Haswell mobo with HDD password / ATA password

jareks

Junior Member
Jun 7, 2013
Hi guys,

I am looking for a desktop mobo to utilize the full drive encryption found in new SSDs. From what I understand, it is essential to have HDD password (also called ATA password) support in the BIOS to be able to unlock the disk when the computer starts.
So far, I was able to collect the following information:
list of Intel mobos with HDD password support: http://www.intel.com/support/motherboards/desktop/sb/CS-034023.htm
old topic suggesting that support for Trusted Platform Module (TPM) is enough:
http://forums.anandtech.com/showthread.php?t=2285601&highlight=hdd+password
and an interesting topic about adding this function to an existing BIOS:
http://vxlabs.com/2012/11/28/adding-the-ata-security-extension-bios-to-amibios/

Question: do any of the new ASUS, Gigabyte, MSI or other mainstream motherboards support HDD password (maybe since many of them have TPM connectors)?
Question 2: does using an HDD password require the drive to be in ATA mode, not AHCI? (a bit more info: http://security.stackexchange.com/questions/29813/ssd-enrcyption-with-ata-password-ahci-mode )
 

asdif

Junior Member
Jun 10, 2013
I second this. It seems impossible to tell what motherboards support ata passwords. No mobo reviews even mention this feature, something even Anandtech is guilty of (then why even mention what SSDs support encryption?).

As far as I'm aware, the ATA password, AHCI, and TPM are unrelated. What is important is that you can set both the user and master password. Alternatively, if you can set the ATA security level to maximum, then you are safe because the master password will only erase the drive then.

A link with some useful information (and lots of confusion) is here: http://communities.intel.com/message/120689#120689

This is the most important motherboard feature to me. If anyone could tell me a Haswell motherboard that supports this feature, I would be extremely grateful. It seems like only business laptops allow ATA passwords.

Thanks for reading.
 

fenderman

Junior Member
Jun 15, 2013
I am curious about this as well. In the past, even the Intel motherboards that support this feature only support 1 drive attached to SATA port 0. There is no RAID support for the hard disk password, which seems so silly to me.
 

jareks

Junior Member
Jun 7, 2013
After doing some more research on the topic, I found out there is an alternative approach to deal with the lack of ATA password support in the BIOS.
What seems possible (and documented over the Internet) is that one can create a minimal boot OS (for example on a USB drive) which manually sends the ATA password to the encrypted drive (the hdparm command in Linux can do that). After it is unlocked, the mini OS does a warm reboot, which keeps the real drive unlocked. On reboot the real drive boots up normally.
That sounds pretty complicated, but surely doable if someone is as desperate as me :)
Can anyone comment on such a setup? Or maybe someone found some Haswell mobos with ATA password support? :)
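
The unlock step of the setup described in the post above, as an added example that is not part of the original thread. It assumes a Linux boot environment with hdparm, run as root; the function names and the sample `hdparm -I` output are constructed for illustration. The warm reboot would follow a successful unlock.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux with hdparm, run as root.

# Constructed sample of the "Security:" section of `hdparm -I` output
# (whitespace simplified) for a drive that powered up locked.
SAMPLE_LOCKED='Security:
    Master password revision code = 65534
        supported
        enabled
        locked
    not frozen
    not expired: security count
        supported: enhanced erase
    Security level high'

# Read `hdparm -I` text on stdin; print "<state> <level>" where state is
# unsupported, locked, frozen, disabled or unlocked.
ata_security_state() {
  awk '
    /^Security:/        { insec = 1; next }
    insec && /^[^ \t]/  { insec = 0 }   # a new top-level section ends it
    !insec              { next }
    { neg = ($1 == "not"); w = neg ? $2 : $1 }
    w ~ /^(supported|enabled|locked|frozen)$/ && !(w in st) { st[w] = !neg }
    /Security level/    { level = $3 }  # high or maximum
    END {
      if (level == "") level = "-"
      if (!st["supported"])    s = "unsupported"
      else if (st["locked"])   s = "locked"
      else if (st["frozen"])   s = "frozen"
      else if (!st["enabled"]) s = "disabled"
      else                     s = "unlocked"
      print s, level
    }'
}

# unlock_if_locked DEVICE PASSWORD (hypothetical helper name).
# The password is visible in the process list while hdparm runs, which is
# tolerable only in a single-user boot environment.
unlock_if_locked() {
  state=$(hdparm -I "$1" | ata_security_state)
  case $state in
    locked*) hdparm --user-master u --security-unlock "$2" "$1" ;;
    frozen*) echo "$1: frozen, security commands rejected until power cycle" >&2
             return 1 ;;
    *)       echo "$1: $state, nothing to unlock" ;;
  esac
}
```
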
 

jareks

Junior Member
Jun 7, 2013
@readymix:
Great thanks for your reply!
Could you please tell us exactly which ASUS mobo + TPM chip you used? And most importantly, does the TPM chip enable any extra options (ATA password) in the BIOS, or is it only useful with BitLocker?
 

readymix

Senior member
Jan 3, 2007
> @readymix:
> Great thanks for your reply!
> Could you please tell us exactly which ASUS mobo + TPM chip you used? And most importantly, does the TPM chip enable any extra options (ATA password) in the BIOS, or is it only useful with BitLocker?

At the time the TPM was installed in an ASUS P6T6, since moved. It did not enable a BIOS ATA password then or since with an ASUS P9X79. Search Amazon for "asus + tpm"; it is still available. The module is by Infineon. Search ASUS downloads for "tpm" for the Infineon software package, or, as I recall, the TPM came with a mini disk. The software package was not necessary for my purpose; in fact, between the Windows TPM support and the Infineon software I'd say I barely scratched the surface of TPM utility.
 

jrichrds

Platinum Member
Oct 9, 1999
I'm also looking for Haswell motherboards that have ATA Password option in BIOS for "easy" encryption of SSD. My Ivy Bridge H61 chipset Dell Optiplex has the ATA password feature in the BIOS, but the rest of my desktops don't (boards from MSI and Gigabyte, and Lenovo ThinkServer TS140). Can go the TPM+Bitlocker way, but doing it the ATA password way is so much simpler and works with any OS while maintaining hardware encryption.
 

piasabird

Lifer
Feb 6, 2002
Can't you just reset the BIOS? If you could not reset the BIOS, then this option would cause more problems than it is worth. There would be tons of people wanting to know how to get around these passwords when they forget what the password is.
 

gasmando

Junior Member
Jan 5, 2015
Just a quick post, because I've mentioned this elsewhere in the forums. However, this was one of the threads I came to to learn about this topic. I dug for information on motherboards with ATA password support. Nothing. No reviews mention it, and the mobo makers don't advertise this feature. Which is weird given the millions of Samsung EVO and Intel SSDs with hardware encryption capability.

Turns out HP and Lenovo laptops have this feature, but desktop support for ATA passwords is rare. Why? One forum mentioned in discussions with ASUS that the ATA Password method is so secure that if the password gets lost, no one can help. Not Samsung, Intel, ASUS, or anyone. Even forensic guys at Shmoocon mention that encrypted SSDs could spell the end for forensic drive analysis.

So I did a build with a state of the art mobo with ASRock, then found out no ATA password. I wrote to them, and they wrote back with a modified BIOS 1.07B, that had the password function. It worked. The drives were encrypted and when put on other machines, were totally useless and/or unreadable even with forensic stuff.

I want to thank all that contributed to this thread- it helped me a lot in understanding this tech.
 

jrichrds

Platinum Member
Oct 9, 1999
> Just a quick post, because I've mentioned this elsewhere in the forums. However, this was one of the threads I came to to learn about this topic. I dug for information on motherboards with ATA password support. Nothing. No reviews mention it, and the mobo makers don't advertise this feature. Which is weird given the millions of Samsung EVO and Intel SSDs with hardware encryption capability.
>
> Turns out HP and Lenovo laptops have this feature, but desktop support for ATA passwords is rare. Why? One forum mentioned in discussions with ASUS that the ATA Password method is so secure that if the password gets lost, no one can help. Not Samsung, Intel, ASUS, or anyone. Even forensic guys at Shmoocon mention that encrypted SSDs could spell the end for forensic drive analysis.
>
> So I did a build with a state of the art mobo with ASRock, then found out no ATA password. I wrote to them, and they wrote back with a modified BIOS 1.07B, that had the password function. It worked. The drives were encrypted and when put on other machines, were totally useless and/or unreadable even with forensic stuff.
>
> I want to thank all that contributed to this thread- it helped me a lot in understanding this tech.

I've found Dell Latitude Laptops and Dell Optiplex desktops have the ATA password feature in the BIOS...not sure if their consumer line laptops/desktops have it though.

That's pretty impressive you got a modified BIOS made for you by the mobo manufacturer. I've always thought requests like these go into the "we'll look into it, but never to be heard back from" bin.
 

jrichrds

Platinum Member
Oct 9, 1999
> Can't you just reset the BIOS? If you could not reset the BIOS, then this option would cause more problems than it is worth. There would be tons of people wanting to know how to get around these passwords when they forget what the password is.

Resetting the BIOS would have no effect on the encrypted contents of the SSD. You'd still have to provide the correct ATA password for the drive contents to be accessible.