[Cryptography] Security on TRIM for full-disk encrypted SSDs

Jerry Leichter leichter at lrw.com
Fri Apr 22 06:03:55 EDT 2016


> ...Since files may be fragmented, and their blocks would be fully marked as used - even if they weren't filled - the best guess I would imagine an attacker could make - if there was no fragmentation, the data was completely contiguous, *and* the attacker already knew that - is that the file would be between 2,798,954,496 and 2,798,955,008 bytes long (if blocks are of 512 bytes). When fragmentation scatters a file's contents, I would guess all bets are off.

...and here we see another basic issue.  "Contiguous" has an obvious meaning for physical disks, but for SSDs it's something else again.  Sure, the file may be contiguous in the space of block numbers presented to the OS ... but in the space of pages on the SSD, it's pretty much always going to be randomly scattered.  *Maybe* if you started with a new, or completely erased, SSD, the internal algorithms would end up giving you contiguous SSD blocks ... but quite likely not even then.  There's really no need for them to, as physical location on an SSD makes no sense.

So stepping back a moment on the question:  The real concern here is that there is a level of metadata - the block to SSD page map - which is maintained inside the device, is outside of your control, is not encrypted, and which contains some information that correlates with the actual data stored, even if only at the level of *how much* data is actually being stored.  In effect, the TRIM operation takes the free block list, which in FDE would have been stored, encrypted, in the data of the device, and exports it out to the unencrypted SSD metadata.  The information is, at most, at the granularity of the TRIM operation (which is one block); but it is there.

Compared to other issues with SSDs - in particular, the impossibility (in current designs) of ever being sure you've securely erased anything short of destroying the device - SSDs are probably a bad technology for the absolute highest levels of security.

How relevant that is in what situations is a separate question.

                                                        -- Jerry
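
A toy model of the leak described in the message above, added here as an illustration and not part of the original post. `ToyFTL`, `simulate`, `mapped_runs` and `size_bounds` are hypothetical names, the block layout is constructed, and the initial fill of every block with ciphertext is an assumption about how the FDE volume was set up.

```python
import random

BLOCK = 512  # bytes per logical block, as in the quoted message

class ToyFTL:
    """Constructed model of an SSD's internal block-to-page map (not a real FTL)."""
    def __init__(self, n_blocks, seed=1):
        self.free = list(range(2 * n_blocks))      # over-provisioned physical pages
        random.Random(seed).shuffle(self.free)     # placement ignores LBA order
        self.l2p = {}                              # unencrypted device metadata

    def write(self, lba):
        self.trim(lba)                             # the old page becomes garbage
        self.l2p[lba] = self.free.pop()

    def trim(self, lba):
        if lba in self.l2p:
            self.free.insert(0, self.l2p.pop(lba))

def simulate(n_blocks, in_use, discard):
    """Write ciphertext to every block, then optionally TRIM the free list."""
    ssd = ToyFTL(n_blocks)
    for lba in range(n_blocks):                    # assumed FDE setup: full fill
        ssd.write(lba)
    for lba in (set(range(n_blocks)) - set(in_use) if discard else ()):
        ssd.trim(lba)                              # free list exported to the device
    return ssd

def mapped_runs(ssd):
    """What a reader of the map sees: (start, length) runs of mapped logical blocks."""
    runs, start, prev = [], None, None
    for lba in sorted(ssd.l2p):
        if start is None or lba != prev + 1:
            if start is not None:
                runs.append((start, prev - start + 1))
            start = lba
        prev = lba
    if start is not None:
        runs.append((start, prev - start + 1))
    return runs

def size_bounds(n_blocks_in_run):
    """Byte range implied by a run of n mapped blocks, as in the quoted estimate."""
    return ((n_blocks_in_run - 1) * BLOCK, n_blocks_in_run * BLOCK)

if __name__ == "__main__":
    used = set(range(100, 140)) | set(range(700, 703))   # constructed layout
    for discard in (False, True):
        print(discard, mapped_runs(simulate(1000, used, discard)))
```

Without TRIM the map shows one run covering the whole device; with TRIM it shows exactly the in-use runs, while the physical pages behind a logically contiguous run remain scattered. A run of 5,466,709 blocks (derived from the quoted figures) reproduces the quoted byte range.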