We currently have Endpoint Encryption for PCs 18.104.22.1684 installed, with a plan to upgrade to the latest Drive Encryption version in the next few months.
We are looking into buying devices with self encrypting SSDs, namely the Intel 540S 2.5" http://www.intel.com/content/dam/www/public/us/en/documents/product-specifications/ssd-540s-series-s...
I've got a couple of questions:
1. Does anyone know if the Intel 540S conforms to the OPAL standard?
2. If the Intel 540S does not conform to the OPAL standard, is it still compatible with EEPC or DE? Page 9 of https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/24000/PD24425/en_US/... talks about drives that conform to the OPAL standard, but what about self encrypting drives that don't conform to the standard? Are they automatically supported or automatically not supported?
Note, if I look at the supported Opal drives for DE 7.1, this Intel 540s isn't in it https://kc.mcafee.com/corporate/index?page=content&id=KB81136
Further, if you look at https://kc.mcafee.com/corporate/index?page=content&id=KB75045 it does say that self encrypting drives that support the opal standard are supported. Does it follow then that self encrypting drives that DO NOT support the OPAL are not supported?
If a drive is not explicitly listed on the article it is deemed 'unsupported'. In other words, it may or may not function as it was not explicitly tested for compatibility. What the documentation is alluding to is that drives that meet the TCG OPAL standard should function; however, they would still be unsupported if not on the list. If you would like to have the drive added to the supported list there is a compatibility tool that can be run which will need to be provided to support (linked in Supported OPAL drives articles).
I think the current list is here
I must admit I don't track it anymore since in my experience, OPAL seems more effort than it's worth. It's generally no faster than software encryption, and much harder to recover from.
As you'll see in this article - there is a compatibility tool you can run to see if the drive can be supported or not.
So your suggestion is to avoid self encrypted drives altogether? That's another option we are considering as we haven't chosen which drive to buy yet. What sort of issues have you had recovering from SEDs?
The main problem with recovering SEDs is that the only thing MDE has access to is the PIN to unlock the drive. The actual encryption key is still on the SED. Essentially, the recovery tools are only capable of passing the PIN to the disk to attempt to unlock and/or recover data but if the PIN fails to unlock the disk (for whatever reason) the data on the drive is then at the mercy of whatever recovery tools the hardware vendor might be able to provide.
To SafeBoot's point you are gaining very little in the way of a small disk I/O benefit (the majority of chipsets these days support AES-NI which MDE will utilize to offload the encryption to the processor). Excerpt from the MDE FAQ that discusses this is below A link to the full FAQ as well which goes into much more detail on other benefits of systems that fully support AES-NI:
Do all users in my organization need an Opal drive?
No. Software Encryption will suffice for most users. Most productivity workers will not notice or be impacted due to software encryption. With DE 7.1, the impact of software encryption on systems with Intel CPUs that support AES-NI is negligible, making software encryption comparable in performance to Opal drives.
Unless there is a business need that the end user requires the insignificant amount extra of disk IO, there isn't really good reason to use OPAL. Furthermore, with software encryption, if the processor has the AES-NI instruction set, the overhead is lowered significantly and pretty much undetectable by the end user.
To expand on what Safeboot said, if you manage an unsupported OPAL drive, it may turn into a brick with no possibility of data recovery. In these cases, the drive must be RMAed to the manufacture to receive a replacement. If the drive is damaged, you cannot simply move the platters to a new drive as the encryption key lives on the chipset of the drive. Drive Encryption only manages the PIN used to unlock the drive and does not have access to the encryption key. If the PIN is reset by some third party tool or software, MDE recovery tools will be unable to recover the drive. All of these scenarios have occurred.
With software encryption, unless the drive is physically damaged beyond repair, there is always a path forward to data recovery. Although our recovery tools are only designed to decrypt healthy drives, third party data recovery specialists such as OnTrack can recover data from damaged drives with software encryption.
MDE also has additional requirements for using OPAL other than just being a supported OPAL disk. Systems must be Win7SP1 and above , the SATA mode must be in AHCI, the storage drives must be installed, and for UEFI systems the drive must be installed in the system by the system manufacture. If the drive did not come from the factory in the system, the system must be in Legacy BIOS mode.
Thanks everyone for the good information. Based on what I've read here I'm thinking we should keep it simple and stay away from self encrypted drives.