OCZ Vector 256GB SSD AES 256-bit Encryption Technical Details
After previously posting a summary of my research around the best options for a well priced high performance and secure 256GB SSD drive, I attempted to gather as much detail as possible around the encryption provided on the OCZ Vector 256GB drive.
The official documentation for the OCZ Vector 256GB drive used to state, “Data Encryption: 256-bit AES-compliant, ATA Security Mode Features”. This information has been removed within the last week and I inquired about this below. In addition, the previous official documentation was vague and didn’t provide much technical detail. With the help of Dr Charl Botha and his blog, SSDs with usable built-in hardware-based full disk encryption, I was able to hold a very technical conversation with an OCZ Technology Support representative, Eric Von Stwolinski, regarding the AES encryption implementation on the OCZ Vector 256GB drive.The full conversation is below.
In the end I’ve found the lack of technical details and current conflicting information to be confusing. The overall experience has been slightly frustrating as no definite conclusion can be drawn.
If you have any feedback or ideas, feel free to post them in the comments.
Apr 23rd, my original question:
“1. Does the encrypt its AES keys with the ATA password?
2. Is the ATA password stored as a non-reversible hash on the firmware?”
Apr 23rd, Eric Von Stwolinski:
“The drive does support 256-bit AES. It is enabled by setting an ATA level password.
Once a password is set the drive is completely inaccessible until the password is provided. There is no master password for the drive or any way to access the drive other than to supply the correct password once it is enabled.”
Apr 24th, my reply:
“Is the AES key, that is used to encrypt the data on the drive, encrypted using the ATA password?”
Apr 24th, Eric Von Stwolinski:
“It uses AES encryption, but this feature is enabled and used by setting the ATA password on the drive.
If no ATA password is on the drive then the AES encryption is inactive. Only when an ATA password is applied to the drive is the AES encryption used.”
Apr 24th, my reply:
“Unfortunately, your last response doesn’t directly answer my question. I’ll repeat and rephrase my question. Thanks for your assistance in clarifying this important point for me.
Repeat: ‘Is the AES key, that is used to encrypt the data on the drive, encrypted using the ATA password?’
Rephrase: I understand that the AES encryption is only activated once the ATA password has been applied. My question is about how the ATA password is applied in relation to specifically the AES encryption key. AES encryption requires a key to encrypt and decrypt the data. The handling of this AES key is the focus of my question. Is the AES key itself encrypted using the ATA password?”
Apr 25th, Eric Von Stwolinski:
“The ATA password is the AES key.
The key for AES is enabled, disabled, or set using the ATA level password function. If an ATA password is set then AES is enabled, and the key to unlock the drive is the ATA password.
This means the ATA password must be provided every time you want to access the drive or if you want to change/disable the password.
Any attempt to access the drive without providing the ATA password would require getting through AES 256 bit, which isn’t possible to do with currently existing computers.”
Apr 29th, Eric Von Stwolinski: “The notes about AES support are just on the product page for the Vector drive:
http://ocz.com/consumer/vector-7mm-sata-3-ssd”
Apr 29th, my reply: “Hi Eric,
I have two follow-up questions. I do appreciate your assistance is sorting the AES encryption on the OCZ Vector SSD!
1) The product detail page you linked is very vague only saying, “256-bit AES-compliant, ATA Security Mode Features”.
Is there a more detailed public resource that provides the same level of detail you’ve provided regarding the AES encryption key and relation with the ATA password?
2) Regarding your previous comment two responses ago, “The ATA password is the AES key.” If this is true, then changing the ATA password will change the AES key, since they are the same. The current data on the OCZ Vector SSD, which was encrypted with the prior key, can’t be decrypted with the new/changed key, rending the current data unreadable? To summarize, you’re saying if the ATA password is changed, the current data on the OCZ Vector SSD is lost?”
Apr 29th, Eric Von Stwolinski: “We have no further documentation about the drive’s security features. This is only a consumer grade drive. Our enterprise grade drives have much more documentation available. If you are looking for a high security drive I strongly recommend looking into an enterprise grade drive.
If you wish to destroy all information on the drive forever, that can be done using the secure erase function in the toolbox utility. This is the only way to reset and wipe the drive. A secure erased drive is not recoverable by any means.”
Apr 29th, my reply: “Hi Eric,
Thanks for clarifying the documentation. I’m still not clear on my previous follow-up question. I’ll rephrase and attempt to clarify.
Is it true that changing the ATA password will render the data on the drive unreadable or inaccessible?
This is based on your comment that the “ATA password is the AES key”. If this is true, changing the ATA password would change the AES key. Without the previous AES key (previous ATA password) that the data was encrypted with, the drive can’t decrypted the stored data.
Can you confirm that changing the ATA password makes all data, prior to the ATA password change, on the drive unreadable or inaccessible?”
Apr 30th, Eric Von Stwolinski: “Changing or removing a password will not wipe out all information on the drive. That can only be done by a secure erase using the toolbox.
Forgetting a password will render the drive inaccessible and all data is lost, but merely changing or removing the password (which requires that the correct password is first supplied) will not destroy any information on the drive.”
May 2nd, my reply: “Hi Eric,
Thanks for all the clarification and assistance. I was reviewing all the information you’ve provided and when I accessed the link you gave to the OCZ Vector Specifications page, http://ocz.com/consumer/vector-7mm-sata-3-ssd/specifications, I see the section that previously mentioned, “Data Encryption: 256-bit AES-compliant, ATA Security Mode Features” is no longer listed on the page. I can’t find any mention of AES-compliant or ATA Security Mode Features on the official page.
Can you confirm you aren’t able to view this on the official link you provided and help me understand why this was removed? Has official support for the 256-bit AES-compliant encryption and ATA security mode features been dropped?”
May 2nd, Eric Von Stwolinski: “I’m unsure why it was changed. It may have been changed due to firmware updates.
Please note that while the controller is capable of 256 AES, it is not intended to be a primary feature of the Vector drive.
Our enterprise grade drives are designed and built with a much wider range of features, including greatly increased write endurance as well as security and monitoring features.
http://ocz.com/enterprise”
Wow, just wow. After reading that I wouldn’t even trust the enterprise drives.
Hi,
Is it possible to taake an old OCZ and reformat it for use without the password?
Cheers