
Samsung 840 Pro SED

znxIxID

Junior Member
I have a question about the encryption on this drive. I understand it's self-encrypting, and to take advantage of that, I need to set an HDD password in the BIOS. I've read elsewhere that BitLocker can be used to take advantage of the hardware encryption (rather than using software encryption).

My laptop does not support TPM. Work is asking all of the employees to use some sort of encryption method on their laptops. I'm thinking that setting the HDD password should be sufficient, although I hear that there might be issues transferring the drive from one computer to another, if that is ever needed.

The laptop is a Samsung NP520U4C-A01UB.

So I guess I'm asking, is setting an HDD password sufficient 🙂
 
The 840 Pro only supports hardware encryption through an ATA password, so it is either that or software-based encryption using BitLocker or a third party tool.
 
> The 840 Pro only supports hardware encryption through an ATA password, so it is either that or software-based encryption using BitLocker or a third party tool.

Thank you sir. Curious, if I were to move the drive to another computer in the future, would it be possible to unlock the drive with the same ATA password? Just want to make sure it doesn't become machine specific. Or another scenario, I take the drive out and attach it to a PC via a SATA to USB connection.

Thanks!
 
> Thank you sir. Curious, if I were to move the drive to another computer in the future, would it be possible to unlock the drive with the same ATA password? Just want to make sure it doesn't become machine specific. Or another scenario, I take the drive out and attach it to a PC via a SATA to USB connection.
>
> Thanks!

ATA passwords are tricky because they require BIOS support, so you may not be able to connect the drive to another computer. If both support ATA passwords, then it should work, but I would rather use software encryption (like BitLocker) just because it's easier to manage.
 
A TPM isn't necessarily required. BitLocker, for instance, can be configured to ask for a passphrase at boot instead.

The SED label on SSDs is misleading. The 840 Pro does encrypt all your data automatically using an internally generated key. However the decryption key is stored within the drive and is automatically used whenever the drive is powered on (hence why you can move it from computer to computer). This is done so that all a Secure Erase needs to do is discard the existing key and create a new one. The main goal of all this is to save writes and extend NAND endurance. Once the old key is lost, that data is no longer accessible.

My (limited) understanding of the BIOS SATA password is that it acts as a secondary layer. The drive still uses its own key internally, but now the BIOS password must first be entered. This is different from encrypting the data on the drive using your password, because if the BIOS SATA password can be bypassed, the data is accessible using the drive's internal key.

The BIOS SATA password isn't generally considered secure. There are various threads that discuss how to bypass it and software that claims to do just that.

If your data security is that important, I'd look into other options.

> Or another scenario, I take the drive out and attach it to a PC via a SATA to USB connection.
>
> Thanks!

Likely wouldn't work, as the SATA commands aren't passed through to the drive (to do the unlock). You'd need eSATA.
 
> A TPM isn't necessarily required. BitLocker, for instance, can be configured to ask for a passphrase at boot instead.

My favorite, and I would do it even with TPM support, is with a USB drive. That way it's like a security dongle or smart card. To me TPM is kind of useless unless you combine that with a boot password as well. But with it stored on a USB drive, just remove the USB stick and walk away.
 
Thanks for the feedback, everyone. I would use BitLocker combined with a USB, if I knew it would take advantage of (or recognize) the hardware encryption that the drive uses. I guess I don't want to see software encryption used on top of hardware. I've used BitLocker in the past, but with an HDD.

According to the manual for the laptop, there are 3 BIOS passwords - Supervisor, User and HDD. It says that once the HDD password is set, it can't be accessed from another drive. Maybe that's incorrect 🙂

Thanks again for the responses.
 
Most mobile hard drives sport password lock support and I believe that will work with the Samsung. As others state, the drive already writes information encrypted but unlocks the encryption at power on. I believe by turning the HD password on you would then have the drive wait till you enter the password before unlocking the drive.
 
I would disagree that the SATA Password in the BIOS isn't secure. This paper specifically addresses SSDs and ATA passwords, and the conclusion is that if you use an SATA password, it's uncrackable once the SSD is powered down: https://www1.informatik.uni-erlangen.de/filepool/projects/sed/seds-at-risks.pdf

The advantages I see of SATA passwords within the BIOS are simplicity, speed, and security. Unlike BitLocker or TrueCrypt, there are no performance hits with hardware encryption using the ATA password in the BIOS. Samsung and Intel drives, as already mentioned here, are already encrypting, so adding a password changes nothing performance-wise. Security is likely better with hardware encryption because all software can be hacked, and who knows what backdoors are in BitLocker? The problem: if you forget the ATA password, you're done, at least according to that paper. Hence backing up to an unencrypted drive kept secure/offsite would be wise. But then again, that degree of security was the point, right?
 
> if you use an SATA password, it's uncrackable once the SSD is powered down

It's important to note that the drive must actually be powered down. If your PC is running, anyone who is able to warm boot to a Live USB stick can access the drive without having to reenter the ATA password.
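
Added example, not part of any post in this thread: a small shell check for the point raised in the last reply, that a drive with an ATA password set stays unlocked until it loses power. It parses the Security section printed by `hdparm -I` on Linux; the sample output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarize ATA security state from `hdparm -I` text on stdin.
# Real use (needs root): hdparm -I /dev/sdX | ata_security_verdict

# Prints "enabled=<yes|no|unknown> locked=<...> frozen=<...>".
ata_security_state() {
    awk '
        BEGIN { s["enabled"] = s["locked"] = s["frozen"] = "unknown" }
        /^Security:/        { insec = 1; next }
        insec && /^[^ \t]/  { insec = 0 }   # next unindented heading ends the section
        insec {
            neg  = ($1 == "not")            # hdparm prefixes cleared flags with "not"
            flag = neg ? $2 : $1
            if (flag in s) s[flag] = neg ? "no" : "yes"
        }
        END { printf "enabled=%s locked=%s frozen=%s\n", s["enabled"], s["locked"], s["frozen"] }
    '
}

# Maps the state to one token describing what the ATA password protects right now.
ata_security_verdict() {
    case "$(ata_security_state)" in
        "enabled=no "*)             echo "no-ata-password" ;;             # drive unlocks itself at power-on
        "enabled=yes locked=yes "*) echo "locked" ;;                      # password required before any I/O
        "enabled=yes locked=no "*)  echo "unlocked-until-power-cycle" ;;  # a warm reboot keeps it open
        *)                          echo "unknown" ;;
    esac
}

# Constructed sample: password set, drive already unlocked by the BIOS prompt.
sample_unlocked() {
    cat <<'EOF'
ATA device, with non-removable media
	Model Number:       EXAMPLE SSD (constructed sample)
Security: 
	Master password revision code = 65534
		supported
		enabled
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
Checksum: correct
EOF
}

sample_unlocked | ata_security_verdict
```
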
 