I wasn't specifically talking about EOL of the product, eg. you're silly enough to leave your laptop on display in the car or someone nicks your PC from home.-4wd
Then you're no better (or worse) off than with a mechanical drive
I thought one of the points of the article was that Secure Erase wasn't properly implemented in some controllers and there was no way you could verify it had done it.-4wd
Well, yes - that's the short version. There's some drives that don't support Secure Erase, and one that says it does but doesn't do anything. For the rest of the drives, you need to build custom hardware to get at the data - and you'll only be able to get at a (low) percentage. In other words: this isn't an attack you should fear as a normal person, people are only likely to launch an attack like that against really high-profile data.
“The danger, however, is that it relies on the controller to properly sanitize the internal storage location that holds the encryption key and any other derive values that might be useful in cryptanalysis,” the researchers wrote. “Given the bugs we found in some implementations of secure erase commands, it is unduly optimistic to assume that SSD vendors will properly sanitize the key store. Furthermore, there is no way to verify that erasure has occurred (e.g., by dismantling the drive).”
And that's even using drive encryption, at least with a HDD I can verify to a very high percentage that any data I wiped using one of the many secure wipe programs will indeed be unrecoverable to the general public.-4wd
Keep in mind that for the AES-encrypted drives, what the paper says is that they can't verify the AES key has been wiped from storage. Now, I haven't studied the ATA specs in detail, so I'm not sure how this is stored, but hopefully it's stored in encrypted for and unlocked with the passphrase you send to the drive... so this isn't something I'd lose sleep over as a normal user, but it definitely something drive makers will want to address ASAP to retain enterprise trust.
I'll have to fully read the pdf but do they specifically mention any SSD controllers to either use or avoid?-4wd
I only skimmed the paper, but as far as I can tell they don't drop any names
Sorry, I know the random access will give the SSD the advantage over the HDD, I was just wondering if it was worth it in my case.-4wd
Hard to tell - depends on what you do. Even without special needs, it does speed up everyday stuff a fair amount... the problem is that you get used to it, so after half a year it doesn't feel zippidy fast anymore, but all HDD based computers seem like slugs
Eóin: I don't think wear-leveling + TrueCrypt is a problem for us regular people, as even if somebody seized or systems, they wouldn't be subjected to heavy and expensive crytpanalysis. I dunno if there's even any public AES attacks that can utilize knowledge of multiple encrypted blocks, or if it's only in the secret NSA backdoor labs
. But it's definitely a valid concern as well.
It sounds likely that TrueCrypt can cause performance or even lifetime degradation of drives - consider that SandForce controllers emply compression to enhance both, and encrypt "has a peculiar tendency" (
) to make data uncompressable.
Recent Posts
