How Self-Encrypting Drives (SEDs) Work

SED means that instead of relying on the host processor and software for full-disk encryption (FDE), the encryption is done purely by the drive itself using Trusted Computing Group's (TCG) Opal standard. The Opal standard offers two major benefits over software based disk encryption: performance and security.

Instead of using the host resources (CPU and RAM) to encrypt the drive, the controller inside the SSD does the encryption, which provides higher performance due to the lack of CPU overhead and is also far more power efficient. In fact, the controller already encrypts all data on the fly regardless of whether encryption has been enabled by the user -- by default the encryption key in the drive is just not encrypted and thus the drive can be accessed by anyone. When enabling Opal encryption the password created by the user is used to encrypt the encryption key, making the drive inaccessible unless the correct password is provided. The encryption key is generated during the manufacturing process of the drive (although it can be regenerated later on) and resides in a small secured block of memory that is protected and isolated from other memory.

As for security, software encryption solutions do not generally encrypt the master boot record (MBR), which leaves the drive vulnerable to attacks using alternative boot medias (CD/USB). Hardware encryption does not have the same problem because every single bit that the drive receives will be encrypted, including the MBR. Basically, hardware encryption is transparent to the OS because the drive does not know or care what data it receives as all data is encrypted regardless.

Because even the MBR is encrypted, SEDs have a pre-boot OS that is essentially a very restricted version of MS-DOS or Linux. When the BIOS requests the MBR from the drive during boot, the drive instead returns the pre-boot OS that asks for authentication before allowing access to the MBR. Once the correct credentials have been provided, the drive allows the BIOS to access the MBR and the system will boot normally.

Testing Wave's EMBASSY Security Center

Every X300s includes a license for Wave's EMBASSY Security Center (ECS), which normally retails for $40. ECS can be acquired from SanDisk's SSD Dashboard under the Tools tab. ECS provides local SED management, and for IT administrators Wave offers EMBASSY Remote Administrator Server (ERAS) that allows central management of all SEDs in the organization.

Clicking the icon will lead you to the download site where you enter the promo code that comes with the SSD Dashboard as well as your personal details (name, address, email etc. -- no credit card is needed). Once you have entered all the information, you will be able to download the ECS and the serial key is sent to the email address you provide.

After installation and reboot, you will be ready to enable encryption. Drive management is found under the 'Trusted Drive' tab and at first everything is in the off state and the only option is to start the initialization process. For testing I used a very basic Z87 based system running Windows 7 in legacy mode with no TPM module.

The first step is to create the administrator for the drive, which will have the right to manage the drive. After the initialization process additional users can be added but I will look at that once we are there.

After creating the administrator, you will be given an opportunity to either print or save the administrator username and password to a USB drive. This step can be skipped but it is recommended since if the credententials are forgotten, you will be unable to access the drive and the only way to recover the drive is to perform a PSID reset (more on this later but it erases all the data in the drive).

After that you are done -- the drive is now fully encrypted. It only takes a few seconds to encrypt the drive because as I mentioned earlier, all the data in the drive is already in encrypted format and thus only the encryption key needs to be encrypted. You can check that the drive is really encrypted from the SSD Dashboard, which should now say that security is activated.

This is what the drive management looks like. The administrator has the right to un-initialize the drive, which will decrypt the key and make it accessible by anyone. There is also an option to disable drive locking, which is different in the sense that the drive will allow anyone to access the data but only the administrator can change the encryption settings (e.g. un-initialize or crypto-erase the drive). Additionally Wave can sync the drive's and Windows' passwords so there will be only one password, or you can enable single sign on that will eliminate the need to log into Windows separately.

Users can be added within the same interface to allow non-admin users to get through the pre-boot OS. Otherwise every user would need to use the administrator credentials, which would defeat the purpose of an administrator account as it is the only account with rights to manage the drive. In other words, normal users can use the system normally but administrator rights are needed to un-initialize the drive or change any settings related to security.

ECS also offers several options for Windows login. Aside from the typical password authentication, the user can login using biometric authentication (e.g. fingerprint), and smart cards are supported as well. Again, these settings can only be modified by the administrator, even though they are visible to the normal user.

SanDisk X300s 512GB - PCMark 8 Storage Test
  Storage Score Storage Bandwidth
No Encryption 4976 268.1MB/s
Wave ECS (Opal 2.0) 4974 265.1MB/s
Windows 7 BitLocker (Software) 4960 246.6MB/s

To compare the performance of hardware and software based encryption solutions, I decided to run PCMark 8's storage test on the drive with the two enabled (separately, of course) and with no encryption at all. Strangely enough, the performance difference is almost non-existent. When Anand tested eDrive with the Crucial M500 and PCMark 7, he found that software based BitLocker encryption resulted in a 14% decrease in performance, whereas my test data shows a mere 0.3% loss in Storage Score. It is true that the PCMark 8's storage bench is different and in my experience it tends to show very small difference between SSDs but nonetheless it is still interesting that BitLocker has such a minor impact in performance.

Of course, my testbed is not exactly an ideal representation of an average corporate laptop since it is a Haswell based desktop with i7-4770K and 16GB of RAM, so the difference in lower performance systems might be larger as BitLocker will use the host CPU and RAM for encryption. Anyway, it looks like I will have to run some more tests to figure out a way to better characterize the performance benefits of hardware accelerated encryption because I believe the scores above do not give an accurate picture of the difference.

