Recently, a few SSD models have been introduced that support Full-Disk Encryption per the TCG Opal standard. Many older SSDs already support AES encryption and use the ATA password for this, which is settable in the BIOS. The advantage of Opal is that it divides the drive into a small read-only segment (technically not a partition) with a special boot loader (which prompts you for the encryption password and passes it to the drive) and the encrypted segment which contains your traditional OS and data partitions. These special boot loaders can do much more than a BIOS: for example, they can provide means for key reset and they can talk to a server on the network. They can also have multiple passwords for multiple users and they can be configured entirely from within the OS, which also allows for central management in enterprise environments.
The downside of course is that you need a piece of software to use Opal. This includes WinMagic SecureDoc (for Windows and Mac), Wave Systems Embassy Security Center (for Windows only) and several others, but also BitLocker/eDrive in Windows 8 (however, this requires IEEE-1667 support as well). This is also an advantage as it does not require hardware or OS support; so even Macs could use them:
WinMagic SecureDoc already supports supported Macs until October 2013, but a version for OS X 10.9 was never released. Secude has announced FinallySecure Enterprise Full Disk Encryption with support for OS X and Opal; it hasn’t been released yet and was recently sold to a company named EgoSecure.
Probably the first drive to support Opal was the Seagate Momentus FDE, which was a spinning disk. Toshiba, Hitachi and a few others also made HDDs with Opal support.
Later, the Samsung PM830 (but not the Samsung SSD 830) and the Micron C400 SED (but not the Micron C400 or the Crucial m4) came, which were only available to OEM.
The first Opal-compliant mass-market SSD was the Crucial M500 (it’s also OEM’d as Micron M500), which is also IEEE-1667 compliant. As the M500 currently offers the best GB/$ ratio of all SSDs on the market, it’s been selling superb in the five months it’s been on the market and I hope this drives more software companies to support Opal.
The just-announced Intel SSD Pro 1500 will also support Opal, but apparently not IEEE-1667.
As far as I know, these really are all TCG Opal drives on the market, currently and previously. I expect there will be more coming, but I am kind of surprised that it took this long.
If you know of any others, let me know in the comments.
Update Dec 2013: The Samsung 840 EVO also does Opal.
Update Jan 2014: Wave Systems has a list of Opal drives that work with their software. It lists some Adata XPG SX900 models, the Kingston KC300 (only certain part numbers) and some LiteOn models.
Update Mar 2014: The just-announced Crucial M550, which is very similar to the popular M500, still supports Opal 2.0 and IEEE-1667, and is explicitly advertised as Microsoft eDrive compatible. Same goes for the almost identical ADATA SP920.
Update May 2014: The SanDisk X300s also has both and includes a license for Wave Embassy in case your computer does not support eDrive. Glad to see that Opal and IEEE-1667 are finally making it into a significant proportion of new midrange mass-market SSD models.
Update June 2014: The Crucial MX100 is similar to the M550 with cheaper NAND and supports the same encryption standards. The ADATA Premier SP610 is supposed to get Opal 2.0 through a firmware update later this year, but not IEEE-1667.
Update July 2014: The Samsung SSD 850 Pro has TCG Opal and IEEE-1667. The Intel SSD Pro 2500 has TCG Opal 2.0 and IEEE-1667.
Update September 2014: The Crucial M600 has Opal 2.0 and IEEE-1667, just like its predecessors M500, M510, MX100, M550.
Update October 2014: The Adata SR1010 has Opal 2.0 and IEEE-1667.
Update December 2014: Samsung SSD 850 EVO has Opal 2.0 and IEEE-1667.
Update January 2015: The Crucial MX 200, which is quite similar to the MX 100, has Opal 2.0 and IEEE-1667. The BX 100 does NOT have encryption and is based on a different controller.
Update October 2015: The Samsung SSD 950 Pro is supposed to get Opal and IEEE-1667 with a firmware update at some point.
Update January 2016: The SanDisk X400 is supposed to get a firmware update for Opal in April.
