Original Link: http://www.anandtech.com/show/8398/sandisk-x300s-512gb-review
SanDisk X300s (512GB) Review
by Kristian Vättö on August 21, 2014 2:15 PM EST
Back in May SanDisk announced the X300s, which is the company's first SED (Self-Encrypting Drive). The X300s is based on the same Marvell platform as SanDisk's client drives but with the differentiation that the X300s is the only drive that supports encryption via TCG Opal and IEEE-1667 (eDrive) standards. Due to the encryption support the X300s is positioned as a business product since the main markets for encrypted drives are corporations and governments, which handle sensitive and confidential data on a daily basis.
In our Intel SSD 2500 Pro review I talked about the cost of a lost corporate laptop in more detail, but in short a lost unencrypted corporate laptop costs an average of $50,000 to the company through the loss of IP and data breaches. (Obviously not every lost laptop will cost that much -- some might not cost anything more than the hardware, but others could be far more valuable.) Encryption is the easiest way to minimize the loss because without access to the data in the laptop, the only loss is the physical laptop and the possible work hours as a result, but frankly that cost is only in the order of a couple of thousand dollars, whereas the loss of IP could result in millions of dollars in damage.
To provide the ease of encryption to everyone, SanDisk is including a license for Wave's EMBASSY Security Center with every X300s. While Windows 8 provides native support for hardware encryption through eDrive, most corporations are still using Windows 7 and that only provides software based BitLocker encryption. Moreover, eDrive has a rather strict set of hardware and software requirements, which can be a dealbreaker if dealing with older hardware with no UEFI and/or TPM support. In addition to Wave, the X300s has been certified by McAfee, WinMagic, Check Point, Softex, and Absolute for Opal encryption in case you or your company already has security software.
|SanDisk X300s Specifications|
|Form Factor||2.5" 7mm & M.2 2280|
|Controller||Marvell 88SS9188||Marvell 88SS9187|
|NAND||SanDisk 2nd Gen 64Gbit 19nm MLC|
|4KB Random Read||71K IOPS||85K IOPS||90K IOPS||92K IOPS||94K IOPS|
|4KB Random Write||37K IOPS||66K IOPS||80K IOPS||80K IOPS||82K IOPS|
|Idle Power (Slumber/DEVSLP)||90mW / 5.0mW||90mW / 5.0mW||90mW / 5.0mW||90mW / 6.0mW||95mW / 6.0mW|
|Max Power (Read/Write)||3.1W / 5.0W|
|Endurance||40TB (21GB/day for 5 years)||80TB (43GB/day for 5 years)|
|Encryption||TCG Opal 2.0 & IEEE-1667|
The X300s is available in both 2.5" and M.2 2280 form factors. The 2.5" version comes in up to 1TB capacity and uses two different controllers depending on the capacity. 256GB and lower use the 4-channel Marvell 9188 (codename Monet Lite), whereas the 512GB and 1TB models use the full 8-channel Marvell 9187 controller (whose codename is surprisingly just Monet). The M.2 2280 is limited to 512GB due to form factor limitations and uses the Monet Lite controller for all capacities.
The PCB in the X300s is single-sided and features a total of eight NAND packages. It is quite impossible to see the markings on the chips from this angle due to the residue from the thermals pads, so here is a closer shot of the NAND with light coming from a better angle.
Unfortunately SanDisk's part numbers do not tell much and there is no public part number decoder available, but SanDisk told me that the X300s uses 64Gbit 1Ynm (i.e. second generation 19nm) parts, meaning that our 512GB sample features eight octal-die NAND packages.
For AnandTech Storage Benches, performance consistency, random and sequential performance, performance vs transfer size and load power consumption we use the following system:
|CPU||Intel Core i5-2500K running at 3.3GHz (Turbo & EIST enabled)|
|Motherboard||AsRock Z68 Pro3|
|Chipset Drivers||Intel 126.96.36.1995 + Intel RST 10.2|
|Memory||G.Skill RipjawsX DDR3-1600 4 x 8GB (9-9-9-24)|
|Video Card||Palit GeForce GTX 770 JetStream 2GB GDDR5 (1150MHz core clock; 3505MHz GDDR5 effective)|
|Video Drivers||NVIDIA GeForce 332.21 WHQL|
|Desktop Resolution||1920 x 1080|
|OS||Windows 7 x64|
For Wave EMBASSY Security Center and slumber power testing we used a different system:
|CPU||Intel Core i7-4770K running at 3.3GHz (Turbo & EIST enabled, C-states disabled)|
|Motherboard||ASUS Z87 Deluxe (BIOS 1707)|
|Chipset Drivers||Intel 188.8.131.526 + Intel RST 12.9|
|Memory||Corsair Vengeance DDR3-1866 2x8GB (9-10-9-27 2T)|
|Graphics||Intel HD Graphics 4600|
|Desktop Resolution||1920 x 1080|
|OS||Windows 7 x64|
- Thanks to Intel for the Core i7-4770K CPU
- Thanks to ASUS for the Z87 Deluxe motherboard
- Thanks to Corsair for the Vengeance 16GB DDR3-1866 DRAM kit, RM750 power supply, Hydro H60 CPU cooler and Carbide 330R case
How Self-Encrypting Drives (SEDs) Work
SED means that instead of relying on the host processor and software for full-disk encryption (FDE), the encryption is done purely by the drive itself using Trusted Computing Group's (TCG) Opal standard. The Opal standard offers two major benefits over software based disk encryption: performance and security.
Instead of using the host resources (CPU and RAM) to encrypt the drive, the controller inside the SSD does the encryption, which provides higher performance due to the lack of CPU overhead and is also far more power efficient. In fact, the controller already encrypts all data on the fly regardless of whether encryption has been enabled by the user -- by default the encryption key in the drive is just not encrypted and thus the drive can be accessed by anyone. When enabling Opal encryption the password created by the user is used to encrypt the encryption key, making the drive inaccessible unless the correct password is provided. The encryption key is generated during the manufacturing process of the drive (although it can be regenerated later on) and resides in a small secured block of memory that is protected and isolated from other memory.
As for security, software encryption solutions do not generally encrypt the master boot record (MBR), which leaves the drive vulnerable to attacks using alternative boot media (CD/USB). Hardware encryption does not have the same problem because every single bit that the drive receives will be encrypted, including the MBR. Basically, hardware encryption is transparent to the OS because the drive does not know or care what data it receives as all data is encrypted regardless.
Because even the MBR is encrypted, SEDs have a pre-boot OS that is essentially a very restricted version of MS-DOS or Linux. When the BIOS requests the MBR from the drive during boot, the drive instead returns the pre-boot OS that asks for authentication before allowing access to the MBR. Once the correct credentials have been provided, the drive allows the BIOS to access the MBR and the system will boot normally.
Testing Wave's EMBASSY Security Center
Every X300s includes a license for Wave's EMBASSY Security Center (ECS), which normally retails for $40. ECS can be acquired from SanDisk's SSD Dashboard under the Tools tab. ECS provides local SED management, and for IT administrators Wave offers EMBASSY Remote Administrator Server (ERAS) that allows central management of all SEDs in the organization.
Clicking the icon will lead you to the download site where you enter the promo code that comes with the SSD Dashboard as well as your personal details (name, address, email etc. -- no credit card is needed). Once you have entered all the information, you will be able to download the ECS and the serial key is sent to the email address you provide.
After installation and reboot, you will be ready to enable encryption. Drive management is found under the 'Trusted Drive' tab and at first everything is in the off state and the only option is to start the initialization process. For testing I used a very basic Z87 based system running Windows 7 in legacy mode with no TPM module.
The first step is to create the administrator for the drive, which will have the right to manage the drive. After the initialization process additional users can be added but I will look at that once we are there.
After creating the administrator, you will be given an opportunity to either print or save the administrator username and password to a USB drive. This step can be skipped but it is recommended since if the credentials are forgotten, you will be unable to access the drive and the only way to recover the drive is to perform a PSID reset (more on this later but it erases all the data in the drive).
After that you are done -- the drive is now fully encrypted. It only takes a few seconds to encrypt the drive because as I mentioned earlier, all the data in the drive is already in encrypted format and thus only the encryption key needs to be encrypted. You can check that the drive is really encrypted from the SSD Dashboard, which should now say that security is activated.
This is what the drive management looks like. The administrator has the right to un-initialize the drive, which will decrypt the key and make it accessible by anyone. There is also an option to disable drive locking, which is different in the sense that the drive will allow anyone to access the data but only the administrator can change the encryption settings (e.g. un-initialize or crypto-erase the drive). Additionally Wave can sync the drive's and Windows' passwords so there will be only one password, or you can enable single sign on that will eliminate the need to log into Windows separately.
Users can be added within the same interface to allow non-admin users to get through the pre-boot OS. Otherwise every user would need to use the administrator credentials, which would defeat the purpose of an administrator account as it is the only account with rights to manage the drive. In other words, normal users can use the system normally but administrator rights are needed to un-initialize the drive or change any settings related to security.
ECS also offers several options for Windows login. Aside from the typical password authentication, the user can login using biometric authentication (e.g. fingerprint), and smart cards are supported as well. Again, these settings can only be modified by the administrator, even though they are visible to the normal user.
|SanDisk X300s 512GB - PCMark 8 Storage Test|
|Storage Score||Storage Bandwidth|
|Wave ECS (Opal 2.0)||4974||265.1MB/s|
|Windows 7 BitLocker (Software)||4960||246.6MB/s|
To compare the performance of hardware and software based encryption solutions, I decided to run PCMark 8's storage test on the drive with the two enabled (separately, of course) and with no encryption at all. Strangely enough, the performance difference is almost non-existent. When Anand tested eDrive with the Crucial M500 and PCMark 7, he found that software based BitLocker encryption resulted in a 14% decrease in performance, whereas my test data shows a mere 0.3% loss in Storage Score. It is true that the PCMark 8's storage bench is different and in my experience it tends to show very small difference between SSDs but nonetheless it is still interesting that BitLocker has such a minor impact in performance.
Of course, my testbed is not exactly an ideal representation of an average corporate laptop since it is a Haswell based desktop with i7-4770K and 16GB of RAM, so the difference in lower performance systems might be larger as BitLocker will use the host CPU and RAM for encryption. Anyway, it looks like I will have to run some more tests to figure out a way to better characterize the performance benefits of hardware accelerated encryption because I believe the scores above do not give an accurate picture of the difference.
Crypto-Erasing an SED
Since SEDs are hardware encrypted, there is no way to fiddle with the drive without the administrator's credentials. However, what that also means is that in case you happen to forget the credentials, you will have a brick in your hands since SEDs cannot be secure erased using the standard ATA command like normal SSDs can. Fortunately, there is a way to revert the drive back to its factory setting by performing crypto-erase, or PSID revert as it is sometimes called.
The PSID can be found on the back label of every SED and it is a 32-character code.
To issue a crypto erase, a special utility is needed and SanDisk provides their Crypto Erase Tool for the X300s. It is very simple to use as the only thing you need to do is to enter the PSID and click erase now, which will deactivate encryption and secure erase all the data in the drive. I am not sure if SanDisk's tool supports other SSDs but in theory it should as there is nothing vendor-specific about crypto erase. However, there is also a third party freeware PSID revert tool available and I have confirmed that it works (tested with Samsung 850 Pro).
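The key hierarchy from "How Self-Encrypting Drives (SEDs) Work" and the PSID revert described in this section can be modelled in software to show why enabling locking and crypto-erasing are both near-instant. This is an added example, not code from SanDisk, Wave or the original review: ModelSED, its method names, the HMAC-based stand-in cipher, the PBKDF2 key derivation and the sample data are assumptions for illustration, and a real drive does all of this inside the controller.

```python
import hashlib, hmac, os, secrets

def stream_xor(key, tweak, data):
    # Stand-in cipher: HMAC-SHA256 keystream. Real drives use a hardware cipher such as AES.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, tweak + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def derive_kek(password, salt):
    # 64 bytes: first half wraps the media key, second half authenticates the wrap.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)

class ModelSED:
    def __init__(self):
        self.psid = secrets.token_hex(16).upper()  # 32-character label code (constructed)
        self.mek = os.urandom(32)                  # media encryption key, set at "manufacture"
        self.wrapped = {}                          # user -> (salt, wrapped MEK, MAC tag)
        self.media = {}                            # LBA -> ciphertext; plaintext is never stored

    def write(self, lba, data):
        if self.mek is None:
            raise PermissionError("drive is locked")
        self.media[lba] = stream_xor(self.mek, lba.to_bytes(8, "big"), data)

    def read(self, lba):
        if self.mek is None:
            raise PermissionError("drive is locked")
        return stream_xor(self.mek, lba.to_bytes(8, "big"), self.media[lba])

    def add_user(self, user, password):
        # Enabling locking wraps only the 32-byte MEK; user data is not re-encrypted.
        if self.mek is None:
            raise PermissionError("drive is locked")
        salt = os.urandom(16)
        kek = derive_kek(password, salt)
        blob = stream_xor(kek[:32], salt, self.mek)
        self.wrapped[user] = (salt, blob, hmac.new(kek[32:], blob, hashlib.sha256).digest())

    def power_cycle(self):
        # With locking enabled, the clear MEK does not survive power loss.
        if self.wrapped:
            self.mek = None

    def unlock(self, user, password):
        if user not in self.wrapped:
            return False
        salt, blob, tag = self.wrapped[user]
        kek = derive_kek(password, salt)
        if not hmac.compare_digest(tag, hmac.new(kek[32:], blob, hashlib.sha256).digest()):
            return False
        self.mek = stream_xor(kek[:32], salt, blob)
        return True

    def psid_revert(self, psid):
        # Crypto-erase: new MEK, all credentials dropped. The old ciphertext is not
        # overwritten, but nothing can decrypt it any more.
        if not hmac.compare_digest(psid.encode(), self.psid.encode()):
            return False
        self.mek, self.wrapped = os.urandom(32), {}
        return True

def demo():
    d = ModelSED()
    d.write(0, b"constructed sample: Q3 forecast")
    before = d.media[0]
    d.add_user("admin", "admin-pass")
    d.add_user("alice", "alice-pass")
    unchanged = d.media[0] == before        # enabling locking did not touch the data
    d.power_cycle()
    wrong = d.unlock("alice", "guess")
    ok = d.unlock("alice", "alice-pass")
    plain = d.read(0)
    d.power_cycle()
    erased = d.psid_revert(d.psid)
    return {"unchanged": unchanged, "wrong": wrong, "ok": ok, "plain": plain,
            "erased": erased, "readable_after_erase": d.read(0) == plain}

if __name__ == "__main__":
    print(demo())
```

In the model, as on the drive, every user's credential wraps the same media key, so adding a user never touches the stored data, and the revert makes the old ciphertext unreadable without overwriting a single block.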
Final Words About Wave's ECS
Wave's ECS certainly provides a much smoother user experience compared to Microsoft's eDrive. It makes enabling Opal 2.0 encryption as easy as clicking a few buttons and it lacks the annoying hardware and software requirements that eDrive has. There is no need to play around with group policies if you lack a TPM module and what is best is that ECS is not limited to a UEFI-enabled Windows 8 Pro/Enterprise install like eDrive is. Basically, ECS should work with any system as long as you have an Opal-enabled SSD.
eDrive is a good (and free) alternative if you happen to have a system that meets the requirements, but otherwise it is a pain to get working, so I certainly see why corporations will gladly pay for ECS and other optimized encryption tools.
Performance consistency tells us a lot about the architecture of these SSDs and how they handle internal defragmentation. The reason we do not have consistent IO latency with SSDs is because inevitably all controllers have to do some amount of defragmentation or garbage collection in order to continue operating at high speeds. When and how an SSD decides to run its defrag or cleanup routines directly impacts the user experience as inconsistent performance results in application slowdowns.
To test IO consistency, we fill a secure erased SSD with sequential data to ensure that all user accessible LBAs have data associated with them. Next we kick off a 4KB random write workload across all LBAs at a queue depth of 32 using incompressible data. The test is run for just over half an hour and we record instantaneous IOPS every second.
We are also testing drives with added over-provisioning by limiting the LBA range. This gives us a look into the drive’s behavior with varying levels of empty space, which is frankly a more realistic approach for client workloads.
Each of the three graphs has its own purpose. The first one is of the whole duration of the test in log scale. The second and third one zoom into the beginning of steady-state operation (t=1400s) but on different scales: the second one uses log scale for easy comparison whereas the third one uses linear scale for better visualization of differences between drives.
For more detailed description of the test and why performance consistency matters, read our original Intel SSD DC S3700 article.
The IO consistency is good but obviously not as good as the Extreme Pro due to lower over-provisioning (7% vs 12%). The architecture is still the same, though, as first the performance drops to around 10K IOPS, which is followed by a higher throughput burst. At steady-state the X300s averages about 5K IOPS, which is actually similar to the Crucial MX100 but with added over-provisioning the X300s gets close to the Extreme Pro level.
AnandTech Storage Bench 2013
Our Storage Bench 2013 focuses on worst-case multitasking and IO consistency. Similar to our earlier Storage Benches, the test is still application trace based – we record all IO requests made to a test system and play them back on the drive we are testing and run statistical analysis on the drive's responses. There are 49.8 million IO operations in total with 1583.0GB of reads and 875.6GB of writes. I'm not including the full description of the test for better readability, so make sure to read our Storage Bench 2013 introduction for the full details.
|AnandTech Storage Bench 2013 - The Destroyer|
|Photo Sync/Editing||Import images, edit, export||Adobe Photoshop CS6, Adobe Lightroom 4, Dropbox|
|Gaming||Download/install games, play games||Steam, Deus Ex, Skyrim, Starcraft 2, BioShock Infinite|
|Virtualization||Run/manage VM, use general apps inside VM||VirtualBox|
|General Productivity||Browse the web, manage local email, copy files, encrypt/decrypt files, backup system, download content, virus/malware scan||Chrome, IE10, Outlook, Windows 8, AxCrypt, uTorrent, AdAware|
|Video Playback||Copy and watch movies||Windows 8|
|Application Development||Compile projects, check out code, download code samples||Visual Studio 2012|
We are reporting two primary metrics with the Destroyer: average data rate in MB/s and average service time in microseconds. The former gives you an idea of the throughput of the drive during the time that it was running the test workload. This can be a very good indication of overall performance. What average data rate doesn't do a good job of is taking into account response time of very bursty (read: high queue depth) IO. By reporting average service time we heavily weigh latency for queued IOs. You'll note that this is a metric we have been reporting in our enterprise benchmarks for a while now. With the client tests maturing, the time was right for a little convergence.
Due to the lower over-provisioning, the X300s ends up being slightly slower than the Extreme Pro and Extreme II. Still, the X300s is a solid performer and faster than e.g. Intel's SSD Pro 2500, which is Intel's offering to the business market. Ultimately the 850 Pro is the fastest SED on the market but the X300s provides a more complete set of features with the inclusion of Wave's EMBASSY Security Center.
AnandTech Storage Bench 2011
Back in 2011 (which seems like so long ago now!), we introduced our AnandTech Storage Bench, a suite of benchmarks that took traces of real OS/application usage and played them back in a repeatable manner. The MOASB, officially called AnandTech Storage Bench 2011 – Heavy Workload, mainly focuses on peak IO performance and basic garbage collection routines. There is a lot of downloading and application installing that happens during the course of this test. Our thinking was that it's during application installs, file copies, downloading and multitasking with all of this that you can really notice performance differences between drives. The full description of the Heavy test can be found here, while the Light workload details are here.
The X300s does not perform that well in our 2011 Storage Benches. I would say that the 2011 Benches, especially the Light suite, are closer to a typical corporate workload with lots of email and office use, so I would give more value to that instead of the 2013 Bench. The X300s is still okay in both 2011 Benches and better than the Intel SSD Pro 2500, but I was expecting a bit more given the performance of the Extreme Pro and Extreme II.
Random Read/Write Speed
The four corners of SSD performance are as follows: random read, random write, sequential read and sequential write speed. Random accesses are generally small in size, while sequential accesses tend to be larger and thus we have the four Iometer tests we use in all of our reviews.
Our first test writes 4KB in a completely random pattern over an 8GB space of the drive to simulate the sort of random access that you'd see on an OS drive (even this is more stressful than a normal desktop user would see). We perform three concurrent IOs and run the test for 3 minutes. The results reported are in average MB/s over the entire time.
Random performance is similar to the Extreme Pro except for high queue depth write. Most client/corporate workloads do not go above queue depth of 5 anyway, so that should not be a problem.
Sequential Read/Write Speed
To measure sequential performance we run a 1 minute long 128KB sequential test over the entire span of the drive at a queue depth of 1. The results reported are in average MB/s over the entire test length.
Sequential read performance is excellent and sequential write is okay too, making the X300s equivalent to the Extreme Pro.
AS-SSD Incompressible Sequential Read/Write Performance
The AS-SSD sequential benchmark uses incompressible data for all of its transfers. The result is a pretty big reduction in sequential write speed on SandForce based controllers, but most other controllers are unaffected.
Performance vs. Transfer Size
ATTO is a useful tool for quickly benchmarking performance across various transfer sizes. You can get the complete data set in Bench. Read performance is equivalent to the competitors at all IO sizes, but the maximum write speed is slightly lower compared to the rest of the pack.
Slumber power is lower than the Extreme Pro and overall very good. Only the 850 Pro is more power efficient, although Samsung has always had an advantage in idle/slumber power consumption. Load power consumption is also great and below average. Overall, the X300s would be a good option for a laptop and it should help battery life relative to some alternatives.
The X300s is essentially a slower version of the Extreme Pro with encryption support. For typical office and corporate workloads the performance is fine and the X300s is also power efficient, which means longer battery life in a laptop. That will obviously be important if the laptop is used while on the go.
|NewEgg Price Comparison (7/29/2014)|
|Intel SSD Pro 2500||-||$115||$147||$272||-|
|Samsung SSD 850 PRO||-||$130||$200||$400||$700|
|Samsung SSD 840 EVO||-||$90||$140||$250||$470|
In the end, it all boils down to pricing, though, and that is not in favor of the X300s. At 128GB the price is still decent since it includes Wave's software that is worth $40, but at 256GB and 512GB the pricing is quite high. Even if the value of the software is subtracted from the retail price, the X300s is still expensive. To make the comparison fair, I only included drives that support TCG Opal 2.0 / eDrive in the table, which are the X300s' competitors in the market.
|Comparison of ISV Support|
|SanDisk X300s||Intel SSD Pro 2500||Samsung SSD 850 PRO||Samsung SSD 840 EVO||Crucial MX100||Crucial M550|
|Wave EMBASSY Security Center||X||X||-||X||-||X|
|McAfee Drive Encryption||X||X||-||-||-||-|
|Absolute Software Secure Drive||X||-||-||-||-||-|
|Dell Data Protection||-||X||-||-||-||-|
|Checkpoint Full Disk Encryption||X||-||-||-||-||-|
However, I decided to take the comparison one step further and included a comparison of ISV (Independent Software Vendor) support. Basically, the table above tells whether the drive has been validated to work with a certain encryption software and it gives a pretty good picture as to why SanDisk and Intel have separate business SSD lineups. While all the SSDs in the table support TCG Opal 2.0 and eDrive, only the X300s and Pro 2500 have actually been validated by several ISVs. In other words, SanDisk and Intel have taken the extra time and money to work with the ISVs before launching the products, whereas Samsung and Crucial seem to focus on ISV validation post-launch. The 850 Pro and MX100 are currently not supported by any ISVs (at least based on their public compatibility lists) but I am sure that at least Wave and WinMagic will validate the drives sooner than later.
For an SSD that is targeted at business users, it is logical to ensure broad ISV support before the launch, but it still does not justify the price of the X300s. It does offer the broadest ISV support but that argument only holds weight if you plan on using Absolute Software's Secure Drive or Checkpoint's Full Disk Encryption. Otherwise the SSD Pro 2500 offers the same ISV support at a much lower price, or if you plan to use Wave, WinMagic or eDrive the 840 EVO and M550 provide an even better value.
All in all, I like SanDisk's approach of including encryption software with the X300s to make sure that every user has an easy way to enable Opal encryption, but that is ruined by the high pricing. With prices closer to the SSD Pro 2500, we could recommend the X300s over the SSD Pro 2500 as it provides higher performance and already includes Wave's encryption suite. Of course, the retail prices may not tell the whole truth since corporations are likely to buy the drives in bulk with a discount, but as it stands the retail prices at least are too high to make the X300s a good value relative to competing offerings.