Anyway to lock a 3.5" internal drive with a password?

[tracerit]

I'm using a 3TB 3.5" drive now for video storage and would like to put it away somewhere else physically. Probably a safety deposit box. But I also want to put a password on it so someone wouldn't be able to just plug the SATA and power cable in and access it as a secondary drive. I don't want to encrypt the contents, just lock it.

 

[dave_the_nerd]

They don't really work that way: if I can connect it to a computer, I can read the data on it. If you had some kind of password protection on the file system but the data was unencrypted, I'd just overwrite your partition map and then run a drive recovery program to retrieve the files. (Or something similar. I'm not a Forensics guy so I only know roughly how it works, but I'm pretty sure your data would be retrievable.)

The only way to actually protect the data is to mangle/encrypt it. BitLocker is included with Windows. Or you could put your data in a password-protected ZIP archive or disk image or something similar.

 

[VirtualLarry]

ATA Security supports doing just that, but support for that is, for some reason, VERY limited on desktop PCs.

 

[corkyg]

The Safety Deposit Box should be very secure. I keep such items in one, and it is primarily for the Executor if my estate (my son) to have quick and easy access for the days when I croak. Until then, I have the only access key outside of the bank.

 

[PliotronX]

Dave is right, and perhaps a hardware solution would come in handy. I prefer the idea of encrypted container files but Veracrypt has an interesting feature where the drive can have a "fake" partition that looks mostly empty and the encrypted goods are hidden to take it a step further. For simple use though, fully encrypting with BitLocker to Go (where available, only in 7 Enterprise/ultimate or 8.1/10 professional/enterprise) or Veracrypt would be the way.

 

[XavierMace]

If it's important enough to need a password, it's important enough to encrypt.

 

[Red Squirrel]

You could look into something like Trucrypt but since that project is kind of in limbo, not sure what the alternatives are. Some Linux distros do have encryption for the OS drive but it's an option at installation, so I'm not sure how you'd do that for a non OS data drive after the fact.

Another option is you could use a "loop" device and then encrypt it. Ex:

dd if=/dev/zero of=loopdevice.bin bs=1G count=10  (creates a blank, large 10GB file)

losetup -e aes /dev/loop1 loopdevice.bin   (mounts this file as if it were a hard disk, using encryption - it prompts for a password)

mkfs.ext4 /dev/loop1    (formats a file system - in this case you don't bother partitioning and just format the entire device)

mount /dev/loop1 /mnt/loop1  (mounts it to a mount point so you can store files in it)

This would create an encrypted disk image file that you can then store on a hard drive. The magic happens in the losetup command as the -e aes part encrypts it. I cannot guarantee the security of this though, I was just playing with it for fun once and thought it was an interesting thing.

There may be other ways to encrypt a hard drive but I don't know of any programs off hand other than trucrypt/veracrypt which I would not trust at this point. Basically they issued a statement at one point to not trust the product, but there was no explanation why. It's possible the government may have gotten involved and they were not allowed to say. There may be a known exploit or something.

 

[BonzaiDuck]

I'm using a 3TB 3.5" drive now for video storage and would like to put it away somewhere else physically. Probably a safety deposit box. But I also want to put a password on it so someone wouldn't be able to just plug the SATA and power cable in and access it as a secondary drive. I don't want to encrypt the contents, just lock it.

Do you anticipate the possibility of "The Bank Job" ? That scenario doesn't seem like much of a practical risk.

Of course, if you're away from home much of the time, and excluding the option of putting the disk in a safe-deposit box, the risk of having it stolen in a home-invasion is much greater for you than for me.

 

[corkyg]

What is missing for me is, what is the threat? What is needing to be secured, and against whom?

 

[rchunter]

I just use LUKS. I think it's built in to most linux distros. It works good. I do all my banking and important stuff anyway on my linux machine. I don't encrypt the boot drive/OS. I just have a separate partition I encrypt.

 

[BonzaiDuck]

What is missing for me is, what is the threat? What is needing to be secured, and against whom?

I think I've followed a rational migration to computer parts that support mobility when mobility is urgent. I think of that episode in "Weeds" where Nancy Botwin has 20 minutes to vacate her So-Cal suburban home as a wildfire advances toward her neighborhood. So my backup disks for all systems (and my server -- which backs up all . . ) are 2.5" hot-swap units.

20 or 30 years ago, you could worry a lot about home-invasion and computer theft, and that could still be a worry. You wouldn't want some South-LA gang accessing your bank-account data. But since we spend most of our time at home, the only security gap remaining is the absence of a good pump-action shot-gun. [Supposedly, just hearing the gun being racked is enough to scare the bejeesus out of anyone familiar with the sound.]

Some may think I'm a bit retrograde, but I don't implement the security features of the newer motherboards, and I don't use any special encryption of my data HDDs (or any other). I've seen too many folks struggling with BIOS misconfigurations (and Secure-Boot) or accessing encrypted disks. I think I've seen people who get into trouble with BitLocker, but someone can correct me if they think I'm mistaken or confused about it.

Secure-Boot may only be peripheral to this issue, but I had encountered problems when a system becomes unstable and somehow resets the BIOS -- or the BIOS is reset by some other accident. The motherboard default has Secure-Boot Enabled, and one needs to reconfigure the BIOS to disable it before the boot disk is again bootable.

Now -- if someone wants to place a million-dollar defense contract at my feet with certain "requirements," I'll be glad to do that. But for my personal retiree-existence, I'm not inclined to it.