Have Basic Questions About SED

[ZzBloopzZ]

Hello,

I have been out of the loop. I have some questions about the SED (Self-encrypting Drive) feature on these newer SSD's, for a home user.

1. If I am upgrading, say cloning a older SSD to newer SSD with SED, can I start using SED right away or would I have to do a fresh install of the OS first?

2. Is SED dependent on anything, such as a specific OS, Chipset, SATA controller etc?

3. My understanding is you enable the feature through the BIOS. I believe the motherboard sends the encryption key to the SSD. Now, what if the motherboard goes bad and I have to replace it? Am I then SOL?

4. Is there any 3rd party software I will need to manage SED?

Really appreciate any feedback. I tried googling around and could not find specific answers.

Thanks!

 

[Avgas]

I've been researching this for the last couple of evenings, trying to pick parts for a new gaming machine and want to use a Samsung 950 Pro M2 SSD with the self encrypting function. (And a Skylake i5 and z170 chipset mobo.)

So, being a new [H] user, I can't post links... but if you google "techspot self encrypting drive" there's a great write up.

The gist is:
- New SSDs run everything through an AES encryption chip, to prevent too many 1's and 0's from hanging out together.
- It's encrypted using the DEK (Data Encryption Key) stored on the disk, and the disk alone.
- Without doing anything, your data will read and write after being encrypted with the DEK, but this offers no protection.
- Using _____ you can add an AK (Authentication Key). This is your password to unlock the DEK.
- On boot, you get a prompt from the BIOS for your AK. Once typed in verified, the drive is unlocked and the encryption is totally transparent to everything. (Including cloning operations.)

Apparently all you need to do is go to your BIOS and the Security tab and put in the "ATA Password" or "HDD Password". This is the AK. It seems there are ways to do it using Ubuntu terminal, Bitlocker, Samsung Drive Magician, and probably some other things. There's also provisions for a fast secure erase. It doesn't erase the data, it erases the key. (Not sure if DEK or AK.)

I've seen other references to the SED's having a shadow OS that loads to ask you for your AK.

Then there's the line "If your motherboard supports ATA passwords".

Now this is where I'm stuck. I can't find a gaming Z170 motherboard that supports the HDD Password. Every article I've found says "Find a mobo that works!". Well that doesn't help. I've checked the manuals for Gigabyte, Asus, Evga, etc. They all talk about the Supervisor and User passwords, but that's a different deal. The best references I've seen are to Asus Z97 mobos(?) and one guy contacted AsRock directly that sent him a modded BIOS.

Apparently the HDD password is common on laptop BIOS'es, but not for desktop units.

So, I could use some help too. =)

 

[ZzBloopzZ]

Thanks so much for valuable information Avgas! You are right, I have seen this feature in many BIOS laptops but havn't seen many Desktop's with it.

I will be sure to check out the techspot article later today, thanks for pointing me towards it!

For the lazy, here is the article: Self-Encrypting Drives: A Brief Introduction and Step by Step Guide

 

[izx]

There's also provisions for a fast secure erase. It doesn't erase the data, it erases the key. (Not sure if DEK or AK.)

The DEK.

If you are using the motherboard's ATA password to manage SED and it goes bad, you can make do with another motherboard that has that feature OR depending on mobo model/manufacturer, you may need the same exact model.

It's easier to just let the OS deal with this. Assuming Windows, Bitlocker will use the drive's hardware SED capability, and the keys (password) are stored either on the TPM chip on your motherboard or on a USB drive. In addition, you can set it up to also ask for a PIN upon Windows boot.

 

[Avgas]

The ATA password seems to be the old way of doing things. Going forward it's going to be TGC Opal...

Samsung says the 950 Pro M2 will support TGC Opal with a future firmware update, and seems independent of the motherboard and OS. Looks like you just need a utility to set the AK and PBA (Pre-Boot Authentication) image.

Use the hardware-based full disk encryption your TCG Opal SSD with msed

To setup the AK and install the PBA.
GitHub - Drive-Trust-Alliance/sedutil: DTA sedutil Self encrypting drive software
Executable Distributions · Drive-Trust-Alliance/sedutil Wiki · GitHub

TCG Opal is a new standard for communicating with supporting drives concerning their encryption functionality. Furthermore, it includes a really elegant way to have the user supply their authorization credentials.

