An Overview of Hardware Encryption

Labels (4)

If you are keen to protect your data and keep it secure then you should consider activating a form of encryption on your computer. Once the data is encrypted, you will need a secret key or password to decrypt it and have full access to it. We will focus here on Hardware Encryption but if you want to read up more on other types of security, then check out our article Different types of drive encryption and security.


What is hardware encryption?


Hardware encryption means the encryption happens within the drive. An SSD that has encryption built into the hardware is more commonly referred to as a Self-Encrypting Drive (or SED). The majority of Crucial SSDs are SEDs.


How does the hardware encryption on Crucial SEDs work?


 With an SED, the encryption is always on, meaning when data is written to the SED it is encrypted by the controller and then it is decrypted when read from the SED. The password security feature needs to be activated by encryption management software. If that is not done, there is nothing stopping a user from reading the data on the drive. In other words, the SED will generously decrypt all information for anyone who asks, unless security management software is installed to prevent that.


The easiest way to regard this is like a security system in a house. Until this is "armed" (through the use of a piece of 3rd party software for applying login credentials, for example) it is simply there but not actively protecting your data.


Advantages of Hardware Encryption?


SED technology provides verified and certified data security which offers nearly unbreakable pre-boot access protection for user data. Because the encryption is a part of the drive’s controller it provides pre-boot data protection. Running a software utility to try and break authentication codes is not a possibility since the encryption is active before any software has started to load. Another advantage of an encryption feature that is active at all times is that this makes it possible for the drive to meet the compliance requirements of government standards for data in banking, finance, medical, and government applications, by adhering to TCG Opal 2.0 specifications and IEEE-1667 access authentication protocols. Crucial SEDs also support the standard full disk encryption protocol through the ATA-8 security command feature set.


Also, since the encryption takes place on the SED and nowhere else, the encryption keys are stored in the controller itself and never leave the drive.


Hardware Encryption vs Software Encryption?


The main advantage to using hardware encryption rather than software encryption on SSDs is that the encryption feature is optimized with the rest of the drive. If a user applies software encryption to a storage drive this adds several extra steps to the process of writing to the drive, since the data needs to be encrypted by the encryption software while it is being written. That same data then needs to be decrypted by the software again when the user wants to access it, which slows down the read process. In other words, adding a layer of software encryption negatively impacts the performance of an SSD. 


The hardware encryption of an SED however, is integrated into the controller, which means there is no impact on SSD performance either in the short term or in the long run. The read and write speeds are already taking encryption into account, since it already happens on every write cycle and decryption happens on every read cycle. The encryption is simply a part of the drive’s normal operation.


How to activate Hardware Encryption?


All a user needs to take advantage of an SED’s encryption ability is a software utility that provides encryption key management for SED devices. Crucial SEDs are fully compliant with Microsoft’s eDrive standard, which provides simple plug-and-play data security through the use of Windows BitLocker. Since Windows BitLocker doesn’t need to encrypt the drive before it can be used (that has already been done by the SSD’s controller) there is no delay or wait for encryption to take place. Once Windows BitLocker is enabled the SED is instantly ready to use. All you have to do is let the Self-Encrypting Drive operate just the way it has all along, and enjoy the peace of mind and high performance of a hardware-based encryption drive.


To activate Hardware Encryption on your drive, please refer to our guide Setup of Hardware Encryption on Crucial SEDs via Bitlocker.