Hardware vs software based full disk encryption

[GS3]

[ split from support topic How secure is the encryption when installing linux mint, and what does it encrypt? ]

The best and simplest encryption is hardware based full disk encryption. It is transparent and everything is encrypted.

[xenopeek]

The best and simplest encryption is hardware based full disk encryption. It is transparent and everything is encrypted.

It's not. Security researchers at Radboud University in the Netherlands have found they can access data on several very popular Crucial and Samsung SSDs using hardware based encryption without needing to know the user chosen password: https://www.ru.nl/english/news-agenda/n ... -security/. Models that they demonstrated are vulnerable were Crucial MX100, MX200 and MX300; Samsung T3 and T5; Samsung 840 EVO and 850 EVO. Likely other devices are at similar risk.

Linux Mint doesn't use hardware based encryption and is not affected. Windows users using BitLocker to encrypt their disks are affected.

[GS3]

It's not. Security researchers at Radboud University in the Netherlands have found they can access data on several very popular Crucial and Samsung SSDs using hardware based encryption without needing to know the user chosen password: https://www.ru.nl/english/news-agenda/n ... -security/. Models that they demonstrated are vulnerable were Crucial MX100, MX200 and MX300; Samsung T3 and T5; Samsung 840 EVO and 850 EVO. Likely other devices are at similar risk.

That article does not say what or why causes the flaw so it is impossible to say anything but there is no doubt that conceptually hardware based disk encryption is superior to anything software based. And the reason is simple: you take the encryption program and put it inside the disk drive where it is less accessible and where it protects the entirety of the drive, including the boot sector. The fact that some drives have been found to be vulnerable does not detract from that.

I see the vulnerable drives are all SSD and no HDD have ever been found to have vulnerabilities (which is not to say it could not happen).

Linux Mint doesn't use hardware based encryption and is not affected. Windows users using BitLocker to encrypt their disks are affected.

You might be misunderstanding how it works. Linux, or Windows or any other OS do not "use" or even "know" or care about self encrypting drives.

My laptops use Seagate Momentus SED HDD. When I turn the power on the BIOS asks for the password which it passes on to the HDD. Until the HDD gets the correct password it is blocked. When it gets the correct password it is completely transparent to the BIOS. The system then boots but the OS, whatever it is, has no idea if it is dealing with an encrypted drive or not.

I suppose a vulnerability could be found where somehow the password does not totally disappear from the disk's RAM when the disk is powered down but that is similar to vulnerabilities discovered in computer processors and RAM where removing power does not totally erase all the data. In any case we are talking of CIA-level efforts to recover data, not amateur night time. And software encryption is just as vulnerable if not more.

I have had two laptops stolen with all my sensitive data and I rested easy knowing my data was safe.

Another advantage of SED is crypto shredding.

Seagate Self-Encrypting Drive (SED) hard drives are validated as FIPS 140-2 ... to U.S., Canadian or U.K. federal government organizations that require FIPS.

The American and UK governments use and require SED over software encryption. It's good for the American Government and it's good enough for me.

[xenopeek]

I see the vulnerable drives are all SSD and no HDD have ever been found to have vulnerabilities (which is not to say it could not happen).

As I read it, they just looked at highly popular storage devices.

Linux Mint doesn't use hardware based encryption and is not affected. Windows users using BitLocker to encrypt their disks are affected.

You might be misunderstanding how it works. Linux, or Windows or any other OS do not "use" or even "know" or care about self encrypting drives.

With BitLocker the SED drive can be managed by BitLocker and the OS will handle password prompt (through pre-boot authentication) instead of the BIOS.

My laptops use Seagate Momentus SED HDD. When I turn the power on the BIOS asks for the password which it passes on to the HDD. Until the HDD gets the correct password it is blocked. When it gets the correct password it is completely transparent to the BIOS. The system then boots but the OS, whatever it is, has no idea if it is dealing with an encrypted drive or not.

If you were able to confirm that works, great. When last I built a PC I wasn't able to find a (consumer) desktop motherboard that had a BIOS that I could confirm would allow to set an ATA password and would actually pass that password to the SED drive instead of only using it as an on/off switch in the BIOS itself. SED drives without a user set password were vulnerable to hot plug attacks, where just swapping the SATA cable of a powered on or standby system to another computer bypasses drive encryption. As I understand it, at least at the time, it was rare for desktop motherboards to correctly implement this. Perhaps that has changed but I have a hard time recommending this based on my experience over the years.

As I understand it ATA passwords don't apply to NVMe drives so for future builds I'm going to rely on LUKS + dm-crypt.

dm-crypt is sufficiently secure and also certified at FIPS 140-2.

[GS3]

With BitLocker the SED drive can be managed by BitLocker and the OS will handle password prompt (through pre-boot authentication) instead of the BIOS.

I have never used bitlocker so I did not know this but it seems kind of convoluted as it needs to load bitlocker before loading the OS and encryption and so I suppose there could be some vulnerability there.

When last I built a PC I wasn't able to find a (consumer) desktop motherboard that had a BIOS that I could confirm would allow to set an ATA password and would actually pass that password to the SED drive instead of only using it as an on/off switch in the BIOS itself. SED drives without a user set password were vulnerable to hot plug attacks, where just swapping the SATA cable of a powered on or standby system to another computer bypasses drive encryption. As I understand it, at least at the time, it was rare for desktop motherboards to correctly implement this. Perhaps that has changed but I have a hard time recommending this based on my experience over the years.

Quite some years ago I bought off eBay several Dell D620 and D630 which I believe were military surplus and had some fancy smartcard readers, security TPM modules etc. They came with no HDD but I bought some SED Seagate Momentus for them and as far as I can tell they do work as they are supposed to. If I plug the disk into another computer it does not recognize anything at all. When I bought them I wasn't really looking for SED capability; I just found all this security by chance.

OTOH, it is also my experience, as you say, that consumer mobos are not easy to find with SED support. I believe my HP Compaq Elite 8300 CMT system does support it and I bought it with that in mind but to tell the truth after I installed Linux Mint it never really became my main computer as I was hoping and so I never transitioned away from Win XP as I intended. I believe the HDD I installed for Linux is SED but I would have to confirm. And maybe the one with Win 7 is not. Dunno. I hardly ever use it.