Update: This entry was based on preliminary information that turned out to be incorrect. Please see the following update.
One of the last knocks on SSD performance is that they don’t perform well with full-drive encryption. But on Sandforce 1200- and 2200-based drives, and the next-generation Intel 320 drives introduced today, that’s not an issue anymore. Encryption happens on the drive, in hardware, with no performance penalty.
The problem was that nobody talked about how it works. I found the details buried in Anandtech’s review of the Intel 320 drive. The takeaway is this: If you set your BIOS password, the drive will be unreadable if you remove it and put it in another system. Update: No it won’t. But you can add ATA password support, under some circumstances.
It’s been a long time since I’ve bothered with BIOS passwords, since they’re trivially easy to defeat. So I never noticed that modern PCs also use the BIOS password as the ATA password. Sandforce and Intel 320 SSDs already write everything with AES-128 encryption. AES-128, if you’re wondering, meets US Government standards for classified information up to the SECRET level. As far as the US Government is concerned, the difference between SECRET and TOP SECRET is “grave damage” to national security vs. “exceptionally grave damage” to national security. If you’re wondering, the diplomatic cables and other classified information published by Wikileaks in 2010-2011 were classified SECRET.
Put simply, AES-128 isn’t good enough for a government’s very deepest, darkest secrets, but it’s good enough for most classified information. So it’s probably good enough for you.
The AES-128 encryption in modern SSDs happens at the hardware level automatically, so there’s no speed penalty for using it, and you have nothing to gain by not using it. Simply set your BIOS password on your system, and your drive is encrypted, regardless of which operating system or systems you run. The only reason to use software-based encryption is if AES-128 isn’t secure enough for you for some reason.
If someone attempts to defeat it by the conventional method, clearing the password with a jumper on the motherboard (or, perhaps, other methods depending on the system), the attacker won’t find a readable drive, and won’t be able to boot into the operating system. So, essentially, ATA passwords and the way they’re implemented on modern SSDs really give teeth to the BIOS password. But since it’s not dependent on the host operating system, if a critical system file gets blitzed and renders your drive unbootable, a recovery CD will still work to salvage whatever data may remain on the drive.
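Since the update above says a BIOS password does not necessarily become an ATA password, the practical question is how to tell whether the drive itself is actually password-protected. On Linux, `hdparm -I /dev/sdX` prints a "Security:" section reporting whether ATA security is supported, enabled, locked and frozen. The script below is an added example, not code from the original post or from any drive or BIOS vendor: it parses that section and gives a yes/no verdict. The two hdparm transcripts embedded in it are constructed samples in the shape of that section, not real captures, and the device name `/dev/sda` is only an illustration.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an ATA security
# password is really set by parsing the "Security:" section of `hdparm -I`.
# Both transcripts below are CONSTRUCTED samples, not captured output.

# Drive that supports ATA security but has no password set: what you see when
# a BIOS password stayed in the BIOS and never reached the drive.
SAMPLE_NO_PASSWORD='
/dev/sda:

ATA device, with non-removable media
        Model Number:       EXAMPLE-SSD (constructed sample)
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
'

# Drive with an ATA user password set, unlocked by the firmware at boot and
# then frozen so the password cannot be changed from the running OS.
SAMPLE_PASSWORD_SET='
/dev/sda:

ATA device, with non-removable media
        Model Number:       EXAMPLE-SSD (constructed sample)
Security:
        Master password revision code = 65534
                supported
                enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
'

# ata_security_state HDPARM_OUTPUT WORD
# Prints "yes" if the Security section lists WORD on its own (e.g. "enabled"),
# "no" if it lists "not WORD", and "unknown" if WORD does not appear at all.
# The sed range keeps only the indented lines that follow "Security:", up to
# the next line that starts in column one.
ata_security_state() {
    printf '%s\n' "$1" |
        sed -n '/^Security:/,/^[^[:space:]]/p' |
        awk -v w="$2" '
            $1 == "not" && $2 == w { print "no";  found = 1; exit }
            $1 == w                { print "yes"; found = 1; exit }
            END { if (!found) print "unknown" }'
}

# ata_security_summary HDPARM_OUTPUT
# One line: supported=.. enabled=.. locked=.. frozen=..
ata_security_summary() {
    printf 'supported=%s enabled=%s locked=%s frozen=%s\n' \
        "$(ata_security_state "$1" supported)" \
        "$(ata_security_state "$1" enabled)" \
        "$(ata_security_state "$1" locked)" \
        "$(ata_security_state "$1" frozen)"
}

# ata_password_protected HDPARM_OUTPUT
# Succeeds (exit 0) only when a user password is set, i.e. enabled=yes.
# "enabled=no" means the drive will read normally in any other machine,
# whatever the BIOS password setting says.
ata_password_protected() {
    [ "$(ata_security_state "$1" enabled)" = yes ]
}

# Stand-alone demonstration on the constructed samples. On a real machine,
# feed the live output instead: ata_security_summary "$(sudo hdparm -I /dev/sda)"
ata_security_summary "$SAMPLE_NO_PASSWORD"
ata_security_summary "$SAMPLE_PASSWORD_SET"
```

The "frozen" flag matters for the second half of the post: many firmwares freeze the drive's security state before handing off to the OS, so a password can only be set or cleared from the BIOS (or before the freeze), not from a booted system. A report of `enabled=no` is the concrete signal that setting the BIOS password did not, on that machine, protect the drive.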