Hitachi 7K200 Bulk Disk Encryption

T60/T61 series specific matters only
ScotchDiver
Posts: 44
Joined: Tue Mar 07, 2006 12:20 am
Location: Austin, TX

Hitachi 7K200 Bulk Disk Encryption

#1 Post by ScotchDiver » Thu Aug 02, 2007 4:11 am

Now that the 7K200 has been out for about a month, has anyone figured out Bulk Data Encryption? At first I was just happy for the extra space, but now I plan to wipe it and upgrade to Vista. This seems like a good time to look into BDE and do some speed tests to see if it's worth using (compared to TrueCrypt). HGST has a few white papers and marketing fluff pieces, but no utilities or documentation that tell you how to actually enable the feature or set and clear a password.

I did find one note at the bottom of a tech sheet that mentions having the feature enabled at the factory. I sure hope this doesn't mean Hitachi expects us to send them the drive with a password on a sticky note. :lol:

Also, if you download the specification document (page 57) you'll see it contains commands for enabling and configuring security. I have to assume that this means the drives are field programmable and Hitachi just hasn't released the updated FeatureTool software to handle it yet.

http://www.hitachigst.com/tech/techlib. ... 0_Spec.pdf
T60p 2007-93U, X40, W500 4058-CTO

nurio
Posts: 37
Joined: Fri Jul 20, 2007 1:02 pm
Location: Atlanta, GA

#2 Post by nurio » Thu Aug 02, 2007 9:51 am

Not all Hitachi 7k200's support encryption. Unfortunately the Hitachi docs are quite cryptic when it comes to that subject.
The Hitachi drives that support encryption have the following SKU #'s:
80GB - 0A53066
100GB - 0A53067
120GB - 0A53068
160GB - 0A53069
200GB - 0A53070

I personally couldn't find the 200GB one in any store. The SKU on the ones in zipzoomfly or newegg is 0A50940...
Anyway, I was told by a support rep that in order to enable the encryption you only need to enable the hard drive password in the BIOS.
And in order to render the data useless on the drive you need to remove the password.

Keep in mind that if you enable the encryption you will need to type your hard drive password every time your system starts.

smartins
Posts: 40
Joined: Thu May 10, 2007 7:23 am
Location: Oporto, Portugal

#3 Post by smartins » Thu Aug 02, 2007 10:10 am

I had the exact same doubt and when I asked over at notebookreview got the following answer:
The Bulk Data Encryption feature comes with the E7K200 model NOT the 7K200

Read here:-

http://www.hitachigst.com/tech/techlib. ... tar_E7K200

nurio
Posts: 37
Joined: Fri Jul 20, 2007 1:02 pm
Location: Atlanta, GA

#4 Post by nurio » Thu Aug 02, 2007 10:45 am

To the best of my understanding both the 7K200 and E7K200, should have encryption models available. The E7K200 is more intended for enterprise / datacenter use, while the 7K200 is for laptops. When I discussed this with Hitachi reps we were talking about 7K200 on laptops and the same encryption information seems to be available for the 7K200 as well:
http://www.hitachigst.com/tech/techlib. ... star_7K200

One of the reps that I spoke with said that it would probably be hard to find them in stores at this moment and suggested to start looking in about a month from now.

ScotchDiver
Posts: 44
Joined: Tue Mar 07, 2006 12:20 am
Location: Austin, TX

#5 Post by ScotchDiver » Thu Aug 02, 2007 11:19 pm

According to the "Safeguarding Your Data with Hitachi Bulk Data Encryption" document, it sounds like all new Hitachi drives will support BDE:

http://www.hitachigst.com/tech/techlib. ... _paper.pdf

From the last paragraph:
"Hitachi will be offering the Bulk Data Encryption option on all new 2.5-inch hard disk drive models launched in 2007, including both the 7200 RPM and 5400 RPM product lines. At the request of the customer, this option can be enabled or not, at the factory, without any impact on the drive’s storage capacity, features or performance."

This could be a poor translation and they meant to say that each model (combination of size, capacity, speed, etc) will have a twin that adds BDE capabilities. When I first read it, it sounded like they intend to put BDE into every controller chipset from here on out. Could just be wishful thinking on my part though.
T60p 2007-93U, X40, W500 4058-CTO

nurio
Posts: 37
Joined: Fri Jul 20, 2007 1:02 pm
Location: Atlanta, GA

#6 Post by nurio » Fri Aug 03, 2007 3:46 pm

Yes, their documents are poorly written. Also, if you take a look at the 7K200 spec doc (http://www.hitachigst.com/tech/techlib. ... 0_Spec.pdf) the encryption option is only available on the HTS7220xxK9SA00 models only... so, it is not available on all the 7K200?!
This is why I called Hitachi a few days ago and I told the rep that from the documentation and product description it looked like the 7K200 model on zipzoomfly.com supports encryption. He replied that only certain models have encryption option and he couldn't confirm that the other 7K200 also support encryption.

If the encryption option is important to you, I'd suggest that you either email Hitachi support or call them, I wonder if you will get a different answer.

Hitachi USA contact info:
Toll-free 1.888.426.5214
E-mail: support_usa@hitachigst.com

la.margna
Posts: 8
Joined: Tue Jan 09, 2007 11:12 am
Location: Switzerland

T60p & Hitachi Travelstar 7K200, 7200rpm, 2.5", 200

#7 Post by la.margna » Mon Aug 13, 2007 3:36 am

Stupid question in this respect.

I currently have an original 100GB HD in my T60p 14.1".

Sounds great to double the capacity and increase speed with such Hitachi 7K200 hd.

Is this easy and will it work? So I just order the 7K200 200GB and open the notebook and replace it? any other issues or things to be aware of?

Many thanks!

jjt3hii
Posts: 12
Joined: Fri Dec 29, 2006 9:36 pm
Location: Houston, TX

Hitachi 7K200 Bulk Disk Encryption

#8 Post by jjt3hii » Wed Aug 29, 2007 3:45 am

Has anyone purchased a 7K200 and actually used the full disk encryption? Everything I see online says "optional"... so what's the deal? Need to send it to factory?
How is the password set?
Do you type it on every boot up?

What happens if you put the drive into another system as a boot drive, and non-boot drive?

(BTW the E7K200 model has nothing to do with FDE or BDE, the E simply means the drive firmware is altered to run in 24x7 always accessible environments.)

Jason
Jason - Houston

EOMtp
ThinkPadder
Posts: 1583
Joined: Fri May 19, 2006 12:51 pm

Re: Hitachi 7K200 Bulk Disk Encryption

#9 Post by EOMtp » Thu Aug 30, 2007 12:45 am

jjt3hii wrote:Has anyone purchased a 7K200 and actually used the full disk encryption? Everything I see online says "optional"... so what's the deal? Need to send it to factory?
How is the password set?
Do you type it on every boot up?

What happens if you put the drive into another system as a boot drive, and non-boot drive?
None of the drives shipped by Hitachi as of 8/25/2007 has BDE, and it is indeterminate as of today when those drives will enter the distribution channels. The model numbers given on the second posting on this thread show the units which will have BDE. The model number is not machine-readable, hence the only way to know whether or not a given drive has BDE is to inspect physically the label on the drive.

The "optional" designation is a misnomer; the feature is "optional" only to the extent that buying a car with a V6 or a V8 engine is "optional", i.e., a given car like that is either a V6 or a V8 when one buys it. Therefore, if the drive is one of the specified models, then it has BDE and it is active all the time IF the hard drive password (HDD Password) has been set by the user; if it is not one of those models, then it does not have BDE, and BDE cannot be enabled because required electronics are absent.

If the model number is for a drive with BDE, then the data is automatically encrypted once the HDD Password is set by the user (via the BIOS or ThinkVantage CSS software). Removing the password renders the data permanently inaccessible (the "very fast" equivalent of wiping the drive to MIL standards).

If an HDD Password is set, then that password must be supplied every time the machine is powered up. On machines with a fingerprint reader, the HDD Password can be submitted via the fingerprint reader, thus eliminating the need to type the password.

Whether the drive is used as a boot drive or not, if it has a password set, then the data on it is accessible only if the correct password is provided upon powering on the drive. (Note: powering on, not reboot.)

erik
moderator
Posts: 3596
Joined: Sun Apr 25, 2004 12:52 pm
Location: United States

Re: Hitachi 7K200 Bulk Disk Encryption

#10 Post by erik » Thu Aug 30, 2007 4:37 pm

EOMtp wrote:None of the drives shipped by Hitachi as of 8/25/2007 has BDE, and it is indeterminate as of today when those drives will enter the distribution channels.
newegg listed the BDE 200GB 7K200 (0A53070) a few weeks ago for $280.   i bookmarked the link but it no longer works.   since i didn't order one i cannot confirm whether or not they actually had the drives or if it was a mistake.
ThinkStation P700 · C20 | ThinkPad P40 · 600

jjt3hii
Posts: 12
Joined: Fri Dec 29, 2006 9:36 pm
Location: Houston, TX

#11 Post by jjt3hii » Thu Aug 30, 2007 9:42 pm

Hitachi replied to me a couple times and it's pretty much what EOMtp says above. Nonetheless, here's what they sent me...

Second Email:
Unfortunately, we are not able to tell you what every reseller currently has for stock. To purchase a drive with the bulk data encryption technology you would need to purchase the correct part number. I have included the generic part numbers below however, keep in mind that these may not yet be readily available in the distribution channel.

0A53066 - 80GB
0A53067 - 100GB
0A53068 - 120GB
0A53069 - 160GB
0A53070 - 200GB

The BDE technology is enabled or disabled by setting or removing a password on the drive in the system’s BIOS. If the motherboard were to fail you would be able to swap that out and gain access to the drive again as long as the correct password is entered in the system’s BIOS on the new board for the drive. The encryption is not tied to a specific board.

First Email:
To enable Bulk Data Encryption, you will need to set a password in the BIOS which in turn will activate the Bulk Data Encryption of the drive.

The Travelstar 7K200 drives with the Bulk Data Encryption feature will soon be available for purchase.

Do you type it on every boot up?
Yes. Every time the computer boots up, it will require the password.

What happens if you put the drive into another system as a boot drive?
With the drive in another system and the Bulk Data Encryption feature enabled, you will not be able to access the drive by any means. The drive must be in the same system that it was in when the Bulk Data Encryption feature was enabled.

What happens if you put the drive into another system as a non-boot drive?
With the drive in another system and the Bulk Data Encryption feature enabled, you will not be able to access the drive by any means. The drive must be in the same system that it was in when the Bulk Data Encryption feature was enabled.
Jason - Houston

GomJabbar
Moderator
Posts: 9765
Joined: Tue Jun 07, 2005 6:57 am

#12 Post by GomJabbar » Thu Aug 30, 2007 10:05 pm

The following two statements from the post above don't seem to jive to me. :?
"If the motherboard were to fail you would be able to swap that out and gain access to the drive again as long as the correct password is entered in the system’s BIOS on the new board for the drive. The encryption is not tied to a specific board."

"With the drive in another system and the Bulk Data Encryption feature enabled, you will not be able to access the drive by any means. The drive must be in the same system that it was in when the Bulk Data Encryption feature was enabled."
DKB

1percent
Posts: 16
Joined: Mon Sep 03, 2007 12:55 am
Location: New York, NY

Latest on the 7k200 with BDE?

#13 Post by 1percent » Fri Sep 14, 2007 8:49 pm

Has anyone heard more about the 7k200 200gb with bulk data encryption being available for purchase finally (US or EU)?

Thanks,
Alex


T40p -> T61p (sitting idle waiting for a hard drive)


p.s. I have repeatedly emailed TigerDirect that their listing is incorrect and included the emails from Hitachi. They have yet to stop referring to the bulk data encryption as "optional". I won't be buying from them.

erik
moderator
Posts: 3596
Joined: Sun Apr 25, 2004 12:52 pm
Location: United States

#14 Post by erik » Sat Sep 15, 2007 12:56 pm

lenovo is now offering the 200GB BDE drive in the X61 CTO.   soon they will be available in the T61.
ThinkStation P700 · C20 | ThinkPad P40 · 600

1percent
Posts: 16
Joined: Mon Sep 03, 2007 12:55 am
Location: New York, NY

#15 Post by 1percent » Sat Sep 15, 2007 1:06 pm

erik wrote:lenovo is now offering the 200GB BDE drive in the X61 CTO. soon they will be available in the T61.
Any news on what brand it is? I've already received my laptop so just need to buy a drive. Almost ready to give up on BDE...


Thanks,
Alex

p.s. anyone know the value of the stock 5400rpm 80gb drive that came with the laptop?

erik
moderator
Posts: 3596
Joined: Sun Apr 25, 2004 12:52 pm
Location: United States

#16 Post by erik » Sat Sep 15, 2007 2:39 pm

1percent wrote:Any news on what brand it is? I've already received my laptop so just need to buy a drive. Almost ready to give up on BDE...
most likely a seagate with FDE.   it's a $380 option.
ThinkStation P700 · C20 | ThinkPad P40 · 600

nurio
Posts: 37
Joined: Fri Jul 20, 2007 1:02 pm
Location: Atlanta, GA

#17 Post by nurio » Tue Sep 18, 2007 2:47 pm

Hitachi recently added a new How to Guide for BDE, which makes things a bit clearer and also lists the SKU #’s of the HDD that support BDE: http://www.hitachigst.com/tech/techlib. ... _final.pdf


I also noticed that some of the other documents were updated in order to clarify the “Optional BDE”…

smartins
Posts: 40
Joined: Thu May 10, 2007 7:23 am
Location: Oporto, Portugal

#18 Post by smartins » Mon Oct 15, 2007 7:10 am

Has anyone heard anything more about the 7k200 with bulk data encryption being available for purchase?

SteveDC
Freshman Member
Posts: 114
Joined: Mon Feb 07, 2005 11:01 am
Location: Washington, DC

#19 Post by SteveDC » Mon Oct 15, 2007 10:32 am

erik wrote:lenovo is now offering the 200GB BDE drive in the X61 CTO. soon they will be available in the T61.
I see it on the 14" widescreens but not the 14" "standard" screen. Wonder why? I'd like to get it with a standard screen. I guess they can do it if you call.

I have two questions as a self-employed T40 user:

1. How does BDE work in practice? Do I have to enter a password or something to use the drive, after logging on to the computer?

2. Off topic -- Do I want the fingerprint security on a TP61? Just entering a password seems to work fine for me now.

Thank you.

khaverblad
Freshman Member
Posts: 106
Joined: Fri Feb 18, 2005 3:46 pm
Location: Malmoe, Sweden

#20 Post by khaverblad » Wed Oct 17, 2007 1:55 pm

Has anyone managed to get their hands on a BDE-based disk yet? First-hand experience using such a disk would be really interesting instead of software-based whole disk encryption.
Kim Haverblad
Malmö, Skåne, Sweden
http://kim.haverblad.se

1percent
Posts: 16
Joined: Mon Sep 03, 2007 12:55 am
Location: New York, NY

Finally For Sale?

#21 Post by 1percent » Wed Oct 17, 2007 4:18 pm

They finally started showing up in Froogle:
http://www.google.com/products?q=0A5307 ... &scoring=p

Debating whether I should wait just a little longer for a hands on review or be the guinea pig.

Alex

nurio
Posts: 37
Joined: Fri Jul 20, 2007 1:02 pm
Location: Atlanta, GA

#22 Post by nurio » Fri Oct 19, 2007 10:10 pm

Hitachi 7K200 BDE (0A53070) is now available on zipzoomfly.com for $269.99, while the non BDE (0A50940) is going for $189.99

1percent
Posts: 16
Joined: Mon Sep 03, 2007 12:55 am
Location: New York, NY

#23 Post by 1percent » Thu Oct 25, 2007 4:00 pm

I have not been able to locate a single review of this drive with the BDE. Anyone have any experience compared to other full disk encryption schemes? Need encryption but not full disk if it comes at a performance hit.

Thanks,
Alex

wackydan
Sophomore Member
Posts: 157
Joined: Mon Jun 20, 2005 10:01 pm

#24 Post by wackydan » Thu Oct 25, 2007 4:56 pm

1percent wrote:I have not been able to locate a single review of this drive with the BDE. Anyone have any experience compared to other full disk encryption schemes? Need encryption but not full disk if it comes at a performance hit.

Thanks,
Alex
You will not suffer a performance hit with an FDE drive as compared with the 3-5% hit you take with a software only solution.

Problem is, these FDE drives are mainly geared towards business environments right now and the Seagates are somewhat proprietary.

The reality is, you don't gain much of any protection by utilizing an FDE drive vs just an HD password, unless you are afraid of someone stealing your machine and actually pulling the platters from the drive to recover the data. Wave is currently the software of choice for managing the Seagates, and there will be a host of packages for the Hitachis and others. These packages let you add multifactor login requirements with biometrics or smart cards, usb tokens, etc..... They also give you full control over the 4 admin keys and 4 user keys that you can populate on the Seagates.... Again more tailored for a commercial environment - at least today.

ARLUT
Posts: 1
Joined: Wed Oct 24, 2007 1:06 pm
Location: Austin, TX

#25 Post by ARLUT » Tue Oct 30, 2007 10:00 am

FWIW:
Hitachi wrote:The drives with bulk data encryption are always encrypted even when no ATA password has been set. The ATA password is not the bulk data encryption key. When the "security set password" command is issued from the host the bulk encryption key is wrapped with the ATA password value. This process is reversed when the "security disable password" command is issued and the default value stored in the drive is used. Changing or removing the ATA password does not regenerate the bulk encryption key or otherwise render existing data unreadable.

When no password is enabled the data is still being encrypted and decrypted by the drive however there is no ATA security prevention in place.

When the user password is created access control is enabled on the drive. This means that the drive will not accept any commands from the host until the user or master password has been entered.
Still trying to determine how secure the actual ATA password is, since that would seem to be only way to attack these drives with current technology. You'd have to get the drive to cough up the key used to encrypt the data on the platters (so moving the platters elsewhere wouldn't yield any results... hopefully).

jketzetera
Sophomore Member
Posts: 215
Joined: Tue Oct 30, 2007 11:29 pm
Location: Sydney Australia

#26 Post by jketzetera » Sat Nov 03, 2007 11:00 am

Hitachi wrote:The drives with bulk data encryption are always encrypted even when no ATA password has been set. The ATA password is not the bulk data encryption key. When the "security set password" command is issued from the host the bulk encryption key is wrapped with the ATA password value. This process is reversed when the "security disable password" command is issued and the default value stored in the drive is used. Changing or removing the ATA password does not regenerate the bulk encryption key or otherwise render existing data unreadable.

When no password is enabled the data is still being encrypted and decrypted by the drive however there is no ATA security prevention in place.

When the user password is created access control is enabled on the drive. This means that the drive will not accept any commands from the host until the user or master password has been entered.
Whoa, if I am not misinterpreting the above it would seem that the security of the Hitachi BDE drives leaves a lot to be desired.

According to the description above, the only difference between a non-BDE and a BDE drive is that the BDE drive is constantly encrypting the information as it is written to the platters and automatically decrypting it when it is read (regardless if there is a password set or not). That means that an attacker would gain nothing by removing the drive platters and reading them manually (which is good).

However, the only thing preventing regular i/o access to the BDE drive seems to be the same with non-BDE drives i.e. a simple ATA HD Lock Password. As there are several companies that either offer software for breaking ATA HD Locks or offer mail-in service for breaking ATA HD Locks on-site, the security of the Hitachi BDE seems to be seriously flawed (I hope I am wrong).

Also, the fact that the encryption key is unrelated to the password could have several serious implications. Since it seems that the encryption key is pre-set and not user changeable, it means that Hitachi in theory could have a copy of all encryption keys in use.

Does anyone have any more technical details on how Hitachi's BDE works? If the security of the drive can be bypassed by resetting the ATA HD Lock password then the "security" features of Hitachi's BDE are next to useless since it is much cheaper to hack an ATA HD Lock password than have a lab manually remove the platters from a drive.
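
Added example, not part of any post in this thread and not Hitachi code: a toy Python model of the key handling described in the quoted Hitachi statement, showing what "the bulk encryption key is wrapped with the ATA password value" implies for password changes and for a lock state cleared without the password. `ModelDrive`, `DEFAULT_VALUE`, the SHAKE-256 keystream and the PBKDF2 derivation are assumptions made for illustration; the model says nothing about how real firmware stores or derives these values.

```python
import hashlib, hmac, secrets

DEFAULT_VALUE = b"constructed-default"  # stand-in for the "default value stored in the drive"

def _keys(secret, salt):  # password or default value -> (wrap key, MAC key)
    k = hashlib.pbkdf2_hmac("sha256", secret, salt, 50_000, dklen=64)
    return k[:32], k[32:]

def _stream(key, label, n):
    # Toy keystream from SHAKE-256, an assumed stand-in for the drive's cipher.
    return hashlib.shake_256(key + label).digest(n)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ModelDrive:  # toy model of the quoted statement, not Hitachi firmware
    def __init__(self):
        self._dek = secrets.token_bytes(32)  # bulk key; in RAM only while unlocked
        self.salt = secrets.token_bytes(16)  # persistent
        self.platters = {}                   # persistent: LBA -> ciphertext
        self.password_set = False            # persistent ATA security state
        self._wrap(DEFAULT_VALUE)

    def _key(self):
        if self._dek is None:
            raise PermissionError("drive locked")
        return self._dek

    def _wrap(self, secret):
        wk, mk = _keys(secret, self.salt)
        self.wrapped = _xor(self._key(), _stream(wk, b"wrap", 32))
        self.tag = hmac.new(mk, self.wrapped, hashlib.sha256).digest()

    def _unwrap(self, secret):
        wk, mk = _keys(secret, self.salt)
        expected = hmac.new(mk, self.wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self.tag):
            return None                      # wrong secret: no key comes out
        return _xor(self.wrapped, _stream(wk, b"wrap", 32))

    def set_password(self, pw):              # "security set password"
        self._wrap(pw)
        self.password_set = True

    def disable_password(self, pw):          # "security disable password"
        if self._unwrap(pw) is None:
            raise PermissionError("wrong password")
        self._wrap(DEFAULT_VALUE)
        self.password_set = False

    def power_cycle(self):
        self._dek = None
        if not self.password_set:            # no password: drive unlocks itself
            self._dek = self._unwrap(DEFAULT_VALUE)

    def unlock(self, pw):
        self._dek = self._unwrap(pw)
        return self._dek is not None

    def write(self, lba, data):
        self.platters[lba] = _xor(data, _stream(self._key(), lba.to_bytes(8, "big"), len(data)))

    def read(self, lba):
        ct = self.platters[lba]
        return _xor(ct, _stream(self._key(), lba.to_bytes(8, "big"), len(ct)))

def demo():
    d, pw = ModelDrive(), b"constructed-pw"
    d.write(0, b"constructed sector")
    dek, ct = d._dek, d.platters[0]
    d.set_password(pw)
    r = {"dek_unchanged": d._dek == dek, "platters_unchanged": d.platters[0] == ct}
    d.power_cycle()
    r["wrong_password_unlocks"] = d.unlock(b"guess")
    d.password_set = False  # model: lock state cleared without the password
    d.power_cycle()
    r["flag_clear_unlocks"] = d._dek is not None
    r["password_reads_data"] = d.unlock(pw) and d.read(0) == b"constructed sector"
    return r
```

In this model the property to check in any self-encrypting drive design is whether the stored state alone yields the bulk key while a password is set: here it does not, and it does as soon as the key is wrapped only under the drive's own default value.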

smartins
Posts: 40
Joined: Thu May 10, 2007 7:23 am
Location: Oporto, Portugal

#27 Post by smartins » Sun Nov 04, 2007 12:52 pm

jketzetera wrote:However, the only thing preventing regular i/o access to the BDE drive seems to be the same with non-BDE drives i.e. a simple ATA HD Lock Password. As there are several companies that either offer software for breaking ATA HD Locks or offer mail-in service for breaking ATA HD Locks on-site, the security of the Hitachi BDE seems to be seriously flawed (I hope I am wrong).
Care to share which companies offer such service or software programs are available for such task? Last time I looked (3-4 months ago), I could only find one company that offered such services and the drive selection which they could reset the ATA password was very limited and they required proof of ownership before doing any work.

jketzetera
Sophomore Member
Posts: 215
Joined: Tue Oct 30, 2007 11:29 pm
Location: Sydney Australia

#28 Post by jketzetera » Sun Nov 04, 2007 8:09 pm

smartins wrote: Care to share which companies offer such service or software programs are available for such task? Last time I looked (3-4 months ago), I could only find one company that offered such services and the drive selection which they could reset the ATA password was very limited and they required proof of ownership before doing any work.
There are a lot of outfits providing these services in many different ways. Most annoyingly I could not find the UK company that I remembered were experts on IBM/Hitachi drives. However, at least one of the companies below claim 100% success rate with any ATA locked drive.

http://www.hdd-tools.com/products/rrs/

http://www.nortek.on.ca/Password%20Remo ... moval.aspx

http://www.yec-usa.com/products/hddrock.htm

http://www.pwcrack.com/harddisk.shtml

http://www.datatrack-labs.co.uk/password_recovery.asp

http://www.dataclinic.co.uk/password-pr ... -drive.htm


EDIT - Found the UK company

http://www.ultratec.co.uk/services/hard ... emoval.asp

smartins
Posts: 40
Joined: Thu May 10, 2007 7:23 am
Location: Oporto, Portugal

#29 Post by smartins » Mon Nov 05, 2007 3:48 am

jketzetera wrote:
smartins wrote: Care to share which companies offer such service or software programs are available for such task? Last time I looked (3-4 months ago), I could only find one company that offered such services and the drive selection which they could reset the ATA password was very limited and they required proof of ownership before doing any work.
There are a lot of outfits providing these services in many different ways. Most annoyingly I could not find the UK company that I remembered were experts on IBM/Hitachi drives. However, at least one of the companies below claim 100% success rate with any ATA locked drive.

http://www.hdd-tools.com/products/rrs/

http://www.nortek.on.ca/Password%20Remo ... moval.aspx

http://www.yec-usa.com/products/hddrock.htm

http://www.pwcrack.com/harddisk.shtml

http://www.datatrack-labs.co.uk/password_recovery.asp

http://www.dataclinic.co.uk/password-pr ... -drive.htm


EDIT - Found the UK company

http://www.ultratec.co.uk/services/hard ... emoval.asp
Thanks for those links. I only found pwcrack.com when I did my search.

But from a brief look, it doesn't seem that any of those companies offer easy ways (software based) to recover passwords and keep the data for the latest Seagate or Hitachi hard drives, unless a custom analysis is made and that would be a $500+ plus bill on nortek.

Still, I see that it's indeed possible to remove the password if there's someone with the desire and money to do it.

jketzetera
Sophomore Member
Posts: 215
Joined: Tue Oct 30, 2007 11:29 pm
Location: Sydney Australia

#30 Post by jketzetera » Mon Nov 05, 2007 6:22 am

smartins wrote: But from a brief look, it doesn't seem that any of those companies offer easy ways (software based) to recover passwords and keep the data for the latest Seagate or Hitachi hard drives, unless a custom analysis is made and that would be a $500+ plus bill on nortek.
If it is possible to remove the ATA Lock on the new Hitachi BDE drives the same way it is possible to remove the ATA Lock on non-BDE drives, then there is no point of buying the BDE disk in the first place.

If the above is true, then the only tangible benefit of having a BDE-drive is that an attacker will encounter fully encrypted data if he removes the platters and has them read manually in a lab.

However, as there seems to be several cheaper and non-invasive ATA lock bypass methods available, why would an attacker opt for the expensive and complicated platter removal method in the first place?
