I found another bad thing about ATA security:
After reading the whole thread I was very confident about the SSD, but bricking the hardware when changing the pass???
And I've got another question regarding the password hash. I have got a Lenovo X200 and the password will be hashed by the BIOS and then stored on the disc. Does the Intel controller hash the password again, or does the answer from that Intel guy mean that the password is hashed only if the implementation of the BIOS said so?
TrueCrypt on Linux definitely supports TRIM passthrough, and will not have a negative impact on performance or wear-leveling (but the use of TRIM may limit some plausible deniability features of TrueCrypt).
I am not sure if TrueCrypt for Windows supports TRIM passthrough; BitLocker does.
Questions for Intel / SSDelightful,
- Does the Intel 320 contain any mechanism or weakness that would allow access to AES-encrypted data (encrypted using the ATA Password) on the drive with less effort than a brute-force attack against the ATA Password?
- What algorithm does the Intel 320 use to hash the ATA Password before it is stored as a hash on the drive?
- What procedure can be used to test that the ATA Password based AES encryption is indeed internally enabled / working?
Question for Intel:
I have a Sony VGN-SZ670N laptop which has the BIOS Master and User password feature. By having this feature, can I assume that the laptop supports Secure-ATA commands and will work properly with the encryption feature of the Intel Series 320 SSD? By setting the Master and User passwords, can I assume that the passwords will be hashed/encrypted and stored on the SSD and used as expected?
Also, is there any way to tell if Secure-ATA is supported on my laptop?
BIOS master and user passwords usually do not have anything to do with ATA password support. Intel can't help you on this, check the manual or ask Sony.
The BIOS does not have any say in how the password is stored on the ATA device, so as long as ATA password is supported and you trust Intel's implementation you're good.
Thank you Desktop Man! I appreciate you taking the time to reply.
Just to be clear and I apologize for this. What I meant by BIOS master and user passwords was the BIOS Hard Drive master and user passwords. My laptop has those settings (the field is 32 characters long if that makes any difference).
You mentioned, "The BIOS does not have any say in how the password is stored on the ATA device..."
Does this mean that if a computer supports the BIOS hard drive master and user passwords, there is no guarantee that the entered BIOS hard drive passwords will be stored on the SSD hashed and used to encrypt the SSD's encryption keys? If yes, would you know who determines this? Is it the computer manufacturer or the Intel SSD?
Again, thank you for the info.
Ah yes then you should be good. Just to be sure you could try setting the ATA password and move the SSD to another machine. It should not be accessible without the password.
The Intel SSD decides how to store / hash the password and how it relates to the encryption key, so the BIOS is not a weak point in that regard. You're guaranteed that the ATA password is used in whatever way Intel has decided to use it as long as the BIOS sends it to the drive using the ATA specification. This can be verified with the method above. Note that this doesn't guarantee that Intel's hash and/or storage of the password and key is secure. You'll have to trust them on that.
Wow, that was fast! Thank you again, DesktopMan. I appreciate the info!
Do you use any reliable tools to verify the security settings on the SSD like what security level it is at (High, Max), if security is enabled, frozen/unfrozen state, etc? Also, info on what those settings should be would be very helpful.
I assume the drive is always encrypting, so I don't have to worry about that. Is this correct? If not, is there any tool to verify if encryption is on or off?
There really is only one security level on the Intel 320-series SSDs, either the ATA password is set or it's not. As you say they are always encrypting, even out of the box.
Note that every Intel SSD ships with an encryption key set during production (random on each drive according to Intel), but you can generate a new one in the Intel SSD Toolbox. I'm not sure if they allow you to do this without losing the data, I haven't tried. There are techniques to allow this, but I doubt they've implemented that.
"Do you use any reliable tools to verify the security settings on the SSD like what security level it is at (High, Max), if security is enabled, frozen/unfrozen state, etc? Also, info on what those settings should be would be very helpful."
Linux -> hdparm
In High Security Mode both user and master pass can fully unlock the drive.
In Max Security Mode only user pass can fully unlock drive. Master pass can unlock the drive only to perform Secure Erase.
Thank you, DesktopMan and Pit. I appreciate the info.
The Intel SSD Toolbox also seems to give a lot of info about the drive. I just ran it and noticed under Word 128, security status information is given about my drive. It lists info on Security Supported, Security Locked, Security Enabled, Security Frozen, Security Count Expired, Enhanced Security Erase Supported, and Master Password Capability.
Pit, I haven't had a chance to run hdparm under Linux yet. But, if you have the SSD Toolbox, is this the same info returned by hdparm?
Also, I was wondering if Bit 1 and Bit 2 might be reversed. Should Bit 1 be Security Enabled instead of Security Locked and Bit 2 be Security Locked instead of Security Enabled? If not, security is not enabled on my SSD because I get a value of 0 for Security Enabled. Can anyone confirm this? Anyone from Intel care to comment on this?
My 320 is currently in: Maximum Security Mode, unlocked with User Password and Frozen.
Toolbox gives me in 128 register: Bit0=1, Bit1=1, Bit2=0, Bit3=1, Bit4=0, Bit5=1, Bit8=1. Interpret it as you like.
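Added example, not part of any post in this thread: a decoder for IDENTIFY DEVICE word 128 using the bit assignments of the ATA Security feature set (bit 1 = enabled, bit 2 = locked), applied to the bit values listed in the post above. Function and constant names are this example's own, and the sample word is constructed from those posted bit values.

```python
import struct

# Word 128 flag bits per the ATA Security feature set (ATA/ATAPI-8 ACS).
# Dictionary keys and function names are this example's own.
FLAGS = {
    0: "supported",
    1: "enabled",
    2: "locked",
    3: "frozen",
    4: "count_expired",
    5: "enhanced_erase_supported",
}
LEVEL_BIT = 8  # master password capability: 0 = High, 1 = Maximum


def word128_from_identify(identify: bytes) -> int:
    """Extract word 128 from a raw 512-byte IDENTIFY DEVICE response."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data is 256 little-endian words")
    return struct.unpack_from("<H", identify, 128 * 2)[0]


def decode_word128(word: int) -> dict:
    """Map each defined bit of word 128 to a named boolean plus the level."""
    state = {name: bool((word >> bit) & 1) for bit, name in FLAGS.items()}
    state["level"] = "Maximum" if (word >> LEVEL_BIT) & 1 else "High"
    return state


def summarize(word: int) -> str:
    s = decode_word128(word)
    if not s["supported"]:
        return "security feature set not supported"
    if not s["enabled"]:
        # No user password is set, so the level bit carries no meaning yet.
        parts = ["disabled"]
    else:
        parts = ["enabled", "locked" if s["locked"] else "unlocked",
                 s["level"] + " level"]
    if s["frozen"]:
        parts.append("frozen")  # security commands rejected until power cycle
    if s["count_expired"]:
        parts.append("unlock attempts exhausted")
    return ", ".join(parts)


# Constructed from the bit values posted above: bits 0, 1, 3, 5 and 8 set.
SAMPLE = sum(1 << b for b in (0, 1, 3, 5, 8))  # 0x012B

if __name__ == "__main__":
    print(hex(SAMPLE), "->", summarize(SAMPLE))
```
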
A little warning for all you guys using boards with UEFIs.
I have an Asrock Z68 Extreme4 and cannot boot if a password-protected Intel SSD is connected to any of the SATA ports of the chipset ATA controller. The board locks in an endless boot loop. I have to hotplug the drive to make the whole thing work. If the drive is password unlocked or security disabled, the motherboard boots without any problem.
UEFI in Asrock's case does not work with password-protected drives!
Will try Asus P8Z68 Pro next week.