An Overview and Setup of Hardware Encryption on Crucial SEDs

by Moderator Moderator on 03-05-2014 02:10 PM - edited on 09-03-2015 01:34 PM by Moderator Moderator (38,625 Views)

SED technology provides verified and certified data security which offers nearly unbreakable pre-boot access protection for user data. Because SED authentication happens before the operating system boots, there is no possibility of running an OS utility to break the authentication codes. Compliance with the TCG Opal 2.0 specification and the IEEE 1667 access-authentication protocol provides data security that meets government standards for data in banking, finance, medical and government applications. Support for Windows 8 eDrive gives the individual user simple plug-and-play data security that can protect sensitive personal data without modifying BIOS settings and without spending time encrypting data already in place (as is the case with software encryption methods).

Windows 8 Professional, Enterprise, and RT editions all automatically support encryption key management of SEDs. Crucial SEDs meet Microsoft's requirements for eDrive capability, which provides security for data at rest with no loss of throughput performance. In other words, to activate the password feature (to arm the security system, if you will), all it takes in Windows 8 is to enable BitLocker. BitLocker in older Windows operating systems does not support SED technology; you can still use BitLocker on the drive as you would on any other, it just won't take advantage of the hardware encryption built into the SED. To help users on Windows 7 or other operating systems take advantage of the SED's ability, third-party software vendors such as Wave Systems, WinMagic, and others provide advanced encryption and authentication management features for Opal 2.0 storage devices.

The majority of current Crucial SSDs are Self-Encrypting Drives (SEDs), which means all data is always encrypted by the controller when written to the NAND and decrypted when read. Windows 8 BitLocker, along with other products, can work with this built-in hardware encryption when you apply a password in Windows, provided the following requirements are met (solutions other than BitLocker may have further or modified requirements):

  • BitLocker only supports TPM version 1.2 and 2.0 (or newer). In addition, you must use a Microsoft-provided TPM driver. (Please note that BitLocker can also work without a TPM, but it will then need a USB flash drive to set the password instead.)
  • The host computer should be at a minimum of UEFI 2.3.1 and should have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. This enables security protocol commands to be sent to and from the SED. Please contact the manufacturer of your host computer to ensure that this requirement is met.
  • Secure Boot must be enabled.
  • The system needs to support Opal 2.0. The Opal 2.0 standard is not backwards compatible; Crucial SEDs are not compatible with Opal 1.0.
  • The host computer must always boot from UEFI. Any “compatibility” or “legacy” boot mode must be disabled. We recommend putting the system in UEFI-only mode before installing the Crucial SED.
  • The boot order must be set to start first from the SSD (not the USB or CD drives).
  • The compatibility support module (CSM) must be disabled, if it is available.
  • The SSD must have two partitions (drives with Windows installed generally do anyway), and the main partition to be encrypted must be NTFS.
  • The drive must be in an uninitialized state with all security modes inactive. (This refers to the security state of the SED under the TCG and ATA protocols.) If the drive has been previously initialized, you may need to refer to instructions from the BIOS maker or from any encryption software previously used in order to return the SED to an uninitialized state. Windows 8 and 8.1 cannot manage encryption on SEDs that are attached to the host computer via a RAID controller.
  • Dynamic disks are not supported by BitLocker.
  • A trusted platform module (TPM) on the host computer is not required in order to run hardware encryption. However, a TPM can provide additional data security functions, such as mating the SED to the host system so it cannot be operated in any other host computer. Instructions for using a TPM should be obtained from the manufacturer of the host computer. Installation on a host computer without a TPM may require using a USB thumb drive as a key. (See Microsoft's Windows 8 documentation for more details.)
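A pre-flight check for this list, as an added example that is not part of the Crucial article: it reads the firmware mode, Secure Boot state, TPM, disk layout and BitLocker status with in-box Windows PowerShell cmdlets and prints one line per requirement, changing nothing on the system. The check labels and the $results variable are this script's own names; the two requirements it cannot read (the UEFI storage security protocol and the drive's TCG/ATA security state) are called out in the comments.

```powershell
# Added example, not part of the Crucial article: a read-only pre-flight check
# for the BitLocker/eDrive requirements listed above. Run from an elevated
# PowerShell on the Windows 8.x host before BitLocker is turned on.
# Nothing here modifies the system; $results and the labels are this script's own.
#Requires -RunAsAdministrator

$osLetter = $env:SystemDrive.TrimEnd(':')      # normally "C"
$results  = [ordered]@{}

# Windows edition: eDrive support needs Professional or Enterprise.
$os = Get-CimInstance Win32_OperatingSystem
$results['Pro/Enterprise edition'] = ($os.Caption -match 'Pro|Enterprise')

# UEFI boot, not legacy BIOS/CSM. Windows sets this variable at boot time.
$results['UEFI boot (no CSM)'] = ($env:firmware_type -eq 'UEFI')

# Secure Boot. Confirm-SecureBootUEFI throws on a legacy-booted machine.
try   { $results['Secure Boot enabled'] = [bool](Confirm-SecureBootUEFI) }
catch { $results['Secure Boot enabled'] = $false }

# TPM: optional for hardware encryption per the article, but the usual
# unlock method; report presence and readiness.
$tpm = Get-Tpm
$results['TPM present and ready'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

# Disk layout: GPT (what a UEFI install produces), at least two partitions,
# OS volume formatted NTFS, and the SSD not sitting behind a RAID controller.
$osPart = Get-Partition -DriveLetter $osLetter
$osDisk = Get-Disk -Number $osPart.DiskNumber
$parts  = @(Get-Partition -DiskNumber $osDisk.Number)
$osVol  = Get-Volume -DriveLetter $osLetter
$results['GPT partition style']    = ($osDisk.PartitionStyle -eq 'GPT')
$results['Two or more partitions'] = ($parts.Count -ge 2)
$results['OS volume is NTFS']      = ($osVol.FileSystem -eq 'NTFS')
$results['Not on a RAID bus']      = ($osDisk.BusType -ne 'RAID')

# BitLocker must not already be active on the OS volume.
$blv = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results['BitLocker currently off'] = ($blv.VolumeStatus -eq 'FullyDecrypted')

# Not checkable from in-box PowerShell: UEFI 2.3.1 with
# EFI_STORAGE_SECURITY_COMMAND_PROTOCOL, and the SED's TCG/ATA security state
# (which must be uninitialized). Confirm those with the system vendor and with
# whatever tool previously managed the drive, if any.

$results.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

Any line reporting CHECK points at a requirement from the list above that still needs attention before BitLocker is enabled; the edition and UEFI checks are the ones most often missed on a machine that shipped with Windows 7.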

 

Configuring the Host System

It is recommended that the host system UEFI be configured to properly accept the SED before physically installing it, as outlined in the example below. Details of the setup will vary from system to system, as will the names of the various functions. However, they are similar enough that a single example should be sufficient. For details on specific UEFI setups, contact your computer's manufacturer.

Enabling Secure Boot

Microsoft Secure Boot is a requirement to run any Windows 8.x system. Any computer that has been configured from the factory for Windows 8 (as shown by a Windows 8 sticker) will already have Secure Boot enabled. If the host system was originally configured for Windows 7 or a previous operating system, check to ensure that Secure Boot is enabled, as shown below.

[Screenshot: secure boot.png]

UEFI Boot Mode/CSM Support

The host computer system must be in UEFI-only mode, as shown below. Typically, the CSM will be automatically disabled in UEFI-only mode; however, this should be verified and the CSM should be disabled if necessary.

[Screenshot: CSM.png]

Installing Windows 8.x

The most straightforward method of implementing hardware encryption is to perform a clean, new installation of the operating system. BitLocker in the Windows 8.x Enterprise and Professional editions supports hardware encryption on SEDs. No special steps are needed for this function; simply follow Microsoft's normal OS installation process. After the OS is installed, proceed to the Enable BitLocker section.

System Cloning

Because Crucial SEDs support eDrive, activating BitLocker creates special partitions, which are required to put the eDrive features in effect. When an eDrive-activated SSD is cloned, these special partitions may not be properly copied to the target drive. The target drive may function, but this is not considered a valid process and it may cause latent performance problems. If the source disk has been encrypted using software encryption in BitLocker, first ensure that BitLocker is turned off before initiating the image clone to a Crucial SED. If BitLocker is in software encryption mode on the source system, a decryption process will be required to turn it off. This can take several hours, depending on the amount of user and OS data on the drive.

Enable BitLocker

Follow the steps below to enable BitLocker.

  • Press the Windows key (usually between <Ctrl> and <Alt>); then type “This PC” and press Enter.
  • Right-click on the icon for the system drive and select Turn on BitLocker from the pop-up menu.

[Screenshot: enablebit.png]

  • Next, a status box confirming that BitLocker is configuring will display, along with a status bar. This will complete momentarily.
  • Select one of Microsoft's options for saving your recovery key. While Crucial has no preferred option here, do not neglect this step. In some circumstances, this may be the only way to recover data from your SSD. Crucial has no factory backdoor methods by which to recover data if an authentication key or password is lost. Once the key is saved, select Next to continue.

[Screenshot: savetofile.png]

  • BitLocker will ask, "Are you ready to encrypt this drive?" After you click Continue, a system restart will be required to complete the process.

[Screenshot: encryptdrive.png]

  • After the reboot is complete, you will see from the BitLocker padlock icon on your system drive that BitLocker is enabled.

[Screenshot: lock.png]

The video below illustrates the process in full.

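The same steps driven from an elevated PowerShell, followed by the check that matters most: whether BitLocker really bound to the SED's hardware encryption or silently fell back to software AES. This is an added example, not the article's own procedure; it uses the in-box BitLocker cmdlets and manage-bde, and $recoveryDir is an assumed location for the recovery key. Newer Windows 10 builds (from September 2019, following Microsoft advisory ADV180028) default to software encryption unless the group policy "Configure use of hardware-based encryption for operating system drives" permits hardware encryption, so the final check is worth running rather than assuming the hardware mode was used.

```powershell
# Added example, not part of the Crucial article: the "Enable BitLocker" steps
# above done from an elevated PowerShell, then a check that BitLocker actually
# took the eDrive/hardware path instead of falling back to software AES.
# $recoveryDir is this script's own name (assumption: a USB stick mounted as E:);
# point it at removable media or a share, never at the drive being protected.
#Requires -RunAsAdministrator

$osDrive     = $env:SystemDrive          # normally "C:"
$recoveryDir = 'E:\BitLockerRecovery'    # assumed location, off the SSD

# Step "Turn on BitLocker": the TPM unlocks the OS volume at boot.
# -SkipHardwareTest avoids the interactive hardware-test pass; restart
# afterwards, as the article says.
Enable-BitLocker -MountPoint $osDrive -TpmProtector -SkipHardwareTest

# Step "Save your recovery key": add a 48-digit recovery password and write it
# to a file off the SSD. Without it (or your credentials) the data cannot be
# recovered; Crucial has no factory backdoor.
Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
$rp = (Get-BitLockerVolume -MountPoint $osDrive).KeyProtector |
      Where-Object KeyProtectorType -eq 'RecoveryPassword' |
      Select-Object -Last 1
New-Item -ItemType Directory -Path $recoveryDir -Force | Out-Null
"Identifier: $($rp.KeyProtectorId)`nRecovery Key: $($rp.RecoveryPassword)" |
    Out-File -FilePath (Join-Path $recoveryDir "BitLocker-$env:COMPUTERNAME.txt")

# Verification. On an eDrive-ready SED the volume reports as encrypted at once
# (the controller always encrypted it; BitLocker only owns the lock), so there
# is no used-space/entire-drive prompt and no lengthy encryption pass.
$blv = Get-BitLockerVolume -MountPoint $osDrive
$blv | Select-Object MountPoint, VolumeStatus, EncryptionMethod,
                     ProtectionStatus, EncryptionPercentage

# manage-bde names the mode explicitly: "Hardware Encryption" for eDrive,
# an AES variant for the software fallback.
$status = manage-bde -status $osDrive
if ($status -match 'Hardware Encryption') {
    'OK: BitLocker is using the SED hardware encryption (eDrive).'
} else {
    'CHECK: BitLocker fell back to software encryption; eDrive did not ' +
    'initialize. Re-check the requirements list and the drive security state.'
}
```

If the wizard (or this script) ends with a software-mode result, the usual cause is one of the requirements above not being met, most often a drive that is no longer in its uninitialized security state; turning BitLocker off at that point means a full software decryption pass, so it is cheaper to verify the mode immediately than after the drive has been in use.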
Comments
DexterG
Kilobyte Kid

The above list of requirements is VERY helpful, but you left out one crucial piece of information: the drive must be in an uninitialized state before BitLocker will recognize it.

This can be a little bit tricky, because simply reformatting or deleting the partitions will not achieve it. You must run the Clean command from Diskpart (which you can do from the Windows 8 installation process by pressing F10).

Another helpful tip: if all of the above requirements are met, BitLocker will not ask you whether you want to encrypt the entire drive or just the existing data; it will just be encrypted instantly. If you get that message, the eDrive failed to initialize properly.

jamez
Kilobyte Kid

are you kidding?  sluffing off built-in encryption to third-party software?  if the controller can encrypt the data, let it do it by itself!  that way no software is slowing anything down and wiping the drive is an instantaneous process of simply regenerating new keys.

but instead, we're relying on microsoft?  and securely erasing my mx100 will now take several passes of overwriting the entire drive, causing unnecessary wear and costing unnecessary time.

no thank you.  i'll be going through the hassle of using truecrypt and luks instead.

please tell me you'll upgrade the firmware to properly implement pre-boot fde.

Moderator Moderator
Moderator

On an MX100, just as with any other Self-Encrypting Drive, all data is always encrypted by the controller when written to the NAND, and decrypted when read. Using Windows 8 BitLocker with the SED feature of the MX100 enables the user to put a "lock" on the drive, to protect the data against unauthorized access. Basically, once Windows 8 BitLocker has been activated and configured to use the drive's built-in hardware encryption, the data on the drive can only be accessed after the user puts in their BitLocker credentials. However, all the encryption is still done by the controller, just as it was before BitLocker was configured to work with the drive's SED ability. You can read more in this article, The Advantages of Hardware Encryption

jamez
Kilobyte Kid

i'm very glad to read, from the article you referenced, that there's no performance hit.  but that's only 1 of 2½ issues.  i have some follow-up questions.  perhaps we should take this to a forum instead of the knowledge base?
-what about prior issue #2 (securely wiping the drive)?  is this easily and instantly doable?  we'll ignore #3 (relying on microsoft gets ½ a point).  Smiley Very Happy
-with the encryption keys stored on the controller, doesn't using third-party encryption software mean the keys themselves aren't encrypted by a user pw, making it that much easier for someone with physical access to the drive to extract them from the firmware?
-if the controller is doing the encryption, why bother with bitlocker?  is it so slightly-more-savvy-than-average joe can easily enable it, or so you don't have to write it into the firmware?  (i'm being serious, not snarky--i'm a software developer myself.)  personally, i'm dual-booting win7* and ubuntu 14, which means i need 2 separate encryption methods instead of just supplying my credentials at boot to decrypt the hd and then choosing which os to load.
-also, if i upgrade the windows os, ms requires the os volume to be decrypted first.  this would obviously not be the case if windows was unaware that it was encrypted.
*last, what about those poor silly saps who are running win7 (or earlier)?  i just read that win7 bitlocker doesn't support self-encrypting drives--it was an update as of win8.  we're just out of luck?  i realize you can't support everything, but win7 is still a ms-supported os, and it seems like a better service to (more of) your customers to enable full-disk encryption all the time.
thank you!

Moderator Moderator
Moderator
Hello again. Yes, if you have a large number of questions it would probably be easier for you to receive swift and accurate answers if you ask the community in the SSD Forum. You can also contact our support; there is a link to their contact info in the footer of the article. Smiley Happy
maslo
Kilobyte Kid

Hi,

we changed from HDD to M500 SSDs on our HP 4540s. But we have two devices where we cannot activate DriveLock, as it tells us "HDD is HW encrypted". The others work, but these two do not...

Any idea on how we can fix this issue? Notebooks are running Win 7 prof x64.

Rabinovitch
Kilobyte Kid

I haven't found even a single word about Linux. Do Linux users have a chance to enable the hardware encryption?

MichelMerlin
Memory Leak Geek

How do I DISABLE sed?

The essential security is to KEEP ACCESS to MY data. I don't mind others seeing them (provided they can't alter them). Too much "security" is against this essential security. In particular SED, while NOT really protecting me, exposes me to loss of all my data, under various circumstances and external intents and attempts.

What I want is to disable SED, reliably and for good. No word about this in this article; anyone has an answer? TIA,

Versailles, Thu 15 Jun 2017 16:27:25 +0200