NVMe SED (Self Encrypting) vs NVMe

[paleking]

Hi All,

 

This is my first topic on LTT forums, so sincere apologies if this is the wrong place to post this, or if it has been asked previously - I did attempt a search prior to posting!

 

I've been looking over specs released to me today by Dell for their support for NVMe drives for future Latitude laptops, and was curious if anyone has any experiences using Self-Encrypting (SED) NVMe SSD's, and whether there's a tangible real-world performance gain, over using existing software-based encryption methods with a standard NVMe drive. Not asking for specific experiences with Dell-only hardware, but just any interactions with SED; appreciate it's a brand new technology, but thought this would be the best community to hit for potential information.

 

Thanks in advance guys!

 

PaleKing

[Granular]

Software based encryption allows for a more fine grained approach.

I've set a drive password in the BIOS of my Latitude, which I don't know if it actually encrypts the drive, but when I boot, I get prompted for a drive password and upon entering it, I'm unlocking access to all of the drive, when I would rather be unlocking access only to the partition of the OS I'll be booting into.

I still use the hardware level setting because it's really simple to set up and doesn't tax the CPU.

[Granular]

I also haven't heard of hardware encryption allowing for things like plausible deniability i.e. being able to have multiple hidden volumes with different passwords so that if someone asks you to decrypt the drive, you can unlock one of the volumes and there's no way for them to find out/prove that there are others.

[SCHISCHKA]

i dont see a noticeable performance with software encryption vs not encrypting at all on my desktop. Modern CPUs do have acceleration builtin for encryption. I assume on a laptop it would save some battery life having the drive do the work

[paleking]

Hi Granular,

 

Yeah, no issues at all with using software-based encryption; it works and is well-supported, which are huge factors in day-to-day usage, but I'm curious about SED. My thought is more poised surrounding performance and effective usability; if there's a hypothetical 30% cost difference between a standard NVMe and a SED NVMe, but only a 1% performance benefit, then it can be easily dismissed, but if it's performance benefit is greater than it's cost difference, that's a conversation to be had...

 

Without knowing your specific laptop make and model, I'm only guessing here, but that sounds like a Bitlocker-style encryption method, which does encrypt and then de-encrypts the entire drive each time at startup. Not sure, but the speed of that may depend on the complexity and type of encryption used; less complex being quicker to 'solve' and vice-versa.

 

I believe that the reason that there isn't a hardware-level implementation as you described is because volumes are recognised at the BIOS level as different to whole drives, in a similar way as a parent folder is different to a child / sub folder. So I think that you always require a higher-than-BIOS level software to treat hidden volumes correctly, or in that use-case.

[paleking]

Hi Schischka,

 

That's exactly the thought - most performance benefits over time can be a huge saver on battery-life; hence why I'm interested with SED over standard NVMe.

 

To my understanding, encryption vs non-encrypted speeds can depend on a variety of factors, including encryption type, and complexity; but SED - at least on paper - seems to offer quite a significant performance benefit over software-encryption alone. But it is a shiny new technology, so few people may have any interaction with it.