How Self-Encrypting Drives (SEDs) Work

SED means that instead of relying on the host processor and software for full-disk encryption (FDE), the encryption is done purely by the drive itself using Trusted Computing Group's (TCG) Opal standard. The Opal standard offers two major benefits over software based disk encryption: performance and security.

Instead of using the host resources (CPU and RAM) to encrypt the drive, the controller inside the SSD does the encryption, which provides higher performance due to the lack of CPU overhead and is also far more power efficient. In fact, the controller already encrypts all data on the fly regardless of whether encryption has been enabled by the user -- by default the encryption key in the drive is just not encrypted and thus the drive can be accessed by anyone. When enabling Opal encryption the password created by the user is used to encrypt the encryption key, making the drive inaccessible unless the correct password is provided. The encryption key is generated during the manufacturing process of the drive (although it can be regenerated later on) and resides in a small secured block of memory that is protected and isolated from other memory.

As for security, software encryption solutions do not generally encrypt the master boot record (MBR), which leaves the drive vulnerable to attacks using alternative boot medias (CD/USB). Hardware encryption does not have the same problem because every single bit that the drive receives will be encrypted, including the MBR. Basically, hardware encryption is transparent to the OS because the drive does not know or care what data it receives as all data is encrypted regardless.

Because even the MBR is encrypted, SEDs have a pre-boot OS that is essentially a very restricted version of MS-DOS or Linux. When the BIOS requests the MBR from the drive during boot, the drive instead returns the pre-boot OS that asks for authentication before allowing access to the MBR. Once the correct credentials have been provided, the drive allows the BIOS to access the MBR and the system will boot normally.

Testing Wave's EMBASSY Security Center

Every X300s includes a license for Wave's EMBASSY Security Center (ECS), which normally retails for $40. ECS can be acquired from SanDisk's SSD Dashboard under the Tools tab. ECS provides local SED management, and for IT administrators Wave offers EMBASSY Remote Administrator Server (ERAS) that allows central management of all SEDs in the organization.

Clicking the icon will lead you to the download site where you enter the promo code that comes with the SSD Dashboard as well as your personal details (name, address, email etc. -- no credit card is needed). Once you have entered all the information, you will be able to download the ECS and the serial key is sent to the email address you provide.

After installation and reboot, you will be ready to enable encryption. Drive management is found under the 'Trusted Drive' tab and at first everything is in the off state and the only option is to start the initialization process. For testing I used a very basic Z87 based system running Windows 7 in legacy mode with no TPM module.

The first step is to create the administrator for the drive, which will have the right to manage the drive. After the initialization process additional users can be added but I will look at that once we are there.

After creating the administrator, you will be given an opportunity to either print or save the administrator username and password to a USB drive. This step can be skipped but it is recommended since if the credententials are forgotten, you will be unable to access the drive and the only way to recover the drive is to perform a PSID reset (more on this later but it erases all the data in the drive).

After that you are done -- the drive is now fully encrypted. It only takes a few seconds to encrypt the drive because as I mentioned earlier, all the data in the drive is already in encrypted format and thus only the encryption key needs to be encrypted. You can check that the drive is really encrypted from the SSD Dashboard, which should now say that security is activated.

This is what the drive management looks like. The administrator has the right to un-initialize the drive, which will decrypt the key and make it accessible by anyone. There is also an option to disable drive locking, which is different in the sense that the drive will allow anyone to access the data but only the administrator can change the encryption settings (e.g. un-initialize or crypto-erase the drive). Additionally Wave can sync the drive's and Windows' passwords so there will be only one password, or you can enable single sign on that will eliminate the need to log into Windows separately.

Users can be added within the same interface to allow non-admin users to get through the pre-boot OS. Otherwise every user would need to use the administrator credentials, which would defeat the purpose of an administrator account as it is the only account with rights to manage the drive. In other words, normal users can use the system normally but administrator rights are needed to un-initialize the drive or change any settings related to security.

ECS also offers several options for Windows login. Aside from the typical password authentication, the user can login using biometric authentication (e.g. fingerprint), and smart cards are supported as well. Again, these settings can only be modified by the administrator, even though they are visible to the normal user.

SanDisk X300s 512GB - PCMark 8 Storage Test
  Storage Score Storage Bandwidth
No Encryption 4976 268.1MB/s
Wave ECS (Opal 2.0) 4974 265.1MB/s
Windows 7 BitLocker (Software) 4960 246.6MB/s

To compare the performance of hardware and software based encryption solutions, I decided to run PCMark 8's storage test on the drive with the two enabled (separately, of course) and with no encryption at all. Strangely enough, the performance difference is almost non-existent. When Anand tested eDrive with the Crucial M500 and PCMark 7, he found that software based BitLocker encryption resulted in a 14% decrease in performance, whereas my test data shows a mere 0.3% loss in Storage Score. It is true that the PCMark 8's storage bench is different and in my experience it tends to show very small difference between SSDs but nonetheless it is still interesting that BitLocker has such a minor impact in performance.

