More on the new Intel 320 SSD

A few weeks ago, my security go-to guy, Rich P., bought a new Intel 320 SSD for his netbook.  With my encouragement, of course. It finally arrived this weekend, and he installed it. Rich reports not only faster speed, but also a 30-minute improvement in battery life over the WD Scorpio Black it replaced.

He told me the secure erase function, to enable AES, had a snag. But he solved it. I’m documenting it here in case you ran into the same thing he did.

Basically, if the drive isn’t direct-connected to a motherboard’s SATA port, you can’t run the Intel utility that allows a secure erase. Intel Toolbox runs, but the secure erase function was disabled whether he had it connected via USB or ESATA. But direct-connected to the motherboard, the utility worked fine, and let him set a SATA password to enable the onboard AES-128 encryption. “Enable” is a bit of a misnomer, as everything is encrypted no matter what, but until you do a secure erase and set your own password, the encryption has no teeth. It’s like having a lock but gluing the key into it. So technically the door’s locked if you turn the key, but anyone can come and turn the key to open it.

As for the built-in encryption, Rich (who has a CISSP certification) and I came up with some questions that he subsequently sent to Intel. An Intel employee named Scott responded. Based on Scott’s answers, Rich believes it’s good enough for personal and corporate encryption, though it probably still falls short of US DoD standards for some types of classified information. The CIA wouldn’t be willing to rely solely on Intel’s AES-128 to protect its darkest secrets.

Scott confirmed the ATA password is stored on the drive as a non-reversible hash, so you won’t be getting the password off the drive. And the password is used to encrypt the encryption keys on the drive, so just bypassing the password, if it were possible, would yield gibberish.

If that’s not good enough, Rich reports that running AES-512 via Cryptmod in Ubuntu Linux doesn’t slow the drive down any more than it slows down a conventional drive, contrary to some reports floating around, such as the widely quoted blog post from November 2009 at http://www.madshrimps.be/articles/article/965/. The idea that encryption slows down SSDs to the point that they’re slower than platter drives is by no means universal–it depends on the encryption software and the SSD.

Not only that, the Intel Data Migration tool migrated his encrypted Ubuntu partition from his platter drive to his SSD with no issues. Impressive.

And not surprisingly, data migration is much faster between two drives connected to SATA than when one of them is connected via USB 2.0. He knows because he migrated his data, then had to do a secure erase to enable his password, which forced him to migrate it back, secure erase, and then re-migrate to SSD. So he did it three or four times.

I don’t have an Intel 320 (at least not yet) so it’s good to get a report from someone who does.

Much of what detractors have said about SSDs in the past no longer applies to the Intel 320. One thing to remember is that SSDs are still maturing very quickly, like hard drives were in the late 1980s/early 1990s. In 1989, you had to tune the drive’s sector interleave for peak performance, park the drive before powering off the computer, and low-level format the drive when you started seeing more bad sectors than you were willing to tolerate. No wonder some people were afraid of them. By 1992 or so, IDE and SCSI drives were taking care of all of that behind the scenes. Not everything you knew about hard drives in 1989 was true in 1992. Likewise, not everything you knew about SSDs in 2008 is still true in 2011.

If you found this post informative or helpful, please share it!

4 thoughts on “More on the new Intel 320 SSD

  • May 23, 2011 at 8:51 am
    Permalink

    I have a question, based on your previous entry here (https://dfarq.homeip.net/2011/03/ssds-and-built-in-encryption-and-how-to-enable-it/) I am confused about how I can set the password on my Intel 320 SSD

    I checked my BIOS and I do not have any ATA or HDD password settings, just the regular BIOS password (User password and Supervisor password). Reading the replies in the comments makes me think that by enabling my BIOS password this is actually doing the same thing as enabling a ATA password (one are two in the same?). Is this true? I am using a desktop computer by the way.

  • May 23, 2011 at 6:14 pm
    Permalink

    ITPython, I wish I knew the answer to that definitively. I have read claims that setting a regular BIOS password does the job, but have no way to test it myself, so I don’t know.

    Most laptop computers I’ve seen have a specific BIOS option to set the ATA password, but most desktops don’t.

    Maybe now that Intel is interested in selling SSDs for desktop use, and (hopefully) realizes the interest in AES-128 encryption (it’s a small minority, but judging from the traffic I get and the comments I get, it’s an exceedingly vocal and outspoken one), maybe we’ll start seeing ATA passwords in desktop motherboards.

  • May 23, 2011 at 9:51 pm
    Permalink

    Appreciate the reply Dave, I got my drive today and will be installing it tonight. I will do some tests to see if a regular BIOS PW locks the drive as a ATA PW would. I do have some options in my BIOS that mention locking the drive in the description, not sure if it’s the same thing though. See below:

    HDD Security Freeze Lock (Disabled)
    If this item is enabled, it prevents any external application from locking hard drive except for BIOS.

    I also have the option to make the BIOS PW required on boot, so perhaps it will serve as an ATA PW as well. Who knows for sure, but I will try my best to figure this out. If I come across any solid details from my experiments I will post them here for kicks.

    • May 24, 2011 at 7:56 pm
      Permalink

      Please do. Your experiments will help me and countless others.

Comments are closed.