What you don’t know about your solid state drive (SSD)


By Scott Holewinski, President of Gillware Data Recovery

We live in a safety net society. Forgot the password for your bank account? No problem. Answer a couple security questions and just like that your password is reset. Locked your keys in the car? Don’t worry. Call the automaker and they’ll unlock your doors for you.

When it comes to today’s technology, people assume there is always a way out. But when it comes to modern storage devices, data is likely stored in a completely encrypted format with an encryption mechanism that can’t be turned off. If the device fails or the user forgets their password, the data is lost forever. When I tell people this, their reaction is usually disbelief.

They say, “There must be another way in,” or “Can’t I call the manufacturer to unlock it?” or “There has to be something I can download that will decrypt it.” My answer is always the same, “No, and that’s by design.”

There is no gray area with self-encrypting storage devices. The data stored within is encrypted. You either have what it takes to decrypt and access the data, or you don’t. Period.

The Pros and Cons of Self-Encryption

For some users, the fact that self-encrypting drives are completely secure and locked down is a selling point. For others, it is an unnecessary characteristic of modern SSDs. Regardless of which side of the fence you fall on, it is important to understand the implications that self-encrypting drive technology has for the recoverability of your data if the storage device fails.

Before you accuse me of blasphemy against the SSD gods, let me acknowledge that SSDs are no doubt more reliable than HDDs. With no moving parts, there are simply fewer failure points present on an SSD compared to an HDD. That being said, like any other complicated electronic device, SSDs can and do fail.

At Gillware, we see customers looking to recover data from self-encrypting SSDs every day. In rare situations, the SSD failure is caused by a discrete electrical component like a resistor, fuse or capacitor. However, in the vast majority of cases, the issue has to do with an unexpected error occurring within the SSD’s operating system. In other words, the code responsible for running the SSD encounters a condition that the software developer didn’t anticipate and the device becomes inoperable.

Recovering data from devices in this state is extremely difficult and in most cases impossible because of the self-encrypting technology employed by modern SSDs. Self-encrypting devices have been around for quite some time, but they have become more prevalent as SSDs become the primary storage device in many of today’s computing applications.

The vast majority of SSDs being sold today are self-encrypting in order to comply with the Trusted Computing Group’s (TCG) Opal specification. The Opal specification is designed to “protect the confidentiality of stored user data against unauthorized access once it leaves the owner’s control.” The specification includes guidelines aimed at protecting user data during normal day-to-day operation as well as end-of-life processing. Most industry experts predict that in the next couple of years, 100% of the SSDs being sold will be self-encrypting.

The Anatomy of a Self-Encrypting SSD

So what exactly does it mean for an SSD to be self-encrypting and how does it work?

Let’s think of a self-encrypting SSD in terms of a bank vault. When you save a file, your computer stores it on the SSD, like depositing money in a bank vault. For the purposes of this example, let’s assume that the walls of the vault are completely impenetrable and the only way for money to get in or out is through the vault door. No matter how secure it is, the vault door is rendered totally useless unless someone remembers to lock it.

The primary storage media within an SSD is a number of NAND flash memory chips, usually eight or 16. These chips are thin black rectangular wafers about the size and thickness of a couple of quarters laid side by side. Collectively, the NAND flash memory chips comprise the bank vault in which your files are stored. The last thing we need to understand is what serves as the vault door on an SSD. How does data travel in and out of the NAND flash memory? The answer is the SSD controller.

The controller is arguably the most critical component on a self-encrypting SSD. Without the controller, it’s like putting a brick wall over the opening to our bank vault. The controller has a lot of different duties, but the two most critical are handling the authentication of the device at boot-up and all of the encryption operations.

Authentication is like locking and unlocking the vault door. After the SSD is authenticated, the vault door is open and data can flow in and out, being encrypted or decrypted as it comes and goes. On most self-encrypting SSDs, users can choose to set a boot-up password that must be entered to unlock the device. A properly authenticated drive is completely unlocked, and unencrypted data can be accessed from any computer the device is plugged in to.

Under Lock and Key

There are a handful of key takeaways from this rather verbose explanation of the inner workings of a self-encrypting drive:

  • The data on a self-encrypting drive is always being stored in an encrypted format, but the data is only truly secured when the user sets an authentication password which locks the device.
  • The SSD must be properly authenticated in order to access unencrypted user data.
  • The authentication of a self-encrypting drive may be controlled with a user-defined password entered at boot-up prior to the OS loading. Alternatively the user can choose not to set a password, but in this case the data stored on the device can be accessed in an unencrypted format from any computer.
  • The SSD controller literally and figuratively holds the keys to the kingdom. Without the controller, the data may be accessible through various means, but only in an encrypted format. This holds true regardless of whether or not an authentication password has been set.

Now that you have a fundamental understanding of how self-encrypting drives work, it should be fairly clear why the failure of a self-encrypting device is so catastrophic from a data recovery standpoint.
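The four takeaways above, as a small Python model (an added example, not Gillware's code or any drive's firmware). The `Controller` class, its method names and the SHA-256 keystream standing in for the drive's hardware cipher are assumptions made for illustration; the password here only gates access, as in the vault-door analogy.

```python
import hashlib, hmac, os

def _xor_stream(key: bytes, lba: int, data: bytes) -> bytes:
    """Toy cipher (SHA-256 keystream) standing in for the drive's hardware engine."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + lba.to_bytes(8, "big") + off.to_bytes(4, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

class Controller:
    """Hypothetical controller model: the media key lives here and is never exported."""
    def __init__(self, nand: dict):
        self.nand = nand                      # flash chips: LBA -> ciphertext
        self._media_key = os.urandom(32)      # generated inside the device
        self._salt, self._pw_hash = os.urandom(16), None
        self.unlocked = True                  # no password set: vault door open

    def _kdf(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def set_password(self, password: str) -> None:
        self._pw_hash = self._kdf(password)

    def power_cycle(self) -> None:
        self.unlocked = self._pw_hash is None  # locked at boot only if a password is set

    def authenticate(self, password: str) -> bool:
        if self._pw_hash is not None:
            self.unlocked = hmac.compare_digest(self._kdf(password), self._pw_hash)
        return self.unlocked

    def _io(self, lba: int, data: bytes) -> bytes:
        if not self.unlocked:
            raise PermissionError("drive is locked")
        return _xor_stream(self._media_key, lba, data)

    def write(self, lba: int, data: bytes) -> None:
        self.nand[lba] = self._io(lba, data)

    def read(self, lba: int) -> bytes:
        return self._io(lba, self.nand[lba])

def demo(secret: bytes = b"payroll-2014.xlsx (constructed sample data)"):
    drive = Controller({})
    drive.write(0, secret)
    results = {"no_password_read": drive.read(0), "chip_off_read": drive.nand[0]}
    drive.set_password("correct horse")
    drive.power_cycle()
    results["locked_after_boot"] = not drive.unlocked
    results["unlocked_with_password"] = drive.authenticate("correct horse")
    results["replacement_controller_read"] = Controller(drive.nand).read(0)
    return results
```

`demo()` returns plaintext for the password-less read, ciphertext for the direct read of the flash, and unreadable bytes from a replacement controller, because the original media key went with the failed one.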

The Future of SSD Data Recovery

This raises a number of important questions about the future of storage technology. Is it possible to build storage devices that are both secure and still allow for data recovery in case the device fails? Does the safety net society that we have all become accustomed to end with self-encrypting SSDs?

For the vast majority of self-encrypting SSDs being manufactured today, there is still no safety net possible in the way of recovering data from a failed drive, but Gillware is working hard to change this. The key to finding a solution is cooperation between data recovery labs, SSD manufacturers and security organizations like the Trusted Computing Group.

Gillware has been working hard to bring members from all three groups together for more than five years and these efforts are starting to pay off. In 2012, with support from a major SSD manufacturer, Gillware successfully recovered data from a self-encrypting SSD for the first time. Although the number of self-encrypting SSDs Gillware can recover data from is still very limited, the number is growing. With ongoing support from the SSD industry, Gillware is confident that this trend will continue.

Your SSD failed and you need the data back? No problem. Gillware has you covered.

UPDATE – April 2015: Gillware is proud to announce the formation of the Data Recovery/Erase Special Interest Group. This group is a part of the Solid State Storage Initiative (SSSI), which is housed under the Storage Networking Initiative Association (SNIA). This group includes experts from the data recovery industry, data erase industry and solid state storage manufacturing industry. Our goal is to collaborate and enable data recovery and erase functions on solid state storage in order to make them more feasible for our customers.

“Consumers are asking…Can data be recovered from solid state storage devices? Is it possible to selectively erase data from solid state storage technology? The questions are straightforward, the answers are not.
We are forming a new Data Recovery/Erase Special Interest Group within SNIA.org and are looking for individuals from the solid state storage industry, computer manufacturers, solid state storage consumers, solid state storage standards bodies, and data recovery and erase providers to participate.
The group’s goal is simple, work together to develop data recovery and erase solutions for solid state storage that meet the consumer’s needs.” Learn more: http://bit.ly/1HrmMZ2

17 Comments

  1. […] He has a nice analogy about how the NAND flash memory chips are like a bank vault when encryption is enabled (in the case of most SSDs, it is on by default and just needs to have a password set).  You can read the entire article at http://legacy.blog.gillware.com/data-recovery/secret-of-self-encrypting-ssd […]

  2. Rudy Scott says:

    If I use BitLocker I can store the encryption key myself. Isn't there some equivalent with the SSD?

  3. Hi Rudy,

    SSDs do not have any software support to export the encryption key, unlike BitLocker and other software solutions. There is no way to externalize or backup the encryption key on a self-encrypting SSD.

    These drives use a hardware based encryption engine that cannot be turned off and the key cannot be backed up. The key never leaves the device and the only way to access the unencrypted data is through the host interface. This is, in fact, a "feature" according to the TCG/OPAL specifications.

  4. Dave says:

    Can the typical SSD be accessed if it is not the boot drive on the typical Windows PC? If so, how does the authentication process work?

    • Ashley Toy says:

      Hi Dave,

      It all depends on what security features, if any, are enabled on the SSD. If none of the security features are enabled, the fact that the device is self-encrypting is irrelevant and it can be attached and accessed just like a regular drive. If the SSD is protected with an ATA password, the drive will appear but not allow any data access until unlocked with that password. Most PC BIOSes will prompt for a password at boot time if they notice any drive is password locked, regardless if it is the boot device or not. This can get tricky, though, if the machine unlocking the drive isn’t the one that originally set the password on the drive. Some BIOSes add an extra layer of “security” by hashing or otherwise scrambling the password you type before applying it to the drive. The advantage of this is that the drive is locked with a very strong password, even if what the user types is relatively simple. The major concern with this feature, though, is that you never know the password that is actually being used to lock the drive, so if that machine dies you’ll find yourself locked out of your own data.

      Many computer manufacturers integrate a Trusted Platform Module (TPM) on systems sold with a self-encrypting disk. When enabled, only the TPM has the actual credentials to unlock the drive and may be configured only to do so under certain conditions (i.e. an external hardware key is attached). If a drive secured in this fashion is attached to a different PC, gaining access to the data would likely require vendor-specific software and a special emergency recovery credential generated from the original system.

      -Ashley at Gillware
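
For the ATA password case described in the reply above, the drive's lock state can be read on Linux from the `Security:` section of `hdparm -I` output. The following Python sketch is an added example, not part of the comment or Gillware's tooling; the function names and state labels are assumptions, the sample text is constructed, and it does not cover TPM- or Opal-managed locking.

```python
import re

# Matches the flag lines of hdparm's "Security:" section, e.g. "\tnot\tenabled".
FLAG = re.compile(r"^\s+(not\s+)?(supported|enabled|locked|frozen)\s*$")

def parse_security(hdparm_output: str) -> dict:
    """Extract the ATA security flags from `hdparm -I` text as {name: bool}."""
    flags, in_section = {}, False
    for line in hdparm_output.splitlines():
        if line.startswith("Security:"):
            in_section = True
        elif in_section and line[:1] not in (" ", "\t"):
            break                                  # next unindented section header
        elif in_section and (m := FLAG.match(line)):
            flags.setdefault(m.group(2), m.group(1) is None)
    return flags

def classify(flags: dict) -> str:
    if not flags.get("supported"):
        return "no-ata-security"
    if not flags.get("enabled"):
        return "no-password"            # attaches and reads like a regular drive
    if flags.get("locked"):
        return "locked"                 # drive appears, no data access until unlocked
    return "password-set-unlocked"      # note which machine/BIOS set the password

def constructed_sample(enabled: bool, locked: bool) -> str:
    """Constructed text in the layout hdparm prints; not captured from a real drive."""
    def flag(on: bool, name: str) -> str:
        return ("\t\t" if on else "\tnot\t") + name
    return "\n".join([
        "Security: ",
        "\tMaster password revision code = 65534",
        "\t\tsupported",
        flag(enabled, "enabled"),
        flag(locked, "locked"),
        "\tnot\tfrozen",
        "\tnot\texpired: security count",
        "\t\tsupported: enhanced erase",
        "Checksum: correct",
    ])

if __name__ == "__main__":
    for enabled, locked in [(False, False), (True, True), (True, False)]:
        print(classify(parse_security(constructed_sample(enabled, locked))))
```

A drive that reports `password-set-unlocked` on the machine that set the password is the case to document before that machine fails, since the BIOS may have transformed what the user typed.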

  5. […] storage devices do not even allow this (most see the inaccessibility of the decryption key as a “feature”. A sigh of relief echoed through the lab as the drive produced the keys to the kingdom. Mr. […]

  6. Briana says:

    No offense, but SSDs ARE NOT MORE RELIABLE THAN HDD’S. I’ve seen more SSD failures in the last year than I have in 15 years of doing PC work with HDD’s. They just decide to up and die, no warning, just poof, gone. And it happens frequently.

    • Ashley Toy says:

      Hey Brian,

      From a mechanical standpoint, we find that SSDs are more reliable in the case of a drop or a fall, or being moved around a lot, which are some of the most common reasons we see traditional HDDs in our data recovery lab. As far as seeing more SSD failures without warning, I think you make a strong case for why keeping a reliable backup is all the more important!

      -Ashley at Gillware

  8. […] Software is unlikely to work if the hard drive is not being detected in the BIOS, the drive is fully encrypted or the drive is part of a RAID configuration. Signs of mechanical failure include clicking, beeping […]

  10. […] fact, many Solid State Drives come self-encrypting out of the box now, with many consumers clueless that their drive is […]

  11. […] even started the Data Recovery/Erase Special Interest Group (listed in the update at the end of the article) with data recovery labs, SSD manufacturers, and […]

  12. nsaleaks says:

    You can recover these with a scanned tunneling sensor based on single X-ray photon interference. Similar principle to how an APD works but due to the time factor it is only ever used to recover individual small files whose location can be determined from the file allocation table or equivalent. Also only works with intact chips as voltage and IO needed to induce enough of a change to detect.

  13. […] AES encryption, if any of the SSD controllers had died, its assigned SSD would have gone with it. Self-encrypting SSDs are devilishly hard to recover data from with manufacturer assistance, and impossible […]
