External USB 3.0 SSD with Full Disk Encryption
ata encryption, aes256, ASM1053E, ubuntu, linux, external case, caddy, intel 535 series
Preface
External USB drives are everywhere these days, used as storage extension, data transport facility or backup drive. If you need a reliable, shock-resistant and secure solution, an external SSD might be a better choice than an old-fashioned hard drive.
Especially in case the drive gets stolen, an SSD can protect your data with full-disk encryption. Modern drives support this through the ATA Security feature set. Compared to software solutions like LVM, cryptfs or TrueCrypt, the built-in encryption is done in hardware without a performance penalty. This means it will also work at full speed on embedded devices like routers or NAS systems.
This sounds simple, but in practice it becomes difficult, because the ATA Security features only work with native SATA devices and not with ready-to-use USB SSD storage products. Therefore you have to build the external drive yourself.
Some final words: this tutorial is written for Ubuntu 16, Debian 8 or any other modern Linux distribution and requires some advanced knowledge. Don't try this as an inexperienced user!
Before you start, please take a look at the references listed at the end of this article.
Level of Security
Generally, ATA encryption of modern solid-state drives is an approved and commonly used feature. The encryption is applied transparently between the SATA interface and the internal flash storage by a built-in hardware encryption engine using AES-256. The required AES keys are generated by the drive itself and are encrypted with the user password. This means that the AES keys (as well as the salts) are never exposed to any external device. Even if a user knows the ATA password, it cannot be used to decrypt the content of the flash storage directly. If we assume this AES key storage is safe (a hardware security module), your data cannot be decrypted if the drive is stolen.
On the other hand, if the key processing is not done by a hardware security module but by a simple software implementation in the drive's firmware, your data is not very secure at all. An attacker may create a custom firmware that allows him to read the AES keys or enables brute-force attacks on the key storage.
The security depends on the vendor specific implementation of the underlying security features.
Hardware
You have to take care with the USB<>SATA adapter chipset, because only a few chipsets are native SATA<>USB3 bridges that support the full ATA Security feature set. For example, devices that are exposed as plain USB storage will not work! I first tried an ICY BOX IB-230StU3-G (Innostor IS888 USB bridge chip) and it does not work at all: it was not possible to access the drive again with this adapter after setting the ATA security feature.
After some dissatisfying hours, I finally found a chipset that works (and it is very cheap too)!
Approved Components
- Intel 535 Series SSD 240GB (ARK)
- USB 3.0 <> SATA Adapter with ASM1053E Chipset (Adapter on Amazon)
Setup
First of all, attach the SSD to the adapter. USB 2.0 will also work (important for embedded devices).
It should be detected by your OS; check with a simple fdisk -l.
Enable Protection
In the following example, we assume that you want to protect /dev/sdb. Generally it is important to use the “maximum security” mode: in this mode it is not possible to access the drive without the user password, not even with the master password. The benefit of this setup is that you can still reset the drive (erase it) with the vendor-specific default master password. Otherwise the drive may be locked forever.
You have to do the following step directly after powering on the drive, otherwise it will go into the “locked” state and it is not possible to change the settings in this state!
# set user password with maximum security level
root@zeus: hdparm --user-master u --security-mode m --security-set-pass <PASSWD> /dev/sdb

# check drive state
root@zeus: hdparm -I /dev/sdb
Security:
	Master password revision code = 65534
		supported
		enabled
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
	Security level maximum
	4min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Mount the Encrypted Drive
This process should be automated using a udev script which detects the drive-specific UID. In
# the partition will not become visible until the drive is unlocked - fdisk will NOT SHOW the device
root@zeus: fdisk -l

# instead, check your syslog for a newly exposed block device
# and of course... ignore the IO errors at this stage ;) the drive blocks all IO to the storage without a valid password
root@zeus: tail -f /var/log/syslog
Sep 24 18:26:27 zeus kernel: [27959.619547] usb 4-1: new SuperSpeed USB device number 5 using xhci_hcd
Sep 24 18:26:27 zeus kernel: [27959.636112] usb 4-1: New USB device found, idVendor=174c, idProduct=55aa
Sep 24 18:26:27 zeus kernel: [27959.636117] usb 4-1: New USB device strings: Mfr=2, Product=3, SerialNumber=1
Sep 24 18:26:27 zeus kernel: [27959.636120] usb 4-1: Product: ASMT1153e
Sep 24 18:26:27 zeus kernel: [27959.636123] usb 4-1: Manufacturer: asmedia
Sep 24 18:26:27 zeus kernel: [27959.636126] usb 4-1: SerialNumber: 123456789667
Sep 24 18:26:27 zeus kernel: [27959.636801] usb-storage 4-1:1.0: USB Mass Storage device detected
Sep 24 18:26:27 zeus kernel: [27959.638348] usb-storage 4-1:1.0: Quirks match for vid 174c pid 55aa: 400000
Sep 24 18:26:27 zeus kernel: [27959.638374] scsi host10: usb-storage 4-1:1.0
Sep 24 18:26:28 zeus mtp-probe: checking bus 4, device 5: "/sys/devices/pci0000:00/0000:00:14.0/usb4/4-1"
Sep 24 18:26:28 zeus mtp-probe: bus: 4, device: 5 was not an MTP device
Sep 24 18:26:28 zeus kernel: [27960.641039] scsi 10:0:0:0: Direct-Access     INTEL SS DSC2BW240H6      0    PQ: 0 ANSI: 6
Sep 24 18:26:28 zeus kernel: [27960.641626] sd 10:0:0:0: Attached scsi generic sg2 type 0
Sep 24 18:26:28 zeus kernel: [27960.641710] sd 10:0:0:0: [sdd] 468862128 512-byte logical blocks: (240 GB/224 GiB)
Sep 24 18:26:28 zeus kernel: [27960.643629] sd 10:0:0:0: [sdd] Write Protect is off
Sep 24 18:26:28 zeus kernel: [27960.643637] sd 10:0:0:0: [sdd] Mode Sense: 43 00 00 00
Sep 24 18:26:28 zeus kernel: [27960.644001] sd 10:0:0:0: [sdd] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
Sep 24 18:26:28 zeus kernel: [27960.645227] sd 10:0:0:0: [sdd] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
Sep 24 18:26:28 zeus kernel: [27960.645233] sd 10:0:0:0: [sdd] tag#0 Sense Key : Medium Error [current]
Sep 24 18:26:28 zeus kernel: [27960.645237] sd 10:0:0:0: [sdd] tag#0 Add. Sense: Unrecovered read error
Sep 24 18:26:28 zeus kernel: [27960.645242] sd 10:0:0:0: [sdd] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 08 00
....
Sep 24 18:26:28 zeus kernel: [27960.646095] blk_update_request: critical medium error, dev sdd, sector 0
Sep 24 18:26:28 zeus kernel: [27960.646098] Buffer I/O error on dev sdd, logical block 0, async page read
Sep 24 18:26:28 zeus kernel: [27960.646107] ldm_validate_partition_table(): Disk read failed.
Sep 24 18:26:28 zeus kernel: [27960.646505] sd 10:0:0:0: [sdd] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
Sep 24 18:26:28 zeus kernel: [27960.646509] sd 10:0:0:0: [sdd] tag#0 Sense Key : Medium Error [current]
Sep 24 18:26:28 zeus kernel: [27960.646512] sd 10:0:0:0: [sdd] tag#0 Add. Sense: Unrecovered read error
Sep 24 18:26:28 zeus kernel: [27960.646516] sd 10:0:0:0: [sdd] tag#0 CDB: Read(10) 28 00 00 00 00 00 00 00 08 00

# use the user password to unlock the device
root@zeus: hdparm --user-master u --security-unlock <PASSWD> /dev/sdb

# rescan the device! otherwise the partitions on the drive are not visible
root@zeus: partprobe

# mount the first partition of the device
root@zeus: mount /dev/sdb1 /mnt/media1
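The state check from “Enable Protection” (is the drive frozen or already locked before you touch the password?) and the unlock, partprobe, mount sequence just shown can be combined into one small script. The following is an added example and not code from the article; it only assumes hdparm, partprobe and mount with the same invocations used above. The device path and mount point are placeholder parameters, and the hdparm -I Security block embedded at the end is a constructed sample so the parsing part can be exercised without a real drive.

```bash
#!/bin/bash
# Added example, not part of the original article: parse the "Security:" section
# of `hdparm -I` output and drive the set-password / unlock / partprobe / mount
# sequence. Device paths, mount points and the sample output are constructed.

# ata_flag FLAG: reads `hdparm -I` output on stdin and prints yes|no|unknown.
# hdparm prints a bare word ("locked") when a flag is set and "not<tab>locked"
# when it is clear; whitespace is normalised before comparing.
ata_flag() {
    awk -v f="$1" '
        /^Security:/ { insec = 1; next }
        insec && /^[^[:space:]]/ { exit }            # next top-level section
        insec {
            gsub(/^[[:space:]]+|[[:space:]]+$/, "")
            gsub(/[[:space:]]+/, " ")
            if ($0 == f)        { print "yes"; found = 1; exit }
            if ($0 == "not " f) { print "no";  found = 1; exit }
        }
        END { if (!found) print "unknown" }'
}

# security_state: summarise the three flags that decide what may be done next.
security_state() {
    local out e l f
    out=$(cat)
    e=$(printf '%s\n' "$out" | ata_flag enabled)
    l=$(printf '%s\n' "$out" | ata_flag locked)
    f=$(printf '%s\n' "$out" | ata_flag frozen)
    printf 'enabled=%s locked=%s frozen=%s\n' "$e" "$l" "$f"
}

# next_action STATE: what a script may safely do with a drive in STATE.
next_action() {
    case "$1" in
        *frozen=yes*)  echo power-cycle ;;   # frozen: hdparm cannot change anything
        *enabled=no*)  echo set-password ;;  # no ATA password yet: safe to enable
        *locked=yes*)  echo unlock ;;        # password set, drive just powered on
        *locked=no*)   echo mount ;;         # already unlocked in this power cycle
        *)             echo unknown ;;
    esac
}

# unlock_and_mount DEV MNT: password is read from stdin so it stays out of the
# shell history; hdparm still takes it as an argument, so it is briefly visible
# in the process list (the same trade-off as the manual commands above).
unlock_and_mount() {
    local dev="$1" mnt="$2" pw state
    IFS= read -r pw
    state=$(hdparm -I "$dev" | security_state)
    case "$(next_action "$state")" in
        unlock)
            hdparm --user-master u --security-unlock "$pw" "$dev" || return 1
            partprobe "$dev" ;;          # re-read the partition table now that IO works
        mount) ;;
        *)  echo "refusing: $dev state is '$state'" >&2; return 2 ;;
    esac
    mount "${dev}1" "$mnt"
}

# Constructed sample of the Security block for a drive that was just powered on
# with a user password set (same shape as the hdparm -I output in the article).
SAMPLE_LOCKED='Security:
    Master password revision code = 65534
        supported
        enabled
        locked
    not frozen
    not expired: security count
        supported: enhanced erase
    Security level maximum
Checksum: correct'

# Demo on the constructed sample only; nothing here touches a real device.
state=$(printf '%s\n' "$SAMPLE_LOCKED" | security_state)
echo "$state -> $(next_action "$state")"   # enabled=yes locked=yes frozen=no -> unlock
```

In a udev rule you would call unlock_and_mount with the device node that matched the drive's serial number and feed the password from a root-only file; the power-cycle and set-password branches keep the script from issuing a --security-set-pass or --security-unlock against a drive that is frozen or has no password yet.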
Benchmark
Finally, a few simple benchmarks using dd and hdparm: around 250 to 300 MB/s in the real world, which is not bad at all.
root@zeus:~# hdparm -tT --direct /dev/sdb2

/dev/sdb2:
 Timing O_DIRECT cached reads:   506 MB in  2.00 seconds = 252.74 MB/sec
 Timing O_DIRECT disk reads: 896 MB in  3.00 seconds = 298.54 MB/sec

root@zeus:~# hdparm -tT /dev/sdb2

/dev/sdb2:
 Timing cached reads:   13698 MB in  2.00 seconds = 6853.67 MB/sec
 Timing buffered disk reads: 758 MB in  3.00 seconds = 252.50 MB/sec

root@zeus:/mnt/test# dd if=/dev/zero of=tempfile bs=1M count=1024 conv=fdatasync,notrunc
1024+0 records in
1024+0 records out
1073741824 bytes (1,1 GB, 1,0 GiB) copied, 3,75357 s, 286 MB/s

root@zeus:/mnt/test# echo 3 | sudo tee /proc/sys/vm/drop_caches
3

root@zeus:/mnt/test# dd if=tempfile of=/dev/null bs=1M count=1024
1024+0 records in
1024+0 records out
1073741824 bytes (1,1 GB, 1,0 GiB) copied, 4,52051 s, 238 MB/s

root@zeus:/mnt/test# dd if=tempfile of=/dev/null bs=1M count=1024
1024+0 records in
1024+0 records out
1073741824 bytes (1,1 GB, 1,0 GiB) copied, 0,196972 s, 5,5 GB/s
References
- Enabling ATA Security on a Self-Encrypting SSD [zeitgeist.de]
- Using the ATA security features of modern hard disks and SSDs [admin-magazine.com]
- ATA Secure Erase [kernel.org]