Why does my SSD internally encrypt data, even without a password set?


Solution 1

Always-on encryption allows you to secure your data by setting a password without having to wipe or separately encrypt the data. It also makes it fast and easy to "erase" the entire drive.

  • The SSD does this by storing the encryption key in plaintext. When you set an ATA disk password (Samsung calls this Class 0 security), the SSD uses it to encrypt the key itself, so you'll need to enter the password to unlock the drive. This secures the data on the drive without having to erase the entire contents of the drive or overwrite all data on the drive with an encrypted version.

  • Having all the data encrypted on the drive also brings another perk: the ability to effectively erase it instantly. By simply changing or deleting the encryption key, all data on the drive will be rendered unreadable, without having to overwrite the entire drive. Some newer Seagate hard drives (including several newer consumer drives) implement this feature as Instant Secure Erase.¹

  • Because modern hardware encryption engines are so fast and efficient, there is no real performance advantage to disabling it. As such, many newer SSDs (and some hard drives) have always-on encryption. In fact, most newer WD external hard drives have always-on hardware encryption.


¹ In response to some comments: This may not be entirely secure considering that governments may be able to decrypt AES within the near future. It is, however, generally sufficient for most consumers and for businesses that are trying to reuse old drives.
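
The key hierarchy this answer describes, as an added toy model (not code from the answer or from any drive vendor): a media encryption key (MEK) encrypts every sector, setting an ATA password only wraps that key, and Instant Secure Erase simply replaces it while the NAND contents stay put. SHAKE256 stands in for the drive's AES engine and PBKDF2 for its password handling; those choices, the class and function names, and the sample sector are all assumptions.

```python
import hashlib
import hmac
import os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keyed stream from SHAKE256; stands in for the drive's AES engine."""
    return hashlib.shake_256(key + nonce).digest(length)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class ToySED:  # NAND holds only ciphertext; a small key store holds the media key
    def __init__(self) -> None:
        self.mek = os.urandom(32)         # media encryption key, set at manufacture
        self.key_store = self.mek         # kept in plaintext until a password is set
        self.salt = self.check = b""
        self.nand: dict[int, bytes] = {}  # LBA -> ciphertext sector

    def _stream(self, lba: int, length: int) -> bytes:
        if not self.mek:
            raise PermissionError("drive is locked")
        # The sector number is the per-sector tweak, as in XTS mode.
        return keystream(self.mek, lba.to_bytes(8, "big"), length)

    def write(self, lba: int, data: bytes) -> None:
        self.nand[lba] = xor(data, self._stream(lba, len(data)))

    def read(self, lba: int) -> bytes:
        return xor(self.nand[lba], self._stream(lba, len(self.nand[lba])))

    def set_password(self, password: str) -> None:
        """ATA password: the MEK itself is encrypted under a password-derived key."""
        self.salt = os.urandom(16)
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.key_store = xor(self.mek, keystream(kek, b"wrap", 32))
        self.check = hmac.new(kek, b"check", hashlib.sha256).digest()
        self.mek = b""  # no longer in the clear; unlock() must recover it

    def unlock(self, password: str) -> bool:
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        if not hmac.compare_digest(self.check, hmac.new(kek, b"check", hashlib.sha256).digest()):
            return False
        self.mek = xor(self.key_store, keystream(kek, b"wrap", 32))
        return True

    def crypto_erase(self) -> None:
        """Instant Secure Erase: swap the MEK; NAND is untouched but now unreadable."""
        self.mek = self.key_store = os.urandom(32)
        self.salt = self.check = b""

def demo() -> dict:
    d = ToySED()
    d.write(0, b"payroll Q3: total 1,204,500.00  ")  # constructed sample sector
    r = {"plain": d.read(0)}
    d.set_password("correct horse")
    r["wrong_pw"], r["right_pw"] = d.unlock("wrong"), d.unlock("correct horse")
    r["after_unlock"] = d.read(0)
    d.crypto_erase()
    r["after_erase"] = d.read(0)
    return r
```

Note that after `crypto_erase()` the bytes in `nand[0]` are unchanged; only the key that made them meaningful is gone.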

Solution 2

It is a beautiful, utterly elegant hack used to save on wear on the disk. Scrambling/randomising data on MLC drives also improves reliability on smaller process sizes - see this paper and these two referenced patents (here and here), and encrypted data is essentially random (thanks to alex.forencich for digging that up in the comments). In a sense AES encryption works the same way as the LFSR used to randomise data on a non-encrypted SSD, only faster, better and simpler.

This class of drive is known as self-encrypting drives, and quite a few modern SSDs are built like this. Essentially, encryption is relatively 'cheap', and allows you to store data scrambled on an SSD (some drives do this without encryption to improve reliability anyway). If you need to format it, just make the data inaccessible until the space is needed by discarding the key. It's done at the firmware level, and is decrypted on the fly. This also helps save on wear since data is spread out in the process.

Unless you set an HDD security password in the BIOS, or set some other type of supported security/encryption option, all this prevents someone from doing is desoldering your NAND chips and reading them elsewhere, or putting in a new controller and getting your data out - see this AnandTech review of the Intel 320. Of course, when your drive dies, and if it's the controller, that's exactly what a recovery service would end up doing. Unless they could somehow recover the encryption key from where it's stored (firmware?) and transfer it, it's probably impossible.

In short, encryption increases the lifespan of your disk, and makes it 'faster' when deleting files.
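
To make the scrambling argument concrete (an added example, not code from this answer or from the papers it cites, and illustrating the LFSR-versus-AES comparison that alex.forencich raises later in the comments): a zero-filled flash page is scrambled once with the x^58 + x^39 + 1 LFSR used by the 64b/66b line code and once with a keyed stream, and both outputs are measured for 1/0 balance and for the longest run of identical adjacent bits. SHAKE256 stands in for an AES engine; the seed, key, page size and sample pages are constructed for the example.

```python
import hashlib

TAPS = (57, 38)          # bit positions of x^58 + x^39 + 1, the 64b/66b scrambler polynomial
MASK58 = (1 << 58) - 1

def lfsr_stream(seed: int, nbytes: int) -> bytes:
    """Fibonacci LFSR keystream; the seed must be non-zero or the output is all zeros."""
    state, out = seed & MASK58, bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            bit = ((state >> TAPS[0]) ^ (state >> TAPS[1])) & 1
            state = ((state << 1) | bit) & MASK58
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)

def keyed_stream(key: bytes, page_no: int, nbytes: int) -> bytes:
    """Keyed SHAKE256 stream, standing in for a per-drive AES engine."""
    return hashlib.shake_256(key + page_no.to_bytes(8, "big")).digest(nbytes)

def xor(a: bytes, b: bytes) -> bytes:
    # Scrambling and descrambling are the same XOR with the same stream.
    return bytes(x ^ y for x, y in zip(a, b))

def ones_fraction(data: bytes) -> float:
    return sum(bin(b).count("1") for b in data) / (8 * len(data)) if data else 0.0

def longest_run(data: bytes) -> int:
    """Longest run of identical adjacent bits, the pattern that worsens cell cross-talk."""
    bits = "".join(f"{b:08b}" for b in data)
    best = cur = 1
    for prev, nxt in zip(bits, bits[1:]):
        cur = cur + 1 if prev == nxt else 1
        best = max(best, cur)
    return best

def compare(page: bytes, seed: int = 0x2A5F3C1E9D7B4, key: bytes = bytes(range(32))) -> dict:
    """Scramble one flash page both ways; report (fraction of ones, longest run) for each."""
    def stats(d: bytes) -> tuple:
        return round(ones_fraction(d), 3), longest_run(d)
    return {
        "raw": stats(page),
        "lfsr": stats(xor(page, lfsr_stream(seed, len(page)))),
        "keyed": stats(xor(page, keyed_stream(key, 0, len(page)))),
    }

ZERO_PAGE = bytes(4096)  # constructed: a freshly zeroed 4 KiB page, the worst case for balance
TEXT_PAGE = (b"Quarterly report, FY2014. " * 160)[:4096]  # constructed: 7-bit ASCII, top bit always 0

if __name__ == "__main__":
    for name, page in (("zeros", ZERO_PAGE), ("ascii", TEXT_PAGE)):
        print(name, compare(page))
```

Both scramblers bring either page to roughly half ones with short runs; the difference is that the LFSR output is fixed by its seed, while the keyed stream is unreadable without the per-drive key, which is the property the answer's secure-erase argument relies on.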

Solution 3

For security reasons! SSDs store the data scrambled all over the place and on different flash chips. Because flash can break, they all have more storage space than advertised and usable.

Now assume you have top secret information on your disk unencrypted. You now decide that's a stupid idea and encrypt the whole drive.

But you can't encrypt the whole drive. The SSD just shows you 16GB of space, while it has 20GB internal (in reality, the additional space is less). You encrypt all of the 16GB, but inside the drive there are still 4GB and you have no way to know what's stored there. Maybe one flash chip is even partially defective and the drive will never touch it again. A data thief could still directly read data from that.

Another reason is to allow fast data destruction. If you have to erase a 1TB SSD at 400MB/s, that will take 42 minutes. If you want to remote-wipe your SSD in a stolen laptop, in those 42 minutes the thief will see that something is wrong and cut the power. For the same reason, most newer smartphones are encrypted by default, even if you don't need any PIN.

Wiping an encrypted SSD/phone works by just wiping the 128-bit (or 256-bit) key. After that, all the data is worthless. This takes less than a second.


Author: Tyler Durden

Updated on September 18, 2022

Comments

  • Tyler Durden
    Tyler Durden over 1 year

    Recently I had an SSD fail and am attempting to do a data recovery. The data recovery company tells us that it is complicated because the built-in drive controller uses encryption. I presume this to mean that when it writes data to the memory chips it stores it in an encrypted format on the chips. If this is true, why on earth would they do that?

    • Giacomo1968
      Giacomo1968 over 8 years
      Please edit your question to add some details on the OS this SSD was running on as well as the exact make/model of the SSD. To my knowledge, unless you have full disk encryption enabled or the drive has native encryption, it all sounds like a ruse by the data recovery company to deflect their incapability to some “magic” that prevented them from recovering data. SSDs should just be storing data in a raw format—like all other storage devices—and not any encrypted format by default.
    • phuclv
      phuclv over 8 years
      Some external drives do have hardware encryption by default, but I'm not sure if an internal one also encrypts data.
    • Thalys
      Thalys over 8 years
      @JakeGould many modern drives are internally encrypted. Annoyingly, finding sources is a pain when you actually need them, but at the very least SandForce's controllers certainly do this.
    • Giacomo1968
      Giacomo1968 over 8 years
      @JourneymanGeek SSD or hard disk drive as well? It seems this is a functionality that is mainly borne in the needs of SSD drives that might have migrated to newer hard disk drives as well?
    • bwDraco
      bwDraco over 8 years
      @JakeGould: Many newer SSD controllers, including all recent SandForce and Samsung controllers, use always-on encryption. Some newer Seagate hard drives, including several consumer desktop models, are self-encrypting (see here; this is what enables the Instant Secure Erase feature). Most newer WD external hard drives are self-encrypting.
    • Thalys
      Thalys over 8 years
      SSDs encrypt or at the very least scramble the data (citation needed here!) for wear levelling reasons. HDDs have no need to encrypt data at a firmware level for the same reasons.
  • Giacomo1968
    Giacomo1968 over 8 years
    “The SSD is always encrypting data…” All SSDs do this? Can you provide examples? You have, but the opening statement is a very assertive and declarative claim that all SSDs behave this way and that throws the answer off.
  • bwDraco
    bwDraco over 8 years
    "The SSD" refers to the OP's disk. This is not a claim that every SSD is self-encrypting. Edited to address the claim.
  • Giacomo1968
    Giacomo1968 over 8 years
    I just edited to clarify this specific claim. Remember: These questions and answers are for others as well as the original poster. Being as clear as possible about context helps everyone including users who would stumble across this thread in the future.
  • David Schwartz
    David Schwartz over 8 years
    I don't think this is true. For one thing, SSDs typically know what space is free and need it to be pre-erased to preserve performance.
  • Thalys
    Thalys over 8 years
    In this specific case, it's true of many, not all, SSDs. I'm very sure SandForce does this (and that AnandTech link confirms that), and it's well documented, and I vaguely recall Samsung does this. I'm still looking for the review I saw ages ago that goes into detail, but what the OP's been told is reasonably consistent with this. I know, it's a very odd claim, but that's why I've linked specific examples.
  • DrZoo
    DrZoo over 8 years
    @JourneymanGeek I do know for a fact that the Samsung 850 and 950 disks implement AES 256-bit Full Disk Encryption (FDE) and TCG/Opal v2.0, Encrypted Drive (IEEE1667) :)
  • David Schwartz
    David Schwartz over 8 years
    What source do you think backs up the claim that the reason SSDs implement encryption is to save wear on the disk? That seems like an absurd claim to me, since SSDs know what space is free, they pre-erase it anyway, and secure erases are rare. Also, there are many obvious reasons to support encryption in firmware that have nothing to do with erasing.
  • Thalys
    Thalys over 8 years
    "I've read it before" isn't a great source. I'm actually trying to find the review where it was mentioned. I know where it was (anandtech) but not when or where it was about. I'll update if I can find it.
  • r_ahlskog
    r_ahlskog over 8 years
    It is utterly insanely elegant, because you want to have a balance between the 1s and 0s on the disk to make sure it wears evenly. So you want an even distribution of bits, something normal data is extremely poor at but encrypted data is excellent at. So they run everything through AES to keep the 1s and 0s evenly distributed, an elegant solution that also has the side benefit of being able to secure erase the drive by forgetting the key.
  • David Schwartz
    David Schwartz over 8 years
    @r_ahlskog "you want to have a balance between the 1s and 0s on the disk to make sure it wears evenly" Umm, do you have a source for this claim?
  • Wayne Jhukie
    Wayne Jhukie over 8 years
    It's not true anyway: Flash is not symmetrical. Block erase usually sets all bits to 1 and they are programmed to 0 by charge injection through the dielectric. It's that which causes the wear.
  • Tyler Durden
    Tyler Durden over 8 years
    Yeah, well, the "lifespan" of my SSD was about 1 year and I am facing thousands in data recovery costs because of this stupid "encryption", so it did not seem to work very well.
  • Josef
    Josef over 8 years
    @TylerDurden if you have data with any worth, make backups. Storing data only once is like not storing it at all. And SSDs are especially known for failing instantly and totally. On a HDD, you have a chance to still read some parts most of the time. If a SSD is broken, it's broken.
  • kapex
    kapex over 8 years
    "The SSD does this by storing the encryption key in plaintext" - does that mean if you have access to a not password protected SSD and copy the key, you could decrypt the whole drive even after the user creates a password?
  • James
    James over 8 years
    I like how the industry tries to convince the user that throwing away the encryption key is == destruction of data. In reality it most certainly is not. Encryption only buys time that the adversary has to invest in recovering your data. If you want 'Secure Erase' then you actually need to overwrite the data.
  • Fizz
    Fizz over 8 years
    "there is no real advantage to disabling it". Yes, there is, right in the question. If the drive loses or messes up the key... basically 0 chance of data recovery... unless you've got the NSA working for you.
  • kasperd
    kasperd over 8 years
    @kapep In principle yes. Actually copying the key might prove tricky. I imagine the key might be stored in a chip that it cannot easily be copied from. A more secure design would be to organize data into a tree structure in such a way that a new key is generated by every write operation. Then a copied key would not provide access to data written after the key was changed. But I doubt that much effort has been put into securing the encryption.
  • Josef
    Josef over 8 years
    @TechMedicNYC if you know a way to break AES-256 in less than say the next few billion years, please do share.
  • Admin
    Admin over 8 years
    @TechMedicNYC I don't particularly care that my data would become accessible to some governmental agency / big corporation that decides to dedicate a few million (billion?) years of resources to decrypt my drive. I do however care about my data being accessed by the people around me, who typically don't have access to this kind of resources.
  • user
    user over 8 years
    A sensible long-secure-erase process would start off by storing some sort of flag, which the firmware only clears once the process has successfully run to completion, and a counter indicating how far the erase has progressed. If the device is powered up and this flag is set, resume erasing where it left off. A quick first step can be to simply erase the flash block mapping table, which results in plaintext being available but no way of knowing which parts fit together. Lots of thieves are interested only in the money they can get from the hardware, and have little to no interest in the data.
  • Josef
    Josef over 8 years
    @MichaelKjörling that won't work at all. If you are really interested in the data you could just erase the flag. Or directly read the flash chips without using the controller.
  • user
    user over 8 years
    Except that most thieves are not interested in the data! They want the hardware that they can sell to get some money, and (unless you are, say, a journalist working with the Snowden documents) don't care about what's stored on the computer. Erasing the flash mapping table is also quite fast. And by the time we are talking about adversaries who are willing to desolder or manually reprogram the chips, we are way beyond almost any ordinary thief in the first place. If you have data that is sufficiently valuable that this figures into your threat model, you need to use a strong password.
  • Josef
    Josef over 8 years
    @MichaelKjörling in that case you can also just not erase the data at all, if the thief is not interested.
  • James
    James over 8 years
    @Josef, et al. You're not wrong, but you're also not right. You're using an inductive argument to prove your security. The assumptions are that there are no undiscovered weaknesses in AES and no computational advances (quantum computing, etc...). MD5 was collisionless, SSL was secure. The point is calling a feature Secure Erase when it doesn't erase is disingenuous at the least. If your life depends on data security, just spend the few hours performing a secure wipe and the NSA, et al. can spend the next million years decrypting zeros.
  • bwDraco
    bwDraco over 8 years
    Let's keep things civil here. At this time, from what I've read, the NSA does not have the ability to decrypt AES. It's a work in progress, though, so the possibility cannot be discounted. It might happen in the next few years or few dozen years or few hundred years, but if you're an IT professional just trying to reuse the drive or if you're a consumer who doesn't have the sort of information that would be of interest to national security, it's not really an issue.
  • Tyler Durden
    Tyler Durden over 8 years
    Ok, so assuming this is true, and my drive controller failed, how is the data recovery company going to get the data back? Is the key stored in the controller? Do all controllers of the same type use the same key so that you can just replace one controller with another?
  • bwDraco
    bwDraco over 8 years
    @TylerDurden: The key is unique for each drive. However, it is probably stored in firmware separate from the controller itself, so recovery is likely still possible.
  • ganesh
    ganesh over 8 years
    'because flash can break' is a nice story, but not the reason for only revealing part of an SSD's capacity. The [main] reason is performance.
  • alex.forencich
    alex.forencich over 8 years
    The bits in modern flash memory are so small that there is crosstalk between them. Because of this, if too many adjacent bits are set the same way, it can cause more bit errors than if the bits were more random. Because of this, 'scrambling' or 'whitening' techniques are used to balance the number of 1s and 0s. This could be done with a simple linear feedback shift register. Or it could be done with an algorithm like AES that effectively scrambles the bits while also providing some nice security and fast secure erase benefits.
  • alex.forencich
    alex.forencich over 8 years
    I will also note that self-synchronizing scramblers are also used in high speed serial protocols to give the encoded signal certain electrical characteristics (DC balanced, or at least statistical bounds). Most common examples are 64b/66b encoding in 10G Ethernet and 128b/130b in PCIe gen 3.
  • Thalys
    Thalys over 8 years
    @alex.forencich heh. I've been going nuts trying to find an authoritative source on how encryption is used for scrambling and how that helps. If you know one, it would be awesome.
  • user541686
    user541686 over 8 years
    It's not really encryption then, is it? I presume the drives support TRIM, which means that the zeroed cells are not encrypted, which means that this leaks information as to how much data was on the drive, and what the block allocation looked like. Doesn't quite seem like it'd have the same benefits as normal encryption (plausible deniability etc.).
  • alex.forencich
    alex.forencich over 8 years
    You're probably not using the right search terms. I found soc.yonsei.ac.kr/Abstract/International_journal/pdf/…, which references a couple of US patents, google.com/patents/US8261159 and google.com/patents/US8713330 .
  • alex.forencich
    alex.forencich over 8 years
    Here is a better one that relates specifically to using AES for scrambling: jstage.jst.go.jp/article/elex/11/13/11_11.20140535/_article
  • Thalys
    Thalys over 8 years
    Linked back. Damn. Pity I can't offer a bounty for comments, since this fills some pretty big holes in my original answer.
  • alex.forencich
    alex.forencich over 8 years
    Yeah, that is unfortunate. Anyway, that last paper I linked is probably the best one of the four - it explores the exact argument that you're making. It specifically explores completely replacing an LFSR based scrambler with AES. Figure 9 is the money shot, AES performs the same to slightly better when compared with LFSR based scramblers.
  • Luke
    Luke over 8 years
    SSDs can be almost instantly erased as it is by flushing the flash chips. This sets all cells to 0. As I understand it, you send a SATA command and it drains all the stored charge. I would guess the instant erase benefit of encryption is more for HDDs.
  • user
    user over 8 years
    @TechMedicNYC Quantum computation, based on what we know today, only reduces the effective security level to the square root of the key space. What this means in practice is that in the presence of quantum computing, AES-256 has an effective 128-bit security level, and we need to double symmetric key lengths. Compare security.stackexchange.com/a/6149/2138, crypto.stackexchange.com/a/21087/1142, crypto.stackexchange.com/a/25390/1142 and more generally Cryptography's tag post-quantum-cryptography.
  • user
    user over 8 years
    Of course, HDDs prefer magnetic domains that look semi-random when encoding long strings of similar bits, because it helps with maintaining synchronization while reading the platter as it's spinning under the read head. Thus, the on-platter encodings used by HDDs ensure that there is no direct mapping between bit values and magnetic domains.