Protect Your Privacy - Samsung 840 White Paper

Samsung solid state drive white paper

06

Protect Your Privacy

Security & Encryption Basics
In today's mobile world, security is a major concern for both individuals and businesses. With the 840 and 840 Pro Series
SSDs, Samsung is adding peace-of-mind through the implementation of hardware-based AES Full Drive Encryption.
Terminology
In order to understand the encryption technology built into the latest Samsung SSDs, it is necessary to understand
some basic security terminology.
AES
The Advanced Encryption Standard (AES) is an encryption standard approved by the National Institute of Standards and
Technology (NIST) for the safeguarding of electronic data. After being adopted by the US government, the standard
is now used worldwide. This cipher, usually implemented with either 128-bit or 256-bit encryption keys, is widely used
to protect sensitive information and is found integrated at both the hardware and software level. All 840 and 840 PRO
Series SSDs are equipped with a high-performance hardware accelerator that implements AES encryption with a 256-bit key.
FDE
Full Drive Encryption refers to a storage device in which nearly everything is encrypted rather than encrypting only
certain files or folders. This solution is attractive for high-security environments because it makes it simple to destroy
all data on the drive by destroying and replacing the cryptographic key(s) that protect it. With this technology, the swap
space and temporary files are also encrypted, and, when implemented through hardware rather than software, even the
bootstrapping code is encrypted. By using a Trusted Platform Module (TPM), standardized by the Trusted Computing
Group, in conjunction with FDE, the integrity of the boot environment can also be verified.
SED
Self-Encrypting Drive (SED) is a term that refers to a storage device that implements hardware-based FDE. Therefore, an
SED is a special case of FDE. SEDs boast better performance, security, and manageability compared to software-based
FDE implementations, which commonly suffer severe performance degradation as a result of the encryption overhead.
Also, because the encryption key exists only inside the SED itself, it is impossible to access it via the host (operating
system). Software-based solutions are vulnerable to several types of attack because they must store the encryption key
in main memory. Finally, because SEDs provide drive-level encryption that is independent of the operating system and
any other data management tools (e.g. compression utilities, data loss prevention, de-duplication, etc.), users can easily
install an SED into any system without worrying about operating system or application interference.
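
The two properties described in the FDE and SED entries above (the key exists only inside the drive, and replacing it makes all stored data unreadable) can be seen in a small model. This is an added example, not Samsung's code: the class and function names are hypothetical, and an HMAC-SHA256 keystream stands in for the drive's AES-256 hardware engine so that it runs with only the Python standard library.

```python
import hashlib, hmac, secrets

SECTOR = 512  # bytes per logical block in this model (assumption)

def _keystream(key: bytes, lba: int, length: int) -> bytes:
    """Stand-in for the drive's AES-256 engine: HMAC-SHA256 in counter mode,
    tweaked by the sector number. NOT the cipher a real SED uses."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = lba.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

class ModelSED:
    """Hypothetical model of a self-encrypting drive."""
    def __init__(self):
        self._mek = secrets.token_bytes(32)  # 256-bit media key, never returned to the host
        self.flash = {}                      # lba -> ciphertext as stored on the media

    def write(self, lba: int, data: bytes) -> None:
        data = data.ljust(SECTOR, b"\0")[:SECTOR]
        ks = _keystream(self._mek, lba, SECTOR)
        self.flash[lba] = bytes(a ^ b for a, b in zip(data, ks))

    def read(self, lba: int) -> bytes:
        ks = _keystream(self._mek, lba, SECTOR)
        return bytes(a ^ b for a, b in zip(self.flash[lba], ks))

    def crypto_erase(self) -> None:
        """Destroy and replace the key; the stored ciphertext is left untouched."""
        self._mek = secrets.token_bytes(32)

def demo():
    drive = ModelSED()
    secret = b"constructed sample record: payroll.xlsx"
    drive.write(7, secret)
    media_before = drive.flash[7]
    readable_before = drive.read(7).rstrip(b"\0") == secret
    plaintext_on_media = secret in media_before       # what a chip-off read would see
    drive.crypto_erase()
    media_unchanged = drive.flash[7] == media_before  # nothing was overwritten
    readable_after = drive.read(7).rstrip(b"\0") == secret
    return readable_before, plaintext_on_media, media_unchanged, readable_after

if __name__ == "__main__":
    print(demo())
```

After `crypto_erase()` the bytes on the media are identical to before, yet the drive can no longer turn them back into the original data, which is why key replacement serves as a whole-drive erase.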
OPAL
OPAL is the name for an SED storage specification developed by the Trusted Computing Group, the same group
responsible for the TPM microchip mentioned above. It defines a means by which to place an SED storage device under
policy control. Its goal is to protect the confidentiality of user data and prevent unauthorized access to the drive while
still maintaining compatibility with multiple storage vendors through a standardized management interface. Most
systems require 3rd party software to utilize the OPAL Storage Specification, although Windows 8's BitLocker feature
supports this functionality natively.
