Thinkpads Forum

Hi.
Up until now I always had ATA password set on my hard drive. I moved to SSD and I wish to enable ATA password on it.
I heard some rumors about incompatibility between SSDs ATA password and T61 (t61p in my case) so I would like to know if I can safely enable ATA password on my SSD.

I am using middleton's BIOS, T61p, Samsung 840 pro SSD.

Thanks!

I don't have an immediate answer to your question, sorry. But I wanted to point out that hard drive passwords are not really secure and only give you a false sense of security. A better option would be full-disk encryption.

Thanks.
Good point. I actually thought that braking ATA password is very hard without replacing the controller/reading the platters. That was probalby true 7 years ago when I looked into it, it seems that now there are tools/backdoors out there that can unlock a drive...
My Laptop has T9300 CPU, so I guess it lacks the AES-NI...
Any recommended FDE tool that will not kill my drive performance?

Not really. I think by their very nature software FDE tools will have a negative effect on drive performance. I guess the question is whether you can live with the "slower" performance or not. My employer made me install Symantec PGP Desktop and I can't complain (but then again I do not complain much). I have not tried any other FDE tool.
I also don't have any comparison of before and after FDE installation as I installed the FDE when I installed the SSD (which btw, is mSata) in my W520.
I found this: http://anthonyvance.com/blog/security/ssd_encryption/ an interesting read.

GibsonLP wrote:...t61p ... I would like to know if I can safely enable ATA password on my SSD.

Yes, you can.
Separately, for now at least, one cannot do with software FDE what is accomplished with properly-implemented hardware FDE ... and the only "properly-implemented" drives today with hardware FDE are the Intel 320 or 520 Series. Probably best if I don't take up space here describing the reasons why this is the case, as a little research on the Web will point to many good articles on the subject, amongst which you might find useful the following summary:
http://vxlabs.com/2012/12/22/ssds-with- ... ncryption/

Thanks all.
Apparently the 840 pro has a built in AES 256 hardware encryption although it's not 100% verified.

I am just wondering how does the drive handle insertion of HD password in the BIOS (apparently the trigger for FDE and also the encryption key...) AFTER I already have data on the drive, does it mark the encryption/unencrypted portions to distinguish between them?

Having the password as the encryption key means that without a backdoor in the algorithm itself there is no way to read the encrypted data even with the ability to reset the password (you'd get access to a pile of scrambled bytes), however - when I think about it more: If the drive's "old" data is unencrypted. Does that mean that even if the drive IS encrypted - the old data will be accessible?
Is my assumption right? Is there a way to let the drive take some time at the first boot and encrypt the existing data? or am I totally not understanding how it works?

Thanks.

GibsonLP wrote:Is my assumption right?

Not if I understand you correctly. A drive with FDE always writes encrypted data onto the drive. It is not like encryption is enabled only when you add an HDD password, so that there would be partly plaintext and partly encrypted data, as you suggest.

Depending on implementation, the HDD password may be required for the drive to process I/O requests, or for the drive to decrypt the encryption key which may have earlier been encrypted with the HDD password ... but the data on an FDE drive is always encrypted, regardless of the presence or absence of an HDD password.

Thanks.
A partially encrypted drive is indeed illogical. However - Samsung claim that FDE is enabled once the user is setting the HD password so I don't really understand how can an encryption be enabled AFTER there is data on the drive. Either the data is partially encrypted or the existing data gets erased.
Another thing - if the chosen password is not a part of the encryption key this means that we are putting our trust in the drive manufacturer (that is - a backdoor password could still exist).

GibsonLP wrote:... Samsung claim that FDE // ... putting our trust in the drive manufacturer (that is - a backdoor password could still exist).

Better English teachers are needed! -- most likely, what is written in the Samsung description is simply the result of bad English ... or, perhaps, muddled thinking on the part of the tech writers. If that drive has encryption, then the data on it is always encrypted. The proof is simple -- does adding an HDD password erase all data? I bet not.

Separately, regarding a backdoor, indeed you ARE trusting the manufacturer. After all, what makes you trust that the 256-bit AES is even there?! Perhaps the whole thing is a "lie". I am not suggesting it is, but you get the point ... IF you trust the specs, and IF you trust that the specs are implemented, and IF you trust that the implementation is bug-free, and IF you trust that the bug-free implementation does not have a backdoor, either known or unknown to the manufacturer -- after all, Samsung did not invent AES! -- then, and only then ... and those are a lot of IFs strung along ... are things "safe". And so it goes ...

Lastly, you are absolutely correct about the problems of mishandling the encryption key. It is not clear that Samsung or Toshiba or anyone else other than Intel has done this "correctly" -- in fact, quite the opposite. Intel uses the HDD password to encrypt the encryption key. The others may be doing something similar, but good luck getting clarification, let alone proving it! If all they are doing is using the HDD password to fetch the encryption key, then that encryption key is discoverable by forensic tools. Unless you know for a fact that the encryption key is itself encrypted using the HDD password and only thereafter stored on the drive, you are dealing with "amateurs". Again, it is not in any way clear that the present lot of non-Intel drives handle the data encryption key properly.