Is software encryption on a notebook with a Solid State Drive (SSD) a non-starter due to performance concerns?
This is a good question and I have heard it asked by some pretty smart people recently.
The reasoning behind the question is that with a normal spinning hard drive the typical performance bottleneck is the hard disk drive (HDD) itself. The HDD is the slowest component in any personal computer system. Yes, it takes significant CPU cycles to perform encryption, but there is enough wait time while data is written to, or read from, the hard drive for the CPU to keep up. With software encryption and an HDD, one would typically see only a small drop in an application-based system performance benchmark like SysMark, which attempts to measure the overall performance of a laptop running an Office suite.
However, an SSD is usually much faster than an HDD (and much more costly too). Depending on the SSD and how you measure performance the numbers vary, but an SSD can easily be twice as fast as an HDD. That would make the CPU the bottleneck, which would also mean that much of the potential performance gain from a relatively expensive SSD would be lost to software encryption.
Another problem with software encryption and SSDs is that during the initial encryption (conversion), full disk encryption software typically reads, encrypts, and then writes every sector to the SSD even if the space is not in use. This makes the SSD think that it is “full”, degrading performance badly even though the OS and file system know the drive is mostly empty.
The above logic makes sense but there are mitigating factors:
1) AES-NI (Advanced Encryption Standard – New Instructions): Most new laptops support the AES-NI instructions. There are 6 new AES CPU instructions plus a carry-less multiply instruction that software encryption code can utilize to greatly speed up the AES encryption or decryption process. Make sure your encryption software uses these instructions.
2) Quick vs. Thorough conversion: Full disk encryption software typically reads, encrypts and writes all sectors (Thorough mode) just in case some confidential data was written to the drive and then deleted from the file system before conversion. However, it is a best practice never to write unencrypted confidential data to an SSD, and overwriting sectors on an SSD is not guaranteed to erase the original plain text data anyway. Make sure your encryption software has a “Quick” conversion mode that only converts the sectors that are in use. Use the “Quick” conversion mode before you write confidential data to the drive and you will increase both performance and security. Also, your initial conversion will go much quicker too. If it takes 2 hours to “Thorough” convert the whole SSD but it is only ¼ full, then a “Quick” convert will only take 30 minutes.
3) Multi-core CPUs: If you have a laptop with multiple CPU cores then make sure your encryption software detects their presence, calculates how to best use them, and then utilizes them.
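The following sector-level model is an added example, not code from the original post or from any encryption product. It models an SSD as a list of 512-byte sectors plus the file system's allocation map, then runs a Thorough conversion (every sector read, encrypted and rewritten) and a Quick conversion (only allocated sectors touched) over a constructed sample volume, counting I/O and how many sectors the drive ends up tracking as holding data. The cipher is a stand-in: an HMAC-SHA256 counter-mode keystream tweaked by the sector number, used here only so the example runs with the standard library; a real full disk encryption driver would use AES-XTS (with AES-NI where available). The volume key, sector size and disk geometry are all constructed values.

```python
"""Quick vs. Thorough full-disk-encryption conversion on an SSD (added example).

Assumptions (not from the original post): 512-byte sectors, a constructed
volume key, and an HMAC-SHA256 keystream standing in for AES-XTS.
"""
import hashlib
import hmac
import random
from dataclasses import dataclass, field

SECTOR_BYTES = 512
KEY = hashlib.sha256(b"demo volume key (constructed, not a real key)").digest()


def keystream(key: bytes, lba: int, length: int) -> bytes:
    # Stand-in for AES-XTS: HMAC-SHA256 in counter mode, tweaked by the LBA so
    # identical plaintext in different sectors encrypts differently.
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = lba.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class SsdModel:
    """Raw media, the file system's allocation map, and flash-level bookkeeping."""
    media: list                                        # one bytearray per LBA
    in_use: set                                        # LBAs the file system has allocated
    flash_written: set = field(default_factory=set)    # LBAs the drive must treat as holding data
    reads: int = 0
    writes: int = 0

    def read(self, lba: int) -> bytes:
        self.reads += 1
        return bytes(self.media[lba])

    def write(self, lba: int, data: bytes) -> None:
        self.writes += 1
        self.media[lba][:] = data
        self.flash_written.add(lba)   # the SSD cannot tell ciphertext-of-nothing from real data


def make_disk(total_lbas: int, used_lbas: int, seed: int = 1) -> SsdModel:
    # Constructed sample volume: the first `used_lbas` sectors hold random file
    # data; the rest are all-zero and have never been written at the flash level.
    rnd = random.Random(seed)
    media = [bytearray(SECTOR_BYTES) for _ in range(total_lbas)]
    in_use = set(range(used_lbas))
    for lba in in_use:
        media[lba][:] = rnd.randbytes(SECTOR_BYTES)
    return SsdModel(media=media, in_use=in_use, flash_written=set(in_use))


def convert(disk: SsdModel, key: bytes, mode: str) -> tuple:
    """Encrypt the volume in place. 'thorough' rewrites every LBA, 'quick' only allocated ones.
    Returns (reads, writes) performed by the conversion."""
    if mode == "thorough":
        targets = range(len(disk.media))
    elif mode == "quick":
        targets = sorted(disk.in_use)
    else:
        raise ValueError(f"unknown conversion mode: {mode}")
    for lba in targets:
        plain = disk.read(lba)
        disk.write(lba, xor_bytes(plain, keystream(key, lba, SECTOR_BYTES)))
    return disk.reads, disk.writes


def read_decrypted(disk: SsdModel, key: bytes, lba: int) -> bytes:
    """What the OS sees through the encryption driver after conversion."""
    return xor_bytes(disk.read(lba), keystream(key, lba, SECTOR_BYTES))


def estimate_quick_minutes(thorough_minutes: float, fill_fraction: float) -> float:
    """Quick conversion time scales with the in-use fraction (120 min thorough, 1/4 full -> 30 min)."""
    return thorough_minutes * fill_fraction


if __name__ == "__main__":
    for mode in ("thorough", "quick"):
        disk = make_disk(total_lbas=64, used_lbas=16)
        reads, writes = convert(disk, KEY, mode)
        print(f"{mode:8s}: reads={reads} writes={writes} "
              f"flash sectors holding data={len(disk.flash_written)}/{len(disk.media)}")
    print("quick-mode estimate:", estimate_quick_minutes(120, 0.25), "minutes")
```

Running it shows the two effects the post describes: Thorough mode performs 64 reads and 64 writes and leaves the drive tracking all 64 sectors as live data even though the file system only uses 16, while Quick mode performs 16 reads and 16 writes and leaves the 48 unallocated sectors untouched, so the drive's view of free space matches the file system's. In both modes every allocated sector decrypts back to its original contents.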
With a product that supports “Quick” conversion, AES-NI and multiple cores, software encryption on an SSD can be quite quick and outperform HDD Self-Encrypting Drives (SEDs) on the same laptop by a wide margin. In the near future I think that we may see SSDs being the first drives to all be TCG Opal SEDs. This is the best of both worlds: use enterprise-class software to encrypt your existing SSDs today, and use the same software to manage Opal SSDs as they come onto the market, with no loss of performance at all.
For more information, watch our SED video here.