Full Disk Encryption on Solid State Drives

August 3rd, 2012

I’m planning a system build and I want to use a SSD this time. TrueCrypt advises against using their crypto system with SSDs because SSDs use wear leveling routines to prolong the life of the memory modules. The problem is that, theoretically, the drive could write multiple versions of information, some of which could be recovered.

But… (And here’s the question for you guys who know more about this than me)

If I do a clean OS install on the SSD and then do full disk encryption on the (single volume) drive, wouldn’t that prevent the possibility of data leaks due to wear leveling?

6 Responses to “Full Disk Encryption on Solid State Drives”

  1. Tru3Magic says:

    If you decide not to follow this recommendation and you intend to use in-place encryption on a drive that utilizes wear-leveling mechanisms, make sure the partition/drive does not contain any sensitive data before you fully encrypt it (TrueCrypt cannot reliably perform secure in-place encryption of existing data on such a drive; however, after the partition/drive has been fully encrypted, any new data that will be saved to it will be reliably encrypted on the fly). That includes the following precautions: Before you run TrueCrypt to set up pre-boot authentication, disable the paging files and restart the operating system (you can enable the paging files after the system partition/drive has been fully encrypted). Hibernation must be prevented during the period between the moment when you start TrueCrypt to set up pre-boot authentication and the moment when the system partition/drive has been fully encrypted.

    *IMPORTANT*
    However, note that even if you follow those steps, it is not guaranteed that you will prevent data leaks and that sensitive data on the device will be securely encrypted.
    *IMPORTANT*

    http://www.truecrypt.org/docs/?s=wear-leveling

    Mount/store on a 7200rpm drive? Just have to select the device. Some good info here:

    http://www.tomshardware.com/forum/268261-32-full-disk-encryption

  2. Kevin says:

    I don’t see how that thing can leak if the whole volume is encrypted and data is only added afterward. But TrueCrypt seems pretty clear there.

    Oh well. Besides that info above, I can’t find a straight answer about doing this with SSDs. Opinions range from some thinking it works great to others thinking it will drastically shorten the life of the drive.

    I have a 2TB 7200 RPM drive now. Maybe I should just use that.

    I’m running FDE on an old 500GB 5400 RPM drive and it works fine.

  3. JWSmythe says:

    Kevin,

    I’d say you’re right. With the volume encrypted, the most it will leave behind is fragments of encrypted data, which may as well be noise.

    Like Tru3Magic mentioned, watch out for the pagefile and hibernation file.

    I’m sure you’ve already read these, but for the rest of the audience:

    http://www.truecrypt.org/docs/?s=hibernation-file

    http://www.truecrypt.org/docs/?s=paging-file

    http://www.truecrypt.org/docs/?s=system-encryption

    It’s far less dangerous than what one guy I knew did. He had microswitches on the case, which would trigger on moving the computer or opening any panels. He also had a panic button on the case, so he could trigger it immediately. They hooked up to a battery powered ignition for cast thermite charges surrounding the drive. He was also a paranoid lunatic who didn’t think of possible hazards (like his kids touching his computer), and how many felonies he committed in doing that.

  4. SW says:

    I have been running TrueCrypt on my laptop with an SSD for almost two years now. It runs fantastically.

    If I run “SSDLifePro” on my SSD drive it says it will last about 8 years. My laptop runs every day for about 16 hours.

    I also run Windows 7 with no pagefile. I’ve been doing this for over 3 years now with no issues.

    I don’t see how it’s possible to recover ANY data if the SSD drive is FULLY encrypted. Provided you encrypted the drive immediately after installing Windows it should be fine. You only want to copy any data onto this drive once it’s encrypted. If done this way I can’t see how someone could recover anything.

    If you’re worried about data being recovered from drives check out:

    http://www.dban.org/
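To make the argument in comments 2 through 4 concrete, here is an added toy model (not from the post or from TrueCrypt) of a wear-levelling flash translation layer: every write lands on a fresh physical page and the old page is only marked stale, so a raw read of the chip still sees it. In-place encryption of existing data leaves the plaintext page behind; encrypting the empty volume first and only then writing data leaves nothing but ciphertext. The sector cipher, key and secret are constructed stand-ins, not TrueCrypt's XTS.

```python
import hashlib

SECRET = b"taxreturn2011.pdf contents"   # constructed sample data
KEY = b"k" * 32                           # constructed toy key

class WearLevelledFlash:
    """Toy flash translation layer. Each write goes to a fresh physical
    page (out-of-place write, as wear levelling does); the page that held
    the sector before is only marked stale, never scrubbed."""
    def __init__(self, physical_pages=16):
        self.pages = [None] * physical_pages   # raw cells a chip-off read sees
        self.mapping = {}                      # logical sector -> live page
        self.free = list(range(physical_pages))

    def write(self, sector, data):
        page = self.free.pop(0)
        self.pages[page] = data
        self.mapping[sector] = page            # old page keeps its old bytes

    def read(self, sector):
        return self.pages[self.mapping[sector]]

    def raw_pages(self):
        """Everything on the chip, live and stale, as forensics would read it."""
        return [p for p in self.pages if p is not None]

def sector_cipher(key, sector, data):
    """Stand-in for a sector-tweaked cipher: XOR with a keystream derived
    from key and sector number. Symmetric, so the same call decrypts."""
    stream = hashlib.sha256(key + sector.to_bytes(4, "big")).digest()
    return bytes(b ^ stream[i % 32] for i, b in enumerate(data))

def in_place_encryption():
    """Sensitive data already on the SSD, then encrypted in place."""
    flash = WearLevelledFlash()
    flash.write(0, SECRET)                                 # plaintext page
    flash.write(0, sector_cipher(KEY, 0, flash.read(0)))   # ciphertext on a NEW page
    return flash

def encrypt_before_use():
    """Clean install: encrypt the empty volume, then every write is ciphertext."""
    flash = WearLevelledFlash()
    flash.write(0, sector_cipher(KEY, 0, b"\x00" * len(SECRET)))  # empty sector encrypted
    flash.write(0, sector_cipher(KEY, 0, SECRET))                 # data written later, already encrypted
    return flash

def plaintext_remnants(flash, secret=SECRET):
    """Forensic check: how many raw pages, live or stale, still hold the secret?"""
    return sum(1 for p in flash.raw_pages() if p == secret)
```

Real drives retire blocks for other reasons too (bad-block remapping, spare area), which is why TrueCrypt only promises reliable encryption for data written after the volume was fully encrypted.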

  5. Kevin says:

    A reader called Uncle Remus sent this in, which is pretty interesting, and somewhat related to what we’re trying to hash out here:

    Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?

    Graeme B. Bell
    Richard Boddington

    In case you don’t want to read it all, here’s the short version:

    Even quick formatting a SSD can cause a nightmare situation for computer forensics people. With a conventional HDD, on the other hand, 100% of data can be recovered after quick formatting.

  6. Kevin says:

    More FYI:

    I was reading about the outstanding Intel 520 series drives and learned that they run full-disk 128-bit AES in hardware by default. It works with the (almost useless) ATA drive password system. While I would definitely not recommend this if the attacker is a state, this solution looks pretty good for data protection in the event of run-of-the-mill hardware theft. At least, I can’t find any indication that anyone has compromised a 520 series drive that has had the passwords set.

    Update: Good Luck Finding a Desktop Board That Supports AHCI and ATA HD Password

    I’ve checked a few motherboards designed for the new Ivy Bridge processors and can’t find any that have the HD Password feature. Intel lists these boards as working with the FDE on the 320 series drives: DQ67SW, DQ67OW, and DQ67EP. HD Password in BIOS has been around for years on laptops, but remains pretty rare on desktop boards.

    There are some absolutely ridiculous threads on Intel’s support site if you enjoy pain and confusion:

    http://communities.intel.com/thread/20537

    http://communities.intel.com/message/157235
