
SSD hardware encryption?

Posted: Fri Oct 19, 2012 4:56 am
by shunx
Apparently some Intel SSDs can encrypt data in hardware so that you don't have to use software like TrueCrypt. Does anyone know which SSDs and motherboards can support this feature?

Re: SSD hardware encryption?

Posted: Fri Oct 19, 2012 5:14 am
by Das_Saunamies
Sounds like an enterprise feature. Micron markets theirs as "SED" versions, Self Encrypting Drives.

AFAICT no mobo support required, as it's all on the drive. Intel has some stuff going with CPUs under "vPro", but I'm not too familiar with that.

Re: SSD hardware encryption?

Posted: Fri Oct 19, 2012 5:24 am
by shunx
According to the following video, Intel's drives require you to set two passwords in the BIOS, a master password and a drive password: http://www.youtube.com/watch?v=DV5zuDF6MIw#t=2m42s

The video isn't very clear on which models support this feature though.

Re: SSD hardware encryption?

Posted: Fri Oct 19, 2012 5:31 am
by m1st
I'll update this post when I find the proper links, but the Intel 320 (older), 330, and 520 series consumer SSDs support AES128 encryption on the NAND. This means that the controller encrypts the data actually being written onto the NAND, so if somebody theoretically pulled one of the NAND chips off the drive, they would just see gibberish.

In normal usage, the controller automatically uses the decryption key to pass the data along to the computer transparently; however, if you set a hard drive password in the BIOS, it will hide the decryption key until the drive is unlocked, in effect making the drive unreadable without the hard drive password. The only annoying thing about this is you have to input the password at every bootup.

Re: SSD hardware encryption?

Posted: Fri Oct 19, 2012 10:02 am
by shunx
Thanks -- how do we determine if a motherboard supports this password system, is there a name for this specification?

Also, is this the same thing as "self encrypting drives"?

Re: SSD hardware encryption?

Posted: Fri Oct 19, 2012 11:45 am
by m1st
Here is a good place to look regarding the Intel implementation.

Usually, the feature in a motherboard BIOS is called "hard disk password" or something similar. A more official name for it is "ATA password" support. Since it's an optional feature, many motherboards forgo support, or are otherwise flaky in their implementation. Yes, this is very similar to "self encrypting drives".
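
An added example, not part of the original post: on the drive side, the ATA password state can be read from the "Security:" section that the Linux tool `hdparm -I` prints. The sketch below parses that section; the sample text is constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample of the "Security:" section of `hdparm -I` output
# (written for this example, not captured from a real drive).
SAMPLE = """\
Commands/features:
\t   *\tSMART feature set
Security:
\tMaster password revision code = 65534
\t\tsupported
\t\tenabled
\t\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

FLAG = re.compile(r"^(not\s+)?(supported: enhanced erase|expired: security count"
                  r"|supported|enabled|locked|frozen)$")
NAMES = {"supported: enhanced erase": "enhanced_erase",
         "expired: security count": "expired"}

def parse_ata_security(text):
    """Return the ATA Security flags as a dict; empty if there is no section."""
    state, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_section = True
        elif in_section and line[:1].strip():   # unindented line: next section
            break
        elif in_section:
            m = FLAG.match(line.strip())
            if m:                               # a leading "not" negates the flag
                state[NAMES.get(m.group(2), m.group(2))] = m.group(1) is None
    return state

def summarize(state):
    """Map the flags onto the situations described in the thread."""
    if not state.get("supported"):
        return "ATA password not supported by this drive"
    if not state.get("enabled"):
        return "no drive password set"
    return "password set, drive " + ("locked" if state.get("locked") else "unlocked")

if __name__ == "__main__":
    flags = parse_ata_security(SAMPLE)
    print(flags, "->", summarize(flags))
```

This only reports what the drive advertises; whether the BIOS offers a prompt to set or enter the password still has to be checked in the firmware setup itself.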

Re: SSD hardware encryption?

Posted: Sat Oct 20, 2012 7:23 am
by Vicotnik
I trust Truecrypt because it's open. I doubt Intel's own solution is.

Re: SSD hardware encryption?

Posted: Sun Oct 21, 2012 6:15 pm
by m1st
Well, TrueCrypt and similar (e.g. Bitlocker) operate at the file system level. I use Bitlocker on my laptop since it has a TPM module and allows for single sign-on (I don't have to put in a password to boot the computer and another to log in to my computer), but each has its advantages and disadvantages.

One reason why someone might not want to use a file system level encryption suite with the Intel 330/520 series is because they use the Sandforce SF-2200 series controller. Because Sandforce controllers owe a lot of their performance advantages to performing realtime data compression, dealing with encrypted data (which is very nearly incompressible) will cause quite a large performance loss. Anandtech's bench results help illuminate the difference you will see when enabling TrueCrypt or Bitlocker.

Lastly, performance-wise, the encryption provided by Intel SSDs is completely free. If you have to rely on your CPU to encrypt data at the file system level, you may see higher CPU usage and lower read/write rates. Then again, if you have a relatively recent CPU that supports AES-NI, this point is moot.

Re: SSD hardware encryption?

Posted: Mon Oct 22, 2012 1:57 am
by tim851
Vicotnik wrote: I trust Truecrypt because it's open.
Seconded. Open Source, very popular and more than 10 years old. This means that almost everybody who's been interested in encryption will have taken a look at it, trying to expose weaknesses. There are no backdoors, as sometimes found in proprietary software. It is most likely the most secure solution on the planet.