Since this thread will be picked up by search engines, perhaps my thoughts and experience will provide some perspective.
1. Like you, I find it frustrating that consumer desktop motherboards lack hard drive password support. Also, they lack TPM security chips.
2. For the past 3 years I have purchased HP business desktops and workstations for my business and family primarily for these security features, including the TPM chip and hard drive password support. Usually I purchase them used and discounted on eBay, and then upgrade them.
3. I have at least 8 HP desktops with Intel G2 SSDs running Microsoft BitLocker (software encryption). Most have 8 GB RAM and hibernate multiple times daily (significant writes). According to the Intel SSD toolbox wearout indicator, none show signs of wear. This includes a SSD with close to 2 TB of writes.
4. The encryption does bring a performance hit, but the encrypted SSDs still seem faster than the unencrypted hard drives I used previously. The Intel SSDs are quieter and probably more reliable than hard drives, as well. All of this made them a worthwhile upgrade for my purposes even though I don't have the "amazing" experience that some SSD users report.
5. The computers with Intel CPUs with the AES-NI hardware feature (such as core i5 3200) do seem faster in some regards (bootup, application launch, virus scan) so I recommend that feature if BitLocker use is planned.
6. To sum up, my experience is that the Intel G2 SSDs handle BitLocker without problems. There is a mild to moderate performance hit, as expected, depending on useage. Of course I look forward to trying the hardware encryption of the Intel 320 series when it's time to upgrade.
I have to admit, that I still have some problems in understanding the secureness of the offered FDE in conjunction with the ATA password. Could somebody please clarify it for me? thx! (After thinking through the whole process step for step again -- as I write this post -- and because of the helpful comments here, it is clearer now, nevertheless two small questions still remain:)
Did I get it right, that the AES encryption uses a (private) key, that lies anywhere (of course unencrypted) at the SSD? And if I set a ATA password the private AES key will get encrypted by my ATA password (as cleartext). If I change my ATA password, the AES key will get reencrypted. So the level of FDE secureness is up to the secureness of the ATA password.
Beside that my BIOS has to offer me to enter a password longer than 8 characters and that I must make up a strong password, what's about all the tools to bypass the ATA password? Simply destroy/remove it wouldn't be enough, because the private AES key is encrypted with it, fine. But in this thread it was said, that there are tools to readout a ATA password. How can this be avoided?
If I got it right, Scott aka SSDelightful from Intel support stated, that the ATA password is not revealable, because it is hashed:
ATA Password is stored in media as a non-reversible hashed value. [...]
Well, absolutely no offence, but anybody could state that. What technic is used here? SHA-2 or something like that? Maybe I read it over, but I couldn't find any information regarding this point.
And the second, more practically, question: Can I use all this features (setting, altering and deleting of the ATA password) just with a adequate BIOS? I won't need any Intel toolbox, am I right? Because I couldn't find the Intel tools for Linux so far...(btw: are there plans to release a Linux version?)
thanks for every helpfull reply!
So let me get this straight, if I don't have the HDD password or SATA password function in my BIOS then I am not able to take advantage of the FDE encryption on the 320 series?
If true that is pretty lame, seeing as how a good number of people get these drives for their desktop computers, which are less likely to have that option in their BIOS settings. I checked mine earlier hoping that I did have it, but go figure, I do not. I only have User password and Supervisor password, even checking through every BIOS setting there is no mention of SATA password or HDD password.
So what are my options? Am I completely out of luck?
Search for ATA security eXtension (ATASX). This approach uses discrete LAN controller (its bootrom to be more precise) to add ATA password prompt during boot. It works only if disk is in IDE mode.
You can boot to one of the micro-linuxes or live-cds and use hdparm utility to manipulate ATA security state of the disk. This should work in AHCI as well as IDE mode. Security status (locked/unlocked/frozen) is preserved during warm reboot.
Thank you for the response Piy! I have been doing a lot of research to try and figure out what my options are since I have no obvious ATA/HDD password settings on my bios. Pretty much everything I have looked at has gotten me to a dead end, but I did find some interesting info on this blog
According to the writer, in the main article and comments section, he hints about how BIOS nowadays in PC's actually do the ATA/HDD password in conjunction with the regular BIOS password.
"It’s been a long time since I’ve bothered with BIOS passwords, since they’re trivially easy to defeat. So I never noticed that modern PCs also use the BIOS password as the ATA password."
In the comments section:
"If you want your drive to remain for your eyes only you’ll need to set an ATA password, which on PCs is forced by setting a BIOS password."