Update February 2016: The Samsung SSD 750 EVO, apparently intended to replace the 850 EVO, has Opal and IEEE-1667.
Update April 2016: The Crucial MX 300 does TCG Opal 2.0, IEEE-1667 and thus also Microsoft eDrive.
Update June 2016: The Micron SSD 1100 was announced with TCG Opal 2.0 and eDrive support.
great article! btw. it looks like ADATA does not support both opal and IEE – http://www.anandtech.com/show/7908/adata-sp920-128gb-256gb-512gb-1tb-review
“The SP920 doesn’t actually support TCG Opal 2.0 or IEEE-1667. This seems to be a feature Micron is keeping to themselves”
Apr 2015 – for strange reasons there are NO enterprise ssd drives on the market with Opal 2.0 support that can be safely put in server. Only consumer ones.
btw, there is open source Opal 2.0 tool – http://www.r0m30.com/msed
Thanks for the msed link. I’ve been following that project on Github, but haven’t actually tried it yet. Also I’m waiting for the EFI pre-boot agent.
I never quite understood the point of full-disk encryption on servers. If you store the key in the TPM, the encryption is useless if the entire server is stolen. If the key is stored on the network, that machine could be stolen as well. If you don’t store the key at all, someone needs to manually provide it each time the server is rebooted.
So that’s probably why there are no Enterprise Opal drives: there’s no real use.
If you have unlimited access to hardware there is an easy possibility for accessing encrypted drive:
unlocked drive can be connected to another computer without power off. But in other cases it can be very useful.
There is another problem: most consumer drives can lost data in case of power-outages ( http://lkcl.net/reports/ssd_analysis.html ). So enterprise SSDs are desirable for valuable data. But in this case data will be unencrypted.
Intel enterprise drives S3500/S3700 and newer S3610/S3710 only support ATA passwords.
Consumer Intel 730 has power lost protection but no encryption.
Samsung 845DC (PRO) – no encryption.
850 PRO – no power lost protection.
Also maybe it’s just because of extra power required for encryption)
How does disk encryption protect you in any other scenario? If someone breaks in via the network, the data is transparently decrypted anyway. The only scenario where disk encryption is useful is on laptops that are lost/stolen while switched off.
As far as I’m aware, the encryption does not consume any significant amount of power. Have you looked at the Crucial M series? They have power loss capacitors and some posts on the internet claim that they do their job, though I haven’t seen a through analysis like the one on the website you linked to. I have a Crucial M500 and so far haven’t lost a single bit that I’m aware of.
Crucial M-series capacitors are not as good as advertised – http://www.anandtech.com/show/8528/micron-m600-128gb-256gb-1tb-ssd-review-nda-placeholder
it seems they only help to protect already written data due to MLC flash writing specificity.
Encryption scenarios on server are the same as you already mentioned:
– manual authorization on reboot (but reboots can be quite rare and scheduled!)
– authorization from network source (that can be protected and hidden!)
in both cases physical access to server and stealing will not give easy access to data.
In both of these scenarios, an attacker could break into your server room and just connect the (already authenticated) disk to his own laptop without powering it down. So physical access to the server does give easy access to the data.
It appears as if the open-source msed project has formed the DriveTrust Alliance, which promises something big for October 15th. We’ll see what happens. They already have a Github account, so it should continue to be free and open source.
Hi
I just want to let you know that I have it on good authority that the Sandisk X400 will NOT get OPAL via FW update. Either the drive ships with it or not.
Great article, thanks. Have you heard if the Samsung 950 Pro M.2 drives have received the promised firmware update to support Opal / IEEE-1667?
I’m waiting for the Opal support on the Samsung 950 pro too. Nothing yet.
Samsung better step up with that firmware. The 960 has already been released.
If they don’t it will be another Samsung product division that will be sworn off forever by me. I’ll never buy another one of their household appliances. Let’s not make it SDD too Samsung.
I wish some Linux distro could enable SED’s HW-based encryption just out of the box…