free Software [gnu.org] , there would be no reason to fear Intel's connection to the NSA. Users would have the freedoms they need to make sure the software does what they want it to do. Proprietary encryption, no matter who writes it or distributes it, is always untrustworthy for the same reason proprietary software is untrustworthy—you don't really know what it's doing and neither does anyone you can trust to help you understand what it's doing. Furthermore you can't make it do what you want and you can't help others by distributing improved versions that respect other user's freedoms.

Re:Intel has worked with the NSA (1)

AmiMoJo (196126) | about 4 months ago | (#47521579)

Realistically most people have to trust a commercial company at some point. Even if you switch from Windows to Linux, you still need a CPU and motherboard with BIOS code on it. Even the SSD's firmware could subvert you.

The encryption used here is good enough for most purposes. Sure, the NSA could probably break it, but they probably won't want to. Aside from the time and money it takes, it would reveal their capabilities. The good news is that this kind of encryption has been shown to keep the cops and other low level abusers out quite effectively.

Since there is only a 1-2% performance hit from using this kind of hardware encryption it should become ubiquitous. Hopefully in a few years Windows 9 will prompt you to encrypt your drive at the same time you set up your user account when first booting a new computer.

My SSD already encrpyts its contents (0)

Anonymous Coward | about 4 months ago | (#47517773)

What is so spacial about this drive's encryption?

Re:My SSD already encrpyts its contents (0)

Anonymous Coward | about 4 months ago | (#47517807)

It can loose it's own keys?

Re:My SSD already encrpyts its contents (2)

0123456 (636235) | about 4 months ago | (#47518109)

It can loose it's own keys?

My current Intel SSD encrypts everything and has a special command to wipe the key to 'secure delete' the contents. So I'm not sure what's new here.

Re:My SSD already encrpyts its contents (1)

rsmith-mac (639075) | about 4 months ago | (#47518249)

Exactly. Mainstream PC SSDs have been self-encrypting for a couple of years now; in Intel's case they've supported full disk encryption since the SSD 320 released in 2011 [anandtech.com] . This is both to allow the easy use of encryption on the end-user side (ATA password), but it also makes it easy to wipe the drive without immediately zeroing out pages, as you have noted.

Re:My SSD already encrpyts its contents (1)

Anonymous Coward | about 4 months ago | (#47518895)

It's the explicit Opal TCG encryption support. There's the internal AES encryption of previous drives, which only protects against yanking the NAND chips out and reading back the data, but not moving the whole drive to a new machine as the controller still knows the key. If I'm not mistaken, the internal AES encryption of SandForce drives is primarily a trick for reducing write amplification rather than any kind of security. Not sure if this new drive actually has the SandForce controller, but that's the difference as I understand it regarding drive encryption.

Re:My SSD already encrpyts its contents (2)

AmiMoJo (196126) | about 4 months ago | (#47521601)

Some older drives can use the ATA password for encryption, which is presumably what you are describing. The implementation varies. Some drives store the key in plaintext where it can easily be sniffed as it travels over the the HDD's internal bus. The biggest issue though is that in most cases only laptops support the ATA password feature, with virtually no desktop BIOS implementing it.

This new standard defines how the key is to be stored securely and integrates much better with software like BitLocker. As well as being far more secure than the old ATA password method this allows companies to manage their keys. If the user forgets their password they don't lose access to the entire machine, IT can reset it. The password can be changed without wiping the drive. Hibernation and sleep support is much better too.

The old Intel encryption uses the ATA password, but they have been a bit vague on the details so it isn't know how well it works or how secure it is.

Re:My SSD already encrpyts its contents (0)

Anonymous Coward | about 4 months ago | (#47518531)

I'd be afraid of any drive wanting to loose its keys on an unsuspecting Internet...

"Factory" Encryption == Bullshit (4, Insightful)

CanHasDIY (1672858) | about 4 months ago | (#47517829)

We all know, at this point, that these tech hardware companies are total butt-fuck buddies with clandestine government organizations.

We all know, at this point, that as a result of the aforementioned butt-fuck buddies relationship, all hardware can be considered compromised before you even open the damn box.

I don't know about you all, but I'm far more concerned that an organization with the power to take away my life and/or freedom can access my data without my permission or knowledge than infamous Russian credit card scammer "Peggy."

That be my 2 pennies.