So I am not sure what to think, I have checked my BIOS over and over and there is some hope after looking at one of the features I have. See below:
HDD Security Freeze Lock (Disabled)
If this item is enabled, it prevents any external application from locking hard drive
except for BIOS.
Security Option (Setup)
If you have installed password protection, this item defines if the password is
required at system start up, or if it is only required when a user tries to enter the
This to me hints that my BIOS might be capable of PW locking my drive, and there is even an option to force the PW upon boot.. But I really do not know what to think, I am still trying to make heads or tails of this. Seems pretty lame Intel would restrict using the encryption only for computers that have the ATA/HDD password in BIOS.
That is easy to confirm.
Set your bios password. Boot to linux. In root type:
hdparm -I /dev/<your_ssd_drive> (I - capital "i")
When ssd is connected to sata1 port the the path most probably will look like: /dev/sda
hdparm returns drive info. Look at the security section and verify if the security is: enabled or disabled
But do not hold your hope as in all cases I came across bios password is unrelated to hdd passwords (note theat bios password can be reset by bios reset, just think a second about it) and Hdd Security Freeze Lock is used only to freeze all the drives against some malware attacks.
I hope it is allowed to revive this discussion as I have only found it yesterday.
I'm not going to shoot off 20 questions immediately but I do have some that I may ask later.
Firstly, can anyone explain how FDE authentication works? There is software like Winmagic and others that nest themselves in a special PBA (pre-boot authentication) partition. Essentially, it is a mini-linux OS that is (or should be) very secure. It is comparable to the TC bootloader but I'm sure the PBA for FDE drives has many more options. I have not seen anyone mention this type of software so you guys may or may not have missed it.
ATA password (so called HDD password) is the only authentication channel intel implemented. No pre-boot authentication as the whole drive area is encrypted. The BIOS/EFI should support HDD password. Other options beside BIOS also available (as stated above) but not so convenient and with limitations.
Yes, I understand. Seagate has both drives only implementing ATA-password and drives which have a special area capable of holding a pre-boot authentication OS. The OS is also capable of supporting a wide area of other authentication devices like a smart card reader.
I did read the entire thread but I'll have to re-read it to know what "other" options you are talking about. The PBA software suites (if anyone wants to know I've researched a list) are TCG Opal compliant.
At any rate, from reading different threads, I understood that ATA-password and SED encryption password/phrase are two different things entirely and that ATA-password (as said in this thread) is often easily defeated. It is safe to say I did not fully grasp the connection between ATA-password and the AES encryption key on the drive. Moreover, I'm still a bit confused as to how this AES encryption key is stored and how a new one (nobody wants to use the factory installed key, right?) is generated.
What good is encryption anyway if the authentication is bypassed easily...
No additional special areas or boot loaders in intel's case as all of them require some area being unencrypted (even if it is really small).
You are forced to use security ATA extension commands to authorize yourself.
Security ATA commands can be implemented in BIOS (hdd passwords - quite rare in desktops) or you can use third party tools: ATASX extension, hdparm utility in linux, HDAT2 in DOS etc. BIOS procedures have advantage of being executed without need of any operating system (quick, convenient), other solutions require OS (booted from other media of course - pendrive or another hdd) to unlock the intel ssd drive.
But all of these solutions are no more then different methods to deliver ATA password to the drive.
ATA password system is not insecure by design. The implementation part used to be an Achilles heel. It could be more secure than preboot authentication for instance as it is resistant to boot code switching hack methods. However only when executed properly of course.
Thanks for taking the time to explain further. I'm about to re-read the thread so I might get up to speed this time around..
I've read about the ATASX extension and its limitation and that is about the most convenient way there is.
ATA password might not be insecure by design, but do you trust it? There are no official details about how Intel has implemented this on SSD's. I hope they come forward with more details but, ATM, due legal implications, I'm obliged to provide strong protection for data at rest. Since Truecrypt isn't the best of friends with SSD's, I was hoping to find a good Intel SSD with encryption. I guess I'll have to go with a traditional Seagate drive for now.
Speaking of which, you appear to be very savvy on this subject, would you mind me asking a question about this PDF you linked too?
Intel SSDs do not rely on compression to increase performance so using TrueCrypt on an Intel drive is not a problem. I personally run this setup on two computers, one with an x25-m and one with a 320 model.
Trust is an entirely different issue all together. I would also appreciate more details on how the internals work.
i found another bad thing about ata security:
after reading the whole thread i was very confident about the ssd but bricking the hardware when changing the pass???
and i've got another question regarding the password hash. i have got a lenovo x200 and the password will be hashed by the bios and then stored at the disc. does the intel controller hash the password again or does the answer from that intel guy mean that password is hashed only if the implementation of the bios said so?