0

So I'm currently learning more about NVMe drives that ship with a feature called SED (Self Encrypting Drive). Take the Smasung 970 EVO for instance. It clearly states that it features SED.

The 970 EVO provides multiple advanced data encryption features. Self-Encrypting Drive (SED) security technology will help keep data safe at all times. The 970 EVO includes an AES 256-bit hardware-based encryption engine to ensure that your personal files remain secure. Being hardware-based, the encryption engine secures your data without the performance degradation that you may experience with software-based encryption. Also, the 970 EVO is compliant with various advanced security management solutions (TCG Opal and Encrypted Drive-IEEE1667).

Usually these drives come with an encryption key preinstalled from the factory that the Encryption Engine utilizes. And apparently older SSD's the normal 2.5" drives can utilize something called "ATA Sanatize" which is a feature that comes with software such as PartedMagic. And it's suppose to generate a new key. Not sure how and I would love for someone to explain how it does it.

Nevertheless..

Since NVMe drives don't support ATA Sanitization, how would you generate a new key? There is a feature that PartedMagic offers called "NVMe Secure Erase - Erase entire drive at the hardware level" and I'm not sure if that's the same.

John V Dole
  • 101
  • 1) SED is currently known to be insecure for the moment IMHO 2) the Secure Erase is a feature of the SATA, a good Tutorial can be found [here](https://www.thomas-krenn.com/en/wiki/Perform_a_SSD_Secure_Erase) – djdomi Jul 19 '21 at 09:21
  • [Do not trust self encrypting drives](https://www.ru.nl/publish/pages/909282/draft-paper.pdf). They're - as the comment above implies - known to be rubbish. – vidarlo Oct 19 '21 at 17:28

1 Answers1

0

Self Encrypting Drives (or Devices) always encrypt the data that is passed to them for storage. They use a key called the Data Encryption Key (DEK). This key is known only to the disk firmware. The key never leaves the disk. All data that is passed to and from the disk is encrypted and decrypted with that key. When the disk is powered off it becomes locked. When powered on it requires a password to unlock the DEK and start reading/writing again. If there is no password set then the disk doesn't appear to be encrypting/decrypting.

Now, when you set a password - an Authentication Key (AK) - the drive knows to prompt you for it and is unable to decrypt/encrypt anything until it is unlocked. [There are actually two keys, but that's more detail than is necessary here]

This is also the reason it's possible to change the password (the AK) without having to decrypt and re-encrypt the entire disk contents.

The Secure Erase feature present on many drives takes advantage of one of the side-effects of encryption. Encrypted data looks like random characters until you use the right encryption key (DEK) to decode it. So, to erase a disk you simply change the encryption key. None of the old data is now able to be decoded, i.e. it is erased.

Seagate produced a nice document detailing all of this in relatively readable language. https://www.seagate.com/files/staticfiles/support/docs/manual/Interface%20manuals/100515636c.pdf

Also, if you're on Linux, or can use a USB bootable linux distribution, you can try the suggestions in the answer to this question: https://superuser.com/questions/1530363/how-to-securely-erase-an-nvme-ssd

fishter
  • 101
  • 2