Review: Encrypted solid state drives protect laptop data

Other World Computing (OWC) wins SSD performance test with otherworldly results

Vendors are touting solid state replacement drives as a way to protect corporate data in the event of a laptop being lost or stolen, and to boost performance at the same time.

We tested five SSDs to determine if they, indeed, were encrypting data and if the encryption could be somehow broken. In other words, were they safe to use if the device were stolen from or with a notebook?

The answer is: summoning our best tools, we could not crack their encryption. Not only that, these drives delivered read and write speeds that were up to five times faster than the hard drives that came with our enterprise-grade laptops.

The products under test were 2.5 inch, SATA-3 replacement drives from Other World Computing (OWC), OCZ Technologies, Micron Technologies, Adlink Technology and Intel.

All of the drives passed the encryption test with flying colors. When it came to performance, the OWC Pro 6G was fastest, running at sometimes five times the speed of the 500GB Hitachi drive that came with our Lenovo laptop. While OWC took the prize, all of the SSDs worked at several times the speed of our baseline hard drive.


Encryption options

Notebook hard drives can be encrypted via either software or hardware methods.

For example, tools like Microsoft's Bitlocker offer operating-system level software encryption. With this method, the resident operating system can encrypt files, folders, whole disk partitions, or even the entire disk. However, this could leave file system information like names, ownership, and location intact or predictable.

If the master boot record (MBR) is available and isn't encrypted, forensic work can start to attack the contents of the drive because much of the file and data formatting becomes known, although decryption is still difficult.

If the BIOS "HDD Master" and/or "HDD User" passwords are set, the drive's MBR becomes encrypted, and a usable forensic analysis path becomes unavailable.

There are also many third-party encryption vendors that use their own software-based encryption seed or methodology, while others may use Trusted Computing chip hardware resident in the machine to encrypt.

In addition, most PCs have BIOS settings that allow them to use SATA or SAS encryption that's been available for roughly the past dozen years. We chose drives that use the BIOS method (to make things operating system agnostic) to answer questions regarding the encryption safety of replacement drives. (See how we conducted our test.)

Each of the drives came encrypted with the SATA master and user encryption keys enabled and hashed, so that they weren't readable until a BIOS command was used to set the passwords for each.

SSD performance chart

SATA and SAS (Serial ATA and Serial-Attached SCSI, respectively) drives, whether traditional mechanical drives or SSDs, use a hierarchical command set to encrypt data on the drive. If the drive is removed and placed into an identical machine lacking the encryption key (set in the BIOS), the drive is unreadable, as though it were blank or filled with random data, with no partition table or other recognizable partitioning or boot sector information.
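The two observations in the paragraph above (no partition table or boot sector, and data that looks random) can be checked on a raw dump of a drive's leading sectors. The following Python is an added example, not part of the original review or the testers' tooling; the function names and both sample images are constructed for illustration.

```python
import math
import random
import struct
from collections import Counter

SECTOR = 512

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def mbr_partitions(sector0: bytes) -> list:
    """Return (type, start_lba, sectors) per used MBR entry, [] without 0x55AA."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return []
    entries = []
    for off in range(446, 510, 16):  # four 16-byte partition entries
        _, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", sector0[off:off + 16])
        if ptype != 0:
            entries.append((ptype, lba, count))
    return entries

def assess(image: bytes, chunk: int = 4096, threshold: float = 7.5) -> dict:
    """Summarise whether a raw dump shows structure or looks like uniform noise."""
    chunks = [image[i:i + chunk] for i in range(0, len(image) - chunk + 1, chunk)]
    return {
        "mbr_signature": image[510:512] == b"\x55\xaa",
        "partitions": mbr_partitions(image[:SECTOR]),
        "gpt_header": image[SECTOR:SECTOR + 8] == b"EFI PART",
        "low_entropy_chunks": sum(shannon_entropy(c) < threshold for c in chunks),
        "duplicate_chunks": len(chunks) - len(set(chunks)),
        "total_chunks": len(chunks),
    }

def constructed_samples(size: int = 64 * 1024):
    """Two constructed images: one resembling noise, one with a plain MBR."""
    rng = random.Random(2012)  # fixed seed so the run is repeatable
    noise = bytes(rng.getrandbits(8) for _ in range(size))
    plain = bytearray(size)  # zero-filled disk with one NTFS-type (0x07) entry
    plain[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 1000000)
    plain[510:512] = b"\x55\xaa"
    return noise, bytes(plain)

if __name__ == "__main__":
    for name, img in zip(("noise", "plain"), constructed_samples()):
        print(name, assess(img))
```

High entropy alone does not prove the encryption is sound, since compressed data scores the same way; it only shows the absence of the obvious structure an unencrypted disk would expose.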

Behind Native SSD Encryption

The concept is that if a notebook is stolen, then a BIOS password could protect the machine from someone booting it in any way. In the bad old days, a thief or forensic expert would remove the drive from a stolen or captive machine, then boot it on another machine, where its contents would be potentially revealed. If files were encrypted, then small files would be attacked until the key was revealed. The key would in turn be used to reveal the contents of the rest of the drive.

Hard drives potentially had the encryption key stored on the controller logic board atop the hard drive mechanism, and by replacing the controller board with a fresh controller, the contents of the drive might be able to be revealed unless other, additional content encryption methods were used.

Much of the SSD encryption relies on the BIOS, and while we used a Lenovo T520 Notebook with a standard Intel i5 chipset, behavior of other BIOS software may vary from our results. That said, all of the SSDs we tested were fully encrypted, so far as we can tell, and we know of no forensic tools that can read either the factory-set Master or User passwords, so as to be able to decrypt the contents of the drive by any other means. Trust us, we tried.


Here are the individual reviews:

Other World Computing (OWC) Pro 6G

It arrived in a small blister pack, and worked as described. We installed it into our Lenovo T520 notebook, set passwords in the T520 BIOS, restored our test bed version of Windows 7 into it, and proceeded to test it with CrystalMark.

It blew the rest of the drives away, performance-wise. We then yanked the drive, and proceeded to test it in our other T520, which was identically configured, but without passwords. We used Linux hdparm to try to make the controller find hidden areas on the drive (there were none) and we could not find any pattern to the data on the drive. We saw no reduction method or pattern that would give us any clue as to the contents of the drive. We could only use the ATA Erase Unit after we unlocked the drive in the T520's BIOS.

This no-frills drive came with no additional software or cables or even a data sheet, but it out-performed all of the other drives we were sent, almost six times as fast as the native drive of the T520, the Hitachi 500GB TK500-500 conventional drive.

It's tough to argue its performance. The capacity of the drive, formatted, was about 460GB, as reported by Windows 7.

OCZ Deneva 2

Like the OWC, the Deneva 2 drive was very fast. It otherwise behaved almost identically to the OWC, save it was a tad slower. No additional software arrived with it, and it formatted to 230GB, as reported by Windows 7.

Micron Crucial M4

The M4 came more prepared to do work than the others. The box arrived with a USB-SATA3 cable and a CD that can be used to clone an internal drive, then transfer the data on to the newly installed M4. We tried this, and it went without a hitch, although the USB 2.0 interface and driver isn't blazing, so copying large drive capacities can take time. We timed about two hours for our artificial 120GB test drive load. The instructions for transferring data were sparse, but we figured out the Windows-only software.

Adlink Technology ASD25

Adlink's drive performed in the middle of the drives tested. No special software was sent with the drive, but it installed normally, and could not be decrypted, much as we tried. As this was one of the first drives to arrive, we paid it special attention and pounded it every way we could find. It remained a mystery, unless the BIOS HDD passwords were correct. It formatted to about 248GB as reported by Windows 7 and was sent as 256GB.

Intel 320 Series

The Intel SSD drive was fast, but in the midrange, still well more than twice as fast as the native conventional drive of our test unit, the Lenovo T520. Intel also has some online tools that "optimize" the drive, and recommends that the tools be run weekly; they take only a few seconds to run to completion. The Windows-only drive tool can also Secure-Erase the drive, which re-writes the SSD; the software also worked with the other drives we tested. The drive formatted to about 300GB as reported by Windows 7.

Overall, were we to pick one, it would be the fastest for the least cost, although we did appreciate the cloning tools sent with the Micron Crucial M4. We can't say if a three letter U.S. agency has a method that we don't know about that can decrypt a drive forensically, but we couldn't do it.

Henderson is managing director for ExtremeLabs, of Bloomington, Ind. Henderson can be reached at kitchen-sink@extremelabs.com.

Copyright © 2012 IDG Communications, Inc.