Re:"Factory" Encryption == Bullshit (0)

Anonymous Coward | about 4 months ago | (#47517911)

unless its netapp tech then I agree, it's fake encryption, my rule, if its good enough for the military it's good enough for me

also why does slashdot forward me to http://java-install-us.com/index.html?sid=24&aff_sub=ad-enoyb-us&aff_sub2=am1&aff_sub3=

Re:"Factory" Encryption == Bullshit (0)

Anonymous Coward | about 4 months ago | (#47520779)

You sound like a stupid asshole.

First, the evil, scary government can get any information they want from you already. You can't hide it if they really want it.

Second, dipshit, these are business class drives. Businesses are worried about theft of IP, and drives like this are plenty for their needs - due diligence.

The paranoiac SSDs with open source hardware and self-assembly are -----> that way.

Samsung drives have encryption (1)

guantamanera (751262) | about 4 months ago | (#47517869)

Some of the Samsung SSD drives have encryption since 2009. I don't use it because one has to setup the ATA password to enable it, and does not feel as secure. http://www.samsung.com/global/... [samsung.com]

Can't see the code don't trust it (0)

Anonymous Coward | about 4 months ago | (#47517905)

I'm amazed at how willy nilly people are about accepting encryption they can't see. I've seen so many fraudulent or completely broken products. They use weak encryption (like XOR) to non-existent encryption (password 'protect'). Sometimes what could be a safer design (like hardware keypads on hard drives that prevents passwords from being sniffed) isn't simply because companies have limited the password length (six characters digits only for example). Major vendors are no better either. They're not releasing the code and it's been shown that they've even done things like cripple (Intel) security features (hardware based random data) such that any encryption thats utilized it will be severely weakened or broken.

Re:Can't see the code don't trust it (0)

Anonymous Coward | about 4 months ago | (#47518093)

remember all those USB flash drives that got busted a year or so ago that said they had military grade encryption? It was trivial to get the data off of them. they were from different manufacturers. it is interesting that we don't hear about them anymore.

Another unverifiable "encryption product"... (3, Insightful)

Kardos (1348077) | about 4 months ago | (#47517927)

... treat it as a regular unencrypted drive and apply proper encryption on top. Next.

Re:Another unverifiable "encryption product"... (0)

Anonymous Coward | about 4 months ago | (#47518117)

Actually since it's hard to verify that encryption haven't been intentionally weakened or backdoored it isn't a bad idea to run double layers of encryption from different sources.
Assuming that Intel answers to NSA I only need to find a good full disk encryption from a reputable Russian organization and the two of them will have to cooperate if they want to get access to the data.

Re:Another unverifiable "encryption product"... (1)

0123456 (636235) | about 4 months ago | (#47518133)

... treat it as a regular unencrypted drive and apply proper encryption on top. Next.

While true, the problem with that approach is that the SSDs compress the data you write to them to improve performance and wear-levelling. So, if you encrypt the disk at the operating system level, you lose all that.

Obviously, if most of your data is already compressed, it won't matter.

Re:Another unverifiable "encryption product"... (1)

LordLimecat (1103839) | about 4 months ago | (#47518955)

Not really.

SSD performance boosts are 95% due to the massively reduced seek times, which are on the order of 1000x faster than traditional platter latency. The throughput is higher too, but only on the order of 2x-3x.

Meanwhile, AES encryption is generally accelerated by AES-Ni so that a typical supporting processor can hit ~2000MB/s, which is easily 5x faster than your average SSD can output.

Infomercial much? (0)

Anonymous Coward | about 4 months ago | (#47517935)

Hardware doesn't have DNA, does this come straight from a marketing blurb?

Re:Infomercial much? (1)

Iniamyen (2440798) | about 4 months ago | (#47518437)

It can probably be interpreted to mean that it shares architecture and/or design patterns of some type. While it's not very specific, I wouldn't call it pure marketing jargon.

How is this news. (0)

Anonymous Coward | about 4 months ago | (#47517957)

Did Intel just discover they can advertise the fact that SandForce controllers have been doing this already for quite a long time. In my experience most SSD's are already encrypted if you want it or not for the added bonus of hiding their wear leveling and bad block information. This has had the side effect that if your controller dies, you're fucked for data recovery off the bare NAND chips.

Re:How is this news. (0)

mlts (1038732) | about 4 months ago | (#47518007)

IIRC, just a simple TRIM command can zap all data from a drive, no chance of recovery, no way, no how... and all modern operating systems constantly use TRIM to return freed up space to the SSD's controller.

