SM2, SM3, SM4 National Cryptography in SSDs: A Design Guide for Secure Storage
How hardware SM2/SM3/SM4 engines deliver Guomi-certified full-disk encryption in SSDs, and when to choose national cryptography over AES-256 and TCG Opal 2.0.
Last updated: July 2026
SM2, SM3, SM4 National Cryptography in SSDs: A Design Guide for Secure Storage
Bottom Line: SSDs sold into China's government, financial, and critical-infrastructure sectors increasingly need hardware SM2/SM3/SM4 encryption — the national "Guomi" (国密) cryptography suite — not just AES-256, because China's 2020 Cryptography Law and its GB/T commercial-cryptography standards require certified SM engines for regulated procurement. SM2 is an asymmetric, ECC-based algorithm that handles key exchange and digital signatures; SM3 is the hash function; SM4 is the symmetric block cipher that does the bulk full-disk encryption work. Controllers such as XITCORP's XT6110 embed hardware SM4 self-encryption alongside AES-256 and TCG Opal 2.0, letting one design satisfy both a Guomi-certified domestic deployment and a global FIPS/Common Criteria buyer without swapping silicon.
Design Considerations
What SM2, SM3, and SM4 Actually Do Inside a Drive
Each of the three algorithms plays a distinct, non-interchangeable role in a self-encrypting SSD's cryptographic stack. SM4 is a 128-bit block cipher, structurally similar in role to AES, and it is what actually encrypts the NAND-bound data path at line rate. SM3 is a 256-bit hash function used for firmware integrity checks, password verification, and key derivation, filling the role SHA-256 plays in an AES/TCG design. SM2 is a public-key algorithm built on elliptic-curve cryptography that manages key exchange, key wrapping, and digital signatures — the equivalent of what RSA or ECDSA does for certificate-based unlock and authenticated firmware updates. A controller that implements only SM4 for the data path but leaves key exchange on a non-national algorithm does not qualify as a "national cryptography" solution; regulators and auditors check the full SM2/SM3/SM4 chain, not just the bulk cipher. The three algorithms are standardized separately — SM2 in GB/T 32918, SM3 in GB/T 32905, and SM4 in GB/T 32907 — so a controller datasheet that cites only one standard number is describing a partial implementation, not a complete national-cryptography stack.
SM4 vs AES-256: Choosing the Symmetric Cipher for Full-Disk Encryption
The topic sentence for any full-disk-encryption (FDE) design decision is that SM4 and AES-256 protect data with comparable strength but are not interchangeable for compliance purposes. Both are block ciphers operating on 128-bit blocks, but SM4 uses a 128-bit key versus AES-256's 256-bit key, and SM4's round structure and S-box are defined in GB/T 32907. Performance-wise, a hardware SM4 engine placed in the SSD controller's datapath — ahead of the NAND flash interface, as in XITCORP's XT6110 SATA III controller — adds no measurable latency versus AES because both run at wire speed in silicon; the risk is only in designs that fall back to software SM4, which can bottleneck sequential throughput well below the drive's rated 560/520 MB/s. A common misconception is that AES-256's larger key size makes it strictly "more secure" than SM4; in practice, both are unbroken at their designed key lengths, and the choice is driven by which regulatory regime the deployment answers to, not by a security delta.
Key Management and the Role of SM2
The core design consideration here is that SM4 alone does not make a drive compliant — a Guomi-grade design needs SM2 for key exchange and signature verification around the SM4 data-path cipher. SM2's ECC-based asymmetric operations handle the unlock handshake between host and drive, wrapping the data-encryption key so it is never exposed in plaintext outside the controller, mirroring the role TCG Opal 2.0's authentication key does in an AES SED. Drives like the MP2000PRO self-encrypting NVMe SSD implement multiple unlock methods precisely so integrators can bind the SM2 key-exchange layer to whatever host-side credential model — PIN, certificate, or host-managed key — their deployment already uses. A frequent design mistake is treating the SM2 layer as optional "if SM4 is already running," which leaves the key-wrapping boundary undefined and fails Level-2 audit review even when the bulk cipher itself is correctly implemented.
