From businesses and governments to individuals, there's one thing everyone today has in common: the need and desire to secure important personal and private information. Data protection matters whether data is at rest or in transit. The material and reputational costs of data breaches, hacking, and lost or stolen laptops and PCs can be very high.
To protect against malicious hackers and organizational data breaches, it is important to encrypt data that is in use or in transit as well as data at rest. Encryption provides an additional layer of protection if someone gains unauthorized access to a computer network or storage device: without the key, the attacker cannot read the data. In this article, we'll focus on software-based encryption, self-encrypting drives (SEDs), and a basic explanation of how SSD encryption works.
What is Encryption?
In simple terms, encryption turns information entered into digital devices into seemingly meaningless blocks of data. The stronger the encryption, the harder the encrypted data is to read or decipher. Decryption reverses the process, changing the encrypted data back to its original form so that it is readable again. Encrypted information is referred to as ciphertext, while unencrypted information is referred to as plaintext.
Software and Hardware Encryption
Software encryption uses a software program to encrypt data on a logical volume. When the drive is first encrypted, a unique key is generated and held in the computer's memory. That key is itself encrypted with the user's passphrase, and a copy of the key, in its passphrase-encrypted form, is also written to the drive. When the user enters the passphrase, it unlocks the key and grants access to the unencrypted data on the drive. The software sits between the application and the device: when data is written, it is encrypted with the key before being physically put on the disk; when data is read, it is decrypted with the same key before being handed back to the program.
While cost-effective, software encryption is only as secure as the device it runs on. If an attacker cracks your passphrase, your encrypted data is exposed. Because encryption and decryption are done by the main processor, the whole system slows down. Another weakness of software encryption is that, once the system has booted, the encryption key sits in the computer's memory, making it a target for low-level attacks.
Self-encrypting drives (SEDs) use hardware-based encryption, a more holistic approach to protecting user data. An SED has an onboard AES encryption chip that encrypts data before it is written to the NAND media and decrypts it as it is read back. The hardware encryption layer sits between the OS installed on the drive and the system BIOS. When the drive is first encrypted, an encryption key is generated and stored on the NAND flash. When the system boots, the custom BIOS loads and asks for the user's passphrase. Once the passphrase is entered, the contents of the drive are decrypted and access to the OS and user data is granted.
The SED encrypts and decrypts data on the fly using the onboard encryption chip, which encrypts data before it is fed into the NAND flash and decrypts it before it is read out. The host CPU is not involved in the encryption process, which reduces the performance penalty associated with software encryption. In most cases the encryption key is held in the SSD's onboard memory after boot, which makes it harder to retrieve and therefore less vulnerable to low-level attacks. This hardware-based method offers a high level of data security because it is invisible to the user: the encryption cannot be turned off and does not impact performance.
256-Bit AES Hardware-Based Encryption
AES (Advanced Encryption Standard) is a symmetric encryption algorithm, meaning the same key is used for encryption and decryption. Because AES is a block cipher, data is divided into 128-bit blocks before being encrypted with a 256-bit key. 256-bit AES is an international standard that guarantees superior data security and is recognized by the U.S. government and others. AES-256 encryption is inherently undecipherable, making it the strongest encryption standard currently available.
Why can't it be deciphered? AES comes in three variants, AES-128, AES-192, and AES-256, where the number is the length of the key in bits. Every added bit doubles the number of possible keys, so a 256-bit key allows 2^256 possibilities, an astronomically large key space. Each key length also uses a different number of rounds (a round is one pass of the transformation that turns plaintext into ciphertext); AES-256 uses fourteen rounds. The probability of an attacker guessing the correct 256-bit key and reversing fourteen rounds of scrambling is therefore extremely low, to say nothing of the time and computing power such an attempt would require.
TCG Opal 2.0 Software Based Encryption
The Trusted Computing Group (TCG) is an international industry standards body whose specifications define a hardware-based root of trust for interoperable trusted computing platforms. Its Opal 2.0 specification allows encrypted SSDs to be initialized, authenticated, and managed by independent software vendors' TCG Opal 2.0 security management solutions, such as Symantec™, McAfee™, WinMagic®, and others.
In short, while software-based encryption has its advantages, it may not be as comprehensive as it is perceived to be. Software encryption adds an extra step, since data must be encrypted and then decrypted whenever the user needs to access it, whereas hardware-based encryption offers a more robust solution. Hardware-encrypted SSDs protect the entire drive without impacting performance. Depending on the application, you may be surprised at what is involved in securing your data. Not all encryption is the same, but understanding the differences will play a key role in how effective and efficient your security is.