SED and Software Encryption Performance Hit?

Discussion in 'encryption problems' started by RandomBit, Jul 31, 2015.

  1. RandomBit

    RandomBit Registered Member

    Jul 31, 2015
    I am about to receive a Lenovo ThinkPad T450s which will contain a self-encrypting SSD (OPAL 2.0). My question is: will there be much of a performance loss if I were to use both the SSD's encryption and full-disk software-based encryption at the same time?

    I wish to do so as I'm not so happy trusting all my data to a closed-source firmware; not that I am wanted by GCHQ/NSA, and if there is a malicious vulnerability I doubt they will burn it on me. But I like the ability to have the hardware encryption prevent cloning of the disk and being brute-forced. (AFAIK the hardware chip would process the attempts.)
  2. deBoetie

    deBoetie Registered Member

    Aug 7, 2013
    Not sure what FDE you're considering; assume it's BitLocker? Given that, I'm not clear how you'd actually encrypt both in hardware/firmware and in software. In any case, you'd be dealing with a potentially confusing key management scenario. Other than increased latency, I'm not sure how the hardware encryption would be a big hit - after all, it's aimed at offloading that processing from the CPU anyway. Processing latency, given AES-NI and equivalent, is likely small, and in any case much smaller than the SSD memory latency.

    My feeling is that the TLAs would find it far easier to own your data from the comfort and safety of their own desks by hacking your systems remotely (which FDE does nothing to prevent) - if you're that concerned, and if they show up physically, then they likely have a wrench. I don't think there's an easy answer to the evil choices between trusting your firmware or trusting the software, because there are pros and cons.

    I dream of an intelligent secure storage system (maybe mediated by a RPi or something), which includes real read-only elements, plus optional demands for physical presence with a two-factor button press (e.g. on file open).
  3. mirimir

    mirimir Registered Member

    Oct 1, 2011
    Well, you could keep everything online in a Tahoe-LAFS grid, on a dozen or so inexpensive VPS, which are reachable as Tor hidden services. Then all you need is a Tails DVD or USB. Plus some working notes, with Bitcoin credentials, VPS account info, server hostnames, passwords and so on. That you could encrypt with GnuPG, and keep copies online in a few places. There's still some information that you must remember, but not all that much.