Question Does ANY current motherboard support ATA Password for nVME drives?

[ImBatman]

All of the new Samsung EVO nVME drives feature drive-level, Class 0 encryption via setting an ATA Password.

This is a standard and feature that has been around for other drives for at least 10 years. But, I am surprised to find that there are few (if any?) motherboards that support it for nVME drives.

I tried emailing the "big 4" motherboard makers (MSI, Gigabyte, Asus, ASRock) and they all replied that they do not carry any board that supports this feature.

Does anyone know of any motherboard that supports it?

The closest I have found are the Supermicro gaming boards (yes, they actually do make gaming boards): https://www.supero.com/en/product-series

Their on-line manuals do include screens for setting ATA Passwords on drives in the BIOS. However, I can't tell from what they give whether or not there are limitations to that (ie. it only works on SATA drives, etc.). And I haven't been able to reach a person there to verify.

By any chance does someone have one of their gaming boards and know the answer?

Any help would be greatly appreciated!

PS: I already know about alternative methods of drive encryption. So, do not need to learn about TPM, etc. Those have drawbacks I don't like and feel that I should be able to simply find a way to use a feature that is already on the drives.

 

[Topweasel]

This kind of functionality is generally reserved for the business computers and other big box sales. Not for enthusiast retail boards.

 

[ImBatman]

This kind of functionality is generally reserved for the business computers and other big box sales. Not for enthusiast retail boards.

Eh. I respectfully disagree. Millions of people buy boards for business use from the same outlets/manufacturers as everyone else.

I bought boards over 10 years ago that had this feature. From CompUSA.

 

[artvscommerce]

Which chipset are you looking to use?

 

[ImBatman]

Which chipset are you looking to use?

I think ideally I would like to get into a Z490 or Z390. But, I would consider other options as well if they support this feature and cover a few other bases.

 

[artvscommerce]

I think ideally I would like to get into a Z490 or Z390. But, I would consider other options as well if they support this feature and cover a few other bases.

I will see if I have access to any Supermicro boards on Z390 or Z490- If I do I would like to test this. I'm not sure how quickly I would be able to get this completed, but if I can make this happen I will be sure to share my findings with you.

 

[thesmokingman]

Eh. I respectfully disagree. Millions of people buy boards for business use from the same outlets/manufacturers as everyone else.

I bought boards over 10 years ago that had this feature. From CompUSA.

lol, I've been doing this a long time and have never seen this feature.

 

[ImBatman]

I will see if I have access to any Supermicro boards on Z390 or Z490- If I do I would like to test this. I'm not sure how quickly I would be able to get this completed, but if I can make this happen I will be sure to share my findings with you.

That would be great! Supermicro did email to me that their boards support ATA Password on all of the SATA drives. But, not the nVME one. It was kind of a vague explanation. But, they said something about the Intel "PCH" not allowing it. Never know. Maybe the guy I emailed with was wrong? Would love to be surprised.

lol, I've been doing this a long time and have never seen this feature.

There are gaming boards released within the last few months that have it for SATA drives. Just not nVME.

If you have owned a lot of boards going back a long time you likely had it and did not know. No reason to look for it if you aren't using it and the options don't typically appear on the BIOS menu unless you have a drive installed that has it. Typically, it is in higher end hard drives.

 

[piokos]

All of the new Samsung EVO nVME drives feature drive-level, Class 0 encryption via setting an ATA Password.

There's clearly some misunderstanding here.

ATA Password is not encrypting the drive. It just locks the controller. Until you input the right password, the controller won't let you access the files.
This is a part of ATA standard and is very weak - you can easily look up ways to bypass this (including just flushing the drive firmware...).
You don't see this option in modern BIOS because it's rubbish.

Many drives from different manufacturers offer a built-in AES-256 encryption chip.
But keep in mind that on Windows this just works as hardware acceleration for Bitlocker (also AES-256).
You're not getting any extra protection - just slightly better performance (or few % less CPU load).

To turn it on, you probably have to use the software that comes with the drive (so in your case: Samsung Magician).

Eh. I respectfully disagree. Millions of people buy boards for business use from the same outlets/manufacturers as everyone else.

