Thursday, March 31, 2011
Intel SSDs have default AES encryption - worried?
Intel have announced the 320 range, their new SSDs with a range of security and data stability tools. They include sizes from 40gig to 600gig (if you have the money!) and my experience is that they are crazy fast. Putting your OS on one of these would make a huge difference to the speed of the overall machine.
However, Intel state that they come with a default AES 128 full disk encryption system which apparently successfully finds the trade-off between speed and encryption/decryption. The thought of new machines coming already set up with an AES flavour is enough to make the average digital investigator hang up his mouse and go stack shelves in Salisbury's (small print - other supermarkets also offer shelf stacking opportunities). Should we be worried?
It is true that the disk comes out of the box running an AES 128 key providing full disk encryption. However, plug the disk into your machine and it will run with no apparent encryption involved at all. How so? Simply because there is no user key set up by default. To make the encryption 'work' as a security layer, the user has to set up an ATA BIOS user password to secure the encryption key. Don't set up a BIOS password, no useful encryption. Excellent!
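For an examiner, the practical question is whether that ATA user password was ever set. The sketch below is an added example, not Intel's code or anything from the security document: it decodes the security status word (word 128) of an ATA IDENTIFY DEVICE block. It assumes the block arrives as a text dump of 256 space-separated 16-bit hex words (the layout assumed here for hdparm --Istdout output); the status values and the /dev/sdX name are constructed.

```python
import re

SECURITY_WORD = 128  # IDENTIFY DEVICE word carrying the ATA security status

# Bit positions within word 128, per the ATA command set.
FLAGS = {"supported": 0, "enabled": 1, "locked": 2, "frozen": 3,
         "count_expired": 4, "enhanced_erase": 5, "max_level": 8}

def words_from_hex_dump(text):
    """Collect the 16-bit words of a hex dump, skipping a 'device:' header line."""
    words = []
    for line in text.splitlines():
        if line.strip().endswith(":"):
            continue
        words += [int(tok, 16) for tok in re.findall(r"\b[0-9a-fA-F]{4}\b", line)]
    if len(words) != 256:
        raise ValueError(f"expected 256 IDENTIFY words, got {len(words)}")
    return words

def security_flags(words):
    """Return each security flag of word 128 as a boolean."""
    status = words[SECURITY_WORD]
    return {name: bool(status >> bit & 1) for name, bit in FLAGS.items()}

def assess(words):
    """Say what the flags mean for acquiring a self-encrypting drive."""
    f = security_flags(words)
    if not f["supported"]:
        return "ATA security feature set not reported"
    if not f["enabled"]:
        return "no user password set: drive decrypts transparently, image as normal"
    if f["locked"]:
        return "user password set and drive locked: password needed before any read"
    return "user password set, drive currently unlocked: acquire before power is lost"

def constructed_dump(status):
    """Build a constructed 256-word dump with only word 128 populated."""
    words = [0] * 256
    words[SECURITY_WORD] = status
    rows = [" ".join(f"{w:04x}" for w in words[i:i + 8]) for i in range(0, 256, 8)]
    return "/dev/sdX:\n" + "\n".join(rows)

if __name__ == "__main__":
    # Constructed status values: factory default, locked, and unlocked-with-password.
    for label, status in [("out of the box", 0x0021),
                          ("password set, powered on cold", 0x0027),
                          ("password set, already unlocked", 0x0023)]:
        print(f"{label}: {assess(words_from_hex_dump(constructed_dump(status)))}")
```
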
You can check out the security document here.
Knowing bad guys (and most of us have the misfortune of knowing their computers rather well), they are notoriously mistrusting of encryption, and it is unlikely that the computer they buy will come with a big sticker saying how vital it is that they set a BIOS password. Indeed, many people, believing that they are experts, will read the drive specs, see AES 128 and believe that they are more secure than NASA. All of which makes me think I should delete this blog post? Ah well, no one reads it!