The modern SSD’s dirty little secret: What you don’t know about your self-encrypting SSD

Came across an article from Scott Holewinski about SSD drives.

He has a nice analogy about how the NAND flash memory chips are like a bank vault when encryption is enabled (in the case of most SSDs, it is on by default and just needs to have a password set). You can read the entire article at

“The Anatomy of a Self-Encrypting SSD

So what exactly does it mean for an SSD to be self-encrypting and how does it work?

Let’s think of a self-encrypting SSD in terms of a bank vault. When you save a file, your computer stores it on the SSD, like depositing money in a bank vault. For the purposes of this example, let’s assume that the walls of the vault are completely impenetrable and the only way for money to get in or out is through the vault door. No matter how secure it is, the vault door is rendered totally useless unless someone remembers to lock it.

The primary storage media within an SSD is a number of NAND flash memory chips, usually eight or 16. These chips are thin black rectangular wafers about the size and thickness of a couple of quarters laid side by side. Collectively, the NAND flash memory chips comprise the bank vault in which your files are stored. The last thing we need to understand is what serves as the vault door on an SSD. How does data travel in and out of the NAND flash memory? The answer is the SSD controller.

The controller is arguably the most critical component on a self-encrypting SSD. Without the controller, it’s like putting a brick wall over the opening to our bank vault. The controller has a lot of different duties, but the two most critical are handling the authentication of the device at boot-up and all of the encryption operations.

Authentication is like locking and unlocking the vault door. After the SSD is authenticated, the vault door is open and data can flow in and out, being encrypted or decrypted as it comes and goes. On most self-encrypting SSDs, users can choose to set a boot-up password that must be entered to unlock the device. A properly authenticated drive is completely unlocked, and unencrypted data can be accessed from any computer the device is plugged in to.”
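To check whether the "vault door" described above is actually locked, here is an added example (not part of the quoted article or of this post) that reads the Security section of `hdparm -I` output. It assumes the boot-up password is the ATA security password; the sample text is constructed, and drives managed through TCG Opal need different tooling.

```python
import re

# Constructed sample of the "Security:" section printed by `hdparm -I /dev/sdX`
# for a drive whose ATA password was never set (illustrative, not real output).
SAMPLE_NO_PASSWORD = (
    "Security:\n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\tnot\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "Logical Unit WWN Device Identifier: 5000000000000000\n"
)
# Same drive after a password is set and the drive is power-cycled (constructed).
SAMPLE_LOCKED = (SAMPLE_NO_PASSWORD
                 .replace("not\tenabled", "\tenabled")
                 .replace("not\tlocked", "\tlocked"))

FLAGS = ("supported", "enabled", "locked", "frozen")

def parse_security(text):
    """Return {flag: bool} for the ATA Security section, or {} if absent."""
    state, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if in_section:
            if not line[:1].isspace():      # next unindented heading ends it
                break
            m = re.match(r"\s+(not\s+)?(\w+)\s*$", line)
            if m and m.group(2) in FLAGS:
                state[m.group(2)] = m.group(1) is None
    return state

def door_status(state):
    """Map the parsed flags onto the article's vault-door analogy."""
    if not state.get("supported"):
        return "no ATA security feature set reported"
    if not state.get("enabled"):
        return "password not set: data readable by anyone holding the drive"
    if state.get("locked"):
        return "locked"
    return "password set, currently unlocked"

if __name__ == "__main__":
    for sample in (SAMPLE_NO_PASSWORD, SAMPLE_LOCKED):
        print(door_status(parse_security(sample)))
```
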


About datalossguru

I am a data recovery engineer by trade, attorney by license, husband, father and coach by choice.