Crypto-Erasing an SED

Since SEDs are hardware encrypted, there is no way to fiddle with the drive without the administrator's credentials. However, what that also means is that in case you happen to forget the credentials, you will have a brick in your hands since SEDs cannot be secure erased using the standard ATA command like normal SSDs can. Fortunately, there is a way to revert the drive back to its factory setting by performing crypto-erase, or PSID revert as it is sometimes called.

The PSID can be found on the back label of every SED and it is a 32-character code.

To issue a crypto erase, a special utility is needed and SanDisk provides their Crypto Erase Tool for the X300s. It is very simple to use as the only thing you need to do is to enter the PSID and click erase now, which will deactivate encryption and secure erase all the data in the drive. I am not sure if SanDisk's tool supports other SSDs but in theory it should as there is nothing vendor-specific about crypto erase. However, there is also a third party freeware PSID revert tool available and I have confirmed that it works (tested with Samsung 850 Pro).

Final Words About Wave's ECS

Wave's ECS certainly provides a much smoother user experience compared to Microsoft's eDrive. It makes enabling Opal 2.0 encryption as easy as clicking a few buttons and it lacks the annoying hardware and software requirements that eDrive has. There is no need to play around with group policies if you lack a TPM module and what is best is that ECS is not limited to a UEFI-enabled Windows 8 Pro/Enterprise install like eDrive is. Basically, ECS should work with any system as long as you have an Opal-enabled SSD.

eDrive is a good (and free) alternative if you happen to have a system that meets the requirements, but otherwise it is a pain to get working, so I certainly see why corporations will gladly pay for ECS and other optimized encryption tools.

Introduction, The Drive & The Test Performance Consistency
POST A COMMENT

34 Comments

View All Comments

  • hojnikb - Friday, August 22, 2014 - link

    *at a cost of capacity :) :) Reply
  • Kristian Vättö - Friday, August 22, 2014 - link

    Yeah, fundamentally SLC, MLC and TLC are the same. Of course there are some silicon level optimizations to better fit the characteristics of each technology but the underlaying physics are the same.

    I'm thinking that pseudo-SLC is effectively just combining the voltage states of MLC/TLC. I.e. output of 11 or 10 from the NAND would read as 1, which allows for higher endurance since it doesn't matter if the actual voltage state switches from 11 to 10 due to the oxide wear out.
    Reply
  • Spoony - Friday, August 22, 2014 - link

    I believe you'd lose half the capacity on your drive. The MLC drives store two bits per cell, so they would store a 1 and a 0 for example. If you now are only allowing it to store a 1, then you've halved the capacity of the cell. Across the entire drive, this would thus halve the total drive capacity.

    As far as performance (read/write speed) I think this would be affected less. SSDs rely on parallelism to extract performance from NAND. The array is just as parallel as before. There might be an impact to performance having to do with extracting less information from each cell, how much this would be I'm not sure.

    I think the changes to firmware would have to be much more substantial than just re-programming how many bits per cell are stored. There is most likely a lot of interesting logic around voltage handling at very small scales. Perhaps even looking at how voltages from neighbouring cells influence each other. I'm not sure how serious this firmware gets regarding physics, but it must have to do some sort of compensation because the drives seem pretty reliable.
    Reply
  • hojnikb - Friday, August 22, 2014 - link

    Yeah, ive "edited" the post to reflect the loss of capacity. Obviously capacity drops, but its still waay cheaper than real SLC solutions.

    I bet write speeds would actually go up (since this is the exact reason why samsung and sandisk are doing pSLC) but read would stay unaffected (since this is controller/interface limited anyway).
    Reply
  • BillyONeal - Thursday, August 21, 2014 - link


    eDrive is not really designed for big corporate operations as it lacks the tools for remote management

    Erm, what is MBAM for then? http://technet.microsoft.com/en-us/library/hh82607... My work PC has remotely managed BitLocker.
    Reply
  • Zink - Thursday, August 21, 2014 - link

    MBAM is "Malwarebytes Anti-Malware" malware removal tool Reply
  • BillyONeal - Thursday, August 21, 2014 - link

    @Zink: It is also "Microsoft Bitlocker Administration and Management" Reply
  • Kristian Vättö - Thursday, August 21, 2014 - link

    Looks like I should have done my research better. Thanks for the heads up, I've edited the review to remove the incorrect reference. Reply
  • thecoolnessrune - Thursday, August 21, 2014 - link

    Yep, I the company I work with also has all of our drives encrypted with Bitlocker. It's managed by MBAM and integrated right into the rest of Active Directory Management. Really simple for the Domain Administrators (and relevant IT HelpDesk personnel) to use and manage.

    eDrive can fit in the Enterprise environment quite well.
    Reply
  • cbf - Thursday, August 21, 2014 - link

    Yup. As the other commenters indicate, the only thing we care about in the Enterprise is BitLocker. Hell, even if it was my personal drive, I'd probably only use BitLocker. I just trust it more than the third party solutions.

    So why don't you review this drive's encryption features using BitLocker. Anand showed how to do this last April: http://www.anandtech.com/show/6891/hardware-accele...
    Reply

Log in

Don't have an account? Sign up now