This article provides information on using SafeGuard Device Encryption with SSD drives.
Known to apply to the following Sophos product(s) and version(s): SafeGuard Device Encryption, SafeGuard Easy, Sophos SafeGuard Disk Encryption
Operating systems: All supported operating systems
1. How to protect data on a solid-state drive (SSD) with SafeGuard Device Encryption
With SafeGuard Device Encryption (full disk encryption) entire drives or hard disks on your computer can be encrypted sector by sector. This guarantees that no plain text sectors remain. Your computer is fully protected.
To protect a solid-state drive (SSD) with SafeGuard Device Encryption, we recommend that you consider the steps described in this article. These steps are important because of the way an SSD manages data: the drive keeps replicas of existing and deleted data for some time, which affects encryption.
2. How to comprehensively protect data on an SSD
3. Why do solid-state drives (SSD) need special encryption precautions in the first place?
Solid-state drives are flash-based, similar to USB flash drives. The drive’s internal controller writes data to pages (“sectors”) whose physical location is unpredictable from outside the disk. Also, if you delete data on an SSD, the pages with the relevant data are marked as invalid by the controller but are not necessarily erased immediately.
That means that on an SSD, a piece of external software does not have complete control over the data, and how or where it is physically stored on the drive. This is quite different from a hard disk drive, where a driver can control exactly what happens to the data at a specific physical location on the disk. The only way to make sure that all sensitive data is really encrypted at any time on an SSD is to make sure that it is already encrypted before it reaches the drive for the first time.
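The behaviour described above, shown as an added example that is not part of the original article and is not SafeGuard code: a toy model of an SSD controller in which encrypting a sector after plaintext has been written leaves the old plaintext page on the flash, while encrypting before the first write does not. The class and function names, the page size, the sample data and the XOR stand-in cipher are all assumptions made for illustration.

```python
import hashlib

PAGE = 32  # bytes per page in this toy model (assumption)

class ToySSD:
    """Minimal flash translation layer: every logical write lands on a fresh
    physical page; the old page is only marked invalid, not erased."""
    def __init__(self, physical_pages):
        self.flash = [None] * physical_pages   # raw physical pages
        self.map = {}                          # logical sector -> physical page
        self.invalid = set()                   # stale pages awaiting garbage collection
        self.next_free = 0

    def write(self, lba, data):
        if lba in self.map:
            self.invalid.add(self.map[lba])    # old copy stays on the flash
        self.flash[self.next_free] = data.ljust(PAGE, b"\0")
        self.map[lba] = self.next_free
        self.next_free += 1

    def read(self, lba):
        return self.flash[self.map[lba]]

    def raw_dump(self):
        """What reading the flash chips directly would return, stale pages included."""
        return b"".join(p for p in self.flash if p is not None)

def toy_encrypt(key, lba, data):
    """Stand-in for a sector cipher: XOR with a per-sector SHA-256 keystream."""
    stream = hashlib.sha256(key + lba.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data.ljust(PAGE, b"\0"), stream))

SECRET = b"payroll: alice 91000"   # constructed sample data
KEY = b"constructed-demo-key"      # constructed key

def encrypt_after_use():
    """Plaintext was written first, then the sector was encrypted in place."""
    ssd = ToySSD(8)
    ssd.write(0, SECRET)
    ssd.write(0, toy_encrypt(KEY, 0, ssd.read(0)))
    return SECRET in ssd.read(0), SECRET in ssd.raw_dump()

def encrypt_before_first_write():
    """Data is encrypted before it reaches the drive for the first time."""
    ssd = ToySSD(8)
    ssd.write(0, toy_encrypt(KEY, 0, SECRET))
    return SECRET in ssd.read(0), SECRET in ssd.raw_dump()
```

Each function returns a pair: whether the plaintext is visible through the logical sector interface, and whether it is still present in the raw flash pages.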
4. Technical details and background information
A recent research paper sheds some light on the sanitizing characteristics of SSDs (see also Chet Wisniewski's blog post). It answers many of the open questions in the context of SafeGuard device encryption:
An interesting view from the opposite side (that is, the unwanted decay of forensic data on SSDs) is given in the aforementioned SSD forensics paper.