
S3710 and S4610 SED encryption questions

Telbizov
New Contributor

Dear Intel Support,

I would like to understand better the Self-Encrypting functionality of the S3710 and S4610 SSDs that I have.

In short I would like to make sure that when power is cut off contents on the drive cannot be extracted and decrypted without supplying a password from outside.

Below are my understandings and I would like you to please explicitly confirm or correct each of those:

1. Drives that are advertised to have hardware encryption AES 256 bit, which include S3710 and S4610, continuously and transparently encrypt/decrypt contents written to/read from the drive, even if no ATA password is set. The Data Encryption Key (DEK) is regenerated upon a secure erase operation and there is always some key in use.

2. By default, if no ATA command is set the data is not really protected since it will be transparently decrypted.

3. In order for us to ensure protection at rest, against theft, etc., we need to set an ATA password. For example, in Linux this would be: hdparm --user-master u --security-set-pass thepasswordhere /dev/sdb

4. Entering an ATA password causes the drive to use it as an Authentication Key for the DEK. In other words it encrypts the DEK thus requiring the entry of the ATA password upon subsequent power off/on from outside.

5. The ATA password itself is in fact stored on the drive itself, but is converted to a one-way, irreversible hash first thus it is required to be entered from outside in order to unlock the drive.

I would appreciate if you can advise on the above.

Thank you

1 ACCEPTED SOLUTION

Hello, @Telbizov.

Good day,

Thank you very much for waiting.

After reviewing your questions, this is what can be provided for each individual statement:

  1. This is correct. Each Intel® SSD self-generates a key upon use. The user can simply start using the Intel® SSD and data is encrypted with that unique key. Note that if the Intel® SSD does not have a configured security interface (e.g. TCG Opal) the encryption function of the device does NOT provide confidentiality of user data.
  2. Correct.
  3. Correct.
  4. Correct.
  5. Our experts confirm that the SSD does not store the password. We cannot go into specific implementation details; however, for your question, yes, the password is required to be entered from outside in order to unlock the drive.

Best regards,

Bruce C.

Intel Customer Support Technician

A Contingent Worker at Intel
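
Statements 2 and 3 above turn on whether an ATA password is actually set, which the drive reports in the "Security:" section of `hdparm -I`. The following is an added example, not part of the original posts or any Intel tooling: it parses that section and reports the state, so an unprotected drive (enabled=no) can be flagged. The function names are hypothetical and the sample outputs are constructed, assuming the usual `hdparm -I` layout.

```shell
#!/bin/sh
# Added example: report ATA security state from `hdparm -I` text on stdin.
# Typical use (needs root): hdparm -I /dev/sdb | ata_security_state

# Prints: supported=<yes|no> enabled=<yes|no> locked=<yes|no> frozen=<yes|no>
ata_security_state() {
    awk '
        BEGIN { st["supported"] = st["enabled"] = st["locked"] = st["frozen"] = "no" }
        /^Security:/ { insec = 1; next }
        # The section ends at the first line that is not indented.
        insec && substr($0, 1, 1) != "\t" && substr($0, 1, 1) != " " { insec = 0 }
        insec {
            neg = ($1 == "not")
            word = neg ? $2 : $1
            sub(/:.*/, "", word)      # "supported: enhanced erase" -> "supported"
            # Only the first occurrence counts, so the later feature lines are ignored.
            if ((word in st) && !(word in seen)) { seen[word] = 1; st[word] = neg ? "no" : "yes" }
        }
        END { printf "supported=%s enabled=%s locked=%s frozen=%s\n",
                     st["supported"], st["enabled"], st["locked"], st["frozen"] }
    '
}

# Exit status 0 only when the drive reports an ATA password as set ("enabled").
ata_password_is_set() {
    case "$(ata_security_state)" in
        *"supported=yes enabled=yes"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: no ATA password set, data is transparently decrypted.
sample_no_password() {
    printf 'Security: \n'
    printf '\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n'
    printf '\tnot\texpired: security count\n\t\tsupported: enhanced erase\n'
    printf 'Checksum: correct\n'
}

# Constructed sample: password set and drive still locked after power-on.
sample_locked() {
    printf 'Security: \n'
    printf '\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n\t\tenabled\n\t\tlocked\n\tnot\tfrozen\n'
    printf '\tnot\texpired: security count\n\t\tsupported: enhanced erase\n'
    printf '\tSecurity level high\n'
    printf 'Checksum: correct\n'
}
```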


8 REPLIES

Hi @BrusC_Intel ,

Thanks for taking the time to look into this.

I would appreciate your answer to my initial questions.

Regards


Thank you for your time and answers.

Hello, @Telbizov.

Thank you for your reply.

You are welcome, it has been a pleasure to assist you.

Based on your previous post, we will proceed to close this inquiry now.

If you need assistance related to an Intel® product, please post a new question.

Best regards,

Josh B.

Intel® Customer Support Technician

A Contingent Worker at Intel®