ATA Security Feature Set Guide With introduction to TCG Opal and SEDs with AES 256 Encryption

The US DoD, including all branches of the military, requires vast amounts of data to ensure operational efficiency and combat readiness.  Data must be protected regardless of how and where it is created, used, stored or transferred – physically and across networks.  All sensitive and top-secret data must be secure.

This paper provides a guide to the implementation and limitations of the ATA Security Feature Set.  It also provides an introduction to TCG Opal as an alternative to the ATA Security Feature Set and to the requirement for SEDs (self-encrypting devices) equipped with AES 256 encryption.

ATA Security Feature Set

The ATA Security Feature Set is a set of commands which is part of the ATA specification. This feature set is used to allow the SSD to authenticate the user. It provides a password system to restrict access to data stored on ATA SSD devices.  If a user password is set in the BIOS of the system, this password must be provided each time the system is started before the system can access the data stored on the SSD.

Security Feature Set Commands

The ATA Security Feature Set provides the following ATA commands. These commands are also used by the BIOS (e.g. if passwords are set in BIOS to unlock a protected SSD during the boot process). These commands are divided into three categories:

Password manipulation commands

SECURITY SET PASSWORD

The drive is initially usable. When a user password is set with the SECURITY SET PASSWORD command the drive is locked once powered on or after the hardware is reset.  In this locked state, it does not allow access to the data and accepts only a few commands such as Identify Device.

SECURITY DISABLE PASSWORD

Permanently deactivates the lock and makes the drive permanently usable. The drive accepts the command only in the unlocked state; if the SSD is locked, it will not accept the command.

Access control commands

SECURITY UNLOCK

Temporarily unlocks the drive for normal use.  However, the security feature remains enabled: after the next cold start the drive is automatically locked again.

SECURITY FREEZE LOCK

The SECURITY FREEZE LOCK command protects against unauthorized changes to the security settings of the SSD. This command is initiated from the BIOS of the host system. You can assign a password in the BIOS setup, which the BIOS then queries each time you power on the SSD.  Security Freeze freezes the security settings of the SSD, including the password.

During the boot process, the BIOS unlocks the SSD for regular use and then freezes the security settings so they cannot be changed.  It freezes the security settings and password before the operating system starts, to protect against operating-system-level attacks such as malware that changes the security settings.  Once the SSD is powered on and in the frozen state, no further changes to the security settings or security state of the SSD are possible.

As an example, you cannot secure erase an SSD which is in a “frozen” state.  The BIOS protects the SSD if you have a password set.  The password and the frozen state of the SSD are controlled from the BIOS, not the operating system.

Media recovery command

SECURITY ERASE UNIT

This command tells the drive controller to irretrievably delete all the data on the device while taking the load off the CPU and PCIe bus by overwriting all addressable LBA sectors, mostly with null bytes. If DCO (Device Configuration Overlay) is running, that is, if the drive shows fewer sectors and therefore a smaller capacity than the maximum possible, and if it spoofs a different geometry to the operating system and the BIOS, then only this small area is cleared, because only this area is LBA addressable.

ENHANCED SECURITY ERASE UNIT

Ignores DCO (but does not reset it) and overwrites all sectors, including all de-allocated areas from the defects list with manufacturer-specific data. The defect list is a list of all sectors marked as defective and de-allocated in the past whose LBA addresses have been reallocated to reserved areas. The operating system cannot directly access these areas. Only the drive controller has access.  It does not reveal the contents, but it does delete them reliably.


Implementing ATA Security Key Management 

There are a number of tools for sending ATA commands depending on the operating system environment.  Some examples are STB Suite for Windows, customized programs, hdparm and smartmontools for Linux.

Since working directly with the BIOS can be difficult, it is recommended to use a third party tool like hdparm to activate ATA security and set both user and master passwords for the SSD. When working with the BIOS, you need to be aware of the limited allowable character set, the limited length, and the use of scan codes.

The hdparm tool, which is included with almost all Linux distributions, lets you control the ATA security features by scripting or with manual commands. This section describes how you can control access to your SSD through ATA security, using hdparm to send the commands.

The following figure shows the possible ATA security state transitions.

Fig. 1 Example of security state transitions in the ATA Security Feature Set

To determine the security state of an SSD, query it with hdparm (e.g. hdparm -I /dev/sdb); the output shows the initial security settings of the drive.

Fig. 2 Initial ATA security settings – features are not enabled
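The figures in this section are screenshots of the Security: block that hdparm -I prints. As an added example, not part of the original guide, the following Python parses a constructed copy of that block into its flags and names the ATA security state (SEC1 to SEC6) it corresponds to; the sample text and the state labels are assumptions based on hdparm's output layout and the ATA specification's state names.

```python
import re

# Constructed sample of the "Security:" block that `hdparm -I` prints; the
# layout follows hdparm's output, the values are made up for this example.
SAMPLE_HDPARM_I = """\
ATA device, with non-removable media
Security:
	Master password revision code = 65534
		supported
		enabled
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
	Security level high
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

# ATA security state names (ATA/ACS numbering) keyed by (enabled, locked, frozen).
STATE_NAMES = {
    (False, False, False): "SEC1: security disabled, not frozen",
    (False, False, True):  "SEC2: security disabled, frozen",
    (True,  True,  False): "SEC4: security enabled, locked",
    (True,  False, False): "SEC5: security enabled, unlocked, not frozen",
    (True,  False, True):  "SEC6: security enabled, unlocked, frozen",
}


def parse_security_block(text):
    """Return the security flags from the 'Security:' section of hdparm -I output."""
    flags = {"supported": False, "enabled": False, "locked": False, "frozen": False,
             "enhanced_erase": False, "level": None, "erase_minutes": None}
    in_block = False
    for raw in text.splitlines():
        if raw.startswith("Security:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not raw.startswith("\t"):          # next top-level section: block is over
            break
        line = raw.strip()
        tokens = line.split()
        if not tokens:
            continue
        negated = tokens[0] == "not"          # hdparm prints "not<TAB>enabled" when clear
        key = tokens[1] if negated and len(tokens) > 1 else tokens[0]
        if key in ("supported", "enabled", "locked", "frozen"):
            flags[key] = not negated
        elif line.startswith("supported: enhanced erase"):
            flags["enhanced_erase"] = True
        elif line.startswith("Security level"):
            flags["level"] = tokens[2]
        else:
            m = re.match(r"(\d+)min for SECURITY ERASE UNIT", line)
            if m:
                flags["erase_minutes"] = int(m.group(1))
    return flags


def security_state(flags):
    """Name the ATA security state (the one the figures in this guide show)."""
    if not flags["supported"]:
        return "ATA security feature set not supported"
    combo = (flags["enabled"], flags["locked"], flags["frozen"])
    return STATE_NAMES.get(combo, "unexpected flag combination %r" % (combo,))


def needs_freeze(flags):
    """True while the drive is not frozen, i.e. anything with raw device access
    could still change passwords or erase it; the guide closes that window
    with `hdparm --security-freeze` before the OS starts."""
    return flags["supported"] and not flags["frozen"]
```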

To prevent security-related manipulation of the SSD, such as disabling all I/O, either accidentally or by malware with root privileges, you can use the “Security Freeze” discussed earlier. It takes a hardware reset or power cycle to revert to the unfrozen state.

As root, type: # hdparm --security-freeze /dev/sdb

Fig. 3 Frozen security state

To lock the data, enable security with SECURITY SET PASSWORD:

# hdparm --user-master u --security-set-pass "Secret" /dev/sdb

security_password="Secret"

/dev/sdb:

Issuing SECURITY_SET_PASS command, password="Secret", user=user, mode=high

The drive is now security enabled, unlocked, and not in a frozen state.

Fig. 4 Security enabled state

After a reboot the drive is automatically in the locked state (see Fig. 5). The SSD does not allow any data I/O in this state until a SECURITY UNLOCK command is issued with the password.

Fig. 5 Locked security state


Secure Erase

The ATA standard supports the SECURITY ERASE UNIT command, which tells the drive controller to irretrievably delete all the data on the device. The erase has two modes, normal and enhanced. The device must be security enabled and not frozen (see Fig. 4) to run the command. SECURITY ERASE UNIT is used to restore a drive to a pristine state.

# hdparm --user-master u --security-erase "Secret" /dev/sdb

security_password = "Secret"

/dev/sdd:

Issuing SECURITY_ERASE command, password = "Secret", user = user

0.000u 0.000s 0:39.71 0.0% 0+0k 0+0io 0pf+0w

or, for the enhanced mode:

# hdparm --user-master u --security-erase-enhanced "Secret" /dev/sdb


Master Password

The master password can be used as a fallback if the user password is not known.

The initial master password is unknown to the user but can be overwritten by the first call of the SECURITY SET PASSWORD command, this time using the --user-master m switch:

# hdparm --user-master m --security-set-pass "UltraSecret" /dev/sdb

security_password="UltraSecret"

/dev/sdb:

Issuing SECURITY_SET_PASS command, password="UltraSecret", user=master, mode=high

All security settings can then be disabled with either the user or the master password using the SECURITY DISABLE PASSWORD ATA command:

# hdparm --user-master [m|u] --security-disable "UltraSecret" /dev/sdb

The ATA standard specifies two security levels, HIGH and MAXIMUM, that are chosen when the user password is set; the level also defines the scope and capabilities of the master password. HIGH is the default (LOW would mean no security features are enabled). Set the MAXIMUM security level as follows:

# hdparm --user-master u --security-mode m --security-set-pass "Secret" /dev/sdb

security_password = "Secret"

/dev/sdb:

Issuing SECURITY_SET_PASS command, password="Secret", user=user, mode=maximum

The hdparm output reflects the new status (Fig. 6). In this state, you can no longer unlock the device with the master password or directly disable the security features. If you do not know your user password, returning to the initial state (Fig. 2) requires a SECURITY ERASE UNIT, which restores the device to a usable, pristine state.

Fig. 6 Security enabled, MAXIMUM level

It is important to remember that the HIGH security level is usually sufficient, and that devices should be frozen to prevent malware from changing the security settings – whether security is enabled or not.  For highly confidential data, the security level should be set to MAXIMUM. At this level, loss of the user password is equivalent to loss of data.

The ATA Security Feature Set of modern ATA drives offers useful protection against unauthorized data access, provided it is applied correctly.  It allows the user to configure the security level on the SSD so that the SSD remains locked unless the correct password is provided.
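To tie the commands above together, here is an added example (not from the guide, and not hdparm's code) that models the state transitions of Fig. 1 in Python: which commands each state accepts, what freezing blocks, and how the HIGH and MAXIMUM levels change what the master password may do. The state names follow the ATA specification; the passwords and sample data are constructed for the model.

```python
class AtaSecurityDrive:
    """Model of the ATA Security state transitions walked through above (Fig. 1).

    State names follow the ATA specification: SEC1 disabled/not frozen,
    SEC2 disabled/frozen, SEC4 enabled/locked, SEC5 enabled/unlocked/not frozen,
    SEC6 enabled/unlocked/frozen. Passwords are plain strings here only to keep
    the model readable; a real drive stores them internally and reports pass/fail.
    """

    def __init__(self):
        self.state = "SEC1"
        self.user_pw = None
        self.master_pw = "vendor-default"    # constructed: the initial master password is unknown to the user
        self.level = None                    # "high" or "maximum", chosen with the user password
        self.media = b"sensitive user data"  # constructed sample content
        self.last_erase = None

    def _expect(self, cmd, *states):
        if self.state not in states:
            raise PermissionError("%s rejected in state %s" % (cmd, self.state))

    def _password_ok(self, who, password):
        return password == (self.master_pw if who == "master" else self.user_pw)

    def power_cycle(self):
        """A reset or power cycle clears the frozen state; an enabled drive comes back locked."""
        self.state = "SEC4" if self.user_pw is not None else "SEC1"

    def set_password(self, who, password, level="high"):
        """SECURITY SET PASSWORD: only while not locked and not frozen."""
        self._expect("SECURITY SET PASSWORD", "SEC1", "SEC5")
        if who == "master":
            self.master_pw = password        # setting the master password alone does not enable security
        else:
            self.user_pw, self.level, self.state = password, level, "SEC5"

    def unlock(self, who, password):
        """SECURITY UNLOCK: temporary; the next power cycle locks the drive again."""
        self._expect("SECURITY UNLOCK", "SEC4")
        if who == "master" and self.level == "maximum":
            return False                     # MAXIMUM: the master password cannot unlock
        if not self._password_ok(who, password):
            return False
        self.state = "SEC5"
        return True

    def freeze_lock(self):
        """SECURITY FREEZE LOCK: no further security changes until the next reset."""
        self._expect("SECURITY FREEZE LOCK", "SEC1", "SEC2", "SEC5", "SEC6")
        self.state = {"SEC1": "SEC2", "SEC5": "SEC6"}.get(self.state, self.state)

    def disable_password(self, who, password):
        """SECURITY DISABLE PASSWORD: only when unlocked; not with the master password at MAXIMUM."""
        self._expect("SECURITY DISABLE PASSWORD", "SEC5")
        if who == "master" and self.level == "maximum":
            return False
        if not self._password_ok(who, password):
            return False
        self.user_pw, self.level, self.state = None, None, "SEC1"
        return True

    def erase_unit(self, who, password, enhanced=False):
        """SECURITY ERASE UNIT: accepted while security is enabled and not frozen.

        Either password is accepted, even at MAXIMUM, which is why a lost user
        password still allows a return to the pristine SEC1 state at the cost
        of all data.
        """
        self._expect("SECURITY ERASE UNIT", "SEC4", "SEC5")
        if not self._password_ok(who, password):
            return False
        self.media = bytes(len(self.media))  # all addressable sectors overwritten
        self.last_erase = "enhanced" if enhanced else "normal"
        self.user_pw, self.level, self.state = None, None, "SEC1"
        return True


def walkthrough():
    """Replays the guide's sequence (set user password, freeze, reboot, unlock)
    and returns the drive plus the list of states visited."""
    drive = AtaSecurityDrive()
    trace = [drive.state]
    drive.set_password("user", "Secret")     # hdparm --user-master u --security-set-pass
    trace.append(drive.state)                # SEC5: enabled, unlocked, not frozen (Fig. 4)
    drive.freeze_lock()
    trace.append(drive.state)                # SEC6: frozen with security enabled
    drive.power_cycle()
    trace.append(drive.state)                # SEC4: locked after reboot (Fig. 5)
    drive.unlock("user", "Secret")
    trace.append(drive.state)                # SEC5 again
    return drive, trace
```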


Limitations of the ATA Security Feature Set

The ATA Security Feature Set is a simple password system that restricts access to user data stored on a device and to some of its configuration capabilities. While using the ATA password to authenticate before the device is accessed is a well-known security method, there are several risks that need to be considered:

  • It does not protect the data through encryption; it only restricts access.
  • If the media is separated from the device, the data is available for access.

In addition, the following are examples of ways the ATA security password can be spoofed or bypassed:

  • While read/write operations to the drive are restricted, firmware updates are not. Unauthorized firmware may be available that can remove or disable the ATA passwords.
  • Hardware devices and software applications are readily available that can break the password through brute force, vendor back door passwords, and other techniques.
  • Data recovery services can obtain a copy of the unencrypted data through direct device observation.


Introduction to TCG Opal and SEDs with AES Encryption
An alternative to the ATA Security Feature Set

The ATA Security Feature Set commands are used to lock and unlock drives by using a password.  It was a widely used method to restrict unauthorized access to storage devices such as SSDs (solid state drives).

But after the introduction of SEDs (self-encrypting devices), the ATA Security Feature Set became less popular.  The ATA Security Feature Set can still be used to manage SEDs, but it can be cumbersome and complicated because it lacks ease of integration and many management features, such as recovery keys, management across a wide enterprise, and Single Sign-On (SSO) user authentication.

An alternative method of controlling access to SED/SSDs is to use the Trusted Computing Group (TCG) Opal Storage Specification. Opal is a defined standard specifically created to manage access to SED/SSDs and to fully take advantage of AES 256 encryption.  Moreover, the Opal standard provides a richer set of features than the ATA Security Feature Set and is easily used in combination with pre-boot authentication software that implements encryption key management and SSO.

Note on SEDs and Opal – A SED (or Self-Encrypting Drive) is a type of storage device, such as an SSD, that automatically and continuously encrypts the data on the drive without any user interaction. The encryption is done internally using a unique and random Data Encryption Key (DEK), which is hidden and never leaves the SSD.  The DEK is used to encrypt and decrypt the data: data written to the SSD is encrypted with the DEK and decrypted when read and delivered to the system. SEDs that adhere to the TCG Opal standard specification, such as compliant SSDs, implement key management via an Authentication Key (AK). The AK is the user-facing password that decrypts the DEK so the data can be decrypted and read.

The Opal specifications provide a scalable infrastructure for managing encryption of user data on the SEDs.  The protocols associated with management of encryption capabilities provided by Opal and its subset specs, Opalite and Pyrite, range from light to heavy, with scalability to meet even fuller featured capabilities.  Opalite and Pyrite were designed as an alternative to the ATA Security Feature Set.

Note on NVMe – In addition to supporting SED/ATA SSDs, the scalability of the architecture and solutions embodied in the TCG specification provides an ideal match for the scalability provided by the NVMe specification.  TCG Opal aligns with the security management interface for SED/NVMe SSDs.


Requirement for self-encrypting SSDs (SEDs) equipped with AES 256 encryption

When considering the inherent limitations and risks of the ATA Security Feature Set for protecting sensitive data, a more secure approach is needed.  If possible, it is recommended to implement TCG Opal and SED/SSDs which support AES 256 encryption. In addition to the management and integration benefits of using TCG Opal, AES 256 encryption provides additional security:

  • Encryption keys remain encrypted and hidden within the SSD and are never exposed to the host memory, processor, or OS where they can be compromised.
  • Encryption keys keep the SSD locked even if the SSD is stolen or intercepted and installed on another host.
  • New firmware cannot be loaded on a SSD locked by the internal AES mechanism.
  • The data stored on the SSD flash media is encrypted with AES 256 and is unreadable.
  • Brute force is theoretically impossible with AES 256 encryption.
  • Vendor back door passwords do not exist.
  • Performance of the computer is unaffected as the encryption is hardware-based, done by the SSD controller and not at the operating system level.
  • Encryption is always on and cannot be disabled or bypassed.
  • All operating systems, platforms, multi-boot environments are supported.
  • Encryption is maintenance and error free.  Host system upgrades, repairs, security patches, and breaches have no impact on the encryption performed and data stored inside the SSD.

Note on AES 256 encryption: The Advanced Encryption Standard is a standard ratified by National Institute of Standards and Technology (NIST).  AES is approved as the FIPS standard and is included in ISO/IEC 18033-3.  AES is the only publicly available cipher approved by the NSA for storage and communication of top secret data.  AES encryption is available in different levels.  AES 256 is the highest level used to protect top secret data.  AES utilizes multiple blocks of highly complex algorithms to scramble data.  An “encryption key – DEK” is needed to unscramble or decrypt the data so it can be used. Currently, no weakness has been found in AES. This means brute force is the only existing form of attack that can decrypt AES encrypted data. Brute force can also be described as the method of trial and error.  Every possible “key” is tried until the correct one is found.  As an example, this could take a trillion machines, testing a billion keys per second, two billion years to discover the correct key.

Conclusion

The ATA Security Feature Set provides a simple, BIOS-level password system for granting access to a device. While the use of ATA password security for authentication prior to device access is well known, it does not fully ensure that the data will be secure.  The host system of the SSD can be attacked at the BIOS level and the SSD can be accessed.  Since the data on the SSD is not encrypted and there is no SSD-level authentication mechanism, it is relatively simple to bypass or spoof the BIOS and freely use any stored data on the SSD.

To ensure data stored on SSDs is more secure, it is recommended to use SED/SSDs with AES 256 encryption in conjunction with TCG Opal.   TCG Opal manages access to SEDs (SSDs).  It is a defined standard specifically created to manage access to SED/SSDs and to fully take advantage of AES 256 encryption.  Moreover, the Opal standard provides a richer set of features than the ATA Security Feature Set and is easily used in combination with pre-boot authentication software that implements encryption key management and SSO.

Hardware-based encryption on SED/SSDs is the clear choice to secure and protect top secret DoD data. AES 256 encryption, the advanced encryption standard, has been ratified by National Institute of Standards and Technology (NIST) and is approved as the FIPS standard.  AES is the only publicly available cipher approved by the NSA for storage and communication of top secret data and currently has no weaknesses.

Contact your BiTMICRO representative to learn more about our SSDs with Opal compliance and AES 256 hardware-based encryption, military grade data erasure and sanitization, and verified rugged certification for all DoD applications requiring SSDs.


Writer: Zophar Sante, Business Development

Date: 5/28/2018

Software-based or Hardware-based AES 256 Encryption for securing DoD data on SSDs (Solid State Drives)

Over the next several years, the US DoD, including all branches of the military, will face regular and complex decisions regarding the complete protection of all digital data.  Data must be protected regardless of how and where it is created, used, stored or transferred – physically and across networks.  Data at rest and data in-flight may be intercepted and possibly compromised.  All sensitive and top-secret data must be encrypted.

AES, the Proven Standard for Data Encryption

The Advanced Encryption Standard is a standard ratified by National Institute of Standards and Technology (NIST).  AES is approved as the FIPS standard and is included in ISO/IEC 18033-3.  AES is the only publicly available cipher approved by the NSA for storage and communication of top secret data.

AES encryption is available in different levels.  AES 256 is the highest level used to protect top secret data.  AES utilizes multiple blocks of highly complex algorithms to scramble data.  An “encryption key” is needed to unscramble or decrypt the data so it can be used. Currently, no weakness has been found in AES. This means brute force is the only existing form of attack that can decrypt AES encrypted data. Brute force can also be described as the method of trial and error.  Every possible “key” is tried until the correct one is found.  As an example, this could take a trillion machines, testing a billion keys per second, two billion years to discover the correct key.  It would take the world’s fastest supercomputer, TaihuLight[1] in China with ~ 100 petaFLOPs, millions of years to characterize a single AES 256-bit deployment.

Software-Based Encryption

Deploying a software or hardware based encryption solution has different benefits and drawbacks.  Software encryption uses external software to secure the data before it is written to the SSD. Software encryption can sometimes be a lower cost alternative to hardware encryption.  But there are significant drawbacks to using this approach.

A software-based solution often requires numerous updates to keep up with attack threats.  It’s not that the encrypted data is threatened, but the system doing the actual encrypting may be compromised. The protection provided by software solutions is only as strong as the level of security of the operating system. A security weakness in the OS can easily compromise the security provided by the AES encryption. If any change or update is made to the system or OS, the encryption process may become vulnerable or inoperable and the keys used for data encryption may be compromised.  Attacks such as “Evil Maid” or “Cold Boot” can be used to discover the encryption keys.  Moreover, updating encryption software can be tedious, requiring complex driver and software installations.  In many DoD data capture environments, maintaining the latest software to perform encryption may be impossible.  This is especially true when the data being encrypted is created and stored on SSDs within satellites, drones, or submerged or buried sensor arrays.

Though software encryption is better than having no encryption at all, it may still be vulnerable to user error. Managing software encryption requires users and administrators to follow certain procedures in order to secure the data.  Not only do these procedures need to be documented and maintained, they also need to be followed.  The reliance on encryption for securing data can be compromised if procedures are maliciously or negligently forgotten and purposely avoided.

Another challenge of using a software-based solution is performance.  Performance degradation is a notable problem with software-based encryption.  A recent paper presented at the Data Storage Innovation Conference entitled “Encrypted Storage: Self-Encryption versus Software Solutions” concludes that performing AES 256-bit encryption in software rather than hardware has a significant impact on overall read and write performance.  When working with modest sized files, the impact of a hardware-based solution was barely noticeable, while the software-based solution degraded performance by a staggering 45%.  The performance degraded even further with large files.  The hardware-based solution degraded performance by roughly 5%, while the software-based solution degraded performance by nearly 60%.

Although software-based encryption seems simple on the outside, it is riddled with possible security risks and opportunities for data theft.   It also places a large burden on the host system, causing significant performance degradation.  Moreover, a large amount of IT management resources are required to properly maintain, update and ensure the software-based encryption solution is working as expected.

Hardware-Based Encryption

Hardware-based encryption on SSDs is very different.  SSDs with hardware-based encryption are SEDs (self-encrypting devices). Hardware encryption uses the SSD’s “on-board” AES encryption engine to perform encryption and decryption. It is self-contained and does not require the use of any additional software. Therefore, it is essentially free from the possibility of contamination, malicious code infection, or OS vulnerability.  The encryption process is intrinsic and automatic.  It cannot be forgotten or purposely avoided by the user.

With SSDs, the DEK (disk encryption key) is used to encrypt and decrypt the data. Unlike software-based encryption, the process of applying the actual encryption and decryption of data is done inside the SSD using the SSD’s controller chip and the internal DEK.  The DEK is never on the host system, but encrypted and hidden within the SSD.   All data stored on the SSD is automatically encrypted when written and automatically decrypted when read.

In addition to the DEK there is the KEK (Key Encryption Key), which encrypts and locks the DEK within the SSD so data cannot be freely written or freely read. When an SSD is first installed, the host authentication service creates a random KEK.  After the KEK is created, it is encrypted and stored on the SSD before any data is written to the SSD.  The SSD remains locked, and any data on the SSD cannot be used, until the SSD and DEK are unlocked by the KEK.

To unlock the SSD the user must first be properly authenticated. Once the user is authenticated, the OS sends a KEK to the SSD, which matches it against the original, internally stored KEK.  The comparison of the KEKs for authentication is performed inside the SSD. If the two match, the SSD is unlocked and the DEK can decrypt the data as it is read and encrypt new data as it is written.   The user credentials (original KEK) and the DEK are never in the “clear” inside the SSD; they are encrypted and hidden.  The original KEK and DEK are never exposed in the memory, processor, or OS of the host computer.  The authentication service of the host provides a KEK only when the user is properly authenticated.

The actual authentication sequence is as follows:

  1. The host is booted.
  2. The BIOS attempts to read the MBR (Master Boot Record) from the SSD.
  3. The SSD redirects the BIOS to a hidden pre-boot area on the SSD.
  4. The SSD loads pre-boot system code to the host so a KEK can be provided.
  5. The user enters authentication credentials for the SSD to verify.
  6. The host authentication service provides the KEK to the SSD.
  7. The host-provided KEK is compared to the hidden, internally stored and encrypted KEK within the SSD.
  8. If they match, the drive is unlocked, the hidden internal DEK is decrypted, and encrypted data can be read and new data can be encrypted and written.
  9. If they do not match, the SSD remains locked and the DEK remains locked. The SSD does not respond to read or write requests.

As you can see, because the original DEK and KEK are encrypted and remain hidden and secured inside the SSD, the OS, host system and SSD are significantly less vulnerable to attacks aimed at obtaining these keys.
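As an added example, not part of this article or of any vendor's firmware, the following Python models the DEK/KEK hierarchy and the unlock sequence just described: the DEK is generated inside the drive, is stored only wrapped under the KEK, a wrong KEK fails the drive-internal check, and replacing the DEK makes existing sectors unreadable. The cipher is an HMAC-SHA256 counter-mode stand-in so the model runs on the standard library; it represents, and is not, the drive's AES-256 engine, and the class and method names are assumptions.

```python
import hashlib
import hmac
import os


def _keystream_xor(key, nonce, data):
    """Stand-in for the drive's AES engine: HMAC-SHA256 used in counter mode.
    It exists only so this model runs on the standard library; a real SED uses
    hardware AES-256 (typically XTS with the sector address as tweak)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        chunk = data[offset:offset + 32]
        pad = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(chunk, pad))
    return bytes(out)


class SelfEncryptingDrive:
    """Model of the DEK/KEK hierarchy described in the article.

    The DEK is generated inside the drive and never leaves it. Provisioning
    wraps (encrypts and authenticates) the DEK under the host-supplied KEK;
    unlocking succeeds only if the offered KEK unwraps that stored blob.
    """

    def __init__(self):
        self._dek = os.urandom(32)      # hidden data encryption key, random per drive
        self._wrapped_dek = None        # (nonce, ciphertext, tag) kept on the media
        self._unlocked_dek = None       # present only while the drive is unlocked
        self._media = {}                # LBA -> ciphertext, what the flash actually holds

    def provision(self, kek):
        """The host authentication service supplies a random KEK; the drive keeps
        only the DEK wrapped under it, so the KEK itself is never stored."""
        nonce = os.urandom(16)
        ct = _keystream_xor(kek, nonce, self._dek)
        tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
        self._wrapped_dek = (nonce, ct, tag)
        self._unlocked_dek = self._dek  # the drive starts out unlocked for first use

    def unlock(self, kek):
        """Steps 6-9 of the sequence: the KEK check happens inside the drive."""
        if self._wrapped_dek is None:
            return False
        nonce, ct, tag = self._wrapped_dek
        expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            self._unlocked_dek = None   # wrong KEK: stays locked, DEK stays wrapped
            return False
        self._unlocked_dek = _keystream_xor(kek, nonce, ct)
        return True

    def lock(self):
        """Power loss or an explicit lock: the usable DEK copy is discarded."""
        self._unlocked_dek = None

    def write(self, lba, plaintext):
        if self._unlocked_dek is None:
            raise PermissionError("drive locked: write refused")
        nonce = lba.to_bytes(16, "big")  # per-sector nonce from the address
        self._media[lba] = _keystream_xor(self._unlocked_dek, nonce, plaintext)

    def read(self, lba):
        if self._unlocked_dek is None:
            raise PermissionError("drive locked: read refused")
        nonce = lba.to_bytes(16, "big")
        return _keystream_xor(self._unlocked_dek, nonce, self._media[lba])

    def raw_media(self, lba):
        """What someone holding the bare flash chips sees: ciphertext only."""
        return self._media[lba]

    def crypto_erase(self):
        """Replacing the DEK makes every existing sector unreadable at once."""
        self._dek = os.urandom(32)
        self._wrapped_dek = None
        self._unlocked_dek = None


def boot_sequence(drive, offered_kek):
    """The pre-boot code offers a KEK; the drive either unlocks or keeps refusing I/O."""
    return "unlocked" if drive.unlock(offered_kek) else "locked"
```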

Conclusion

Hardware-based encryption is the clear choice when using AES 256 encryption to secure DoD sensitive and top secret data.

  • Encryption keys remain encrypted and hidden within the SSD and are never exposed to the host memory, processor, or OS.
  • Encryption keys keep the SSD locked even if the SSD is stolen or intercepted and installed on another host.
  • Encryption is automatic and users cannot forget or purposely avoid the encryption process.
  • Encryption is maintenance and error free. Host system upgrades, repairs, security patches, and breaches have no impact on the encryption performed and data stored inside the SSD.
  • Encryption is OS independent, does not require software or even an OS to encrypt data.
  • Encryption is performed by dedicated hardware encryption engines with very limited impact on performance.


For DoD data created and stored:

  • in the datacenter or in the field,
  • in any environment or in any system,
  • and in flight or at rest,

Using hardware-based AES 256 encryption is the clear choice to secure top secret data.


Writer: Zophar Sante, Business Development

Date: 4/30/2018

[1] Source: High Performance Computing top 10 list Nov, 2017 https://www.top500.org/lists/2017/11/


BiTMICRO E-Disk Altima II and Heptagon Release

BiTMICRO® Industrial NVMe SSDs
Pass Extreme Thermal Testing with High Performance at Heptagon Systems

FREMONT, Calif. USA, January 31, 2018 – BiTMICRO® Networks, Inc. has been shipping their latest military and industrial grade E-Disk® Altima™ II and Ace Drive™ II, NVMe and SATA 2.5″ SSDs since November 2017. Heptagon Systems, an embedded server manufacturer has been working with BiTMICRO to qualify their new Industrial SSDs.

“We have tested the BiTMICRO 2TB Ace Drive II Industrial SSD in our HQ-BOX – Xeon-D based compact fan-less industrial server while it’s operating in a temperature chamber” explains Stas Lapchev, VP of R&D of Heptagon Systems. “With ambient temperature ranges from -30°C to +72°C, the SSD continued to function properly with performance of 3GB/s read and 2.3GB/s write without degradation and has sustained temperatures even as high as 85°C (as measured on the SSD)”.

“We see strong demand” continued S. Lapchev, “for SSDs to withstand the same temperatures as our rugged HQ-BOX. We’re very pleased with the results we’re seeing from the latest BiTMICRO SSD”.

“BiTMICRO has been providing ruggedized and secure solid state solutions to leading customers in enterprise, industrial and military markets for over 17 years. And since our inception, we have had the passion for meeting the expectations of our industrial and military-focused customers, bar none,” said Stephen Uriarte, President of BiTMICRO. “We’re looking forward to supporting Heptagon Systems with our industrial solid state drives.”

Visit with BiTMICRO at AFCEA West 2018 – Feb. 6 through Feb 8 2018, in San Diego, CA

About BiTMICRO
BiTMICRO®, headquartered in Fremont, CA, USA, was founded in 1995 and is a leading developer and manufacturer of SSD technology, products and solutions. BiTMICRO has been shipping SSDs with the company’s in-house developed patented technology uniquely designed for high reliability, durability, power efficiency and storage density. BiTMICRO is best known for delivering the extreme ruggedness, durability, and security required for all industrial and military environments.
Media Contact: Zophar Sante – zophar.sante@bitmicro.com

About Heptagon Systems
Heptagon Systems, headquartered in Melbourne, Australia is a startup which is dedicated to high-end embedded servers working in harsh environments. The company was established by veterans with many years of experience in the design of embedded PC. Heptagon Systems’ products can be used in a variety of industries and applications, such as IOT, MEC, Edge/Fog servers, mid-Storage servers, medical instrumentation, transportation, and industrial automation.
Media Contact: info@heptagonsystems.com

BiTMICRO® Announces NEW MAXio® S-Series NVMe Low Profile 8TB Add-In Card

For Industrial and Enterprise Applications at the International Telemetry Conference in Las Vegas. Oct 23 through 26.

MAXio S-Series NVMe Low Profile Add-In Card delivers up to 8TBs of high performance SSD capacity and can withstand the rigors of industrial environments

FREMONT, Calif., Oct 20, 2017 – BiTMICRO® Networks, Inc. today announced the NEW MAXio S-Series NVMe low profile PCIe industrial grade PCIe x8 add-in card that can support capacities up to 8TB today.

The MAXio S-Series employs multiple NVMe SSDs in the M.2 form factor and in sizes ranging from 2280 to 22110.  Because we aggregate the performance and capacities from one to four BiTMICRO M.2 SSDs, the MAXio S-Series is not limited to 8TBs of maximum capacity in one half-height, half-length x8 PCIe add-in card.  Instead, we can easily expand our performance and capacity ranges by selecting different M.2 capacities or adjusting the number of M.2 SSDs used.  We anticipate that when we release our 4TB M.2 SSDs, the MAXio S-Series will support up to 16TB of wide-temperature, highly reliable solid-state storage.  Applications requiring expandable and on-demand SSD upgrades can benefit by using the MAXio S-Series Add-In Card to increase performance and capacity easily and cost-effectively.

“BiTMICRO has been providing ruggedized and secure solid state solutions to leading customers in enterprise, industrial and military markets for over 17 years.  And since our inception, we have had the passion for meeting the expectations of our industrial and military-focused customers, bar none,” said Stephen Uriarte, President of BiTMICRO.  “The new NVMe PCIe 8x Add-In Card, not only delivers easy and affordable SSD expansion, but is the first of our MAXio S-Series line of SSD solutions. BiTMICRO MAXio S-Series solutions are based on our tried and true SSD products.  MAXio S-Series solutions will range from simple adapters and peripherals to complete systems.  Our new add-in card is only the beginning of this new line.”

Advanced flash management features such as wear leveling, error correction, over-provisioning, and garbage collection with TRIM support extend the drive life and ensure the high level of reliability required for enterprise and industrial applications.

Visit us at ITC Booth 2242 Oct. 23 through 26, Las Vegas, Nevada, USA.

About BiTMICRO

BiTMICRO®, a privately-held California corporation, was founded in 1995 and is a leading developer and manufacturer of flash-based SSD (solid state drive) technology, products and solutions. BiTMICRO has been shipping SSDs embedded with the company’s in-house developed patented technology uniquely designed for high reliability, durability, power efficiency and storage density.  BiTMICRO is best known for delivering the extreme ruggedness, durability, and security required for all industrial and military environments. BiTMICRO is headquartered in Fremont, CA, USA.

http://www.BiTMICRO.com

BiTMICRO® Announces NEW Rugged and Secure NVMe and SATA 2.5” SSDs for Military and Industrial Applications at the International Telemetry Conference in Las Vegas, Oct 23 through 26

E-Disk® Altima™ II and Ace Drive™ II SSDs set the standard for secure, rugged and reliable data storage in extreme environments and offer BiTMICRO PowerGuard® and SecureErase® Technology

FREMONT, Calif., Oct 23, 2017 – BiTMICRO® Networks, Inc. today announced the availability of its new industrial and military grade NVMe U.2 and SATA 2.5″ SSDs, which are available for the E-Disk Altima II and Ace Drive II product lines, respectively.

These new SSDs offer BiTMICRO’s PowerGuard and SecureErase Technology.  PowerGuard technology protects all data in the SSD cache by immediately writing it to flash memory in the event of power fluctuations or ungraceful shutdowns.  SecureErase technology erases all data in the SSD quickly and irretrievably.  Erasure of data can be done automatically via a command through the system interface. The new NVMe SSDs are available with TCG Opal compliance, provide AES-256 encryption and meet a broad range of military security specifications.

“BiTMICRO is an industry pioneer, delivering ruggedized and secure solid state drives to leading customers in the industrial and military markets for over 17 years, and has continually strived to meet the expectations of our customers.  This level of customer support coupled with our experienced team and proprietary technology differentiates our product offerings from the rest of the market,” said Stephen Uriarte, President of BiTMICRO.  “NVMe and SATA are the leading interfaces for solid-state storage.  We’re very excited to offer our new U.2 NVMe and 2.5” SATA line of SSDs to our existing and new, industrial and military contracting customers.”

The new SSDs are available with MLC or pSLC flash; the maximum pSLC capacity is 1TB and the maximum MLC capacity is 2TB.  The new SSDs support a wide range of temperatures, altitudes of up to 120,000 feet, and 1500 G of shock.

Visit with us at ITC Booth 2242 Oct. 23 through 26, Las Vegas, NV, USA.


BiTMICRO® Announces New E-Disk® Altima™ II Line of U.2 NVMe SSDs for Industrial and Military Applications

E-Disk Altima II SSDs set the standard for secure, rugged and reliable data storage in extreme environments and offer BiTMICRO PowerGuard® and SecureErase® Technology

FREMONT, Calif., June 13, 2017 – BiTMICRO® Networks, Inc. today announced availability of its new E-Disk Altima II line of industrial and military grade U.2 NVMe 2.5” SSDs.

The new E-Disk Altima II line offers BiTMICRO’s PowerGuard and SecureErase Technology. PowerGuard technology ensures that all data in the SSD cache are stored onto flash memory without being lost in the event of power fluctuation or ungraceful shutdowns. SecureErase technology erases all data in the SSD quickly and irretrievably. Erasure of data can be done automatically via a command through the system interface or manually through external jumpers. The SecureErase feature can also be configured so that data is completely erased from flash memory in the event of external power degradation or loss. The new line is TCG Opal compliant, provides AES-256 encryption and meets most military specifications.

The E-Disk Altima U.2 NVMe SSD has the performance you would expect from an NVMe device. Unlike M.2 NVMe SSDs, U.2 NVMe 2.5” SSDs are usually installed in drive bays on the front of the host for simple maintenance and do not require any motherboard space. They can be stacked in rows or vertically mounted in one or two drive banks to deliver up to 96TB of raw capacity in a 2U enclosure. Power consumption and weight are also very low to promote operational efficiency and portability for military and industrial applications.

“BiTMICRO is an industry pioneer, delivering ruggedized and secure solid state drives to leading industrial and military customers and prime contractors for over 17 years. We have a reputation for being dependable and quality focused,” said Stephen Uriarte, President of BiTMICRO. “NVMe is becoming the leading interface for solid state storage. We’re very excited to offer our new U.2 NVMe line of SSDs to our existing and new, industrial and military customers.”

The E-Disk Altima II U.2 NVMe SSD is available with MLC or pSLC flash in various capacities; the maximum pSLC capacity is 1TB and the maximum MLC capacity is 2TB. It supports a temperature range of -60 to 95 degrees Celsius, an altitude of up to 120,000 feet and 1500 G of shock.

About BiTMICRO
BiTMICRO®, a privately-held California corporation, was founded in 1995 and is a leading developer and manufacturer of flash-based SSD (solid state drive) technology, products and solutions. BiTMICRO has been shipping SSDs embedded with the company’s in-house developed patented technology uniquely designed for high reliability, durability, power efficiency and storage density. BiTMICRO is best known for delivering the extreme ruggedness, durability and security required for all industrial and military environments. BiTMICRO is headquartered in Fremont, CA, USA and has a subsidiary in the Philippines.

Media Contact:
Zophar Sante
http://www.bitmicro.com
Zophar.sante@bitmicro.com
M: 510-205-8425


4K Ultra HD requires Solid State Storage Arrays


The broadcast industry is constantly being challenged with new demands. For example, formats like 4K Ultra HD require new equipment and infrastructures yet budgets continue to be constrained making it difficult to meet these new requirements. Creating, managing, and distributing broadcast content in the latest formats is complex from both the infrastructure and the budget perspective. However, falling behind is not an option.

A key element of any broadcasting infrastructure and budget is data storage hardware. More storage performance and capacity are required as definitions continue to rise, more layers of color correction are used, and more graphic effects are added. Standard DV content requires about 13GB of storage per hour, or approximately 217MB per minute. But with 4K Ultra HD, the raw production files are significantly larger. The cost of the camera pales in comparison to the cost of the storage hardware needed to edit, deliver, and archive 4K Ultra HD content. As an example, one hour of RAW 4K content requires close to 110GB of storage, or approximately 1833 MB per minute. That’s nearly 8.5 times more storage for the same amount of time when compared to standard DV!

Storing Ultra HD is only part of the challenge in managing higher definition formats. Post-production processes, especially editing, require immediate access and playback for video editors. In many cases even standard DV content can bog down a system. You can only imagine what an Ultra HD file 8.5 times as large will do to the efficiency of creative video editors as they wait for files to be stored and played back. This problem becomes critical if the content is “on the fly” and extremely time sensitive, like sporting events or live convention coverage. In most cases, a significant system upgrade is required.

4K Ultra HD online editing and playback require extremely fast random access. Standard hard drive RAID systems can no longer support the performance required to edit and manage large quantities of 4K Ultra HD within acceptable timeframes. To ensure efficient media production performance, use all flash arrays like the MAXio® All Flash Storage N1A6 or MAXio All Flash Storage N1C6.

The 12TB MAXio All Flash Storage N1A6 (iSCSI / NAS) and MAXio All Flash Storage N1C6 (FC) perform 20x faster on rendering production media and 26x faster on playback vs. similar HDD arrays.

Writer: Zophar Sante, Business Development

Date: 1/13/2017

Classroom Heroes- integrate All Flash Arrays with Edu Apps


Whether you’re a small college with a few thousand students or a large university with an enrollment of fifty thousand, IT infrastructures need to meet the demands of faculty, staff, and students. Patience is not a virtue for many users in higher education. Students, administrators, and teachers want immediate access to their applications and data. An IT infrastructure needs to improve capacity and performance to meet a diversity of needs such as new learning technologies, institutional analytics, and remote e‑learning.

Education is in the midst of a technological revolution. New platforms like mobile apps, tablet computing, game-based learning, and remote laboratories are becoming more prevalent across institutions. These technologies are intensive in terms of capacity and performance, and it’s frequently difficult to predict user demands. IT departments need to invest in extremely cost efficient, high‑performance storage to meet these needs while at the same time remain within constrained budgets.

In the past, data within a school district, college, or university was kept at the department level.  Data was kept in silos and rarely used to support broad university or district-wide decisions. But without all the data, many of these decisions were inefficient and needlessly wasted precious resources. Institutional intelligence deals with gathering and analyzing all the data to understand what’s occurring across the entire district, college, or university and then acting on the results. Data analytics is an ongoing process and the results can be used to develop better programs, ensure more efficient resource allocation, and solicit funding and grants. But data analytics is processing and storage intensive and requires potentially many compute nodes and high performance storage. Selecting the best components at the best cost is very important.

E-learning continues to be an important technology for institutions and universities who are increasingly under more pressure to keep up with the latest trends. Not all students learn the same way and not all faculties teach the same way and many students are beginning to prefer e-learning courses. It’s a great option for students who are located in other states or have obligations conflicting with class schedules.  Some universities have dozens of e-learning courses while others have hundreds, all with a countless number of enrolled students. In order to keep content streaming and ensure student interaction with course material in real-time, high performance servers and storage is a must.

IT leaders in education need to take a new approach to the delivery of these new technologies. To ensure that storage performance can meet new and upcoming demands, use all flash arrays like the MAXio® All Flash Storage Array, with up to 12TB of usable capacity and 560,000 IOPS at the lowest cost per IOP in its class.  The MAXio All Flash Array will make you a hero!

Writer: Zophar Sante, Business Development

Date: 1/12/2017

 

HA is not enough – The Demand for 24 x 7 Continuous Access with Solid State Storage


Storing data on hard drives with RAID protection has been the norm for enterprise data storage for a very long time. High availability (HA) means keeping the hard drive based system up and running even if a component within the system fails.  These components include the network interface, hard drives, power supplies and fans.

But in the new 24×7 world of millennials, HA is not enough. The demand for 24×7 Continuous Access is forcing storage system suppliers to provide “100% system level redundancy”: in other words, two or more 100% fully synchronized identical data sets, each with independent controllers and network connections.

System availability is measured in “9’s”. The number of 9’s indicates the percentage of availability. Standard storage systems with RAID can guarantee 99.9% availability, or “three nines”. The current standard for high availability is 99.99%, or “four nines”.  The current standard for continuous access is 99.999%, or “five nines”.

[Chart (ha-table-1): availability levels and the corresponding downtime per period; image not reproduced.]

Note on six nines – 99.9999% availability.

This generally refers to mirrored independent systems in different geographies. This type of infrastructure is expensive if the interconnect between systems is not within a private campus LAN or MAN and requires purchasing lines from commercial carriers.  Industries that require this type of continuous access include banking, national security and defense.  They maintain continuous access even if an entire data center experiences an outage or loses its network connection.

99.9% available storage systems generally offer only disk level redundancy using RAID. The next level, 99.99%, has RAID and also includes redundant power supplies, network interfaces and cooling fans. Five nines, also known as the “holy grail” of continuous access, moves beyond component redundancy and adds 100% redundant data where there are two or more copies of the data being stored, in real-time, on two or more independent RAID sets. 99.999% systems also include 100% redundant system controllers to manage the client requests and RAID supported data sets. A 99.999% system is basically two independent, synchronously mirrored systems within the same chassis. The only way a 99.999% system could fail is if the backplane or controller interconnect were to fail.
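As an added illustration (not code from the original article or from BiTMICRO), the arithmetic behind the availability levels above: downtime implied by each number of nines, and a simple model of why mirroring two independent systems pushes availability to six nines. It assumes a 365-day year and, for the mirroring model, that the mirrored systems fail independently.

```python
"""Availability arithmetic for the "nines" discussed in the article.

Added illustration; not code from the original article or from BiTMICRO.
Assumptions: a 365-day year, and (for the mirroring model) that the
mirrored systems fail independently of each other.
"""
import math

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600 minutes, no leap year


def count_nines(availability: float) -> int:
    """Number of leading nines in an availability fraction, e.g. 0.999 -> 3.

    Computed as floor(-log10(unavailability)); rounding first absorbs
    floating-point noise such as 1 - 0.999 == 0.0010000000000000009.
    """
    if not 0.0 < availability < 1.0:
        raise ValueError("availability must be strictly between 0 and 1")
    return math.floor(round(-math.log10(1.0 - availability), 9))


def downtime_minutes_per_year(availability: float) -> float:
    """Expected downtime per year implied by an availability figure."""
    return round((1.0 - availability) * MINUTES_PER_YEAR, 6)


def mirrored_availability(single_system: float, copies: int = 2) -> float:
    """Availability of `copies` identical systems where any one suffices.

    Model assumption: failures are independent, so the mirror set is down
    only when every copy is down at the same time. Real deployments share
    a chassis, backplane or carrier link, which caps the achievable figure
    (the article's "only way a 99.999% system could fail").
    """
    return 1.0 - (1.0 - single_system) ** copies


def availability_table(levels=(0.999, 0.9999, 0.99999, 0.999999)):
    """Rebuild the downtime chart the article refers to, one row per level."""
    rows = []
    for a in levels:
        minutes = downtime_minutes_per_year(a)
        rows.append({
            "nines": count_nines(a),
            "availability_pct": round(a * 100, 6),
            "downtime_min_per_year": minutes,
            "downtime_sec_per_day": round(minutes * 60 / 365, 2),
        })
    return rows


if __name__ == "__main__":
    for row in availability_table():
        print(f'{row["nines"]} nines: {row["availability_pct"]}% -> '
              f'{row["downtime_min_per_year"]:.2f} min/year, '
              f'{row["downtime_sec_per_day"]:.2f} s/day')
    # Two independent three-nines systems, mirrored: 1 - 0.001**2 = 0.999999
    m = mirrored_availability(0.999)
    print(f"two mirrored 99.9% systems -> {m:.6f} ({count_nines(m)} nines)")
```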

Hard drive storage system manufacturers were faced with a huge problem when developing 99.999% systems – hard drives were too slow. To give you an example, in a two controller configuration, with synchronous data mirroring between the two controllers and RAID sets, the host would write to one controller within the system and that controller had to write the data to its hard drives and send a copy of the write to the second controller. The second controller would write the data to its hard drives and then acknowledge the write back to the first controller before a complete write acknowledgement could be sent back to the host. Although the data remained consistent between both systems and continuous access was greatly improved, the latency in writing to hard drives was far too slow.

Some hard drive systems use memory to cache the writes. But during spikes or continuous heavy workloads, the cache is quickly overrun with write and read commands and becomes slow and unusable.

Hard drive systems are simply too slow to reliably support real time (synchronous) data mirroring across two or more storage controllers each with their own set of hard drives and data sets. To make 99.999% availability practical, especially under heavy workloads, a much more responsive storage technology is needed.

Solid State Drives and All Flash Storage Systems were the Answer

SSDs have been around for over 18 years and have become one of the most trusted technologies for storing data. SSDs are found in all environments as the preferred data storage technology when performance is critical.

In contrast to traditional hard drives, which can handle about 300 I/Os per second, SSDs are able to handle up to 450,000 random I/Os per second. Solid state drives are also more energy efficient, consuming only one-half to one-third of the power of HDDs. They also have extremely low latency and can deliver over 1000 times more I/Os per second, greatly improving operational efficiency by transacting substantially more client requests in a fraction of the time.

“SSDs – They will continue to rapidly replace HDDs into PCs and notebooks, and up to high-end storage systems. Without moving parts, they are more and more reliable, much faster, now even offering more capacity than HDDs in smaller form factors.” (StorageNewsletter, January 9, 2017)

All flash arrays, sometimes referred to as Solid State Arrays (SSAs), are orders of magnitude faster than hard drive based systems. The typical write latency for an enterprise hard drive storage system is roughly 10ms (millisecond – thousandth of a second), but for a Solid State Array the write times are measured in microseconds. SSAs have been tested to have a latency of approximately 50μs (microsecond – millionth of a second), 200 times faster on writes when compared to a similar hard drive system.

With its amazing low latency, solid state is the only practical technology for delivering real time 99.999% continuous data access under any workload. Solid state can deliver 99.999% availability across two synchronously mirrored independent controllers and mirrored data sets without compromising performance.

Note on the Interconnect between Controllers and Mirrored Data Sets

In addition to using solid state, it’s also important to use a low latency interconnection between the independent controllers. Most 99.999% mirrored solutions use GbE to perform synchronous mirroring between controllers and data sets. But there is a better choice.

InfiniBand (IB) is a computer-networking communications standard used in high-performance computing. IB features very high throughput and very low latency. It is used for data interconnect both among and within computers. InfiniBand is also utilized as either a direct or switched interconnect between servers and storage systems. InfiniBand is the clear choice for interconnecting mirrored controllers and data sets. As you can see on the chart below, IB is orders of magnitude faster than GbE.

[Chart (ha-table-2): InfiniBand versus GbE interconnect latency; image not reproduced.]

With IB, interconnect latencies are reduced by a factor of 10.

SSD storage systems combined with IB overcome the challenge of synchronous mirroring across multiple independent controllers and mirrored data sets. Clients and data center managers are ensured 99.999% continuous access without severely impacting overall system responsiveness under different workloads.

Writer: Zophar Sante, Business Development, BiTMICRO Inc.

Date: 1/05/2017

 

Business DBs Demand All Flash Storage


An SSD (Solid State Drive) can deliver over 1000 times more performance than an HDD (Hard Disk Drive), depending on the application, NAND type, system, SSD interface, SSD model and manufacturer. Databases are performance hungry environments and are usually mission and business critical. A poorly performing database can negatively impact employee efficiency, customer satisfaction and revenue generation. It’s no wonder more and more companies are using all flash storage to host their database applications. Databases need to perform or the entire business suffers.

Hosting a database on a hard drive based system is usually out of the question. On average, HDDs deliver up to 400 IOPS while SSDs deliver up to an astounding 450,000 IOPS of random reads. This has an enormous impact on database performance.

We recently put together an Oracle performance benchmark to compare a server with 20 internal SAS RAID’ed HDDs to a 20-drive external iSCSI connected SATA SSD RAID storage system. We used HammerDB. HammerDB is a graphical open source database load testing and benchmarking tool for Linux and Windows to test databases running on any operating system. HammerDB is automated, multi-threaded and extensible with dynamic scripting support.

HammerDB includes complete built-in workloads based on industry standard TPC-C and TPC-H benchmarks as well as capture and replay for the Oracle database. HammerDB includes transaction and CPU monitors to complement the rich feature set that makes HammerDB the loading tool for benchmarking, testing and comparing the leading databases worldwide.

The 20-drive HDD system managed fewer than 480,000 transactions per minute, approximately 400 transactions per second per drive. The 12TB SSD system, using mid-range 2.5″ SATA SSDs that were saturated with data, managed nearly 2,400,000 transactions per minute. The SSD system could easily manage an Oracle DB workload 5 times larger than what the HDD system could support.

(NOTE: It is well known that SSDs lose performance over time.  An SSD saturated with data will be much slower than a new SSD.  Most midrange SATA SSDs use TRIM and garbage collection technologies to maintain maximum performance.  TRIM allows an operating system to inform a solid-state drive (SSD) which blocks of data are no longer considered in use and can be wiped internally.  Garbage collection works in the background with TRIM and systematically clears these blocks of data during off-peak times.)


A quick note about hybrid systems for database applications

Hybrid systems use SSDs as cache and HDDs to store the majority of the data. This makes write operations more performant. Read operations are also more performant since recently written or frequently accessed data is kept on the SSD cache. But only the most expensive hybrid systems support this feature. In many other hybrid systems the SSD cache needs to be defined as a separate volume. Write and read caching now requires special virtualization software and a great deal of management by the IT staff. There is also the problem of a cache miss where the database application needs a certain block of data that is not on the SSD cache. This greatly degrades performance since the data needs to be retrieved from the much slower HDDs.

In order to have high and predictable performance, more and more companies are adopting an all flash array solution over a hybrid solution. And with the prices of all flash storage dropping (now only $5 to $6 per usable GB) it’s much easier to justify all flash storage for mission and business critical database applications. Moreover these systems are easy to configure and manage.

Supporting Business and Mission Critical Databases requires 24 x 7 x 365 System Availability

We live in a 24 hour a day world where data must be available around the clock. Mission and business critical databases need to be online to service a global community that needs access to data to complete their tasks.  Other applications, like data analytics, need the same level of uptime for segments such as security, trading, transportation, travel, emergency medical, national defense, social media, entertainment…the list goes on and on.  Databases need to be continually available to service the needs of clients and employees worldwide. Therefore the infrastructure and storage systems they rely on need the same level of 24 x 7 x 365 availability.

Some All-Flash Arrays, like those from BiTMICRO, are now featuring complete high availability. There is no single point of failure; everything is redundant: network ports and adapters, SSD drives, power supplies, system controllers. In fact even the storage is redundant.  There are two independent data sets on separate SSD RAID sets, each with a separate controller. The data is mirrored using InfiniBand. Even if an entire enclosure went offline, the data would still be available. The only things that are shared are the physical rack mountable chassis and backplane.

Moreover, this level of high availability provides for more predictable performance. First, the database application does not have the added burden of providing protection such as mirroring data to ensure business continuance in the event a storage enclosure suffers a catastrophic failure; the database application can be focused on performance. Second, because a failure does not impact performance, user response times remain consistent even during a component failure.

In addition all flash arrays provided by BiTMICRO offer software RAID and performance enhancing technology.  All data and parity are evenly distributed across all the SSDs in the RAID set. To maintain performance during a drive rebuild, the SSDs are divided into two groups. If an SSD fails in the first group, this group will not accept any writes. All the writes and associated parity will be directed to the second group of SSDs within the enclosure. Although both SSD groups will continue to respond to read requests, only the SSD group not restoring a drive will be given writes. This provides the group restoring the drive with more resources to quickly bring the replacement SSD online with virtually no impact on performance.

HDD arrays are being replaced by SSD All-Flash Arrays to meet the ever increasing demands of performance hungry databases. There is no better time than now to discover the operational benefits of using solid state storage to accelerate your business, improve employee efficiency and greatly increase customer satisfaction.

Writer: Zophar Sante, Business Development

Date: 12/12/2016