In case you missed it, last week a team of researchers from Radboud University in the Netherlands discovered a serious flaw in self-encrypting drives (SEDs). Luckily, it only affects drives from two manufacturers, Crucial and Samsung. They accomplished this task spending less than 100 Euros, by reverse engineering the firmware of the drives. You can find all the gory details in their report titled, “Self-encrypting deception: weaknesses in the encryption of solid state drives (SSDs)“. In the report, the researchers stated, “In theory, the security guarantees offered by hardware encryption are similar to or better than software implementations. In reality, we found that many hardware implementations have critical security weaknesses, for many models allowing for complete recovery of the data without knowledge of any secret.” So, why should you stop using native encryption in self-encrypting SSDs? Read on to find out more.
Hardware Encryption is More Secure… Really?
As the report points out, for years there have been arguments in favor of using SEDs. They usually center around protection against physical theft of the drives or, offloading encryption to a specialized co-processor because it is less computationally intensive.
Having the drives encrypted provides some level of protection, but only for the data-at-rest. It doesn’t do anything for your backups or disaster recovery sites. Also, no protection is afforded when the virtual machines are being migrated to another host or data center, as would be the case, for example, when using storage vMotion, unless you spent the money on purchasing drives for all of your data center servers/storage arrays. So, why not consider a software encryption solution?
HyTrust DataControl allows you to manage your encrypted data across different infrastructures with AES 256-bit encryption. DataControl works on-premises and with the leading public cloud platforms, including traditional and hyper-converged storage solutions. With DataControl, you get a centralized and scalable solution to control all your encryption keys and can be assured that your data is encrypted regardless of the hardware or platform it’s stored on.
Get Out Your Checkbook
This brings us to cost. Self-encrypting drives are more expensive than non-encrypting drives. This is especially true for enterprise drives. A self-encrypting enterprise-class hard drive can be up to twice as expensive as its non-encrypting counterpart. On top of that, enterprise drives aren’t necessarily any more reliable than non-enterprise drives. Don’t believe me. Go read the BackBlaze blog. Yes, the backup guys. There are other sources online to backup this statement. Keep in mind that SEDs, physically aren’t any different than traditional hard drives. The main difference is they have specialized chips to support encryption. So, why shell out up to twice the cost for a drive that isn’t necessarily going to provide you more protection and oh, by the way, doesn’t provide much more performance versus software-based encryption leveraging things like Intel’s AES-NI – but we’ll talk more about that later.
When you consider how many SEDs will be needed to fully encrypt the data in your primary datacenter and your backup datacenter and then add up the cost of all of those drives, you may think twice before proceeding with a purchase. The cost might be more than you can afford and will certainly raise eyebrows. HyTrust DataControl can come in at a price point that I think will be quite appealing to you. An added benefit is that you will receive the VMware Ready certified HyTrust KeyControl Key Management Server (KMS) for protecting all of your virtual workloads.
Computational Overhead Really Isn’t a Concern
There have been many SED vendors who have made claims that data encryption is essentially ‘free’ in terms of computational overhead. This is accomplished through the aid of a dedicated coprocessor on the hard drive that offloads the encryption. While this is true, today’s modern processors aren’t really struggling to keep up with the demands we are putting on them. Modern systems today also have encryption offloading capabilities via the AES-NI instruction set. This means that when using software-based encryption data encryption is still essentially “free” in terms of computational overhead.
By this point, I hope that I have convinced you to consider software-based encryption. Specifically, I hope I have convinced you to consider HyTrust DataControl. HyTrust DataControl can help protect your data on traditional hard drives for a fraction of the cost as a hardware-based solution. The encryption follows the data across clouds, uses strong AES-256 bit encryption with AES-NI offloading and there is zero downtime to encrypt and automatically re-key. The VMware Ready certified HyTrust KeyControl Key Management Server (KMS) is included for free, supports an active-active, high availability cluster configuration and can help you maintain control of the encryption keys even if you need to move your data to the cloud.