Compliance Certification: China Commercial Cryptography Level-2
The topic sentence is that "SM4 support" and "certified national cryptography" are not the same claim, and the gap between them is Level-2 certification. Under GB/T 37092, commercial cryptography products are graded across four assurance levels, and Level-2 is the baseline most government, financial, and critical-infrastructure procurement specifications require for storage media. Certification is dual-issued: the National Cryptography Administration (国家密码管理局) approves the algorithm implementation, while the China Information Security Assessment Center performs the security assessment — a controller needs both sign-offs, not either one alone, to carry the Level-2 mark. PCIe and SATA controllers built on this standard, including XITCORP's RISC-V SSD controller family (XT6110, XT6160, XT8111, XT8210), are validated at the silicon level so downstream drive integrators inherit the certification rather than re-proving it per SKU. This matters for procurement timelines: a drive built on an already-certified controller can move straight into a Level-2 tender, while a design that bolts SM4 onto an uncertified controller has to restart the assessment process from scratch, which routinely adds months to a delivery schedule.
When You Need SM vs AES: A Deployment Context Decision Matrix
The design decision that should be made first, before any silicon is selected, is which regulatory jurisdiction the finished product will actually ship into. Domestic China deployments into government agencies, state-owned enterprises, banks, and classified-adjacent critical infrastructure require Guomi-certified SM2/SM3/SM4 under the 2020 Cryptography Law, and a drive that only offers AES-256 will fail procurement regardless of key strength. Export and multinational OEM programs, by contrast, are usually scored against FIPS 140-2/140-3 and Common Criteria, where TCG Opal 2.0 plus AES-256 is the expected baseline and SM4 support is invisible to the buyer. Hybrid programs — an OEM shipping the same platform into both markets — should specify dual-engine silicon up front, since retrofitting a second cryptographic engine into an already-taped-out controller is not realistic; this is exactly the gap XITCORP's controller family is built to close.
Recommended Solutions
Three integration patterns cover most SM-cryptography SSD design problems, from building your own board around a certified controller to specifying a drop-in drive.
Solution 1 — Controller-level integration for custom SSD boards. The XT6110 is a SATA III (6 Gb/s) SSD controller with an integrated 32-bit MCU, hardware SM4 encryption, and support for 2D SLC/MLC/TLC and 3D TLC/QLC NAND up to 8TB at 560/520 MB/s sequential. This fits OEMs designing their own PCB who need Level-2-certified crypto baked into the controller rather than bolted on afterward.
Solution 2 — Ready-built enterprise drives with SM crypto pre-integrated. For system integrators who do not want to lay out their own controller board, XITCORP ships the crypto engine inside finished drives: the SS6000SE (XT6160 controller, 2.5-inch up to 7.68TB or M.2 2280 up to 960GB, 560/520 MB/s) targets enterprise capacity tiers, while the 310C-Y and H10C-Y (both on the XT6110 controller, 256GB-1TB, 540/510 MB/s, 95K/42K steady-state IOPS) target standard enterprise SATA slots. All three carry the same dual-certified national cryptography as the underlying controller, so a drop-in swap does not require re-certifying the host system's crypto chain.
Solution 3 — Endpoint and removable secure storage. Higher-throughput or portable use cases need a different form factor: the MP2000PRO is a self-encrypting M.2 2280 NVMe SSD (PCIe 3.0 x4, 256GB-1TB) with full-disk hardware encryption and multiple unlock methods, suited to workstations and edge servers that need both crypto and NVMe-class speed. For field data transfer and removable media, the MU2500 Tianji secure USB 3.0 flash drive pairs a Guomi-certified, SSD-class controller with hardware SM4 encryption and a brute-force lockout mechanism, closing the gap that unencrypted USB drives leave in an otherwise-compliant storage chain.
| Solution | Product | Interface | Capacity | Crypto Engine | Best For |
|---|---|---|---|---|---|
| Controller-level | XT6110 | SATA III controller | up to 8TB (host NAND) | Hardware SM4 + 32-bit MCU | Custom SSD board designs |
| Ready-built enterprise | SS6000SE | SATA III (XT6160) | up to 7.68TB | SM national cryptography | Enterprise capacity storage |
| Ready-built enterprise | 310C-Y / H10C-Y | SATA III (XT6110) | 256GB-1TB | SM national cryptography | Standard enterprise SATA slots |
| Endpoint / removable | MP2000PRO | PCIe 3.0 x4 NVMe | 256GB-1TB | Self-encrypting, multi-unlock | Workstations, edge servers |
| Endpoint / removable | MU2500 | USB 3.0 | — | Hardware SM4, brute-force lockout | Field data transfer, removable media |
Common Pitfalls & Troubleshooting
Assuming AES-256 alone satisfies Chinese Guomi compliance. AES-256 is not a substitute for SM2/SM3/SM4 in any procurement spec written against the 2020 Cryptography Law; the correct fix is to specify a controller with a native SM4 engine, such as XT6110, rather than treating AES as a universal checkbox.
