Samsung SSD 850 EVO. Best way to protect personal data against thieves

For Samsung 850 drives and other SSDs, your best and most secure option is to use the OPAL full-disk encryption by enabling a drive password in your system's BIOS.

The way the encryption on these SSDs works is that the drive is always encrypted -- it comes from the factory with an encryption key generated and set. All data it writes and reads is encrypted/decrypted with this key, nothing is written unencrypted.

When you set a password in BIOS, the drive encrypts the encryption key (stored in the drive controller) with the password you supply. Thus, until you enter the password and give the drive the key it needs to decrypt its own encryption key, all the data is unreadable -- even to the SSD itself. Additionally, you can't issue any SATA commands or even format/repurpose the drive without supplying this password.

Note that this is transparent to the operating system -- the encryption is handled at the hardware level, and decryption at startup via the BIOS. The OS, no matter what it is, will just see a regular SSD and interact with it normally.

When you use the Samsung software to conduct a "Secure Erase" of an SSD, it actually doesn't 'erase' anything in the pure sense of the word. With SSDs, each write/rewrite of a sector can be easily recovered through forensic analysis. If that data was encrypted, you can still recover it -- so long as you have the encryption key. What the "secure erase" facility does is reset the drive's internal AES encryption key to a new one; effectively resetting the drive. Thus, all the old information on the drive which could be recovered by forensics is now encrypted/unreadable even to the drive itself, making recovery of the data exponentially more challenging if not impossible.

The drive controller itself handles the password. If your BIOS supports OPAL or SED drives, you cannot bypass drive encryption using the supervisor password of the BIOS to change the disk password. Even if logged into BIOS with a supervisor password, you will be unable to change the password on an OPAL/SED SSD (if your BIOS supports this properly) without supplying the existing SSD password. If you can, that means your BIOS never communicated with the drive to set the password in the first place. If this was the case, the BIOS doesn't support OPAL and you could also simply plug the SSD into another computer and image the data unhindered. Most drive manufacturers offer tools you can use to check this and see if the drive's status is "encrypted," meaning a password has been set.

Note that TrueCrypt has now been retired and there's rampant speculation as to whether the project's codebase may have been compromised by some entity like a government agency; or if the creators simply retired. Here's an article with some information.

Also note the vulnerability of full disk encryption is that your data is protected when the encrypted data is not in use/the encryption key is not in memory -- meaning when your computer is on and in use. If an adversary got ahold of your computer while it was running, it is possible (although difficult) for them to recover the key from the system BIOS/drive controller memory.

Of course, full disk encryption also won't protect you from the effects of malware or other compromises when the system is running as well.

Links

Samsung's marketing site noting Samsung 850 SSDs support OPAL encryption

Samsung SSD White Paper detailing how encryption works
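
The key hierarchy described in the answer above (a factory media key that encrypts all data, a password that only wraps that key, and a "Secure Erase" that replaces the key), as an added sketch that is not part of the original answer and not Samsung's firmware. `ToySED`, the PBKDF2 wrapping, the MAC check and the SHA-256 keystream standing in for hardware AES are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def stream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stand-in for the drive's hardware AES engine (stdlib has no AES):
    # SHA-256 in counter mode as a keystream. Illustration only.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

class ToySED:
    def __init__(self):
        self.mek = secrets.token_bytes(32)  # media key, generated "at the factory"
        self.wrapped = None                 # (salt, wrapped MEK, MAC) once a password is set
        self.flash = {}                     # LBA -> ciphertext; plaintext is never stored

    def _kek(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, password: str) -> None:
        salt = secrets.token_bytes(16)
        kek = self._kek(password, salt)
        blob = stream_xor(kek, salt, self.mek)
        self.wrapped = (salt, blob, hmac.new(kek, blob, "sha256").digest())

    def power_cycle(self) -> None:
        if self.wrapped:
            self.mek = None                 # only the wrapped copy survives power-off

    def unlock(self, password: str) -> bool:
        salt, blob, mac = self.wrapped
        kek = self._kek(password, salt)
        if not hmac.compare_digest(mac, hmac.new(kek, blob, "sha256").digest()):
            return False                    # wrong password: MEK stays unavailable
        self.mek = stream_xor(kek, salt, blob)
        return True

    def write(self, lba: int, data: bytes) -> None:
        self.flash[lba] = stream_xor(self.mek, lba.to_bytes(8, "big"), data)

    def read(self, lba: int) -> bytes:
        if self.mek is None:
            raise PermissionError("drive locked")
        return stream_xor(self.mek, lba.to_bytes(8, "big"), self.flash[lba])

    def secure_erase(self) -> None:
        # Old ciphertext stays in flash; only the key that decrypts it is replaced.
        self.mek, self.wrapped = secrets.token_bytes(32), None
```

Changing the password in this model only re-wraps the 32-byte media key, and erasing replaces it, which is why both operations are near-instant regardless of drive size.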


I don't know for the specific model but this answer is suitable for most self encrypting devices:

For SSDs the advantage of using the built-in SED encryption is that it can take advantage of the trim function (wear-levelling).

A few years ago a big German computer magazine showed that many built-in self-encryption functions of hard drives are badly implemented (http://www.heise.de/security/artikel/Windige-Festplattenverschluesselung-270702.html and http://www.heise.de/security/artikel/Verschusselt-statt-verschluesselt-270058.html) and can very easily be decrypted (if the data is even encrypted and not just password-protected!). Some of them claimed to use AES but only used AES to encrypt the key but used the insecure XOR encryption for the data. Also, when using AES for the data, they can do it wrong by using it in the wrong mode/combination. OPAL seems to use only the built-in functions, from my first glance.

I don't know if it is possible to circumvent the encryption like in your second link, but this would be a very bad sign for the encryption.

So basically the question is how important the encryption of the data is for you and how much you trust the built-in encryption. If there is no security audit for this exact model from a trusted external security company, I wouldn't use it for anything more important than the secret Christmas present list for your wife.

For anything else I would use an independent encryption like TrueCrypt/LUKS/EncFS/... . When using full disk encryption on SSDs, leave some unpartitioned space for wear levelling. When using file-based encryption like EncFS, an attacker can get information about file/folder structure and file sizes. For some this is an issue, for some not.