Why don't they just buy an OEM PC like a proper enterprise would?

 

[ImBatman]

There's clearly some misunderstanding here.

ATA Password is not encrypting the drive. It just locks the controller. Until you input the right password, the controller won't let you access the files.
This is a part of ATA standard and is very weak - you can easily look up ways to bypass this (including just flushing the drive firmware...).
You don't see this option in modern BIOS because it's rubbish.

Many drives from different manufacturers offer a built-in AES-256 encryption chip.
But keep in mind that on Windows this just works as hardware acceleration for Bitlocker (also AES-256).
You're not getting any extra protection - just slightly better performance (or few % less CPU load).

To turn it on, you probably have to use the software that comes with the drive (so in your case: Samsung Magician).

This is kind of true. Yes. Technically, "ATA Password" by itself is not encryption. However, I have never seen a drive with ATA Password only and no self-encryption. And every drive I have seen that has self-encryption implements it by having "always on" encryption of the data and encrypting the key either via ATA Password (that protects the encryption key) or TPM (which I think is the common Bitlocker approach you describe).

You can't just flash the drive to access the encrypted data because the key is stored there. You would just lose the key forever.

Always-on encryption allows you to secure your data by setting a password without having to wipe or separately encrypt the data. It also makes it fast and easy to "erase" the entire drive.

The SSD does this by storing the encryption key in plaintext. When you set an ATA disk password (Samsung calls this Class 0 security), the SSD uses it to encrypt the key itself, so you'll need to enter the password to unlock the drive. This secures the data on the drive without having to erase the entire contents of the drive or overwrite all data on the drive with an encrypted version.

Having all the data encrypted on the drive also brings another perk: the ability to effectively erase it instantly. By simply changing or deleting the encryption key, all data on the drive will be rendered unreadable, without having to overwrite the entire drive. Some newer Seagate hard drives (including several newer consumer drives) implement this feature as Instant Secure Erase.

Because modern hardware encryption engines are so fast and efficient, there is no real performance advantage to disabling it. As such, many newer SSDs (and some hard drives) have always-on encryption. In fact, most newer WD external hard drives have always-on hardware encryption.

https://superuser.com/questions/986387/why-does-my-ssd-internally-encrypt-data-even-without-a-password-set

Why don't they just buy an OEM PC like a proper enterprise would?

I think this is a joke?

 

[piokos]

This is kind of true. Yes. Technically, "ATA Password" by itself is not encryption. However, I have never seen a drive with ATA Password only and no self-encryption. And every drive I have seen that has self-encryption implements it by having "always on" encryption of the data and encrypting the key either via ATA Password (that protects the encryption key) or TPM (which I think is the common Bitlocker approach you describe).

Well, yes. Technically, you can set up drive encryption with ATA Password access.
But...
ATA Password SUCKS
... and you simply shouldn't do that.
Your original issue here was that modern motherboards don't offer this. They don't on purpose. If you see this on some server/workstation motherboards, it's probably for compatibility issues.

On Windows it's best to use Bitlocker. It does everything you want.
It's AES-256, it's fast, it's beautifully optimized for the OS. I would not look any further unless you're on W10 Home.
On Macs: FileVault.
On Linux: depends what you need and can do. I would start here:

Self-encrypting drives - ArchWiki

wiki.archlinux.org

I think this is a joke?

Not really. DIY computers in an enterprise? Why?

The grocery store downstairs uses a DIY desktop for their surveillance cameras and playing music. This is probably the largest enterprise I've seen using DIY computers.
Even when I was studying, everything was OEM-made - mostly by Dell.
And I live in former Eastern Bloc - so in a relatively poor area where DIY desktops in households survived for a lot longer than in the West. OEM desktops were too expensive for people here, so virtually everyone used custom desktops at home until affordable laptops arrived.

 

[ImBatman]

Well, yes. Technically, you can set up drive encryption with ATA Password access.
But...
ATA Password SUCKS
... and you simply shouldn't do that.
Your original issue here was that modern motherboards don't offer this. They don't on purpose. If you see this on some server/workstation motherboards, it's probably for compatibility issues.

