Parted Magic Secure Erase Error with Samsung 850 EVO

brontosaurus

I'm new to using Parted Magic and secure erase for SSDs, but I've used it with relative ease on one of my computers with a 250 GB Samsung 850 EVO.

So I got a 500 GB Samsung 850 EVO for a different computer. Mobo is Asus P8Z77-V LK with latest BIOS. I want to enable hardware encryption via bitlocker, so I install Windows 8.1 then enable encryption via Samsung Magician.

Then booted on PartedMagic's Secure Erase (using internal method) and get to the standard "Secure Erase Selection Dialog." I select "Enhanced", not "Secure" but didn't think much of it. It secure erases successfully, I re-install Windows 8.1 and try to enable the hardware encryption via bitlocker. For some reason, after the request to save encryption key elsewhere, it doesn't just "encrypt" but asks to select whether I want to encrypt all or part of the SSD, which I understand to be the standard software encryption that bitlocker uses. I was expecting it to just turn on per various instructionals.

I was a bit confused, so I thought I'd perform another Parted Magic Secure Erase and re-install windows to see if bitlocker would work correctly. But when I boot back and turn on secure erase, this is the message I got.

e6cMkYA.jpg


Parted Magic can still see the SSD in other programs like GParted (partitioning program). I can't figure out why it's giving me this error...

So I actually just tried re-installing windows 8.1 without doing another secure erase. This time, I turned on bitlocker and enabled hardware encryption without a hitch!

However, whenever I boot into Parted Magic and try to secure erase this drive, it keeps giving me the error pic above.

Has anyone come across this error and is there a way to "reset" the drive to be recognized?

Sorry for the lengthy post..
 

aviator79

This is complex stuff.
Check this: https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

Your SSD may be locked from a failed Secure Erase. Or you must disable Bitlocker, start Secure Erase, after that enable Bitlocker and install.
If the SSD was already encrypted, you need to do a PSID-Reset. And for that you will need a special tool. Maybe Google finds it for you.
 

Jovec

When you enable hardware E-drive mode on the EVO, the drive no longer responds to the ATA security commands needed to perform a secure erase. This occurs whether Bitlocker is enabled or not, or whether Bitlocker is in hardware or software mode.

You need a PSID revert. I can't vouch that the Samsung utility linked there will work with an 850 Evo, but it does for 840 Evo.
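
Added example, not part of the original posts and not code from Parted Magic or Samsung: the two replies above name three reasons a drive can refuse ATA Secure Erase (locked, frozen, or no longer offering the ATA security commands), and this sketch tells them apart from the "Security:" block that `hdparm -I` prints. The sample text is constructed, and treating "not supported" as the state of an eDrive-enabled drive is an assumption based on the description above.

```python
import re

FLAG = re.compile(r"(not\s+)?(supported|enabled|locked|frozen)")

def parse_security(text):
    """Return {flag: bool} from the Security block of `hdparm -I` output."""
    state, in_block = {}, False
    for line in text.splitlines():
        if line.strip() == "Security:":
            in_block = True
        elif in_block and line and not line[0].isspace():
            break                              # next unindented section header
        elif in_block:
            m = FLAG.fullmatch(line.strip())   # ignores "supported: enhanced erase"
            if m:
                state.setdefault(m.group(2), m.group(1) is None)
    return state

def diagnose(text):
    """Say whether the drive would accept an ATA Secure Erase, and if not, why."""
    s = parse_security(text)
    if not s.get("supported"):
        # Assumption: this is how a drive with eDrive mode enabled shows up.
        return "unavailable: ATA security commands not offered, PSID revert first"
    if s.get("locked"):
        return "locked: unlock with the ATA password set earlier"
    if s.get("frozen"):
        return "frozen: security state frozen since power-on, power-cycle the drive"
    return "ready: secure erase can be issued"

# Constructed sample in hdparm's layout (not captured from a real drive).
READY = """Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
Checksum: correct
"""
FROZEN = READY.replace("not\tfrozen", "\tfrozen")
LOCKED = READY.replace("not\tenabled", "\tenabled").replace("not\tlocked", "\tlocked")
EDRIVE = READY.replace("\t\tsupported\n", "\tnot\tsupported\n")

if __name__ == "__main__":
    for name, text in [("ready", READY), ("frozen", FROZEN),
                       ("locked", LOCKED), ("edrive", EDRIVE)]:
        print(f"{name:7} -> {diagnose(text)}")
```

On a live system the same function can be fed the captured output of `hdparm -I` for the drive in question; an output with no "Security:" block at all is classified the same way as "not supported".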
 

brontosaurus

@Jovec

Thank you for the information! I focused so much on reading how to encrypt SSDs, but I didn't read or understand what happens post-encryption.

You mention in your link: "Also, there can come a time when the Evo is no longer needed as an eDrive, and a Secure Erase is desired to restore performance prior to use in a different environment or even being sold."

In the event that I want to sell this drive, what happens if I sell the e-Drive+bitlocker encryption enabled SSD as is? Do I understand encryption correctly in that the contents cannot be accessed, but the new owner can write over it? Or is the SSD rendered unfunctional if I sell as-is, unless they are aware of the PSID revert tool?

I will try the PSID revert tool and report back.
 

Jovec

> In the event that I want to sell this drive, what happens if I sell the e-Drive+bitlocker encryption enabled SSD as is?

It can be sold and reused. More details below.

> Do I understand encryption correctly in that the contents cannot be accessed, but the new owner can write over it?

With actual encryption like Bitlocker or a similar program, the contents would not be accessible by the new owner. Merely enabling eDrive on the Evo however, without the follow-up encryption, would allow the drive contents to be accessed.

In either case the new owner can "write over it" by formatting or deleting/creating partitions.

> Or is the SSD rendered unfunctional if I sell as-is, unless they are aware of the PSID revert tool?

The SSD is still functional, with or without encryption. Partitions can be created and destroyed, OS and apps installed, etc. If eDrive mode has been enabled, then a Secure Erase cannot be performed until a PSID revert is done.
 

brontosaurus

@Jovec

Thanks for the clarification.

Lastly, can you comment on whether my thought process is at least qualitatively correct below?

1) Currently, the EVO is e-Drive enabled and Bitlocker enabled. In this current state, if I perform a fresh install of Win 8.1 and install Samsung Magician, it should show that e-Drive is enabled (since it is not reversible without PSID revert tool), right? However, since Windows is a new install, bitlocker should be turned off. So when I turn it back on, it should prompt me to create a new key/password, enabling a new encryption compared to the previous state.

2) If I created a new key/password to re-enable bitlocker encryption, isn't the previous state's contents and the encryption key gone/irretrievable even without performing Secure Erase?

Or maybe a better way to ask is, when is it necessary to disable eDrive mode to perform a Secure Erase? I initially only cared about Secure Erase because it was the first step to enabling eDrive for Samsung EVO for encryption purposes. But if I can enable and disable encryption via bitlocker, now that eDrive is permanently enabled, when is Secure Erase necessary? Is it the only guaranteed way to make the contents completely irretrievable?
 

Jovec

TLDR; Encrypt if you want to. Use eDrive for hardware Bitlocker if your computer meets the requirements, otherwise ignore it for software encryption or no encryption. Secure Erase/Revert when repurposing drives, but modern drives with enough free space don't need a SE to restore performance like older ones did since they don't lose as much performance as older ones did.

> @Jovec
>
> Thanks for the clarification.
>
> Lastly, can you comment on whether my thought process is at least qualitatively correct below?
>
> 1) Currently, the EVO is e-Drive enabled and Bitlocker enabled. In this current state, if I perform a fresh install of Win 8.1 and install Samsung Magician, it should show that e-Drive is enabled (since it is not reversible without PSID revert tool), right? However, since Windows is a new install, bitlocker should be turned off. So when I turn it back on, it should prompt me to create a new key/password, enabling a new encryption compared to the previous state.

My understanding is the only thing that can set eDrive mode to "Enabled" is a fresh Win8.1 install. In order to do this, eDrive mode must first be set to "Ready to Enable" via Magician prior to the install. With "Enabled" eDrive and a fresh install, one can then enable Bitlocker for the actual hardware encryption. Note that software Bitlocker can be enabled without changing eDrive mode, and eDrive can be "Enabled" without any encryption.

It is also possible that a PSID revert might be needed when going from one hardware Bitlocker installation to another (i.e. an OS reinstallation), but that seems unlikely. I have no first hand knowledge on such. In practice, I would do a revert anyway to restore drive performance prior to the new OS install.

> 2) If I created a new key/password to re-enable bitlocker encryption, isn't the previous state's contents and the encryption key gone/irretrievable even without performing Secure Erase?

It depends. I can enable Bitlocker, encrypt my drive, use it for weeks and months, then disable Bitlocker and decrypt my drive, then enable BL again with a new password, etc. All of this is with the same installation.

If you mean with a new OS installation (BL enabled on the first, then use that same drive for a new OS install without first disabling BL), then you can consider the old data to no longer be accessible since in order for the new install to happen, the partition will need to be formatted or destroyed/created.

The name Secure Erase is somewhat problematic. It should be called SSD Format or similar. On a modern SSD, all data is encrypted, it is just that the keys are known and accessible to all (hence, we consider it unencrypted). You can think of a locked door that has the keys left in the lock (though this analogy falls apart later). The door is locked, but anyone can walk up to the door and unlock it since the keys are right there. This is why you can take an unencrypted SSD and move it from one computer to another and access the data without issue. What a Secure Erase does is change the keys while still leaving those new keys in the lock (here is where the analogy falls apart, since a new lock on a door still opens up to the same room). The purpose of a SE is to effectively erase the SSD without actually erasing it. Recall that SSD NAND has a limited number of Program/Erase cycles. To actually erase the SSD would require writing zeroes to the entire drive, consuming a P/E cycle. By changing the keys via SE, the drive can act like it has been erased, since the old data cannot be accessed, but without consuming a P/E cycle.

> Or maybe a better way to ask is, when is it necessary to disable eDrive mode to perform a Secure Erase?

It's part of the spec, likely based off of TCG Opal / SED standards, that the ATA security commands be disabled.

> I initially only cared about Secure Erase because it was the first step to enabling eDrive for Samsung EVO for encryption purposes. But if I can enable and disable encryption via bitlocker, now that eDrive is permanently enabled, when is Secure Erase necessary? Is it the only guaranteed way to make the contents completely irretrievable?

A SE provides a very useful means to format the SSD. It also restores SSD performance, though with newer drives with better TRIM and garbage collection this is needed less and less. Physically destroy the device if you want guarantees.

When working with encryption it is important to understand the threat levels you are trying to protect against. For example, I encrypt my laptop with software Bitlocker (no UEFI BIOS so no hardware BL). I don't care too much if MS and the NSA can backdoor it - I'm primarily concerned with casual theft. I'm also not that concerned with key length - I want any brute force attacks to be out of reach for casual attackers and local agencies, but the reality is that more powerful companies and governments don't need to brute force my keys - they could install hardware keyloggers, install a tiny camera in the ceiling when I'm not home to view my keystrokes, intercept my computer parts during shipment and modify them, or simply beat the password out of me.

In theory, there are ways that data can be retrieved even after a Secure Erase, though they are extremely unlikely and likely limited to very powerful attackers (i.e. governments who really want your data and specifically target you, as opposed to general bulk collection). Brute force is one way, collection of the old keys prior to the SE is another (then using those old keys on the drive (or copy of the drive) where the old data has not yet been overwritten). The decryption keys are also stored in memory when the computer is on, and there are attacks to quickly freeze RAM then move it to another device for key retrieval. There could also be gaping NSA-approved backdoors in both the software (Windows/Bitlocker) and hardware (SSD controller, firmware).
 

brontosaurus

Reporting back in regarding the compatibility of the PSID revert tool with Samsung EVO 850.

It says it successfully performed a revert. See below:

UeXSgyR.jpg


And like @Jovec mentioned, following the PSID revert, the drive is recognized and can respond to ATA Secure Erase via Parted Magic! Looks like problem resolved! But wait...

I do a fresh install of Win 8.1, and install Samsung Magician to make sure that it indeed disabled e-Drive mode... and apparently it's still enabled.

7Zn5x4C.jpg


I took this right after I did a fresh install after PSID revert -> Secure Erase. Didn't even turn on bitlocker encryption. But since e-Drive still remained enabled after the PSID revert, I was able to enable bitlocker hardware encryption without having to do another re-install of windows.

Summary - Samsung PSID revert tool shows successful revert, as evidenced by the screenshot as well as the EVO's ability to respond to ATA Secure Erase request in Parted Magic. But Samsung Magician shows e-Drive "enabled" instead of "Ready to Enable" contrary to what @Jovec mentioned should happen. So.. partial success? At least I'm able to secure erase...but e-Drive didn't become disabled after PSID revert tool.

@Jovec any thoughts?
 

Jovec

> And like @Jovec mentioned, following the PSID revert, the drive is recognized and can respond to ATA Secure Erase via Parted Magic! Looks like problem resolved! But wait...
>
> I do a fresh install of Win 8.1, and install Samsung Magician to make sure that it indeed disabled e-Drive mode... and apparently it's still enabled.
>
> 7Zn5x4C.jpg
>
> I took this right after I did a fresh install after PSID revert -> Secure Erase. Didn't even turn on bitlocker encryption. But since e-Drive still remained enabled after the PSID revert, I was able to enable bitlocker hardware encryption without having to do another re-install of windows.
>
> Summary - Samsung PSID revert tool shows successful revert, as evidenced by the screenshot as well as the EVO's ability to respond to ATA Secure Erase request in Parted Magic. But Samsung Magician shows e-Drive "enabled" instead of "Ready to Enable" contrary to what @Jovec mentioned should happen. So.. partial success? At least I'm able to secure erase...but e-Drive didn't become disabled after PSID revert tool.
>
> @Jovec any thoughts?

After the PSID revert, eDrive gets set to "Ready to Enable." The Win8.1 install then flips that to "Enabled" automatically. You need to revert and then use Magician to set eDrive to "Disabled" before the install.

An alternative might exist if there is some way to prevent Win 8.1 from automatically activating eDrive mode during install via some boot arguments or similar. I know of no such way, but I never looked into it much.
 

brontosaurus

> After the PSID revert, eDrive gets set to "Ready to Enable." The Win8.1 install then flips that to "Enabled" automatically. You need to revert and then use Magician to set eDrive to "Disabled" before the install.

Makes sense. Once the PSID revert tool does its thing, in a matter of seconds the system bluescreens with "kernel_inpage_error" then drive is unbootable.

> An alternative might exist if there is some way to prevent Win 8.1 from automatically activating eDrive mode during install via some boot arguments or similar. I know of no such way, but I never looked into it much.

If I find anything, I'll report back.
 

Jovec

> Makes sense. Once the PSID revert tool does its thing, in a matter of seconds the system bluescreens with "kernel_inpage_error" then drive is unbootable.

A PSID revert erases the SSD. If you are booting from the same SSD that you are doing the revert on, then as it completes the OS can no longer access any data on that drive and will blue screen.

You will want to temporarily connect the EVO to another computer and do the revert there, or temporarily connect another drive into the same computer as the Evo and boot off that one instead.

Remember that after the revert, you will still need access to Magician to disable eDrive mode prior to the Win8.1 install.
 

brontosaurus

> A PSID revert erases the SSD. If you are booting from the same SSD that you are doing the revert on, then as it completes the OS can no longer access any data on that drive and will blue screen.
>
> You will want to temporarily connect the EVO to another computer and do the revert there, or temporarily connect another drive into the same computer as the Evo and boot off that one instead.
>
> Remember that after the revert, you will still need access to Magician to disable eDrive mode prior to the Win8.1 install.

I confirmed that I can disable eDrive mode of the 850 EVO by PSID reverting the drive as a non-OS drive, contrary to what I stated a few posts above. Should've been obvious, but I didn't realize the simple check to do it this way. I guess my laziness dreaded the idea of opening up a computer to plug the SATA (Samsung Magician didn't recognize the drive via sata-to-usb)...

Thanks @Jovec!