Performance issues reported on some Solid State Drives with Drive Encryption
Last Modified: 2024-01-06 09:43:49 Etc/GMT
Technical Articles ID:
KB66256
Environment
Drive Encryption (DE) 7.x
For details of DE supported environments, see KB79422 - Supported platforms for Drive Encryption 7.x.

Summary
This support statement is provided by the Product Management Team. Updated: August, 2017

DE supports the use of Solid State Drives (SSDs) with best-in-class performance. There are no special settings or features that administrators need to enable for the optimized use of SSDs. However, there are certain points that need to be understood and considered when SSDs and encryption are combined.

Performance of Encryption on SSDs
DE encryption products use the hardware acceleration offered by Intel AES-NI to achieve near-native performance. Without an AES-NI capable processor, near-native performance can't be achieved; to confirm that a processor supports it, check for the AES feature in the CPU flags (for example with Sysinternals Coreinfo, `coreinfo -f`). DE provides a vast improvement in SSD performance over previous versions because of a highly optimized implementation and use of AES-NI together with an improved driver architecture. There are two broad types of SSDs: drives that store data as it is written, and drives whose controller compresses data internally before writing it to flash.
Tests show that on drives that don't compress data, encryption achieves near-native performance in both read and write operations.
Drives that compress data show slightly different behavior depending on the test being run. Ciphertext is incompressible, so on these drives a benchmark that writes highly compressible data shows a drop relative to the unencrypted drive (the controller can no longer shrink what it writes), whereas a benchmark that writes random, already incompressible data shows near-native performance.
SSDs and Wear Leveling
The physical characteristics of SSDs mean that each individual storage component has a limited number of erase cycles before it becomes unreliable. To extend the life cycle of an SSD, the drive uses wear leveling to spread erase cycles evenly across the entire address space of the drive. The physical address space of an SSD may be larger than the logically addressable space, so that some buffer remains for wear leveling when the drive is full.

The drive maintains a mapping between the logical address and the physical address of data. As an example, logical page 0 might be stored at physical address 20480. If logical page 0 is rewritten, it's almost certain to be written to a different physical location, and the previous physical location keeps its old contents until the drive erases that block. This mapping means that both an unencrypted (legacy) and an encrypted (current) version of the same page can exist on the physical device, at two different locations.

This has an implication for security: the unencrypted data at a given physical address can be forensically recovered from the flash (by reading the chips directly, bypassing the controller's logical view) until new data is written to that physical address. The operating system cannot force the drive to erase a specific stale page; only the drive's own garbage collection does that, on its own schedule. For this reason, we recommend always fully encrypting all volumes on an SSD before any sensitive data is placed on the drive. If sensitive data has ever existed on the drive before it's encrypted, there's always the theoretical possibility of data leakage.

When performing the initial encryption on an SSD, each storage unit (or block) is written once. Typically, each storage unit supports approximately 3,000 to 10,000 erase cycles depending on the technology used. Therefore, the initial encryption of the SSD doesn't reduce the life cycle of an SSD in any meaningful manner.

Modifying Data Files
The architecture of SSDs breaks the addressable space into physical pages (4 KB) that are grouped in blocks (512 KB). Pages are written individually, but erasure is only possible for a whole block. If a page is marked as empty (erased), writing to that page is very fast.
If a block contains some valid pages along with some stale (invalidated) pages, and no more empty pages exist, writing new data into that block is much slower because the drive has to perform a read-modify-write cycle: read the whole block into its cache, erase the block, and write the still-valid pages back together with the new data.
To avoid this sequence of slow writes, most SSDs keep a large area of spare blocks available for incoming data (new or modified) and run a vigorous background garbage collection of invalidated pages while the drive is idle (no reads or writes occurring).
Trim Command
Trim is a command provided by SSDs that operating systems use to notify the drive when pages are no longer in use by the file system. For example, when a file is deleted, it's simply removed from the file system index. Unless the operating system notifies the SSD that the pages that previously hosted the file are no longer in use, the SSD doesn't know that those pages can be considered empty, and it continues to treat the OS-deleted data as valid when writing. As more of these OS-deleted files accumulate, the fewer free pages the drive has and the slower it performs. The Trim command notifies the SSD that the pages listed by the OS are now deleted data and are available for erasing and future writes.

IMPORTANT: We recommend that TRIM is always enabled regardless of whether the SSD is encrypted. On Windows, `fsutil behavior query DisableDeleteNotify` reports `DisableDeleteNotify = 0` when TRIM is enabled. Note that a trimmed sector reads back as zeros or a fixed pattern, so TRIM reveals which parts of an encrypted volume are unused to someone with physical access to the drive; it doesn't reveal the contents of sectors that are in use.

Encrypt used sectors functionality in DE 7.1.0 and later
DE 7.1.0 introduced a feature that increases the speed of the initial encryption process by only encrypting the sectors that are in use by the file system. It's only available with the Offline Activation feature and should be used with care on SSDs because of the data leakage issues described in the Wear Leveling section above: sectors that the file system considers free, including those of deleted files, are never overwritten with ciphertext, so their previous contents remain readable.

IMPORTANT: We recommend not using the encrypt used sectors only functionality on SSDs that have contained sensitive data. On completely new SSDs, this functionality can be used before sensitive data is written to the drive.
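The following toy model ties the Wear Leveling, Modifying Data Files, Trim and Encrypt used sectors sections together. It is an added illustration, not Drive Encryption code: the page and block counts, the stand-in cipher (an XOR, so that ciphertext is recognisable) and the sample data are all constructed for the example. It models out-of-place writes with a logical-to-physical map, block-granular erase, a simple idle-time garbage collector, and a "forensic scan" that reads the raw flash the way a chip-off examination would, bypassing the logical view.

```python
"""Toy flash translation layer (FTL) model (added example, not DE code).
Constructed sizes: 4 blocks of 4 pages = 16 physical pages backing 8 logical
pages, so half the flash is spare area for wear leveling and garbage collection."""
from typing import Dict, List, Optional

PAGES_PER_BLOCK = 4      # real drives: ~128 pages of 4 KB per 512 KB block
NUM_BLOCKS = 4
LOGICAL_PAGES = 8        # logical space is smaller than physical space
SECRET = b"SECRET"       # constructed sensitive data


def encrypt(data: bytes) -> bytes:
    """Stand-in for AES, so ciphertext never contains the plaintext pattern."""
    return bytes(b ^ 0xA5 for b in data)


class SSD:
    def __init__(self) -> None:
        self.flash: List[Optional[bytes]] = [None] * (NUM_BLOCKS * PAGES_PER_BLOCK)  # None = erased
        self.live: List[bool] = [False] * len(self.flash)   # physical page holds current data
        self.l2p: Dict[int, int] = {}                         # logical page -> physical page
        self.erases = [0] * NUM_BLOCKS

    def read(self, lpage: int) -> Optional[bytes]:
        ppage = self.l2p.get(lpage)
        return None if ppage is None else self.flash[ppage]

    def write(self, lpage: int, data: bytes) -> None:
        """Out-of-place write: the new copy lands on a fresh physical page and the
        old copy is marked stale, but its bytes stay on flash until a block erase."""
        ppage = self._free_page()
        self.flash[ppage] = data
        self.live[ppage] = True
        old = self.l2p.get(lpage)
        if old is not None:
            self.live[old] = False
        self.l2p[lpage] = ppage

    def trim(self, lpage: int) -> None:
        """The OS tells the drive a logical page is unused (file deleted)."""
        ppage = self.l2p.pop(lpage, None)
        if ppage is not None:
            self.live[ppage] = False

    def free_pages(self) -> int:
        return self.flash.count(None)

    def garbage_collect(self) -> None:
        """Erase every block that holds no live page. Erase works on whole blocks,
        so a block with even one live page keeps all of its stale pages too."""
        for b in range(NUM_BLOCKS):
            pages = range(b * PAGES_PER_BLOCK, (b + 1) * PAGES_PER_BLOCK)
            if not any(self.live[p] for p in pages):
                for p in pages:
                    self.flash[p] = None
                self.erases[b] += 1

    def _free_page(self) -> int:
        if None not in self.flash:
            self.garbage_collect()          # slow path: reclaim before writing
        if None not in self.flash:
            raise RuntimeError("flash full")
        return self.flash.index(None)

    def forensic_scan(self, needle: bytes) -> List[int]:
        """Physical pages, live or stale, that still hold `needle` in the clear."""
        return [p for p, c in enumerate(self.flash) if c is not None and needle in c]


def full_encrypt(ssd: SSD) -> None:
    """Initial encryption: rewrite every logical page as ciphertext (free pages too)."""
    for lp in range(LOGICAL_PAGES):
        ssd.write(lp, encrypt(ssd.read(lp) or b"\0" * 8))


def used_drive_then_full_encrypt() -> dict:
    """Secret written before encryption: logical reads give ciphertext, raw flash does not."""
    ssd = SSD()
    ssd.write(0, SECRET)
    full_encrypt(ssd)
    return {"logical": ssd.read(0), "raw_plaintext_pages": ssd.forensic_scan(SECRET)}


def fresh_drive_encrypt_first() -> dict:
    """Recommended order: encrypt first, then data only ever arrives as ciphertext."""
    ssd = SSD()
    full_encrypt(ssd)
    ssd.write(0, encrypt(SECRET))
    return {"logical": ssd.read(0), "raw_plaintext_pages": ssd.forensic_scan(SECRET)}


def encrypt_used_sectors_only() -> dict:
    """A deleted file's page is 'free' to the file system, so used-sectors encryption
    skips it and the plaintext stays readable even through the logical address."""
    ssd = SSD()
    ssd.write(0, b"system files")
    ssd.write(3, SECRET)
    in_use = {0}                      # file on page 3 was deleted; not listed by the FS
    for lp in in_use:
        ssd.write(lp, encrypt(ssd.read(lp)))
    return {"logical_page_3": ssd.read(3), "raw_plaintext_pages": ssd.forensic_scan(SECRET)}


def trim_effect(trim_enabled: bool) -> dict:
    """Four deleted files fill block 0. Without TRIM the drive still treats them as
    live, so it cannot erase the block; with TRIM the next collection reclaims it."""
    ssd = SSD()
    for lp in range(PAGES_PER_BLOCK):
        ssd.write(lp, SECRET + bytes([lp]))
    if trim_enabled:
        for lp in range(PAGES_PER_BLOCK):
            ssd.trim(lp)
    ssd.garbage_collect()
    return {"free_pages": ssd.free_pages(), "block0_erases": ssd.erases[0],
            "raw_plaintext_pages": ssd.forensic_scan(SECRET)}


if __name__ == "__main__":
    print("used drive, full encrypt:", used_drive_then_full_encrypt())
    print("fresh drive, encrypt first:", fresh_drive_encrypt_first())
    print("encrypt used sectors only:", encrypt_used_sectors_only())
    print("no TRIM:", trim_effect(False))
    print("TRIM:", trim_effect(True))
```

Running the script shows the three points the article makes: on the used drive the logical read of page 0 is ciphertext but the stale physical page still carries `SECRET`; on the drive encrypted first no plaintext exists anywhere on the flash; with used-sectors-only encryption the deleted file is still readable at logical page 3 with no forensic tools at all; and the four deleted files are only erased (and their pages returned to the free pool) once TRIM has told the drive they are stale.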