How SSD encryption can protect enterprise data

It's easy for an SSD to fall into the wrong hands. Encryption, which is common in SSDs, is a powerful tool to protect mission-critical and personal data.

Encrypted SSDs have existed for more than a decade, but many end users and some sys admins don't fully understand them.

Most SSDs are self-encrypting drives (SEDs) that support internal encryption. However, there are various levels of encryption, reasons for using it and vendors that supply it, so organizations have a lot to consider.

How SSD encryption works

SEDs use Advanced Encryption Standard (AES) to encrypt data. Most use AES-128 or AES-256 encryption. These standard encryption algorithms have passed many security tests. There's no need to put a lot of thought into the type of SSD encryption.

An SED scrambles data as it is written to the drive, using a unique disk encryption key (DEK) set at the factory. Only users who hold another key, the authentication encryption key (AEK), can command the SSD to descramble data. It would consume an unrealistic amount of time and resources to unscramble the data without the key.

The organization can simply discard a decommissioned SSD because it's unlikely a future user will recover the AEK. In addition, the organization can invoke a special command to deactivate the drive's internal DEK, which makes it impossible to recover the scrambled data.

Chart of AES algorithm encryption process

In addition to encryption, there are SSD protocols, managed by the Trusted Computing Group, that verify the most sensitive data with even greater security.

Why SSD encryption is important

Customers of a medium to large data center that hosts systems expect the data center to safeguard their data.

But the data center experiences hardware failures and also upgrades its systems every so often. Either instance might result in the replacement of an old SSD with a new one.

Most of today's enterprise SSDs already provide encryption in the SSD's controller chip.

If the old SSD still works and it falls into the wrong hands, that customer data could be compromised. Without SSD encryption, financial databases, patient medical records or trade secrets would be available to someone who might cause harm to either the data center's customer or that customer's clients or patients.

In addition, data recovery services can retrieve the flash chips from a damaged or failed SSD. They perform data recovery to get everything back the way that it was prior to a crash, though it can be expensive. If the data on the failed SSD is encrypted, then the recovery produces encrypted recovered data, which can't be used without the AEK, so the data is still safe.

That's fine for the data center, but what about smaller systems, like PCs? Would an SED benefit a PC user? Consider this: Is there any sensitive information on your PC? It may be your personal finances or private email. Whatever it is, know that anyone who steals your PC has access to all this data without SSD encryption.

You might be surprised by what other systems are targets for data theft. For example, a criminal operation bought decommissioned digital photocopiers from a copy service provider and examined all the data stored on the copier HDDs. The copy center's customers weren't aware the copiers had HDDs. The criminals recovered images of hundreds of tax returns with Social Security numbers and other sensitive information because the HDD data encryption was not turned on.

Products that offer SSD encryption

Most of today's enterprise SSDs already provide encryption in the SSD's controller chip. These products include the following:

  • All Kioxia enterprise SSDs.
  • Micron's 5400, 6500 ION, 7450, 9400 and XTR series.
  • Seagate's Nytro line of SATA and SAS SSDs.
  • All of Samsung's SSDs.
  • The majority of Solidigm's data center SSDs.
  • Western Digital's four encrypted data center SSD lines: Ultrastar DC SN640, 650, 655 and 840.

Dig Deeper on Flash memory and storage

Disaster Recovery
Data Backup
Data Center
and ESG