We notice you are currently visiting the UK site. Would you like to visit our main site instead?

Hands typing on a laptop PC

What is SSD encryption and how does it work?

Side view of a laptop with person using a mobile phone in the background

From businesses and governments to individuals, there is one thing today that everyone around the world shares: the need and desire to secure important personal and private information. Whether it is being stored or transported, data protection is absolutely essential. The financial and reputational cost of data breaches, hacking, and lost or stolen laptops/PCs can be astronomical.

To protect against malicious hackers and organisational data breaches, it is necessary to encrypt in-flight data as well as data at rest. Encryption provides a fortified layer of protection just in case unauthorised access is somehow granted to a computer network or storage device. In this event, the hacker cannot gain access to the data. Throughout this article, we focus on software-based encryption, Self-Encrypting Drives (SEDs for short) and a basic explanation on how SSD encryption works.

What is encryption?

In layman’s terms, encryption converts information entered in a digital device into blocks of meaningless-looking data. The more sophisticated the encryption process, the more illegible and undecipherable the encrypted data. Conversely, decryption changes the encrypted data back to its original form, rendering it readable again. Encrypted information is often referred to as cipher text while non-encrypted is referred to as plain text.

Digital drawing of a circuit board with a padlock.

Software vs hardware encryption

Software encryption uses a variety of software programs to encrypt data on a logical volume. When a drive is first encrypted, a unique key is established and stored in computer memory. The key is encrypted with a user passphrase. When a user enters the passphrase, it unlocks the key and gives access to the unencrypted data on the drive. A copy of the key is also written to the drive. Software encryption operates as the middleman between the application’s reading/writing data to the device; when data is written to the drive, it is encrypted using the key before it is physically committed to the disk. When data is read from the drive, it is decrypted using the same key before being presented to the program.

While software encryption is cost effective, it is only as secure as the device it is used on. If a hacker cracks the code or password, your encrypted data is exposed. Also, since encryption and decryption are done by the processor, the entire system slows down. Another vulnerability of software encryption is that upon system boot, the encryption key is stored in computer memory, making it a target for low-level attacks.

Self-encrypting drives (SEDs) use hardware-based encryption which takes a more holistic approach to encrypting user data. SEDs have an onboard AES encryption chip that encrypt data before it is written and decrypts it before it is read directly from the NAND media. Hardware encryption sits between the OS installed on the drive and the system BIOS. When the drive is first encrypted, an encryption key is generated and stored on the NAND flash. When the system is first booted, a custom BIOS is loaded and will ask for a user passphrase. Once the passphrase is entered, the content of the drive is decrypted and access to the OS and user data is granted.

Self-encrypting drives also encrypt/decrypt data on the fly, with the onboard encryption chip responsible for encrypting data before it is committed to the NAND flash and decrypting data before it is read. The host CPU is not involved in the encryption process, reducing the performance penalty associated with software encryption. In most cases, the encryption key is stored in the SSD onboard memory on system boot, which increases the complexity of retrieving it; making it less vulnerable to low-level attacks. This hardware-based encryption method offers a high level of data security as it is invisible to the user. It can’t be turned off and does not impact performance.

AES 256-bit hardware-based encryption

AES (Advance Encryption Standard) is a symmetric encryption algorithm (meaning the encryption and decryption keys are the same). Since AES is a block cipher, data is divided into 128-bit blocks before encrypting it with the 256-bit key. AES 256-bit encryption is an international standard that ensures superior data security and is recognized by the US government among others. AES-256 encryption is basically undecipherable, making it the strongest encryption standard available.

Why is it undecipherable? AES is comprised of AES-128, AES-192 and AES-256. The numerals represent the number of key bits in each encryption and decryption block. For each bit added, the number of possible keys doubles meaning 256-bit encryption is equal to two to the 256th power! Or a very, very large number of possible key variations. In turn, each key bit has a different number of rounds. (A round is the process of turning plain text into cipher text.) For 256-bits, there are fourteen rounds. So, the chance of a hacker coming up with the correct sequence of 2 to the power of 256 (2256 ) bits being scrambled fourteen times is staggeringly low, to say the least. Not to mention, the time and computing power necessary to do the job.

TCG Opal 2.0 software-based encryption

TCG is the international industry standards group that defines hardware-based root of trust for interoperable trusted computing platforms. This protocol can initialise, authenticate and manage encrypted SSDs through usage of independent software vendors featuring TCG Opal 2.0 security management solutions such as Symantec™, McAfee™, WinMagic® and others.

In summary, while software-based encryption does have its advantages, it may not match its perception as being comprehensive. Software encryption adds extra steps because the data needs to be encrypted then decrypted when the user needs to access the data, whereas hardware-based encryption offers a more robust solution. A hardware-encrypted SSD is optimised with the rest of the drive without affecting performance. Depending on the application, you may be surprised by what is involved in securing your data. Not all encryption is the same but understanding the differences will play a key part in how effective and efficient your security is.


Related Articles