SSD encryption - How does it work?
Quite many vendors brag about the AES-256 encryption capabilities of their SSD drives. This sounds good, everybody likes to keep their data safe and secure. But how does this encryption really work, and what does it protect you from? Easy questions, right? Sure, this is clearly documented by the vendors.
Well, it is surprisingly hard to find out how the encryption in modern SSD drives actually works. You get certain details, but not the full picture. Google around, and you are likely to find more questions than answers.
The main question is: Is the password entered by the user used to encrypt the actual AES encryption key that is used to encrypt the data on SSD?
The data stored on flash memory chips is always encrypted. The drive controller maintains the key and encrypts/decrypts data on the fly as it passes through. Intel white paper states that Intel 320 SSD drives are initialized with unique encryption keys at the factory. Users can trigger a generation of a new encryption key through secure erase or enhanced secure erase procedure. The white paper does not answer your main question: Is the encryption key encrypted with the password entered by the user?
An obvious counter question is: why would they implement AES encryption on the drive if the key is not encrypted with a user-entered password? The answer to this question is easy to figure out. Think about the situation when you want to discard an old drive. With traditional hard drives, you go and write zeros (or random data or random data multiple times, depending on your level of paranoia) on the disk to remove existing content. With flash-based storage, this is not so easy. With a hard drive, you can write data over and over again on the exact same spot on the disk platter. Not so with flash-based storage. The flash memory consists of individual memory cells. Each memory cell supports only a finite number of erase-write cycles. This means that at some point you can no longer write data to a specific flash memory cell. When computers use the hard disk, in many cases there are certain “hot spots” on the disk, think about the location of your swap file. Those spots get constantly updated while other parts of the disk are mostly just used to read data. Without some intelligence, the flash memory would quickly wear out from those hot spots. To combat this, SSD drives use wear leveling algorithms. Instead of writing data always to the spot requested by the computer/operating system, the drive actually decides how to evenly distribute the writes over the flash cells. SSD maintains internal mapping where data is actually written to so that during read operations it can recover it from the correct place.
Now, how does this relate to erasing data? The wear leveling means that the operating system can never be certain that something it has written to SSD has been actually removed from there. Even if the operating system is trying to write at the very same spot on the disk to remove existing data, SSD could be directing these writes to some other place. In some cases, it could be that the flash cells have gone through their limited number of program-erase cycles and can’t be erased no matter what. These things pose a problem for securely removing the data. AES encryption to the rescue! Remember the data written to the flash memory is encrypted by a key that is maintained by the drive. Instead of erasing actual data, we can simply erase the key. Once the key is gone, the data is useless. It does not matter if somebody is able to recover the encrypted data from the flash chips in their laboratory. Since the encryption key no longer exists, there is no way to decrypt the data.
Now back to the original question. Let’s approach it with another question. Could the drive use the password entered by the user and not use it to encrypt the main encryption key? The obvious answer is yes. The drive could implement a simple system where the password is stored in hashed form on the disk, when the user enters it, the drive would hash it again, compare it to the hashed form, and only allow access if the correct password is given.
But how does the SSD actually work, is the ATA password entered by the user actually used to encrypt the AES encryption key or is the password just being used for traditional access control? After spending some quality time on Google, I finally found the answer from Intel Communities.
On April 8th, 2011, 6:29 “Scott” from Intel Corporation has answered this specific question: “Yes, ATA password is used to encrypt the encryption keys stored on the SSD.” (This answer is related to Intel 320)
So there you have it. Of course, this only applies to the specific Intel drive and it is just a comment on a discussion forum - hardly an official statement. It is also interesting that I could not find any white paper or more official documentation on the subject even though this is a very important topic.
Now, this is just the beginning. At least with Samsung 840 Pro drives, there is already discussion about their encryption requiring TPM support from the system. Once again, very difficult to find any official documentation about the topic but it could be related to the OPAL specification. To read more about OPAL, check this presentation.