SSD AES-256 hardware encryption – how to configure

Answering my own question, this is what I've found out after searching on the net for a couple of hours:

• The SandForce devices have AES encryption turned on by default, but there are issues with this (see below)
• If you zero out the drive using ATA Secure Delete, the key will be wiped and later regenerated and thus the old data will not be accessible anymore - making this an acceptable solution when you're about to sell or trash your SSD
• It is, however, not possible to set a user password that would prevent someone who steals your laptop with an SandForce SSD from reading your data
• The encryption key is not linked to the ATA security and/or BIOS
• Setting a user password would be possible if there was a tool for this. OCZ promised a program called their "toolbox" that would allow this very often on their support forums, but when it was finally released in october 2010, it still didn't have the functionality (and still not today)
• I guess even if you could set the password using the toolbox, it would not be possible to use the device as a boot device any more because you couldn't unlock it from the bios.
• Using software full-disk-encryption on an SSD seriously impacts the performance of the drive - up to a point where it can be slower than a regular hard disk.

Source for some of this information.

Update: If you're interested, I wrote a little more about the issues in a dedicated blog post.

I don't think your Medion motherboard/BIOS supports it. I think you'll need a newer BIOS or motherboard, and a laptop looks more likely to support it.

I did find a BIOS Update page on medion.com for Version:2.09 , System:Win 7 64bit , Release date:11.01.2012 but it looks like the Samsung SSD 840 EVO was released in 2013, so it just may not be supported by your motherboard's update either...

But VxLabs' SSDs with usable built-in hardware-based full disk encryption page tells me:

Information on this is incredibly hard to find

In some cases, the manufacterer uses the HDD password or ATA password (configurable via many laptop BIOSes, very few desktop BIOSes, or the ATASX BIOS extension) to encrypt the AES keys.

That last link sounds like a solution, at least for an AMI-BIOS. I don't think that's what you've got, so I don't think you can enable it. Or perhaps it already is enabled, but you can't change the password so it's always "unlocked" :-(

Here's some red herring info I dug up, on the way to the conclusion above.

I thought it was a feature that can be used by software encryption programs, like dm-crypt/cryptsetup/BitLocker/FileVault/truecrypt, etc... after reading about it, it sounds nearly identical to a LUKS volume, where the "random" key is used to encrypt the whole drive, and a user password & master password can be set to unlock the drive, and erasing the "random" key renders the drive effectively locked "forever."

But reading the Security Encryption Brochure (that's pretty thick with "marketingspeak") on your link I did't think it had anything to do with any BIOS settings, or really any settings on your computer. I'm not even sure if you would type in a password when you turn it on, it sounds more like a remotely managed system where the keys are set & verified by a remote server, so only the "safe" drives are allowed to decrypt & work, and any that try to turn on at the wrong time or place remain locked.

The brochure says:

Samsung offers Self-Encrypting Drives (SEDs) which are hardware-encrypted and automatically encrypt or decrypt all data transferred to and from the SSDs.

So it didn't sound like it had anything to do with any software running at all. But that wouldn't make much sense unless you used an actual physical key to unlock the drive, and that wouldn't be very convenient. Reading further:

Invisible to the user, hardware encryption built directly into the drive electronics maximizes performance. In contrast, software encryption burdens the central processing unit (CPU) and lowers performance. Hardware-based SED encryption includes a built-in circuit in the controller chip that automatically encrypts all data transferred to the storage device. With hardwarebased encryption, the drive controller encrypts and decrypts all data

...

hardware-based encryption is performed in the actual hardware, and user authentication is performed by the drive before it unlocks, independent of the operating system (OS).

...

in collaboration with independent software vendors (ISVs) who provide security management tools for SEDs, Samsung provides SEDs that are compliant with the TCG Opal specification, developed by the Trusted Computing Group, and the IEEE 1667 standards, as supported (for example) by Microsoft BitLocker in Windows 8.

...

Safeguard access to data with Wave Cloud and Wave Embassy Remote Administration Server (ERAS)

Wave Systems is an ISV that offers secure data access control on mobile platforms, access to the cloud and safe network logon with users’ personal devices. Wave System solutions augment Samsung SED security technology by Managing authorized users’ access to the drives and data is where Wave comes in.

So it sounded like a large business / enterprise level system. But reading Samsung's Whitepaper 06- Protect Your Privacy - Security & Encryption Basics reads:

While they do feature SED technology, the 840 and 840 Pro Series SSDs do not support the OPAL storage specification management interface. OPAL drives are geared towards enterprises that need to manage security protocols and want to have advanced control over authentication. With third-party software support, IT managers can set detailed security provisions to restrict access by partition, physical location of the laptop, etc. Anyone interested in this level of security management should research enterprise-class TCG/OPAL SED options.

Someone who wants to manage a personal machine or an SMB that depends on its employees to handle most of their own IT support, however, will find that the SED feature of Samsung’s 840 and 840 Pro Series SSDs is well-suited to their needs. These SSDs offer basic, yet robust, security with minimal effort and expense.

Enabling AES Encryption

AES encryption is always active on an 840 or 840 Pro Series SSD. In order to benefit from the encryption feature, however, the user must enable an ATA password to limit access to the data. Failure to do so will render AES-encryption ineffective – akin to having a safe but leaving the door wide open. To set an ATA password, simply access the BIOS, navigate to the “Security” menu, enable “Password on boot” and set an “HDD Password.” Administrators also have the option of setting a “Master Password,” which can allow a lost user password (“HDD Password) to be recovered. The “Master Password” may also be used to unlock and/or erase the drive (depending on the settings), effectively destroying, and thus protecting, the data but allowing the drive to be reused. The setup procedure may differ slightly depending on the BIOS version installed on a particular machine. It is best to consult the user manual if there is any confusion.

• Probably not helpful, but Lenovo ThinkPads are supposed to automatically show the hard drive encryption options in their BIOS when a qualifying drive is present, and there's a utility to force the options to appear.