SandForce SSD encryption - security and support

Answering my own question, this is what I've found out after searching on the net for a couple of hours:

  • The SandForce devices have AES encryption turned on by default, but there are issues with this (see below)
  • If you zero out the drive using ATA Secure Delete, the key will be wiped and later regenerated and thus the old data will not be accessible anymore - making this an acceptable solution when you're about to sell or trash your SSD
  • It is, however, not possible to set a user password that would prevent someone who steals your laptop with a SandForce SSD from reading your data
  • The encryption key is not linked to the ATA security and/or BIOS
  • Setting a user password would be possible if there was a tool for this. OCZ very often promised on their support forums a program called their "toolbox" that would allow this, but when it was finally released in October 2010, it still didn't have the functionality (and still not today)
  • I guess even if you could set the password using the toolbox, it would not be possible to use the device as a boot device any more because you couldn't unlock it from the BIOS.
  • Using software full-disk-encryption on an SSD seriously impacts the performance of the drive - up to a point where it can be slower than a regular hard disk.

Source for some of this information.

Update: If you're interested, I wrote a little more about the issues in a dedicated blog post.