The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    OS and Data Encryption x220

    Discussion in 'Lenovo' started by DasArtis, Aug 10, 2011.

  1. DasArtis

    DasArtis Notebook Enthusiast

    Hi all, having just received my x220 and Intel 310 mSATA, I wanted to flesh out any flaws in preventing unauthorized access to data if the laptop were stolen. I've done a number of searches, and the information seems to be spread around and some of the responses seem less definitive than others. Ideally, I'd prefer the more secure solution, but if I can optimize performance while doing so that would be great.

    I will be using an OS (mSATA) + data (stock hard drive) combination.

    I am planning on using an ATA hard drive password for the Intel 310, and using TrueCrypt to encrypt the hard drive. I have the i5 2500, which supports AES-NI, so that helps performance.

    I've seen a previous thread here and numerous ones on Google regarding the security issues surrounding an ATA password and SSD with a lot of uncertainty. Is the following assumption correct?

    Intel 310/320/510 and other SSDs that have device level encryption create a new key with each secure erase, and the ATA password is required to access the device, but is not involved in the encryption process? Even if the drive were moved to another computer, an ATA password would be required to access the drive, and direct read of the memory is not possible because the information has been encrypted. This would mean that software full disk encryption of the SSD is not necessary. I do understand that software FDE allows us to back up the encryption key whereas device level encryption does not, and I am fine with the tradeoff to gain a little performance since it's an OS drive, and I can re-image it.

    Thanks for any responses. I know this has been talked about in the past, but this exact question did not seem to be directly addressed previously.
     
  2. thetoast

    thetoast Notebook Evangelist

    Where have you read that the 310 offers built-in encryption? I've only seen that in the 2.5" drives. If it is not available on the 310, the ATA password would be of little consequence. Even if it was enabled, I wouldn't trust it. No way to manage it, and it's worrying that while encrypted, it would forever be tied to this computer.

    I've been running FDE with TrueCrypt for the past month, and it's been plenty fine. Even with a CPU that has AES-NI, I've lost perhaps as much as 30% disk benchmark performance, but it hasn't been noticeable in practical terms. The Intel SSD Toolbox software has a utility that can effect TRIM on the 310, even with software encryption. Set it to run weekly or so.
     
  3. ThinkRob

    ThinkRob Notebook Deity

    You've lost 30% performance on a CPU *with* AES hardware support?

    I have a tough time believing that, because my dm-crypt-ed drives (AES-256-CBC+SHA256) don't exhibit that sort of loss, and that's on machines *without* hardware encryption support...

    Edit: Maybe on a benchmark, I can believe that there might be some benchmark that exhibits that sort of loss. But it doesn't reflect my experience at all. Odd.
     
  4. Thaenatos

    Thaenatos Zero Cool

    We use TrueCrypt and encrypt the entire drive and don't notice much if any performance hit.
     
  5. thetoast

    thetoast Notebook Evangelist

    Two factors in that:
    -I'm running an SSD. Look at the pic below -- those are the random reads in HDTune Pro. Even with running the Intel TRIM utility which does work with encrypted drives, I don't get all the performance back.
    -Many CPUs that don't have AES-NI support can encrypt/decrypt AES fast enough to not degrade HDD performance, though not enough for SSD performance (though of course there is far greater CPU overhead with non-AES-NI chips)

    But I'll reiterate that I don't notice the difference in daily use.

    [​IMG]

     
  6. pipspeak

    pipspeak Notebook Deity

    Now I'm curious what the hardware encryption options are (if any) for the Intel 310-series SSD.... in my case on a T420. And how does one enable the ATA password option?
     
  7. thetoast

    thetoast Notebook Evangelist

    That's what I was getting at in my first post... I've never seen mention from Intel that the 310 has a built-in encryption provision.

     
  8. DasArtis

    DasArtis Notebook Enthusiast

    I guess that seems to be a pretty serious oversight on my part. I made the incorrect assumption that all of the 3rd gen Intel drives have device level encryption, but on going back to the reviews/specs the 320 has mention of device level encryption, but not the 310. Sorry for the mis-post! So the ATA password wouldn't provide any protection against direct access since the data isn't encrypted.

    And yes, after encrypting both drives with TrueCrypt, I've had a slight decrease in benchmark performance, but there hasn't been a noticeable drop in performance in normal usage.

    From the responses, it seems full disk encryption with TrueCrypt or similar programs is the way to go. Thanks!
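
The distinction reached in the post above (an ATA password gates access to the drive interface but says nothing about whether the stored data is encrypted) can be checked on Linux from the `Security:` section of `hdparm -I` output. This is an added example, not part of the original posts: the sample output is constructed, and `parse_ata_security` and `assess` are hypothetical helper names.

```python
import re

# Constructed sample of what `hdparm -I /dev/sdX` prints on Linux
# (not captured from any drive mentioned in the thread).
SAMPLE_HDPARM = """\
Commands/features:
\tEnabled\tSupported:
\t   *\tSMART feature set
\t   *\tSecurity Mode feature set
Security:
\tMaster password revision code = 65534
\t\tsupported
\t\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\tSecurity level high
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

FLAGS = ("supported", "enabled", "locked", "frozen")

def parse_ata_security(text):
    """Return {flag: bool} for the ATA Security feature set, or None if absent."""
    state, in_section = {}, False
    for line in text.splitlines():
        if not in_section:
            in_section = line.strip() == "Security:"
            continue
        if line and not line[0].isspace():   # next top-level section
            break
        m = re.match(r"\s+(not\s+)?(\w+)\s*$", line)
        if m and m.group(2) in FLAGS:
            state[m.group(2)] = m.group(1) is None
    return state if in_section else None

def assess(state):
    """Summarise what the ATA password does and does not protect."""
    if not state or not state.get("supported"):
        return "no ATA security: drive cannot be password-locked"
    if not state.get("enabled"):
        return "ATA password not set: drive opens on any host"
    # The flags describe access control only; nothing here says the
    # flash contents are encrypted, which is the thread's point.
    return "ATA password set: interface locked, encryption NOT implied"
```

Whether a given model encrypts its flash has to come from the vendor's specification, as the thread found for the 310 versus the 320.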
     
  9. mil2

    mil2 Notebook Consultant

    Exactly. I've seen a statement from Intel on their forums that the 320 is the only Intel SSD that supports device level encryption. In particular, the in principle higher-grade 510 series does not support it.
     
  10. ThinkRob

    ThinkRob Notebook Deity

    Huh.

    I wonder if it might be an OS or software-stack thing?

    Some quick "back of the envelope" calculations/benchmarking on my current laptop (X25-M G2, C2D T8100) only shows about a 10% drop in random 4K performance. Now I'm using Linux and dm-crypt, so I'm thinking that might have something to do with it...
     
  11. Iucounu

    Iucounu Notebook Consultant

    I use TrueCrypt and just encrypt my sensitive files. Note that I don't use a page file, however. This makes it easy to port my sensitive files to another machine, back up just those files in one big lump, etc. I don't see the benefit in encrypting the Windows directory and every other thing that I install on a machine.
     
  12. thetoast

    thetoast Notebook Evangelist

    It's a benefit because it encrypts:
    -configuration files (local and network password caches, Wi-Fi passwords, and the like)
    -application database files (MS Outlook, IM chat logs, etc.)
    -pagefile/hibernation file
    -browser cache, cookies and passwords
    -and, adds a massive hurdle to anyone messing around without your permission

     
  13. Iucounu

    Iucounu Notebook Consultant

    I just need to keep my sensitive client information safe. I'm not really worried about throwing up yet another hurdle to someone who's stolen my laptop; they won't get any sensitive data.

    I guess the Wi-Fi passwords might be the only real issue. The "application database files" are not; you can store those wherever you like. I will have to rethink whether slowing down my entire system to additionally safeguard my Wi-Fi passwords is necessary, when I could just change the password if my laptop were stolen...

    Actually, nah. It might be different if I had a large environment to protect and highly sensitive data available over wireless.

    Seeing as how my data will be safe anyway, I don't think there's any reason to encrypt Windows and everything else on my laptop. Whoever steals it will be able to wipe the drive no matter what to fence it, and won't get anything sensitive out of my TrueCrypt volume. Plus, I've never had a laptop stolen because I'm careful.