Data Security

Data security can generally be divided into two categories, Data Encryption and Security Erase. This article will explain the current approaches in the market and analyze the advantages and disadvantages of each.

The best way to protect data stored on a server, PC, or laptop is to encrypt it as it is written to an SSD. However, this method is often overlooked, and even when encryption is used, it is usually done through upper-level software, which reduces system performance and cannot automatically encrypt every file. Therefore, in recent years, data encryption has typically been implemented in hardware.

Currently, the most common approach to data encryption is AES. AES is an abbreviation for Advanced Encryption Standard and is carried out in hardware. As a result, it can be activated at any time without affecting the transfer performance of an SSD. AES is usually offered with two key lengths, 128-bit and 256-bit. Both require a key (i.e. password) for encryption and decryption. As shown in the illustration below, the Host writes the data, the AES Encryption Engine built into the SSD controller encrypts it, and the encrypted data is finally written into flash memory. Without the encryption key, outsiders cannot decrypt and obtain the data. Some common cryptographic protocols, including TCG Opal 2.0, Microsoft eDrive, IEEE-1667, and the National Secret Algorithm, all use AES technology.

At present, TCG Opal is the most common security protocol for SSDs. The TCG (Trusted Computing Group) is an international nonprofit organization responsible for developing industry standards. Opal is a security specification for storage devices that is applied to enhance data confidentiality. All data is encrypted and decrypted rapidly inside the SSD controller, without any Host-side software processing and without affecting system performance. The main functions of TCG Opal are as follows:

  1. Encryption: AES 256-bit Hardware Encryption Technology
  2. Drive Locking with Password Protection: Password Lock
  3. Range Based Locking/Unlocking: Function settings can be divided into multiple regions
  4. MBR Shadowing: Pre-Boot Authentication

The National Secret Algorithm (SM4) is a block cipher standard adopted by the Chinese government, mainly used for communication encryption and data encryption. The algorithm is public, and both the block length and the key length are 128 bits. Consequently, when encrypting or decrypting, data longer than one block must be split into blocks, and data shorter than a block must be padded. In the future, SSDs sold in the China market will need to support the SM4 algorithm.

To protect data on an SSD without encryption, the only approach is to erase the data. However, even if the same disk area is overwritten, there is no guarantee that the old data stored in the flash memory is completely erased. This is because the SSD performs a re-mapping when new data is written: only the mapping table is changed, and the old data is not overwritten. Therefore, only erasing or destroying the disk can ensure that the data is not retrievable. The main approaches are as follows:

  1. Quick Erase: In special circumstances, erasing cannot take much time, so efficient erasing becomes very important. As shown in the illustration above, quick erase mainly erases the mapping table inside the SSD. Since only the table needs to be cleared, the erasing process can be done within a second. However, because the data itself remains, there is still a risk that it may be retrieved. This function can be triggered either by a short-pin circuit or by issuing the ATA command.
  2. Security Erase: This is the most common way to erase data. It is effective for erasing data from every corner of an SSD. The principle is to clear all user data chunks, the blue area shown in the illustration above. Erasing takes from a few seconds to about a dozen seconds to complete. There are two ways to trigger it: a short-pin circuit for Security Erase, or issuing the ATA command to erase the data.
  3. Destruction: Destruction is the ultimate approach for erasing data. This approach not only erases all data stored in the SSD, but also completely removes the firmware program code of the SSD device, so that the device cannot be recovered, used, or identified by the system. In addition to clearing the tables and data chunks, the core block of program code shown in the illustration above is also removed.
  4. Physical Burn-Up: Under the worst circumstances, some users need to make sure that all the data on the SSD is completely destroyed. For this purpose, a high-voltage current can be fed into the circuit board to physically burn it up. The high-voltage current destroys the internal structure of the flash memory, thereby completely destroying the data. This approach must be supported by hardware, and the circuit board needs to be specially designed.
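
The re-mapping behaviour and the difference between Quick Erase and Security Erase can be seen in a toy model. This is an added example, not part of the original article and not real firmware: the class and method names are hypothetical, the allocator is append-only, and garbage collection is not modelled.

```python
"""Toy flash translation layer (FTL): a constructed model, not real firmware."""

class ToySSD:
    def __init__(self, pages=8):
        self.flash = [None] * pages   # physical pages (raw flash contents)
        self.l2p = {}                 # mapping table: logical block -> physical page
        self.next_free = 0            # append-only allocator (assumption)

    def write(self, lba, data):
        # Out-of-place write: the data lands on a fresh page and only the
        # mapping table entry changes; the previous page is left untouched.
        if self.next_free >= len(self.flash):
            raise RuntimeError("no free pages (garbage collection not modelled)")
        self.flash[self.next_free] = data
        self.l2p[lba] = self.next_free
        self.next_free += 1

    def read(self, lba):
        # What the host sees through the normal interface.
        page = self.l2p.get(lba)
        return None if page is None else self.flash[page]

    def raw_dump(self):
        # What is still physically present in the flash memory.
        return [d for d in self.flash if d is not None]

    def quick_erase(self):
        # Clears only the mapping table; the data pages remain.
        self.l2p.clear()

    def security_erase(self):
        # Clears the mapping table and every user data page.
        self.l2p.clear()
        self.flash = [None] * len(self.flash)
        self.next_free = 0


def demo():
    ssd = ToySSD()
    ssd.write(0, b"secret-v1")        # constructed sample data
    ssd.write(0, b"zeros")            # host "overwrites" the same logical block
    after_overwrite = (ssd.read(0), ssd.raw_dump())
    ssd.quick_erase()
    after_quick = (ssd.read(0), ssd.raw_dump())
    ssd.security_erase()
    after_secure = (ssd.read(0), ssd.raw_dump())
    return after_overwrite, after_quick, after_secure

if __name__ == "__main__":
    for label, state in zip(("overwrite", "quick erase", "security erase"), demo()):
        print(label, state)
```

After the overwrite and after the quick erase, the host can no longer read the old value, yet it is still present in the raw flash contents; only the security erase leaves the flash empty.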

Securing data in advance is a very important measure. If a secured SSD is adopted in advance, the risk of data leakage is significantly reduced if a computer is lost. It is believed that all SSDs in the future will have such functions built in.