Compatibility issues? It is a feature that is either provided or not. A drive would be compatible either way. And FYI, it is provided in some boards. Just, not for nVME that I have found yet. Other drives are still supported.

Do you have an actual argument about why using this method sucks? Or is "it sucks" the extent of your opinion here?

On Windows it's best to use Bitlocker. It does everything you want.
It's AES-256, it's fast, it's beautifully optimized for the OS. I would not look any further unless you're on W10 Home.
On Macs: FileVault.
On Linux: depends what you need and can do. I would start here:

Self-encrypting drives - ArchWiki

wiki.archlinux.org

PS: I already know about alternative methods of drive encryption. So, do not need to learn about TPM, etc. Those have drawbacks I don't like and feel that I should be able to simply find a way to use a feature that is already on the drives.

Not really. DIY computers in an enterprise? Why?

The grocery store downstairs uses a DIY desktop for their surveillance cameras and playing music. This is probably the largest enterprise I've seen using DIY computers.
Even when I was studying, everything was OEM-made - mostly by Dell.
And I live in former Eastern Bloc - so in a relatively poor area where DIY desktops in households survived for a lot longer than in the West. OEM desktops were too expensive for people here, so virtually everyone used custom desktops at home until affordable laptops arrived.

Do the millions of freelance developers, 3D designers, writers, etc. all use Dell?

Survived for a lot longer than in the West? You think that people in the West prefer OEM computers over DIY?

 

[piokos]

Compatibility issues?

Wrong phrase. I meant legacy solutions etc. Sorry.

It is a feature that is either provided or not. A drive would be compatible either way. And FYI, it is provided in some boards. Just, not for nVME that I have found yet. Other drives are still supported.

Well, as I said. BIOS makers are removing this option. Maybe in your case it still works for some drives. I don't know.
Just move on. We have better solutions.

Do you have an actual argument about why using this method sucks? Or is "it sucks" the extent of your opinion here?

Google: unlock bypass remove ATA password

There are more modern, more secure, easier to use options. I just don't understand why you want to use ATA Password so much.
Bitlocker is better in every way and the only problem is upgrading to Windows Pro if you don't have it already. You can move the drive to another PC, you can use a USB key to unlock. It's a solution from XXI century.

Do the millions of freelance developers, 3D designers, writers, etc. all use Dell?

They mostly use laptops. But yeah, I definitely didn't think about freelancer when I used the word "enterprise". My bad.

Survived for a lot longer than in the West? You think that people in the West prefer OEM computers over DIY?

Of course they do and did back then, but that's not the point. They simply could afford them.
Where I lived, DIY PCs were a common choice even for people who had absolutely no interest in building them or tinkering. And even for people who didn't game or need a lot of performance for work.
Almost no one could afford a Dell, an Atari or an iMac (or a proper console for gaming).
DIY PC was the cheap option for poor people - opposite of what we have today.

 

[ImBatman]

Wrong phrase. I meant legacy solutions etc. Sorry.

I don't see how that difference turns it into a criticism of the technology. It changes your statement to "They are including the feature just because people still want to use the feature."

Yes. Yes they do! As evidenced by it's support in the latest versions of some of the most high end hard drives available.

Well, as I said. BIOS makers are removing this option. Maybe in your case it still works for some drives. I don't know.
Just move on. We have better solutions.

I'm sorry but you have not made a compelling case that you are aware of any solutions that I am not already familiar with. I am just looking for help from the community regarding what hardware may be out there as there is a lot and online support for these companies is not very helpful in clarifying compatibilities.

Google: unlock bypass remove ATA password

As I already pointed out, that would accomplish nothing toward decrypting the data on the drive.

There are more modern, more secure, easier to use options. I just don't understand why you want to use ATA Password so much.
Bitlocker is better in every way and the only problem is upgrading to Windows Pro if you don't have it already. You can move the drive to another PC, you can use a USB key to unlock. It's a solution from XXI century.

I'm not interested in going over notes about this subject. If you believe Bitlocker is great, ok. Don't let me get in the way! I am already familiar with it.