Implementing SM4 in software and skipping the hardware engine. Software SM4 works functionally but can cap sequential throughput far below a drive's rated speed under sustained writes; the fix is to source a controller where SM4 runs in the datapath in silicon, not as a CPU-cycle-consuming afterthought.
Building the SM4 data-path cipher without the SM2 key-management layer. A design that encrypts data with SM4 but exchanges keys with a non-national algorithm fails Level-2 audit even though the bulk cipher is technically correct; the fix is to verify the full SM2/SM3/SM4 chain end to end, not just the symmetric cipher in isolation.
Accepting a single-agency certification claim. A vendor citing only National Cryptography Administration approval, or only China Information Security Assessment Center testing, has not shown Level-2 status — both sign-offs are required together, and procurement teams should ask for both certificate numbers before specifying a part.
Overlooking physical security on removable form factors. A USB drive with hardware SM4 but no brute-force lockout leaves an offline PIN-guessing attack surface open; portable secure storage like the MU2500 needs the lockout mechanism treated as a first-class requirement, not an optional extra.
FAQ
What is the actual difference between SM4 and AES-256 in an SSD? Both are hardware block ciphers protecting data at rest with comparable real-world strength — SM4 uses a 128-bit key defined in GB/T 32907, AES uses a 256-bit key. The difference that matters for sourcing is regulatory: SM4 is required for China Guomi-certified procurement, while AES-256 with TCG Opal 2.0 is the expected baseline for FIPS/Common Criteria markets.
Do I need SM2/SM3/SM4 support if I am not selling into China? No — if your product only ships into markets scored against FIPS 140-2/140-3 or Common Criteria, AES-256 plus TCG Opal 2.0 is the standard buyers expect and SM support adds no compliance value there. It becomes necessary the moment a China government, financial, or critical-infrastructure procurement spec is in scope.
What does "China Commercial Cryptography Level-2" certification mean for an SSD controller? It means the controller has been jointly approved by the National Cryptography Administration and assessed by the China Information Security Assessment Center under GB/T 37092's four-tier grading, with Level-2 being the baseline most regulated procurement specs require. A controller carrying this dual sign-off passes compliance review without the drive integrator needing separate crypto certification.
Can a single SSD support both SM4 and AES-256 encryption? Yes — dual-engine controllers exist specifically so one hardware platform can serve both a domestic Guomi-certified deployment and an export FIPS/Common Criteria deployment without a board respin. Specify dual-engine silicon at the design stage; adding a second cryptographic engine after tape-out is not practical.
Is SM national cryptography as secure as AES? At their designed key lengths, both SM4 and AES-256 are considered cryptographically unbroken in current public research; the practical security of either depends far more on correct key management (the SM2 layer, or its AES/TCG equivalent) and hardware implementation than on the algorithm choice itself.
Conclusion
Choosing between SM2/SM3/SM4 and AES-256/TCG Opal 2.0 for an SSD design is a compliance decision first and a performance decision second — both algorithm families are secure at their designed strengths, but only one satisfies a given regulator. Start by identifying the deployment's regulatory jurisdiction, then specify a controller whose SM2 key-management layer and SM4 data-path cipher both carry dual National Cryptography Administration / China Information Security Assessment Center certification, not just the bulk cipher alone. FindMyChip curates XITCORP's full line of Guomi-certified controllers and drives — from the XT6110 controller through ready-built drives like SS6000SE, 310C-Y, H10C-Y, MP2000PRO, and the MU2500 secure USB drive — at the XITCORP Storage Hub collection. Search our verified distributor network for current stock, or request a quote to get sourcing and pricing from our 200+ verified distributors within 24 hours.
