
I'm considering purchasing an SSD that has built-in hardware encryption / a self-encrypting drive that provides its own full-drive encryption.

What can I do to check that the BIOS on my machine will support it?

Background research so far

Research on self-encrypting drives - good article below, but I would need to know if the BIOS can support it: http://www.computerweekly.com/feature/Self-encrypting-drives-SED-the-best-kept-secret-in-hard-drive-encryption-security

ᄂ ᄀ
therobyouknow

2 Answers


The BIOS doesn't matter, because this is handled by the software on the "shadow disk" which the BIOS sees when the drive is just powered up and not yet unlocked.

Michael Hampton
  • Yes (thanks) the BIOS would boot into the small shadow disk to execute the built-in encryption software on the drive, which would ask for a password to make the real drive (the main, full-size disk) visible, but would the drive need to restart the BIOS (and would it need support from the BIOS to support restart)? What about folks who decide not to have self-encryption but then change their minds - how would they get back to the shadow disk if they had chosen to have it ignored in the first place? – therobyouknow Sep 28 '12 at 12:41
  • +1 and accepted. I would think that your answer should work with most BIOSes. Your answer seems to me like a hardware-based preinstalled equivalent of TrueCrypt whereby a password was asked for at startup, and is run when the BIOS is booted. Well, I'll know for certain when I get a self-encrypting drive in a few weeks. – therobyouknow Sep 28 '12 at 15:29
  • @therobyouknow So, did you get an SED drive? It's interesting to know how well it performs. I'm considering buying it, too. – Display Name Apr 19 '14 at 23:52
  • I'm not using a drive in SED configuration, but I have bought a Samsung 840SSD Pro for the sole purpose of improving performance of the machine and that it does very nicely. It can be securely wiped very quickly as it uses encryption for that. But I haven't linked that self-encryption to a password prompt on boot-up such that the password would decrypt the entire drive. I don't know if this is possible. – therobyouknow Apr 21 '14 at 01:01

What you need is a BIOS that allows you to set the ATA disk password. This is not the same as the "boot password" or the "setup password". Most modern SSDs have built-in on-the-fly FDE but it's only effective if you can set this password. For a very detailed explanation see this post or this discussion on Tom's Hardware.

rusty
  • SEDs have nothing to do with ATA password. – ᄂ ᄀ Oct 22 '18 at 11:09
  • You've made a blanket statement but provided no evidence for it. If you'd bothered to check my first link you'd have seen that "The ATA password locking is an optional feature of the ATA standard supported by the Samsung 840 and later series drives, as well as thousands of others." I had a Dell laptop that worked this way. It may be true that they aren't technically the same thing, but there are absolutely BIOSes out there that set up SED via the ATA password. – rusty Oct 25 '18 at 01:42
  • What evidence do you need? The ATA Security Feature Set doesn't address encryption. It's a fact. Device encryption is covered by TCG Storage SSCs (like Opal). ATA `SECURITY SET PASSWORD` only prevents unauthorized access to a drive (and that can be circumvented, BTW). A particular BIOS _could_ interact with a particular drive (via a proprietary or standard protocol) and employ what is commonly known as the ATA/Hard Disk Password in the drive's encryption scheme. But that goes beyond ATA Security. Having an ATA password set up in the BIOS doesn't mean it is used for SED encryption. – ᄂ ᄀ Dec 21 '20 at 13:52
  • I pointed out that I used to own a laptop that worked this way. You acknowledged that a BIOS could work this way. Your original assertion that ATA has nothing to do with SED was incorrect (even if most BIOS don't work this way). – rusty Dec 22 '20 at 22:06
  • _> I pointed out that I used to own a laptop that worked this way_ No, you _think_ it worked that way. I won't take it for granted unless you provide a reference that confirms the drive was actually encrypted and describes the encryption scheme. _> Your original assertion that ATA has nothing to do with SED was incorrect_ No, it was absolutely correct. To make it incorrect you need to show what ATA facility is used to _encrypt_ storage devices. – ᄂ ᄀ Dec 23 '20 at 08:04
  • I provided two sources in my original post. – rusty Dec 24 '20 at 12:21
  • Those sources are irrelevant to the questions raised. If you think otherwise, reference the exact places that address the questions raised: description of the encryption scheme and in which way it is related to ATA (as you claim). – ᄂ ᄀ Jan 16 '21 at 22:10
  • "Setting a HDD password(s) to the drive is what takes your security level from zero to pretty much unbreakable." – rusty Jan 17 '21 at 23:06
  • What is the purpose of this quote? It says nothing about how "pretty much unbreakable" is accomplished. Nor does it show the role of the ATA specifications in that. – ᄂ ᄀ Feb 19 '21 at 21:51
  • I upvoted you, because I've seen several other mentions on the web of using an ATA password in combination with self-encrypting drives (sorry, not sure why the other commenter was so negatively adamant about this). Doing so seems to require a BIOS that supports it. I have also, however, seen that it's possible (at least with recent Opal 2.0 drives) to use something like `sedutil` to install a bootloader onto the drive so that you don't need BIOS support. I suspect Opal might be the recommended method going forward. – Simon E. Dec 05 '21 at 03:22
  • @SimonE. The answer you have upvoted is outright misleading. Specifically, the claim _most modern SSDs have built-in on-the-fly FDE but it's only effective if you can set this password_ is plain wrong. The encryption capability of modern SED SSDs doesn't depend on ATA passwords at all. Too bad you chose to upvote things you don't understand instead of educating yourself. – ᄂ ᄀ Aug 20 '23 at 12:51
  • @ᄂᄀ So how do you enable the encryption features on these modern drives, like Samsung SSDs, for example? – Simon E. Aug 26 '23 at 00:51
  • @SimonE. Use any Opal 2.0-compliant tool, such as [SEDutil](https://sedutil.com/). Note that there are several forks of this utility; the original repo is https://github.com/Drive-Trust-Alliance/sedutil/ – ᄂ ᄀ Aug 26 '23 at 06:16
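As an added check for the question at the top (this is not code from the thread or from any of the answerers): on a Linux host, `hdparm -I /dev/sdX` prints the drive's ATA Security Feature Set state, and the parser below reads the `supported` / `enabled` / `locked` / `frozen` flags from a constructed sample of that output; `hdparm`, its output layout and the sample are assumptions, and, as the comments above stress, an ATA password only locks access and says nothing about whether the drive encrypts (that is TCG Opal territory).

```python
import re

# Constructed sample of the "Security:" section that `hdparm -I` prints
# (assumed tool and layout; not taken from the thread). A flag line that
# begins with "not" is the negated flag. "frozen" with no password set is
# the typical signature of a BIOS that sends SECURITY FREEZE LOCK at boot,
# i.e. one that offers no ATA disk password in its setup screens.
SAMPLE_HDPARM_SECURITY = """\
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5002538d40000000
"""

FLAGS = ("supported", "enabled", "locked", "frozen")
FLAG_RE = re.compile(r"(not\s+)?(supported|enabled|locked|frozen)")


def parse_ata_security(text):
    """Return {flag: True/False} for the ATA Security flags found in an
    hdparm -I dump; a flag that never appears is reported as None."""
    state = {flag: None for flag in FLAGS}
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Security:"):
            in_section = True
            continue
        if not in_section or not stripped:
            continue
        if not line[0].isspace():      # next top-level section begins
            break
        match = FLAG_RE.fullmatch(stripped)
        if match:
            state[match.group(2)] = match.group(1) is None
    return state


def assess(state):
    """Map the flags onto the thread's question: can this BIOS/drive pair
    take an ATA disk password at all? (Lock state, not encryption.)"""
    if not state["supported"]:
        return "no-ata-security"       # drive lacks the feature set
    if state["enabled"]:
        return "ata-password-set"      # BIOS or OS already set one
    if state["frozen"]:
        return "frozen-by-bios"        # cannot be set from the OS either
    return "settable"
```

For the encryption side, which this check deliberately leaves alone, the thread's own recommendation is an Opal 2.0 tool such as sedutil; its `sedutil-cli --scan` lists which attached drives are Opal-compliant.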