6 Replies Latest reply on Dec 28, 2011 12:01 PM by Gouge

    Intel 320 SSD: How to set the AT HD Password encryption correctly.

    Gouge

      I have recently bought the 80GB 320 and I am still trying to get a simple answer to the FDE AT HD password question and think it would be very helpful if the answer were included in the HD manual and the FAQ.

       

      If, as is the case, my PC has a BIOS and an HD password option and I set both of these when installing the SSD, have I in fact set up the bespoke password FDE, or do I need to, as the PDF Intel guidance suggests, use the toolbox to then do a new secure erase on the same HD? It's just that the tablet PC in question only has one SATA connection, meaning that any secure erase would have to happen on a desktop PC with no HD password option enabled in the BIOS.

       

      Basically a simple step by step answer to how to set it up would be appreciated.

       

      I have assumed up until now that by setting an HD password in the Bios on first using the drive that the FDE is encrypted with reference to the HD password that was set, but am increasingly believing it isn't. I am therefore of the thinking that in order for the HD password to be relevant to the encryption of the drive, a password has to be in place prior to then doing the secure erase, and see no easy way to accomplish this.

       

      No one seems to have a simple answer to how to do this.

       

      TIA

       

      G

        • 1. Re: Intel 320 SSD: How to set the AT HD Password encryption correctly.
          Gouge

          I am also keen to know what happens if I have to move the drive to another computer. Can I just set the same ATA password on its Bios and the drive will allow it to work with the new PC, or do I end up locked out of it?

           

          G

          • 3. Re: Intel 320 SSD: How to set the AT HD Password encryption correctly.
            Jeff_K

            IIRC from documents and various posts read many months ago, the information stored on the 320 is always encrypted on-the-fly when it is stored and decrypted by the drive when it is read.  When no ATA (hard drive) password is set, the decrypted data are always passed to the PC - the drive essentially acts like any unencrypted drive as far as the PC is concerned.

             

            I believe the encryption key is randomly generated each time the drive is securely erased, and is unrelated to the ATA password.  The secure erase simply changes the encryption key, rendering all previously saved data permanently unrecoverable.

             

            When the ATA password is set, the drive will not allow access to the data unless the password is provided each time the drive is powered on.  Since the data is encrypted on the chips, opening the drive and probing the chips can at best only provide encrypted data.  Changing the ATA password does not re-encrypt any data on the drive.

             

            The ATA password is not (in theory) ever stored in the PC's NVRAM - it is simply passed to the hard drive.  There is a long thread on this forum that (I think) suggests that it is securely stored as a hash in an inaccessible place on the SSD, though some questioned if it might be crackable.

             

            So the basic step-by-step is simply set the ATA password.  Remove the password before firmware updates, and set it up again after the update.  Also remove the password before moving the drive to another PC, as there is no guarantee that each PC's bios will handle the password string identically before passing it to the hard drive (some may hash it, some have been known to drop special characters).  Moving the drive to the same model PC with the same bios version should not require removing the password and setting it again on the new box. [Edit: Some Lenovo Thinkpads treat the string differently depending on a bios setting before supplying it to the hard drive - best to always remove the password when moving the drive to another PC.]

             

            Disclaimer: I'm not an expert - anyone please chime in if I've given bad info.

            • 4. Re: Intel 320 SSD: How to set the AT HD Password encryption correctly.
              Tobi_74

              The ATA password is not used for encryption. Does this mean that the ATA password is just used for unlocking the drive, or is it also used to decrypt the saved data decryption key which is needed to decrypt user data?

              • 5. Re: Intel 320 SSD: How to set the AT HD Password encryption correctly.
                Jeff_K

                According to http://communities.intel.com/message/120689#120689, the ATA password IS used to encrypt the encryption keys.

                • 6. Re: Intel 320 SSD: How to set the AT HD Password encryption correctly.
                  Gouge

                  After a little bit of nosing around I have, I think, managed to answer some of my own queries.

                   

                  I enabled Bios and ATA passwords in one system and installed OS. I then tried moving the drive to another tablet PC (same model) and booted it up. It asked for the ATA password even though its Bios hadn't had one set on it, and it also booted fine after password was entered. This confirms if the PC dies the DATA and drive with the ATA password set can still be accessed via a similar PC that has the same Bios.

                   

                  I also managed, within the Intel FAQ, to confirm that the ATA password can be removed and replaced or changed as required without affecting the drive's operation. This I tested and it worked ok.

                   

                  Therefore I can only assume that the drive data is not encrypted with reference to the ATA password. I appreciate that this point is still not clear from Intel guidance and other people's comments. Surely if it was relevant then the drive would not be readable if the ATA password was changed, as the data would be only readable with the encryption password used.

                   

                  Hope this is of help to someone, but still leaves the whole password encryption debate open and ultimately unanswered by Intel as far as I can make out, and really warrants a comprehensive but simple answer by way of an explanation.

                   

                  G