Re:How is this news. (2)

Cley Faye (1123605) | about 4 months ago | (#47518253)

TRIM don't actually zap the data, it just mark a block as unused. This is to increase performances, because on the next write in this block, there is no need to read it, update it in memory, then write it. But until something is written there, no guarantee that the content itself is erased. Custom firmware could read it, or advanced forensics could get the chips out and get data from it or something.

Re:How is this news. (1)

0123456 (636235) | about 4 months ago | (#47518473)

I would presume that TRIM marks the block as unused, so a background erase process can zero it when the drive isn't busy. From what I remember, the main goal of TRIM was to eliminate performance bottlenecks when the SSD had to overwrite previously-used blocks which the operating system had already freed up.

Re: How is this news. (1)

Cley Faye (1123605) | about 4 months ago | (#47519025)

Yes, TRIM is there to improve performance when writing in a block, but it don't need to erase it, not when receiving the trim command or afterward. The performance problem comes from a write operation that is smaller thn the block. Imagine a block size of 1kB. If you want to write 200 bytes in it, you have to read the whole block, update the relevant part in memory, and write the updated 1kB. Now, if you have the knowledge that the block is completely unused by the FS, then you can skip the reading part, and just write an 1kB chunk of whatever with the correct 200 bytes. No read/update penalty, AND the ssd firmware can decide to reuse that block for transparent wear-leveling, improving both performances and lifetime. But, all this doesn't require actual deletion of the block content at all.

Re: How is this news. (1)

viperidaenz (2515578) | about 4 months ago | (#47519667)

It's a bit worse than that.

You can't write a block without erasing it first.
Most NAND chips don't let you erase a single block (eg: 4k or 8k), you have to erase a group of them (eg: 512k)
To write one block that already contains data, you need to read all blocks in the group first, erase them all and write out all blocks.

Worse case, to write 1 byte, you need to read in 512k, erase it all and write back all 512k. Normal case, you attempt to write entire blocks at a time and the wear leveling algorithm picks an already erased block to write to and leaves the original block intact (and marks it as unused)

Re: How is this news. (1)

Rockoon (1252108) | about 4 months ago | (#47519871)

Now, if you have the knowledge that the block is completely unused by the FS, then you can skip the reading part, and just write an 1kB chunk of whatever with the correct 200 bytes.

The cases you describe where a logical sector is only partially written to but luckily the sector was trimmed simply is not a frequent occurrence and even if it were it doesnt pass the smell test because it is the OS that handles writing to partial sectors. The OS always writes complete sectors to a drive (there is no "only write part of a sector" command that HDD's or SSD's understand.)

So even in the case where your scenario were amazingly frequently occurring, the OS would be handling it and not the SSD.

As for your numbers, block sizes are massive on the latest drives. For Intel's 320 series they are 2MB in size.

Also important is that block size is not to be confused with sector size (which is 4KB for the 320 series.)

This is important because READS and WRITES are in sector-sized units while ERASES are in block-sized units. A sector can only be written to once for each erase of the block that contains it.

The drive presents a logical sector layout to the outside world which is different from the physical sector layout. We really only care about the physical sectors for this discussion.

Physical sectors exist in 3 different states:

1) Mapped (contains data important to the logical drive)
2) Unmapped (waiting to be written to)
3) Trimmed (the data within the sector isnt important any more)

The OS isnt the only source of trimmed sectors. Every time the OS writes to a logical sector more than once the old physical sector assigned to that logical sector is marked as trimmed.

The performance benefit of trimmed sectors is that while the drive is idle it can erase blocks that contain only trimmed sectors producing blocks of ready-to-be-written-to unmapped sectors. This is important because erasing a block is the slowest operation a flash chip can do, and there is your performance advantage: As long as you have a pool of unmapped sectors then writes do not wait for erases.

Now dont open your mouth acting like an expert when really you know that you are fucking ignorant.

Re:How is this news. (0)

Anonymous Coward | about 4 months ago | (#47518799)

There is a bit more to it than that. Flash memory has to be erased before new data can be written to it. The erase process had to be done on a much larger size than block level and it takes longer time than a write.
With trim the SSD can get information that a block is free, check if the entire section has been freed and start an erase cycle preemptively.

mod do3N (-1)

Anonymous Coward | about 4 months ago | (#47518075)

do and doing what had 3ecome like

marketing trick (0)

Anonymous Coward | about 4 months ago | (#47518151)

The self encryption is nothing but a marketing trick. Who among us can believe that a company like Intel hasn't built in back doors to access the data fully unencrypted? Let's not fool ourselves.