In its default state, the main disc area is completely locked and inaccessible. However, when the system is booted, the encrypted disc exposes a fake disc from its firmware, called the shadow MBR (master boot record), 128MB in size. Usually this shadow MBR is flashed with the pre-boot authorization (PBA) image, which is in essence a small operating system (including MBR, boot sector, filesystem) that asks the user for their drive password, which it then communicates to the disc via OPAL commands. If the password is valid, the disc unlocks itself, and then the real operating system is loaded up.

From the HP white paper.

SED Setup and Boot Process
During the provision process of the SED, the following occurs:
• Password (AK) is established.
• Shadow Master Boot Record created on SED.
o This allows the use of a pre-boot OS to allow the entering of the password (AK) to unlock the drive, enabling access to the data stored on the device.

After completing the setup process for the SED, the boot flow of the Workstation is as follows:
• System BIOS attempts to read Master Boot Record of the SED.
• System BIOS is redirected and loads the pre-boot OS.
• The user authenticates by entering the password defined during the setup process.
• If authentication is successful, the pre-boot OS passes control to the original MBR and the OS on the SED loads.
• If authentication is not successful, the machine is unable to boot

Trusted Computing Group - Commonly Asked Questions and Answers on Self-encrypting Drives

How is the access to the drive secured to allow only the Authorized user to access it? Is there a boot- up password that is entered via a BIOS dialog?

A: When the BIOS requests the Master Boot Record from the drive, the drive instead returns the pre-boot record to the user. This pre-boot record is a complete, though quite restricted OS, usually something simple like MS-DOS or LINUX. The pre-boot image requests the Authentication Credentials from the user, which are passed to and checked directly by the drive logic. If accepted, then the drive returns the MBR and the OS is loaded. Important point: This pre-boot authentication is the FIRST thing that happens and is controlled by the drive directly. This has the added advantages of not modifying the MBR, which many software encryption products do, and allowing the MBR to be encrypted like all other user accessible data.

My SED is incorporated in a laptop that includes a system TPM. How does the SED interact with the system Trusted Computing software and hardware?

A: The TPM and the SED are not required to interact. However, depending on the software authentication, secrets held within the TPM could be used to authenticate or to help authenticate to the SED. Note that there is also a disadvantage to using a TPM to participate in SED authentication. Should the laptop fail and the user want to move the SED to a new model, the management software would have to support moving it from one TPM to another. Otherwise the SED could not be unlocked, as it is in part controlled by the TPM in the dead system.

 

[staticlag]

The BIOS TPM method utilizes an onboard storage chip for the decryption key. It is found in enterprise motherboards and laptops. My laptop from 2010 has it. When you enter your BIOS password it allows the chip to send it's own key to the drive that was generated during configuration. If the motherboard and drive are separated it is impossible to access data on the drive because the necessary decryption key is on the motherboard, your password being entered allows the motherboard to sends it to the drive. Really this feature is so someone cannot physically pull your machine's hard drive and use the Windows toolkit to disable security without having the Windows password also.

Bitlocker can store it's key on your motherboards chip also or it can do full software raid, or I believe it also has a key backup option.

 

[izx]

The ATA password seems to be the old way of doing things. Going forward it's going to be TGC Opal...
...
To setup the AK and install the PBA.
GitHub - Drive-Trust-Alliance/sedutil: DTA sedutil Self encrypting drive software
Executable Distributions · Drive-Trust-Alliance/sedutil Wiki · GitHub

I found the same thing yesterday and it really seems the way to go - truly OS/BIOS-independent HW encryption. The only caveat is the PBA requires you to disable secure boot (which shouldn't be a problem for most of us "enthusiasts" )

 

[RadAway]

I've been trying to get some answers in this area also.

I did get a reply from AsRock a few days ago.
The board I was asking them about was the Z170 Pro4S.

Here is what they sent:

"Actually, your current BIOS already support ATA-password.
We provide some hint for you to set in BIOS:

1. Please reboot the system then press[Delete] to enter the BIOS setup.
2. In BIOS main screen, please press[Ctrl]+[Shift]+[F3].
3. Afterward, press[F10] to save the setting and exit.
4. Reboot the system then enter the BIOS setup again, you can see the HDD security Configuration in Security tab. "

It is likely this feature may exist in the other AsRock Z170 boards also.