SSD encryption – How does it work?

Quite a few vendors brag about the AES-256 encryption capabilities of their SSD drives. This sounds good; everybody likes to keep their data safe & secure. But how does this encryption really work, and what does it protect you from? Easy questions, right? Surely this is clearly documented by the vendors.

Well... It is surprisingly hard to find out how the encryption in modern SSD drives actually works. You get certain details, but not the full picture. Google around and you are likely to find more questions than answers.

The main question is: Is the password entered by the user used to encrypt the actual AES encryption key that is used to encrypt the data on the SSD?

The data stored on the flash memory chips is always encrypted. The drive controller maintains the key and encrypts/decrypts data on the fly as it passes through. An Intel white paper states that Intel 320 SSD drives are initialized with unique encryption keys at the factory. The user can trigger generation of a new encryption key through the secure erase or enhanced secure erase procedure. The white paper does not answer our main question: is the encryption key encrypted with the password entered by the user?

The obvious counter question is: why would they implement AES encryption on the drive if the key is not encrypted with the user-entered password? The answer to this question is easy to figure out. Think about the situation when you want to discard an old drive. With traditional hard drives you go and write zeros (or random data, or random data multiple times, depending on your level of paranoia) on the disk to remove the existing content. With flash-based storage this is not so easy.

With a hard drive you can write data over and over again on exactly the same spot on the disk platter. Not so with flash-based storage. The flash memory consists of individual memory cells. Each memory cell supports only a finite number of erase-write cycles. This means that at some point you can no longer write data to a specific flash memory cell. When computers use a hard disk, in many cases there are certain “hot spots” on the disk; think about the location of your swap file. Those spots get constant updates while other parts of the disk are mostly just used to read data. Without some intelligence, the flash memory would quickly wear out at those hot spots.

To combat this, SSD drives use wear leveling algorithms. Instead of always writing data to the spot requested by the computer/operating system, the drive itself decides how to distribute the writes evenly over the flash cells. The SSD maintains an internal mapping of where data is actually written so that during read operations it can recover it from the correct place.

Now how does this relate to erasing data? Wear leveling means that the operating system can never be certain that something it has written to the SSD has actually been removed from there. Even if the operating system is trying to write to the very same spot on the disk to remove existing data, the SSD could be directing these writes to some other place. In some cases it could be that the flash cells have gone through their limited number of program-erase cycles and can’t be erased no matter what. These things pose a problem for securely removing the data. AES encryption to the rescue! Remember, the data written to the flash memory is encrypted with a key that is maintained by the drive. Instead of erasing the actual data, we can simply erase the key. Once the key is gone the data is useless. It does not matter if somebody is able to recover the encrypted data from the flash chips in their laboratory. Since the encryption key no longer exists, there is no way to decrypt the data.

Now back to the original question. Let’s approach it with another question: could the drive use the password entered by the user and not use it to encrypt the main encryption key? The obvious answer is yes. The drive could implement a simple system where the password is stored in hashed form on the disk; when the user enters it, the drive would hash it again, compare it to the stored hash and only allow access if the correct password is given.
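The two designs being contrasted here, as an added example that is not part of the original post and not any vendor's firmware: one model drive only hashes and compares the password, the other wraps the media encryption key with a password-derived key. The class names, the PBKDF2 parameters and the XOR-plus-HMAC wrap (a standard-library stand-in for a real AES key wrap) are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def kdf(password: str, salt: bytes) -> bytes:
    # 64 bytes: first half wraps the key, second half authenticates the blob
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class AccessControlDrive:
    """Password is only hashed and compared; the media key sits unprotected."""
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.stored = {"pw_hash": kdf(password, self.salt),
                       "mek": secrets.token_bytes(32)}   # key stored as-is

    def unlock(self, password: str):
        ok = hmac.compare_digest(kdf(password, self.salt), self.stored["pw_hash"])
        return self.stored["mek"] if ok else None

class KeyWrappingDrive:
    """Password-derived key wraps the media key; no plaintext key is stored."""
    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        k = kdf(password, self.salt)
        blob = xor(secrets.token_bytes(32), k[:32])      # toy wrap, not AES-KW
        self.stored = {"wrapped_mek": blob,
                       "tag": hmac.new(k[32:], blob, "sha256").digest()}

    def unlock(self, password: str):
        k = kdf(password, self.salt)
        tag = hmac.new(k[32:], self.stored["wrapped_mek"], "sha256").digest()
        if not hmac.compare_digest(tag, self.stored["tag"]):
            return None                                  # wrong password
        return xor(self.stored["wrapped_mek"], k[:32])

def key_readable_without_password(drive, password: str) -> bool:
    """True if the unlocked media key appears verbatim in the stored metadata,
    i.e. whoever gets past the firmware's password check can read it directly."""
    mek = drive.unlock(password)
    return mek in drive.stored.values()

if __name__ == "__main__":
    for cls in (AccessControlDrive, KeyWrappingDrive):
        d = cls("constructed-password")                  # constructed sample value
        print(cls.__name__, "| wrong password ->", d.unlock("guess"),
              "| key readable from raw metadata:",
              key_readable_without_password(d, "constructed-password"))
```

Both model drives behave identically through `unlock()`, which is why the difference cannot be seen from the host side and has to come from the vendor's documentation.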

But how does the SSD actually work: is the ATA password entered by the user actually used to encrypt the AES encryption key, or is the password just being used for traditional access control? After spending some quality time on Google, I finally found the answer on Intel Communities.

On April 8th, 2011 6:29 “Scott” from Intel Corporation answered this specific question: “Yes, ATA password is used to encrypt the encryption keys stored on the SSD.” (This answer relates to the Intel 320.)

So there you have it. Of course this only applies to the specific Intel drive and it is just a comment on a discussion forum – hardly an official statement. It is also interesting that I could not find any white paper or more official documentation on the subject, even though this is a very important topic.

Now this is just the beginning. At least with Samsung 840 Pro drives there is already discussion about their encryption requiring TPM support from the system. Once again, it is very difficult to find any official documentation on the topic, but it could be related to the OPAL specification. To read more about OPAL, check this presentation.