Intel Locks Down New Enterprise SSDs


    Posted: 23 Jul 2014
    Intel's latest enterprise-class solid state drives (SSDs) pack some powerful security and management features to give businesses better protection against data breaches without compromising performance, the chip giant said Tuesday.

    The new Intel SSD Pro 2500 Series drives are available in 2.5-inch and M.2 (60mm and 80mm) form factors, with storage capacities ranging from 120GB to 480GB, the company said. The latest professional-class SSDs from Intel are self-encrypting drives (SEDs) that bake in hardware-based 256-bit encryption, while offering policy controls that comply with the Trusted Computing Group's OPAL 2.0 standard and Microsoft eDrive, like crypto erase capability.

    All of the new SSDs offer sequential read speeds of 540 Mbps and sequential write speeds of 490 Mbps, while random 4KB read/write speeds vary by form factor and capacity.
    Posted By: A Guy



  1. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #1

    I see one problem (self encrypting)
    You better have a non self encrypting backup.
    If the SSD ever breaks you will never get into it to save your info.


  2. Posts : 5,941
    Linux CENTOS 7 / various Windows OS'es and servers
       #2

    Hi there

    You can actually have "Too much" security -- what happens on a corporate laptop if the SSD needs to get replaced?

    Things like encryption need to be USER controlled -- where it can be turned off and on at the user's choice.
    Wait until we see a few posts appearing -- My encrypted drive is going defective -- how can I recover my data.

    If it's only the OS stored on the SSD (probably would be in the case of smaller capacities anyway) why would you need to encrypt it? Corporate passwords etc are usually stored remotely on the server and not on the client's machine anyway.

    Things like BitLocker are decent enough anyway -- I'm against this "self encryption".

    Cheers
    jimbo


  3. Posts : 568
    Windows 7 64-bit, Windows 8.1 64-bit, OSX El Capitan, Windows 10 (VMware)
       #3

    Recovering from hard drive going bad is a shot in the dark with or without Self Encrypting Drives, or SED. The SED does prevent recovering the data with recovery software in the lab.

    For individuals, the SED might be overkill; however, for enterprises with a software solution to manage the SED, it will simplify data protection and sanitizing data on the recycled disks. Please keep in mind that within an enterprise, data protection should be managed centrally instead of by the end user for obvious reasons.

    The Self Encrypting Drive (SED), based on Opal standards, is a hardware based encryption that poses no performance impact to the system. It has been available for quite a few years for both HDD and SSD. You may be using one already, just don't know it...

    A new SED drive, meaning both HDD and SSD, receives a randomly generated encryption key in the factory. The hardware based encryption utilizes this key to encrypt everything written to the disk by default. In other words, when you install Windows on one of these drives, the "C" drive will be fully encrypted. Neither you nor the OS is aware of the encrypted data. Provided that you didn't know anything about the SED drives...

    That in itself does not provide security, since anyone can start up the system and/or mount the drive in another system. To activate protection, you'd need to set a BIOS HDD password, based on ATA specification, that in turn controls access to the drive and indirectly to the encryption key. Alternatively, you could use third-party software that manages the SED, including the HDD password, within the operating system. All major OEMs offer SED option with a third-party software. So, this isn't anything new...

    For enterprises, the SED based drives are great for all systems, such as laptops, desktops, servers, etc., especially when one has third-party software that is capable of managing SEDs at the enterprise level. Any stolen/lost drive is encrypted and the data is not accessible when access is controlled to the encryption key. When the drive is being sent out for recycling, simply issue a "crypto erase" command and/or do the same in the GUI. Once the command is executed, less than 30 seconds on a single drive, the factory encryption key is regenerated on the drive, effectively making the data on the drive encrypted with the factory encryption key unreadable, even for the company. There's no need to further sanitize the disk, which is great for businesses especially with large size drives.
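Added example, not part of the thread and not any vendor's firmware: a toy Python model of the key handling post #3 describes (factory media key, password-gated access to that key, crypto erase). The `ToySED` class, its method names and the password-wrapping scheme are assumptions for illustration, and an HMAC-SHA256 keystream stands in for the drive's hardware AES-256.

```python
import hashlib, hmac, secrets

def _stream(key, n):
    # Toy keystream (HMAC-SHA256 counter mode), standing in for the drive's AES-256 engine.
    blocks = (hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ToySED:
    """Hypothetical SED model with an assumed key-wrapping scheme, not vendor firmware."""
    def __init__(self):
        self.mek = secrets.token_bytes(32)  # "factory" media encryption key
        self.wrapped = None                 # (salt, MEK xor KEK, verifier) once a password is set
        self.media = b""                    # raw flash contents, always ciphertext

    def _kek(self, password, salt):
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return kek, hmac.new(kek, b"verify", hashlib.sha256).digest()

    def set_password(self, password):
        salt = secrets.token_bytes(16)
        kek, tag = self._kek(password, salt)
        self.wrapped = (salt, _xor(self.mek, kek), tag)

    def power_cycle(self):
        self.mek = None if self.wrapped else self.mek  # locks only if a password is set

    def unlock(self, password):
        salt, blob, tag = self.wrapped
        kek, candidate = self._kek(password, salt)
        if not hmac.compare_digest(tag, candidate):
            return False
        self.mek = _xor(blob, kek)
        return True

    def _key(self):
        if self.mek is None:
            raise PermissionError("drive is locked")
        return self.mek

    def write(self, data):
        self.media = _xor(data, _stream(self._key(), len(data)))

    def read(self):
        return _xor(self.media, _stream(self._key(), len(self.media)))

    def crypto_erase(self):
        self.mek, self.wrapped = secrets.token_bytes(32), None  # old ciphertext stays, unreadable
```

With no password set, `read()` after `power_cycle()` still returns plaintext; after `set_password()` it raises until `unlock()` succeeds, and after `crypto_erase()` the stored bytes are unchanged but no longer decrypt.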


  4. Posts : 82
    Windows 7 Professional x64
       #4

    I guess I don't understand why this is useful. The key has to be stored on the drive, right? So what use is it to encrypt it if the encryption key is right there and you just have to ask the drive to unencrypt itself?


  5. Posts : 20,583
    Win-7-Pro64bit 7-H-Prem-64bit
       #5

    Yea give the new rebranded Intel security "Mcafee" to enterprise victims


  6. Posts : 5,941
    Linux CENTOS 7 / various Windows OS'es and servers
       #6

    Cr00zng said:
    Recovering from hard drive going bad is a shot in the dark with or without Self Encrypting Drives, or SED. The SED does prevent recovering the data with recovery software in the lab.

    For individuals, the SED might be overkill; however, for enterprises with a software solution to manage the SED, it will simplify data protection and sanitizing data on the recycled disks. Please keep in mind that within an enterprise, data protection should be managed centrally instead of by the end user for obvious reasons.

    The Self Encrypting Drive (SED), based on Opal standards, is a hardware based encryption that poses no performance impact to the system. It has been available for quite a few years for both HDD and SSD. You may be using one already, just don't know it...

    A new SED drive, meaning both HDD and SSD, receives a randomly generated encryption key in the factory. The hardware based encryption utilizes this key to encrypt everything written to the disk by default. In other words, when you install Windows on one of these drives, the "C" drive will be fully encrypted. Neither you nor the OS is aware of the encrypted data. Provided that you didn't know anything about the SED drives...

    That in itself does not provide security, since anyone can start up the system and/or mount the drive in another system. To activate protection, you'd need to set a BIOS HDD password, based on ATA specification, that in turn controls access to the drive and indirectly to the encryption key. Alternatively, you could use third-party software that manages the SED, including the HDD password, within the operating system. All major OEMs offer SED option with a third-party software. So, this isn't anything new...

    For enterprises, the SED based drives are great for all systems, such as laptops, desktops, servers, etc., especially when one has third-party software that is capable of managing SEDs at the enterprise level. Any stolen/lost drive is encrypted and the data is not accessible when access is controlled to the encryption key. When the drive is being sent out for recycling, simply issue a "crypto erase" command and/or do the same in the GUI. Once the command is executed, less than 30 seconds on a single drive, the factory encryption key is regenerated on the drive, effectively making the data on the drive encrypted with the factory encryption key unreadable, even for the company. There's no need to further sanitize the disk, which is great for businesses especially with large size drives.

    Hi there

    I'm sure I'm not using SED's -- I have one or two INTEL SSD's as well as SAMSUNG's - and I'm often swapping them between machines or even using as external drives for things like Windows to GO or VM's. If these were SED's I'm sure I'd get some warning about trying to access data on these when they are swapped to different machines - often running DIFFERENT HOST OS'es too.

    OK at the hardware level the SSD's own microcode will handle the encryption - so what's the point if I can just switch these drives to totally different hardware and OS'es. So have I misunderstood how these work -- for example is it a BIOS feature enabling the SED, or an application program / service running under control of the OS or what?

    If it's factory activated or embedded in the OS with the HDD (SSD) then this would imply that the SSD is forever LOCKED to that specific machine -- not a GOOD idea.

    Cheers
    jimbo


  7. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #7

    I really don't see any good in the idea of SED.


 
