Protect Your Privacy
Security & Encryption Basics
In today’s mobile world, security is a major concern for both individuals and businesses. With the 840 and 840 Pro Series SSDs, Samsung is adding peace-of-mind through the implementation of hardware-based AES Full Drive Encryption.
In order to understand the encryption technology built into the latest Samsung SSDs, it is necessary to understand some basic security terminology.
The Advanced Encryption Standard (AES) is a block cipher approved by the National Institute of Standards and Technology (NIST) for the safeguarding of electronic data. After being adopted by the US government, the standard came into use worldwide. AES is defined for 128-, 192- and 256-bit keys, with 128-bit and 256-bit keys being the sizes most often deployed; it is widely used to protect sensitive information and is implemented both in hardware and in software. All 840 and 840 Pro Series SSDs are equipped with a hardware accelerator that performs AES encryption with a 256-bit key at full drive speed.
Full Drive Encryption (FDE) refers to a storage device on which nearly everything is encrypted, rather than only certain files or folders. This approach is attractive for high-security environments because it makes it simple to destroy all data on the drive at once: destroying and replacing the cryptographic key(s) that protect the data (a "crypto-erase") renders every sector unreadable. With FDE, the swap space and temporary files are encrypted as well, and, when the encryption is implemented in the drive hardware rather than in software, even the bootstrapping code is encrypted. By using a Trusted Platform Module (TPM), standardized by the Trusted Computing Group, in conjunction with FDE, the integrity of the boot environment can also be verified.
Self-Encrypting Drive (SED) is the term for a storage device that implements hardware-based FDE; an SED is therefore a special case of FDE. SEDs offer better performance, security, and manageability than software-based FDE implementations, which commonly suffer noticeable performance degradation from the encryption overhead. Because the data encryption key is generated and held inside the SED itself, it is never transferred to the host and is not exposed to the operating system. Software-based solutions, by contrast, must keep the encryption key in main memory while the volume is mounted, which exposes it to several classes of attack (memory-scraping malware and cold-boot attacks being the classic examples). Finally, because an SED encrypts at the drive level, independently of the operating system and of any data management tools (e.g. compression utilities, data loss prevention, de-duplication, etc.), users can install an SED into any system without worrying about operating system or application interference.
OPAL is the name of an SED storage specification developed by the Trusted Computing Group, the same group responsible for the TPM mentioned above. It defines a means of placing an SED under policy control. Its goal is to protect the confidentiality of user data and prevent unauthorized access to the drive while maintaining compatibility across storage vendors through a standardized management interface. Most systems require third-party software to make use of the OPAL Storage Specification, although Windows 8's BitLocker can drive OPAL hardware encryption natively on drives and systems that meet its requirements.
Choosing the Right Option
With the introduction of the SSD 840 and 840 Pro Series SSDs, Samsung has added AES hardware-based SED technology to its consumer SSD lineup. The drive always encrypts data at rest; setting an ATA password in the BIOS is what locks the drive, so that the encrypted data can only be read after the proper password has been presented at power-on. Because the encryption is performed in hardware, there is no performance penalty of the kind seen with software-based FDE. Note that the system BIOS must support ATA (HDD) passwords for this to work: most notebooks do, while many desktop boards do not. This feature is a valuable privacy tool for anyone who uses a portable computing device (e.g., a laptop), especially frequent travelers.
In addition to addressing personal security concerns, there are many industries that either require or would benefit from SED technology, including healthcare, insurance, government, law enforcement, and finance, among others. SED technology helps protect sensitive information from physical attack on a lost or stolen laptop, making it nearly impossible to access data stored on a drive even if the drive is removed from its original system and installed in another PC or the NAND chips themselves are removed from the SSD.
While they do feature SED technology, the 840 and 840 Pro Series SSDs do not support the OPAL storage specification management interface. OPAL drives are geared towards enterprises that need to manage security protocols and want to have advanced control over authentication. With third-party software support, IT managers can set detailed security provisions to restrict access by partition, physical location of the laptop, etc. Anyone interested in this level of security management should research enterprise-class TCG/OPAL SED options.
Someone who wants to manage a personal machine or an SMB that depends on its employees to handle most of their own IT support, however, will find that the SED feature of Samsung’s 840 and 840 Pro Series SSDs is well-suited to their needs. These SSDs offer basic, yet robust, security with minimal effort and expense.
Enabling AES Encryption
AES encryption is always active on an 840 or 840 Pro Series SSD. To benefit from it, however, the user must enable an ATA password to restrict access to the data. Without a password the encryption is ineffective, akin to having a safe but leaving the door wide open. To set an ATA password, access the BIOS, navigate to the "Security" menu, enable "Password on boot" and set an "HDD Password." Administrators also have the option of setting a "Master Password," which can allow a lost user password (the "HDD Password") to be recovered. What the master password can do depends on the master password capability chosen when the user password is set: at the "High" level the master password can unlock the drive, while at the "Maximum" level it can only erase it. In the latter case the master password still lets the drive be securely erased and reused, destroying (and thus protecting) the data. Drives ship with a manufacturer-default master password, so an administrator who relies on the master password for recovery should set it explicitly rather than leave the factory value in place. Also be aware that most BIOSes issue a "freeze lock" to the drive after unlocking it at boot, so the password can only be changed from BIOS setup, not from within the operating system. The setup procedure may differ slightly depending on the BIOS version installed on a particular machine. It is best to consult the user manual if there is any confusion.
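Once the password has been set in the BIOS, it is worth confirming from the operating system that the drive's ATA Security state is what you expect. The following POSIX shell script is an added example, not part of the original page or Samsung's own tooling. It parses the "Security:" section of `hdparm -I` output (the Linux command that reports an ATA drive's security state) and reports whether a user password is enabled, whether the drive is locked or frozen, and whether the master password is still at its factory value (the ATA master password revision code 65534, i.e. 0xFFFE, means the master password has never been changed). The two sample outputs embedded below are constructed to follow hdparm's format; on a real system you would pipe `hdparm -I /dev/sdX` (run as root) into the same function. The script only reads state; it never changes the password.

```shell
#!/bin/sh
# Parse the "Security:" block of `hdparm -I` output (read from stdin) and print
# the ATA Security state as key=value lines.
# Live usage (root):  hdparm -I /dev/sdX | ata_security_state
ata_security_state() {
    awk '
        /^Security:/ { insec = 1; next }
        insec && /^[^ \t]/ { insec = 0 }            # next top-level section ends the block
        insec && /Master password revision code/ {
            sub(/.*= */, ""); rev = $0 + 0
        }
        # hdparm prints each flag indented, prefixed with "not" when it is off
        insec && /^[ \t]+(not[ \t]+)?(supported|enabled|locked|frozen)[ \t]*$/ {
            neg  = ($1 == "not") ? 1 : 0
            flag = neg ? $2 : $1
            state[flag] = neg ? 0 : 1
        }
        END {
            printf "supported=%d\n", state["supported"] + 0
            printf "enabled=%d\n",   state["enabled"] + 0
            printf "locked=%d\n",    state["locked"] + 0
            printf "frozen=%d\n",    state["frozen"] + 0
            printf "master_revision=%d\n", rev + 0
            # 65534 (0xFFFE) is the manufacturer default: master password never set
            printf "default_master=%d\n", (rev == 65534) ? 1 : 0
        }'
}

# Human-readable verdict: returns 0 when a user password protects the drive,
# 1 when the drive is encrypted but unlocked to anyone who powers it on.
ata_security_verdict() {
    st=$(ata_security_state)
    enabled=$(printf '%s\n' "$st" | sed -n 's/^enabled=//p')
    defm=$(printf '%s\n' "$st" | sed -n 's/^default_master=//p')
    frozen=$(printf '%s\n' "$st" | sed -n 's/^frozen=//p')
    if [ "$enabled" != 1 ]; then
        echo "WARNING: no ATA user password set; data is encrypted but readable by anyone"
        return 1
    fi
    [ "$defm" = 1 ] && echo "WARNING: master password is still the factory default (revision 65534)"
    [ "$frozen" = 1 ] && echo "NOTE: security is frozen by firmware; change passwords from BIOS setup"
    echo "OK: ATA user password set; data is unlocked only after authentication"
    return 0
}

# Constructed sample 1 (modeled on hdparm -I format): fresh drive, no password set.
SAMPLE_UNPROTECTED=$(printf 'ATA device, with non-removable media\n\tModel Number:       Samsung SSD 840 PRO Series\nSecurity: \n\tMaster password revision code = 65534\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT. \nChecksum: correct\n')

# Constructed sample 2: user and master passwords set in BIOS, drive unlocked at
# boot and then frozen by the firmware (the usual state seen from the OS).
SAMPLE_PROTECTED=$(printf 'ATA device, with non-removable media\n\tModel Number:       Samsung SSD 840 PRO Series\nSecurity: \n\tMaster password revision code = 1\n\t\tsupported\n\t\tenabled\n\tnot\tlocked\n\t\tfrozen\n\tnot\texpired: security count\n\t\tsupported: enhanced erase\n\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT. \nChecksum: correct\n')

# Demonstration on the constructed samples
printf '%s\n' "$SAMPLE_UNPROTECTED" | ata_security_verdict
printf '%s\n' "$SAMPLE_PROTECTED"   | ata_security_verdict
```

The parser relies on hdparm's convention of printing each security flag on its own indented line, prefixed with "not" when the flag is clear, and it ignores lines such as "expired: security count" and "supported: enhanced erase" that carry a colon. `hdparm -I` does not report the master password capability level (High or Maximum), so that setting still has to be verified in BIOS setup.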