M.2 SSDs - do they have FDE yet?

johnnyscience

So I want to move from SSDs for my OS to M.2 SSDs but only if they have FDE.

Do they feature this yet?

Also my M.2 slot is under my video card on my Asrock Extreme 4 - do these have issues with overheating?

The video card currently has an aircooler on it, but I am getting ready to add a water cooler, so it will lose any air cooling that would have helped keep the M.2 slot cool

My current mobo only has a single M.2 slot, eventually I'd like to upgrade to a new mobo that has two so I can run a dual boot system with Ubuntu

And is Asrock still the only mobo manufacturer that allows access to set a full 32 character ATA password?
 
Looking at Samsung's website there isn't much difference between the 970 Pro & Evo these days. It's almost worth just saving the money and going with the Evo. I currently have two Pro 550s (I think)

I see that AES 256 is now a feature on the 970's, but are they supported and available for use? I remember when these M.2 Samsung drives came out they didn't support AES on them at the time.
 
M.2s do support FDE. My work laptop (HP Elitebook 840) came with a 512GB M.2 drive and it is hardware encrypted using Opal 2. You will have to confirm support between your motherboard / bios and particular drives. This is going to be very combo specific.

My gaming computer has the M.2 slot under my video card as well (MSI Tomahawk B350). There are no temperature issues. NVMe works better when it is on the warm side, anyway. It is the controller that may overheat. However, most NVMe drives come with a heatsink, some motherboards come with a heatsink, and even if you don't have a heatsink or much airflow the controller is unlikely to overheat unless you write a lot of data. I wouldn't really worry about heat. I did not bother putting the heatsink on my M.2 drive. It's not running hot.

Something else to chew on is that you don't need a motherboard to give you multiple M.2 slots. In fact, you can still use a full speed M.2 without any onboard M.2 slots. There are x4 PCIE riser cards that have one or two M.2 slots on them, and these can be added to basically any motherboard. You just need to make sure the motherboard has a second x16 or x8 PCIE slot (assuming the first is for your GPU) or a x4 PCIE slot. Here's a Vantec made x4 PCIE M.2 adapter that I bought and use. It works well.

Finally, you can boot Windows and Linux off one M.2 drive. You just need to make grub the bootloader and you can have an entry for each OS, with separate partitions.
 
You may want to consider something like Veracrypt if encryption is important to you. Device based encryption has shown it is not perfect, and in fact on many popular Crucial and Samsung drives it is implemented improperly or is not truly secure. You can read here for more information.
 
or just use bitlocker (make sure you don't press the e-drive ready button in samsung magician or bitlocker might use SSD hardware encryption) I assume other manufacturers have e-drive disabled by default (or motherboard UEFI bios lacks the e-drive support requirements)

Crucial unfortunately is enabled with e-drive set to full ready state and if the UEFI bios supports the requirements, bitlocker will turn on instantly (if bitlocker turns on instantly you're using hardware, if it has a progress bar after boot up it's software)
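The "instant vs. progress bar" heuristic above works, but BitLocker also reports the backend it is using directly. The script below is an added example (not from the thread or from Microsoft) that parses the text printed by `manage-bde -status <drive>:` and classifies the volume as hardware (SED/eDrive) or software encrypted. The two status dumps embedded here are constructed samples that follow the command's line layout; the OID string after "Hardware Encryption" is what a real dump carries, the numbers in the samples are made up.

```python
import re

# Constructed sample of `manage-bde -status C:` on a volume where BitLocker
# handed encryption to the SSD (eDrive / Opal). Not a real capture.
SAMPLE_HARDWARE = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.17763
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows]
[OS Volume]

    Size:                 476.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    Hardware Encryption - 1.3.111.2.1619.0.1.2
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password
"""

# Constructed sample of the same command while BitLocker is doing the
# encryption itself in software (the "progress bar" case from the post).
SAMPLE_SOFTWARE = """\
Volume C: [Windows]
[OS Volume]

    Size:                 476.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Encryption in Progress
    Percentage Encrypted: 37.2%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password
"""

# One "    Key:   value" line of the volume section.
_FIELD = re.compile(r"^ {4}([A-Za-z ]+?):\s*(.*)$")


def parse_status(text: str) -> dict:
    """Return the indented 'Key: value' fields of a manage-bde status dump."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def encryption_backend(text: str) -> str:
    """Classify the volume: 'hardware', 'software' or 'none'."""
    method = parse_status(text).get("Encryption Method", "")
    if not method or method.lower() == "none":
        return "none"
    # BitLocker reports SED-backed volumes as "Hardware Encryption - <OID>";
    # anything else (AES-CBC 128/256, XTS-AES 128/256) is its own software path.
    if method.lower().startswith("hardware encryption"):
        return "hardware"
    return "software"


def summarize(text: str) -> str:
    """Human-readable one-liner for an admin report."""
    f = parse_status(text)
    return (f"{encryption_backend(text)} | {f.get('Encryption Method', '?')} | "
            f"{f.get('Conversion Status', '?')} ({f.get('Percentage Encrypted', '?')})")


if __name__ == "__main__":
    for name, dump in (("hardware sample", SAMPLE_HARDWARE), ("software sample", SAMPLE_SOFTWARE)):
        print(f"{name}: {summarize(dump)}")
```

On a real machine you would feed the script the output of `manage-bde -status C:` run from an elevated prompt; a result of `hardware` means the drive's own controller holds the keys, which is the configuration the Radboud research discussed later in this thread is about.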
 
I usually like to have my OS on physically separate SSDs in case one gets corrupted, the other is still safe and able to boot up. Putting them both on a single M.2 with partition and grub is a great idea though and I may do it for now since I've been using windows 99% of the time any more (sadly lol)

This is however all breaking news about this hardware issue for sure! We need to go deep on this discussion.

First and foremost when I set my system up I went with the absolute highest hardware FDE possible and added a bios-bootup, 32 character, multi-phrase ATA MASTER-password which is considered Class 0. I did this via a special bios that Asrock supplied me as they were the only motherboard manufacturer (at least at the time) that would provide customers with the special bios to enable a true, 32 character ATA FDE upon request.

Class 0 has to deal with the bios ATA masterpassword & TCG Opal is usually when you are utilizing some type of software. (someone please correct me if I'm wrong)

I also added a TPM (Trusted Platform Module) to the system for an even higher level of hardware security, however if the SSD is removed and tampered with like this article states, the TPM wouldn't be of any benefit.

I didn't want bitlocker or any other software encryption as ALL data stated that hardware encryption was the absolute best/highest level and all software potentially has a backdoor and is not truly secure and made the drive less efficient. Of course there were always conspiracy theories whether Samsung or Crucial had a true "master password" or back door and could hack into it regardless, but they claim they do not. Others have stated Samsung could unlock the SSD if they had the serial # and may have an algorithm to make the key based on the serial # or has a database with the original keys. However I don't think any of this has been proven whatsoever at this point.

Either way, ATA enabled hardware FDE was touted as the most secure option for your data possible (at this time) because hardware based FDE is an almost perfect solution (no performance loss, no excess wear, easier to clone, OS independent, etc). The sole drawback is that hardware based FDE is invariably closed/proprietary, which is automatically suspect.

It is said to be good practice to have a SED SSD regenerate its encryption key (by re-formatting through the secure-erase tool provided by Samsung, it's like a bios interface I think, although I could be wrong on this, I'm a bit rusty) which I'm pretty sure I did also before setting the ATA master password in bios.

Can anyone shed some more light on this recent news, which is clearly a major problem for the state of hardware encryption's viability.

I've read the first link provided, along with this one in regards to the researcher work:

https://www.ru.nl/english/news-agen...oud-university-researchers-discover-security/

Their full research is provided in a 16 page white paper pdf within the article, however I haven't had the chance to read it (but will shortly).

Do they state if it matters how the hardware encryption was originally enabled before they tried to break it? ATA password (Class 0) or bitlocker (TCG Opal) etc? It was interesting to note that the article said even BitLocker's hardware encryption method was unsafe.

Has anyone from the TCG (Trusted Computing Group) commented on this?

The researchers claim that "faulty ATA security and TCG Opal implementations." are the cause for this hardware FDE failure, but don't explain what those faulty implementations are & how they can be fixed?

The researchers also go on to say because the root of the problem resides in how vendors have implemented hardware-level encryption specifications, the two researchers have also advised the TCG working group to "publish a reference implementation of Opal to aid developers," and also make this sample implementation public so security researchers can probe it for vulnerabilities.

So I guess we need to know what these faulty implementations are for ATA & TCG Opal & how these major manufacturers plan on addressing & correcting this problem for all SSDs.

I was also reading that since NVMe drives aren't SATA the ATA password access needs to be ported to them via BIOS? Is this correct? It even said edrive is a bigger problem since it has even less mobo & NVMe support than the Class 0 ATA does.
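Whether a SATA SED is actually protected by the "Class 0" ATA password the post above describes is something you can verify from the drive's own Security section in `hdparm -I`. The script below is an added example (not from the thread, Samsung or hdparm) that parses that section, reports the four flags that matter (supported / enabled / locked / frozen), and checks a candidate password against the 32-byte limit of the ATA SECURITY SET PASSWORD command. The two `hdparm -I` excerpts are constructed samples laid out the way hdparm prints them; the model string and timings are made up.

```python
# Constructed sample: the Security section of `hdparm -I /dev/sda` on a drive
# that supports ATA security but has never had a password set (not a capture).
SAMPLE_UNPROVISIONED = """\
/dev/sda:

ATA device, with non-removable media
\tModel Number:       EXAMPLE SSD 500GB
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

# Constructed sample: password set, unlocked by the BIOS at boot, then frozen.
SAMPLE_ENABLED_FROZEN = """\
/dev/sda:
Security: 
\tMaster password revision code = 1
\t\tsupported
\t\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
Checksum: correct
"""

FLAGS = ("supported", "enabled", "locked", "frozen")
ATA_PASSWORD_MAX_BYTES = 32  # fixed-size field in SECURITY SET PASSWORD


def parse_security(text: str) -> dict:
    """Extract the ATA security flags from hdparm -I output."""
    state = {flag: None for flag in FLAGS}
    state["master_password_revision"] = None
    in_section = False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if in_section and line and not line[0].isspace():
            break  # left the indented Security block
        if not in_section:
            continue
        tokens = line.split()
        if not tokens:
            continue
        if tokens[:4] == ["Master", "password", "revision", "code"]:
            state["master_password_revision"] = int(tokens[-1])
            continue
        negated = tokens[0] == "not"
        word = tokens[1] if negated else tokens[0]
        # "supported: enhanced erase" has extra tokens; only the bare flag lines count.
        if word in FLAGS and len(tokens) == (2 if negated else 1):
            state[word] = not negated
    return state


def assess(state: dict) -> list:
    """Plain-language findings a defender would want from the flag set."""
    notes = []
    if not state["supported"]:
        return ["drive does not implement ATA security; no Class 0 protection is possible"]
    if not state["enabled"]:
        notes.append("ATA security is not enabled: the drive unlocks without any password")
    else:
        notes.append("ATA security is enabled; the drive requires the password at power-on")
        if not state["locked"]:
            notes.append("currently unlocked for this session (BIOS supplied the password)")
    if state["frozen"]:
        notes.append("security is frozen: password cannot be set, changed or disabled until a power cycle or unfreeze")
    if state["master_password_revision"] == 65534:
        notes.append("master password revision is the factory default (65534): vendor master password may still be valid")
    return notes


def valid_ata_password(password: str) -> bool:
    """ATA passwords are at most 32 bytes; longer input is silently truncated by some tools."""
    return 0 < len(password.encode("utf-8")) <= ATA_PASSWORD_MAX_BYTES


if __name__ == "__main__":
    for name, dump in (("unprovisioned", SAMPLE_UNPROVISIONED), ("enabled+frozen", SAMPLE_ENABLED_FROZEN)):
        print(name, parse_security(dump))
        for note in assess(parse_security(dump)):
            print("  -", note)
```

The "frozen" flag is the one that trips people up: most BIOSes freeze ATA security right after POST, which is why a password can often only be set from the firmware setup screen, exactly the access the post says only some vendors expose. The revision-code note is a reminder that a drive can be "enabled" yet still accept the vendor's default master password unless the master password was changed as well.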
 
This thread on Samsung's website about their 960's & 970's seems to state that all of the technology isn't in place for M.2 drives to take advantage of being a boot drive with hardware FDE Class 0 or Opal/edrive yet because of a BIOS update that most manufacturers need to push out. (which who knows if they ever will)

https://us.community.samsung.com/t5...ard-id/memoryandstorage/thread-id/188/page/16

It seems some have been successful in enabling Opal with non-boot drives, i.e. secondary data drives

But this is a motherboard bios issue that needs to be fixed so NVMe's can be utilized and encrypted as boot drives.

Someone in that thread stated this:

"BIOSes with full encryption capabilities for NVME drives probably won't become available in the consumer market for a while until NVME becomes the accepted standard for storage devices in the entire industry, I wouldn't expect a "solution" for this anytime soon, but this is just my personal input. This entire process is much more complicated than most people think, but again, this is just my personal input."

In the past, most motherboard companies didn't even really allow bios access to set an ATA password for SATA SSDs, so it might take some time for us to see NVMe access to enable hardware FDE, if we ever do.
 
But the point of going hardware encryption via ATA password was because it was the absolute best, most secure option. Software is supposed to have a backdoor (I'm sure the hardware does too) and slow the drive down.

I'm going to reach out to the team that broke into the encryption and try to get more info.
 
HDDs (the non-SED HDDs) were more or less just storing the password as plain text and it was super easy to recover (plug it in and access the parts of the drive that saved it). SED drives are supposed to be secure from the outset but recently it seems if you have physical access to the SSD some SSDs can have the security bypassed and the drive unlocked

I would like to assume Intel SSDs are not like this

Software BitLocker is secure, even government can't break into it (unless they have the recovery key or password). VeraCrypt would be the same most likely as it's open source so it's been looked at a lot
 