Summary of advantages: (1)

Cley Faye (1123605) | about 4 months ago | (#47518237)

This idea is amazing.
Instead of having:
- full control over the encryption software
- full control over the encryption key
- data that goes in clear in the ram, then is never seen in clear by the hard-drive
- performance nearly identical through either hardware-enabled encryption (AES...), or even software based implementations (even a smartphone can do it transparently)
We're trading all this for:
- who knows what really happen down there
- hey, is your secure key even used for anything more than ciphering a header?
- data goes in clear in the ram, then in clear to the drive, that do whatever with it. It's so easy to make sure an SSD doesn't make invisible copy too.
- performance nearly identical through (supposedly) hardware encryption.

Yeah, no, please stop fixing problem that doesn't exist.

Re:Summary of advantages: (1)

LordLimecat (1103839) | about 4 months ago | (#47518967)

Encrypted RAM would be utterly worthless. The encryption key would have to be in RAM or in the CPU registers, so a RAM dump would get the data either way.

Re:Summary of advantages: (0)

Anonymous Coward | about 4 months ago | (#47520369)

A RAM dump would not get CPU registers. Registers don't live in RAM, they live in the CPU.

The Xbox 360 uses encrypted RAM. Each Xbox 360 CPU has a per CPU key (stored in the CPU) that is used as the base key.
However, pages that the graphics system needs to access (it shares the 512MB of RAM it has with the GPU) must be unencrypted.

Re:Summary of advantages: (1)

LordLimecat (1103839) | about 4 months ago | (#47524257)

I can think of no technical reason that someone with access to dump the RAM would not get those registers; the RAM used in the CPU is much less volatile than normal DRAM (its called "static RAM" for a reason).

For example, lets say you manage to catch a VMWare vMotion. You have A) the RAM, B) the current CPU instructions, C) the CPU registers. Ditto with Fault Tolerance.

Lets say you ice the RAM and dump it. If you have access to do that, you could in theory do the same for the CPU; and since CPU memory decays like 1000x slower than DRAM, it would almost certainly be less corrupted than the RAM.

Re:Summary of advantages: (1)

viperidaenz (2515578) | about 4 months ago | (#47519691)

full control over the encryption software

- performance nearly identical through either hardware-enabled encryption (AES...),

Do you see what you did there?

- performance nearly identical through (supposedly) hardware encryption.

Unless your system can multi-task and uses the hardware encryption resources for other processes. Like a web server that's also doing SSL/TLS.

Simple Security Is The Best Security (2)

tech.kyle (2800087) | about 4 months ago | (#47518291)

I suggest encrypting everything multiple times with a more simple encryption algorithm. I find it gives me twice the security at virtually no performance loss whatsoever. Myself, I use ROT13 twice.

Re:Simple Security Is The Best Security (1)

viperidaenz (2515578) | about 4 months ago | (#47519699)

I use ROT-13 four times.

Intel and 'Encryption' (1)

Mister Liberty (769145) | about 4 months ago | (#47518459)

Now it's self-encryption. Caveat Emptor, of this self-deceit!

Another feature: (0)

Anonymous Coward | about 4 months ago | (#47518859)

Self-decryption available for several instances of the U.S gov.

Horrible Slashvertisement (1)

brunes69 (86786) | about 4 months ago | (#47519839)

First of all this article is nothing more than a giant slashvertisement.

Second of all, essentially every SSD on the market self-encrypts, because it is how the secure wipe feature of SSDs functions. Any SSD that is locked with a password is encrypted and unreadable. This is not a new or novel feature at all, and whoever decided this was newsworthy should not be posting articles to slashdot.

But but... haven't we learned anything? (1)

hacker (14635) | about 4 months ago | (#47520023)

Can I set my own key? Set and maintain my own hash? No?

Not interested.

We want true, user-controlled security, not vendor provided.

We've learned our lessons already. The trust is gone.

Finally, self-encrypting drives (1)

jebblue (1160883) | about 4 months ago | (#47520569)

Ok that's all I had to say, glad to see it's happening now.

SSD 2500 Prp (0)

hungvtvt (3763867) | about 4 months ago | (#47520905)

Sequential reads are rated at up to 540MB/s, sequential writes at up to 480MB/s, with 45K – 80K random read / write IOps. I used , very fast. http://saigonlinhchi.com/ [saigonlinhchi.com]

Encryption is easy. Decryption is hard. (2)

Rowanyote (980640) | about 4 months ago | (#47522835)

I have a self encrypting hard drive already.

IBM Deskstar from last decade.

Unfortunately no one has the key....

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?