I just realized - are there any internal drives with their own built-in encryption processor? I know NASs and some USB drives have some form of built-in encryption, but I think having a dedicated processor for disk encryption could come in handy. Depending how it was done, you wouldn't be able to boot from the drive, but having a secondary internal drive to store important data is hardly an issue for most people.

Seeing as mechanical HDDs are slow anyway, this could be a good market for them. The performance losses on such drives would be mostly negligible, except for small files.

Yes, most premium laptops come with drives that do that. Look at TPM (https://en.wikipedia.org/wiki/Trusted_Platform_Module) for some more information.

It's true some drives have internal encryption mechanisms, but you end up being left to whatever the firmware does, encryption-wise, and if there are any security holes they won't be fixed without a firmware update.

Also, such drives are subject to attacks by keeping them powered on while they're transfered between computers of you use the built-in encryption. Google TCG Opal and SED.

And enabling this functionality on Linux is not that easy... It requires booting into Windows, using some utility to enable that on the drive, doing a cryptographic secure erase (which requires either that you suspend the computer or power cycle the drive some other way during the procedure) and only then you can use the drive as SED with sedutil. And then you loose support to suspending the computer while running Linux from that drive...

Michael, what cipher did you use? I guess it was AES-256. Is there any way to use AES-128 or AES-192 instead? Not much of a security problem when compared to AES-256 and I've heard it could be much better in terms of CPU usage.

Well, I wouldn't trust my data with hardware encryption. You never know how it was designed.

TPM is not an encryption co-processor. It merely holds the encryption keys and hands them to the OS/PBA if everything is OK. It might be protected with a PIN as well but that's another thing.

All the encryption is done by the CPU.

Thanks for the good benchmark article on full disk encryption.

Samsung PRO SSDs have built in (AES-256-bit I think). Depends on if you trust their hardware or not, though, I suppose. Having had it before, though, I can tell you there is basically no overhead at all.

Not just Samsung Pros, I have two 850 Evos in Raid 0 and an MX300 that are all SED. I'm pretty sure every SSD shipping today supports SED, but again since they all are wholly proprietary implementations we have no assurances they are actually secure.

Less and less SSDs are coming out with native encryption. It used to be almost a standard when you went "pro".

Thank you for these benchmarks. They are very consistent with my own results. The extra CPU usage is irrelevant, the actual performance is only marginally impacted, and it's mostly transparent. I have both hardware and software encryption, and have seen only marginal (+/- 20% or less impact). And that's with aes-twofish-serpent software encryption, salted. To protect the data of my clients, this is nothing.

Michael! Did you ever test that ARM AMD board? The A1100 one? You got it, please test it.