Does full-disk encryption on SSD drive reduce its lifetime?

Think of encryption as an adapter. The data is simply encoded before being written or decoded before being read. The only difference is that a key is passed at some point (usually when the drive/driver is initialized) to be used for the encryption/decryption.

Here is a (rough) graphic I threw together to show the basic pattern:

[Image: schematic demonstrating full-drive encryption]

As you can see, there is no need to perform extra reads or writes because the encryption module encrypts the data before the data is written to the platters and decrypts it before it is sent to the process that performed the read.

The actual location of the encryption module can vary; it can be a software driver or it can be a hardware module in the system (e.g., controller, BIOS, TPM module), or even in the drive itself. In any case, the module is “in the middle of the wire” between the software that performs the file operations and the actual data on the drive’s platters.


Short answer:
If the disk controller does not use compression, then Synetech's answer is correct and encryption will not change anything. If the controller uses compression then encryption will probably reduce the lifespan of the disk (compared to an identical disk where encryption is not used).

Long answer:
Some SSD controllers use compression in order to minimize the amount of data written to the actual flash chips and in order to improve read performance (SandForce controllers are a prime example; there may be others). This will work best if the data written to the disk is easily compressible. Text files, executables, uncompressed images (BMP for example) and similar can usually be compressed quite a lot, while files that are already compressed or are encrypted are almost impossible to compress since the data will look almost completely random to the compression algorithm in the controller.

Tom's Hardware made a nice test about precisely this on an Intel SSD 520 which can be found at
http://www.tomshardware.com/reviews/ssd-520-sandforce-review-benchmark,3124-11.html

What they basically do is measure the write amplification (the ratio of the amount of data written to flash and the amount of data sent to the drive) of the drive when writing completely compressible data and completely random data. For completely random data, the write amplification is 2.9* which means that for every GB of data sent to the disk, 2.9 GB are written to flash. The article notes that this seems to be roughly the same number measured on drives that do not use compression. For completely compressible data, the ratio is 0.17 which is quite a bit lower.

Normal usage will probably end up somewhere in between unless the data is encrypted. The lifetime predictions in the article are somewhat academic, but show that encryption could definitely affect lifetime on an SSD with a SandForce controller. The only way to get around this would be if the controller itself can do the encryption after compression has occurred.

*The article does not specify why 2.9 is considered a normal value and I have not really researched it. A logical explanation could be that most SSDs use MLC NAND which is a bit error prone (bit flips in other parts of erase blocks can occur while writing if I recall correctly). In order to correct for this, data is probably written to several places so that recovery or correction is always possible.


Full disk encryption does not increase the amount of data written to a disk, aside from any metadata that the encryption layer needs to store along with the filesystem (which is negligible). If you encrypt 4096 bytes, 4096 bytes are written.
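The two answers above make claims that can be checked together: encrypting a sector does not change its size, and the resulting ciphertext is no longer compressible. The following Python sketch is an added example, not code from any of the answers. It assumes `zlib` as a stand-in for a compressing controller and a SHA-256 counter-mode keystream as a stand-in for a real disk cipher; the key and the sample plaintext are constructed.

```python
import hashlib
import zlib

SECTOR = 4096  # sector size used in the answer above

def keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Stand-in keystream: SHA-256 in counter mode (not a real disk cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = key + sector_no.to_bytes(8, "little") + counter.to_bytes(4, "little")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    """XOR the sector with its keystream; output length equals input length."""
    ks = keystream(key, sector_no, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def compressed_fraction(data: bytes) -> float:
    """Size after zlib compression divided by the original size."""
    return len(zlib.compress(data, 6)) / len(data)

def compare(sectors: int = 64) -> dict:
    """Compress the same sectors before and after encryption."""
    key = b"constructed demo key"
    # Constructed, highly compressible plaintext (repeated log-like text).
    line = b"2024-01-01 INFO service started, nothing to report\n"
    plain = (line * (sectors * SECTOR // len(line) + 1))[: sectors * SECTOR]
    cipher = b"".join(
        encrypt_sector(key, n, plain[n * SECTOR:(n + 1) * SECTOR])
        for n in range(sectors)
    )
    return {
        "plain_bytes": len(plain),
        "cipher_bytes": len(cipher),
        "plain_fraction": compressed_fraction(plain),
        "cipher_fraction": compressed_fraction(cipher),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The byte counts match, while the compressed fraction goes from a few percent at most for the plaintext to roughly 1.0 for the ciphertext, which is the difference a compressing controller would see.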


The answer depends on what you mean by "full disk encryption".

If you simply mean that all files and filesystem metadata are encrypted on the disk, then no, it should have no impact on SSD lifespan.

However, if you mean a more traditional "The entire contents of the disk, including unused space, is encrypted" then yes, it will reduce the lifespan, perhaps significantly.

SSD devices use "wear levelling" to spread the writes across the device so as to avoid wearing out a few sections prematurely. They can do this because modern filesystem drivers specifically tell the SSD when the data in a particular sector is no longer being used (has been "discard"ed), so then the SSD can set that sector back to zero and proceed to use whatever sector has the least amount of use for the next write.

With a traditional, full-disk encryption scheme, none of the sectors are unused. The ones that do not contain your data are still encrypted. That way an attacker doesn't know what part of your disk has your data, and what part is just random noise, thereby making decryption much more difficult.

To use such a system on an SSD, you have two options:

  1. Allow the filesystem to continue performing discards, at which point the sectors that don't have your data will be empty and an attacker will be able to focus his efforts on just your data.
  2. Forbid the filesystem to perform discards, in which case your encryption is still strong, but now it can't do significant wear levelling, and so the most-used sections of your disk will wear out, potentially significantly ahead of the rest of it.