RMPL (Poland) asked:

PCIe NVMe SSD and OS-independent encryption in modern laptops?

In terms of security, BIOS ATA Password/TPC-compatible full disk encryption on a regular SATA SSD is the most versatile option, as it is OS independent.

However, more and more PC makers are now installing blazing fast PCIe NVMe SSD storage in new laptops, for example the new Dell Latitude 5x70 or Precision M7x10 series with the Dell/Samsung SM951.

This storage type (PCIe NVMe SSD) no longer supports BIOS-based encryption, probably because that encryption was tied to the ATA protocol. Or maybe I am wrong about this?

Of course, some PCIe NVMe SSD brands/models declare compatibility with the so-called OPAL encryption specification, but to my understanding it is only some kind of support for or compatibility with software-based encryption, not HW encryption (OS independent).

If you have any knowledge of the real situation in this matter, both current and for the near future (maybe planned standards to be implemented, for example, on the next 7th Gen Intel Core processor platforms and BIOS), let me know.

Thanks in advance.
McKnife (Germany):

Before you (and the experts here) look at technical details, please tell me why you care. What is your scenario, why would your NVM need that, is it portable, or what is it? Why would it need to be OS independent?

I would ask myself instead:
-> what OSes will I use? And can those use hardware encryption on that NVM?
BitLocker, for example, makes use of hardware encryption if the device is Opal 2 compliant and your OS is Windows 8.1 or higher.
RMPL (asker):

Our company security policy requires that all laptops have full disk encryption. New laptop models like the Dell Precision M7510 or Dell Latitude E5470 are delivered with PCIe NVMe. Our users use Ubuntu. Fast SSDs are required due to the specifics of the work, where several virtualized systems run on such mobile labs, and they need to be effectively secured in case they are stolen or lost.
RMPL (asker):

My own findings led me to the following facts:

Most PCIe NVMe SSDs installed by the main brands were in fact from the Samsung SM/PM 950/951/961 family.

- for the 950 Pro, Samsung published it as "OPAL compatible in future" and in fact never published firmware with OPAL
- for the 951/961, the published datasheets say SED: N/A

Other SSD brands like Kingston (Predator), Toshiba/OCZ (RD400) or Plextor (M8) don't even mention encryption, as the target audience is probably consumer laptops/PCs.

So in fact the problem was not in the PC/BIOS but in the SSD itself.

Hope that will change soon, as PCIe NVMe SSD prices are dropping very fast and they will be mainstream devices soon.

Of course any additional input will be appreciated.

p.s.
A similar situation (regarding lack of information) existed for datacenter-class PCIe NVMe SSDs in the area of RAID/redundancy, but this is another topic.
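For anyone auditing a fleet of Ubuntu laptops like the asker's, a quick first check is whether the NVMe controller advertises the Security Send/Receive admin commands at all, since TCG Opal cannot work without them. This is an added example, not code from this thread or from any vendor; it assumes the nvme-cli package is installed and that the sample id-ctrl output (constructed here) follows nvme-cli's "field : value" layout.

```python
"""Check whether an NVMe controller advertises the Security Send/Receive admin
commands that TCG Opal traffic rides on, by parsing the 'field : value' text
printed by `nvme id-ctrl /dev/nvmeX` from the nvme-cli package."""
import re
import subprocess

# Bit 0 of the Optional Admin Command Support (OACS) field in the NVMe Identify
# Controller data structure: Security Send and Security Receive supported.
OACS_SECURITY_SEND_RECEIVE = 1 << 0
_FIELD = re.compile(r"^\s*(\w+)\s*:\s*(\S+)")

def parse_id_ctrl(text):
    """Map nvme-cli's 'name : value' lines to a dict; numeric values become ints."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        try:
            fields[name] = int(value, 0)  # handles 0x17 as well as plain decimal
        except ValueError:
            fields[name] = value  # free-text fields such as the model string
    return fields

def opal_prerequisite(fields):
    """Return (possible, reason). The bit is necessary but not sufficient: a drive
    can set it and still ship no Opal firmware, so confirm with sedutil-cli --scan."""
    oacs = fields.get("oacs")
    if not isinstance(oacs, int):
        return False, "no OACS field found in id-ctrl output"
    if oacs & OACS_SECURITY_SEND_RECEIVE:
        return True, "Security Send/Receive advertised; Opal is possible"
    return False, "Security Send/Receive not advertised; Opal cannot work here"

def check_device(dev="/dev/nvme0"):
    """Query a real controller (needs root and nvme-cli installed)."""
    out = subprocess.run(["nvme", "id-ctrl", dev], capture_output=True,
                         text=True, check=True).stdout
    return opal_prerequisite(parse_id_ctrl(out))

# Constructed sample output, not captured from real hardware; the model name is
# a placeholder and the oacs values are chosen to show both verdicts.
SAMPLE_NO_SECURITY = "NVME Identify Controller:\nmn : PLACEHOLDER NVMe SSD\noacs : 0x6\n"
SAMPLE_WITH_SECURITY = SAMPLE_NO_SECURITY.replace("oacs : 0x6", "oacs : 0x17")

if __name__ == "__main__":
    for sample in (SAMPLE_NO_SECURITY, SAMPLE_WITH_SECURITY):
        print(opal_prerequisite(parse_id_ctrl(sample)))
```

A drive that fails this check can be ruled out for hardware encryption immediately; one that passes still needs the datasheet or an Opal scan to confirm it actually ships SED firmware.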

I wonder why you did not comment on the link. You could try the how-to and see if it works with those drives; it's not complicated.
RMPL (asker):

Yes, but this solution requires an SSD with SED/OPAL support, and as we have for now only the SM951 without SED support, we can't test it. This solution will be great in a scenario where we have any SSD with OPAL/SED support in a PC with a BIOS that does not support encryption.

Samsung doesn't have an SSD that has Opal support, so just forget them. The same is true of the SSDs others mentioned. It would be a waste of time trying to download the software McKnife linked.

There are a heck of a lot of gotchas, like some motherboards will refuse to even boot if there is an NVMe device that is encrypted. You are also at extreme risk of making the system unbootable and NEVER, EVER, EVER being able to get to your data. The deal is, if you forget your password, or it changes, then there is no back door. You can't even brute force, because it basically self-destructs after so many (product-specific) unsuccessful attempts.

I wouldn't even *think* about going with anything open source. If you want SED drives then you need to pay the big bucks and get something supported by your laptop/desktop vendor. Intel is working on some native add-ons for motherboards, and HP among others is embracing them.

So, bottom line: buy a turnkey solution if you want to be bleeding edge, and get it from your motherboard vendor. Otherwise, stay away from it. Even a firmware update can break everything and risk turning the system into a paperweight. Anything less than Opal 2.0 is too high risk to even consider, and even then I would never personally use the Opal (the SATA flavor) implementation of SED (this is for SATA devices). I would only use TCG (the SAS version of SED).

Samsung has SSDs with Opal 2 support, for example the 850 EVO. dlethe, are you talking about the PCIe cards or classic SSDs?

If you say so... the 850 EVO is not what the asker has, anyway. Its datasheet mentions Opal V2.0 at least for all of them, the M.2, the classic and the mSATA version, so I wondered if you can categorically say his NVM would not have that (there is no datasheet for that one).

That he would walk on thin ice is quite probable. It was just for a test, though, to see if there are ways on Ubuntu.
RMPL (asker):

Thanks for your comments, dlethe.

Data loss is an acceptable situation, as this data is either frequently backed up/replicated or not so critical to lose. Unacceptable is the loss of unencrypted information to any unauthorised third party.
Of course, the encryption solution should be stable enough not to cause problems in normal day-to-day work.

By the way, in the official specification of the Dell Precision M7510, in the M.2 PCIe SSD section, there is the following statement: "M.2 PCIe NVMe Solid State Drive (M.2 SSD): 256GB, 512GB, 512GB SED".

So there is probably some specific model of 512 GB SED M.2 PCIe drive supported by Dell (or it is planned at least). I have already asked Dell directly about this option and their general policy regarding PCIe SSD encryption. When they respond, I will share this info here.

p.s.
McKnife - the Samsung 850 series are SATA/mSATA drives and have nothing to do with my question in general. My question is focused on M.2 PCIe NVMe drives in laptops. Thanks anyway for participating and for the msed info.

"McKnife - the Samsung 850 series are SATA/mSATA drives and have nothing to do with my question in general" - I wrote the same, didn't I? My intention was to say "hey, there are a lot of Samsung drives that are Opal 2.0 compliant (at least they say so)". If you had a datasheet for yours we'd be able to tell. Since these PCIe drives seem to be the future in the high performance sector, it is hard to believe that they will not be compliant.

Again, I would like to point out that the performance gain (hardware encryption over software encryption) is not as big as you might think. Look at http://www.anandtech.com/show/6891/hardware-accelerated-bitlocker-encryption-microsoft-windows-8-edrive-investigated-with-crucial-m500 for example, to get an idea.

The Opal / hardware encryption has additional benefits over software. For one thing, it is O/S agnostic. Once the zones are set up on the HBA, and a zone is unlocked, then one can read/write to the device. No patches, no drivers. You can't even READ the disk until it is unlocked. With software encryption you can still read the drive, and it is not horribly difficult to circumvent protection, especially if you are able to boot the laptop to a USB drive.

The opal implementation locks the disk down and prevents any application from even reading the data.

"With software encryption you can still read the drive and it is not horribly difficult to circumvent protection, especially if you are able to boot the laptop to a USB drive." - If preboot authentication is in use, booting a USB-based attack OS will have no way to get to the key but brute force. With BitLocker, for example, you'd even need to know the recovery key (48 digits) - have fun breaking that.
RMPL (asker):

However, this does not solve the problem, but it brightens the topic.
dlethe's comments increased my knowledge about SSD encryption standards and confirm the observed facts.
McKnife, your mention of msed is very interesting; maybe not directly related to the question, but still valuable.
Thanks for sharing your knowledge.