Of course, my testbed is not exactly an ideal representation of an average corporate laptop since it is a Haswell based desktop with i7-4770K and 16GB of RAM, so the difference in lower performance systems might be larger as BitLocker will use the host CPU and RAM for encryption. Anyway, it looks like I will have to run some more tests to figure out a way to better characterize the performance benefits of hardware accelerated encryption because I believe the scores above do not give an accurate picture of the difference.

Crypto-Erasing an SED

Since SEDs are hardware encrypted, there is no way to fiddle with the drive without the administrator's credentials. However, what that also means is that in case you happen to forget the credentials, you will have a brick in your hands since SEDs cannot be secure erased using the standard ATA command like normal SSDs can. Fortunately, there is a way to revert the drive back to its factory setting by performing crypto-erase, or PSID revert as it is sometimes called.

The PSID can be found on the back label of every SED and it is a 32-character code.

To issue a crypto erase, a special utility is needed and SanDisk provides their Crypto Erase Tool for the X300s. It is very simple to use as the only thing you need to do is to enter the PSID and click erase now, which will deactivate encryption and secure erase all the data in the drive. I am not sure if SanDisk's tool supports other SSDs but in theory it should as there is nothing vendor-specific about crypto erase. However, there is also a third party freeware PSID revert tool available and I have confirmed that it works (tested with Samsung 850 Pro).

Final Words About Wave's ECS

Wave's ECS certainly provides a much smoother user experience compared to Microsoft's eDrive. It makes enabling Opal 2.0 encryption as easy as clicking a few buttons and it lacks the annoying hardware and software requirements that eDrive has. There is no need to play around with group policies if you lack a TPM module and what is best is that ECS is not limited to a UEFI-enabled Windows 8 Pro/Enterprise install like eDrive is. Basically, ECS should work with any system as long as you have an Opal-enabled SSD.

eDrive is a good (and free) alternative if you happen to have a system that meets the requirements, but otherwise it is a pain to get working, so I certainly see why corporations will gladly pay for ECS and other optimized encryption tools.

Introduction, The Drive & The Test Performance Consistency
Comments Locked


View All Comments

  • Kristian Vättö - Friday, August 22, 2014 - link

    That is not true. Windows 7 is still the dominant OS in the enterprise space with Windows 8 only having a marginal share:

    Yes, that is one-year-old data but it shows that enterprises are not very keen on W8 and are adopting it very slowly. That in turn leaves a huge market for solutions like Wave ECS since the BitLocker in Windows 7 does not support Opal.

    Besides, eDrive/BitLocker is the same for every drive. I don't see the need to revisit it with this drive because the process is not any different.
  • cbf - Friday, August 22, 2014 - link

    Well, that market share article is from June 2013.

    While, I don't think Windows 8.1 is taking the market by storm, I think it is creeping in. I've deployed it due to things like improved startup/hibernation, BitLocker improvements, etc. The start menu just isn't that big a deal for my users.

    In any event, it looks like we'll see Win 9 in the next six months, which I predict enterprises will deploy as fast as they've ever deployed any new Windows OS, so that should settle the issue.
  • jabber - Saturday, August 23, 2014 - link

    Maybe not.

    Windows 9 is too soon. A lot of corps are only two years into their OS refresh, they aren't going to change till maybe 2017 at the earliest and then 10 is round the corner. A lot haven't moved to 7 till this year so they are going to hang around till 2020. Windows 10 will be the one that fits the schedule better.

    9 will bomb probably. Plus anyone knows that 9 is purely a rushed damage limitation excercise.
  • devione - Thursday, August 21, 2014 - link

    Hi Kristian,

    Really appreciate your efforts. However would it be possible to see future reviews involving Enterprise-grade SSDs? Thanks for your time.
  • Kristian Vättö - Friday, August 22, 2014 - link

    Yeah, we have something in the works :)
  • jay401 - Friday, August 22, 2014 - link

    By the way, the Samsung 840 Evo in 256GB and 512GB sizes just dropped $20 and $50 in price on Amazon. $119 and $199 respectively, though the 500GB did just bump back up slightly to $212.
  • 7amood - Friday, August 22, 2014 - link

    I appreciate the SEDs but I think these aren't open source and can't be audited like TC which is being audited right now. How to know for sure that the SED encryption is secure and doesn't have backdoor code for the spying?
  • fk- - Saturday, August 23, 2014 - link

    I'm still a bit confused about one thing - with all that security software listed in the table, what are the motherboard requirements to use the encryption on this drive? Do I still need a motherboard capable of setting ATA password if I want to password-protect the data on the drive?

    Or, to put it straight, is there any [software] way to use the option to password-protect the drive (and being prompted to enter the password on startup) on an older motherboard without UEFI, without ATA password capabilities and without Opal certification?
  • Kristian Vättö - Sunday, August 24, 2014 - link

    Wave's ECS should do that as long as the drive is Opal certified. I tested without UEFI and it worked fine, and ATA password is just a BIOS feature whereas Opal is independent from the rest of the system (i.e. should work with any motherboard or system).
  • mike8675309 - Sunday, August 24, 2014 - link

    I assume that when you use the took to secure erase that when you enter the PSID that the drive is no deactivating the encryption, and then secure erasing the drive. Using that tool and that process must do something more complex so that avoids creating an attack vector.

Log in

Don't have an account? Sign up now