WD My Book drives and encryption automatically enabled?

[Elixer]

A friend has a 4TB My book external drive, and his 2 year old managed to damage the unit from working.

Anyway, I was over there trying to help him get his data back, and opened up his case (it was out of warranty), and attempted to plug the HD into another machine I brought with me.
That did work, the HD is seen, however, the data seems to be encrypted.
I asked him if he ever set any password, and he said no, he just plugged it in, and starting writing data to it.

Looking online, it seems that WD is doing this to "protect your data", even if you didn't ask for said data to be encrypted to make it impossible to recover any info in case of disaster.
There is a encryption key that seems to be stored in a EEPROM chip most likely on the USB PCB, and I haven't seen any tools that could decrypt it.

Funny enough, I just saw a press release from ACE recovery saying that can now crack this encryption of these units. http://www.businesswire.com/news/ho...CE-Announces-Data-Recovery-Solution-Failed-WD

Why is WD automatically doing this without the consent of the user?
It seems the only thing this does is make sending these drives to professional recovery services mandatory. With HDs this size and higher, that tends to cost thousands of $$$, so, this seems rather shortsighted by WD.

Luckly, here, this was used as a backup drive mainly, with only some stuff that wasn't backed, but, they still had the originals of the other stuff, so, I just reformatted the HD, and stuck it in a regular USB 3 case (with fan), and, no more of this encryption nonsense.

Anyone know if this encryption is always on, on ALL WD external devices now?

 

[Captain_WD]

~snip~

Hey there Elixer,

I'm sorry to hear about the trouble with the drive. WD My Book and WD My Passport drives have the hardware encryption feature while other products such as the WD Elements - don't.
The data on the drives with hardware encryption is always encrypted by a chip and cannot be turned off. It's up to the user's preference if they want to set a password or not, but the encryption of these drives is always on and cannot be turned off. This is described on our website for all the products that feature hardware encryption. Here's an example: http://products.wdc.com/support/kb.ashx?id=NMG4c5

The hardware encryption serves to protect the data on a drive to be taken in case the drive is lost or stolen. It's a 256-bit hardware-based encryption that is also used by governments to protect classified information. The drive itself cannot be read if a password is set and that password is not entered correctly or the drive is used outside of that particular enclosure.

It is advised to have backups of the data on such drives for such cases. Your safest bet would be a data recovery company but these services tend to be quite costly.

Feel free to ask if you have further questions

Captain_WD.

 

[RecoveryForce]

It should be added that the ACE solution only works for drives without the password set or have a known password from the user.

 

[Elixer]

Hey there Elixer,

The hardware encryption serves to protect the data on a drive to be taken in case the drive is lost or stolen. It's a 256-bit hardware-based encryption that is also used by governments to protect classified information. The drive itself cannot be read if a password is set and that password is not entered correctly or the drive is used outside of that particular enclosure.

It is advised to have backups of the data on such drives for such cases. Your safest bet would be a data recovery company but these services tend to be quite costly.

Feel free to ask if you have further questions

Captain_WD.

I asked him to send me pics of the box, and it states on the side label:
"WD security software helps protect your files from unauthorized access with password protect and hardware encryption. Keep your private stuff private."

It doesn't mention it (hardware encryption) is always on from the moment you turn it on.
It doesn't mention that you CAN'T get your data back by normal means either, in case the case dies on you.

Yes, more tech savy people know to keep backups, but, these are made for the average joe, and they just buy the device thinking it is their backup, and that is all they need.

Oh, the box also claims it can do backups to dropbox, but he states there was no software or any DVD that came with the unit. Was it preloaded on the HD itself?

IMO, there should be a sticker on it saying "This drive uses hardware encryption at all times, please make appropriate backups since you will be unable to recover your data without professional help."

In the case of the item is stolen, and a password wasn't set, the thieves can read the data just fine. In the case where they remove the HD from the case, then, unsure why they didn't take the whole thing to begin with.

So, I am unsure why hardware encryption is on by default.
If people want the encryption on, let them set the password, and then, you can throw up the disclaimers and all that good stuff.

RecoveryForce, is the key on the HD itself, or, is it on the controller board?

 

[Captain_WD]

~snip~

Again, I'm sorry for the situation.

The software comes pre-installed on the drive. In case of a format or something else that might remove it you can always download it from our website. The WD SmartWare tool does support online cloud backups as well as other features. Here's more info: http://products.wdc.com/support/kb.ashx?id=qCZdHF

Hardware encryption by definition is done by a hardware chip and this cannot be turned off as all the data goes through that encrypting chip at all times before it goes on to the device so there's basically no way the data isn't encrypted.
Again, if encryption isn't needed or desired from the product you could always choose the WD Elements line (Desktop or Portable) as this is the only major difference between WD My Book drives and WD Elements Desktop drives.

The idea behind the encryption is to easily safeguard your data by simply putting a password on the drive without waiting for it to encrypt everything (which would take hours). Removing a drive from a case and plugging it internally or in another decrypting docking station is a common thing. The encryption chip is part of the enclosure of the device, not the drive itself - this is why the drive can't be decrypted outside of the enclosure.

The data recovery company that you have posted are our partners and have access to the encryption methods used on these devices to make data recovery easier.

Captain_WD.

 

[jkauff]

Can I trade in my eight WD My Book drives for WD Elements drives? I had no idea these drives used hardware encryption out of the box, and I don't like it.

 

[myocardia]

The hardware encryption serves to protect the data on a drive to be taken in case the drive is lost or stolen.

Good thing everyone always removes their Western Digital external drives from the enclosure in which they come, before transporting them, or stealing them.

 

[Elixer]

Again, if encryption isn't needed or desired from the product you could always choose the WD Elements line (Desktop or Portable) as this is the only major difference between WD My Book drives and WD Elements Desktop drives.

Noted for future references.

Stay away from My Book drives if you want a chance at recovering your data, in case of controller component failure, without spending thousands of dollars on a recovery service to do it for you.

Yes, yes, keep backups, we know, just tell people on the box.

 

[Coup27]

In the case of the item is stolen, and a password wasn't set, the thieves can read the data just fine. In the case where they remove the HD from the case, then, unsure why they didn't take the whole thing to begin with.

So, I am unsure why hardware encryption is on by default.

+1.

but the encryption of these drives is always on and cannot be turned off. This is described on our website for all the products that feature hardware encryption. Here's an example: http://products.wdc.com/support/kb.ashx?id=NMG4c5

For the record, your website states the following:

-Keep your private stuff private. (highlights section)
Gain peace of mind knowing that your data is protected from unauthorized access with password protection and hardware encryption.

-Secure your files (features section)
Use WD Security to set password protection and hardware encryption. Gain peace of mind knowing that your data is protected from unauthorized access.

So it clearly implies on your website that you use WD Security to set the hardware encryption on or off.

 

[Captain_WD]

~snip~

The WD Security software is used to set and manage a password on the drive, not to enable/disable the actual encryption. I will check this with my colleagues and I will let you know. Thank you!
Again, the hardware encryption cannot be turned off and it is on by default as the data always goes through the chip in the enclosure before reaching the drive itself.

Captain_WD.

 

[Coup27]

The WD Security software is used to set and manage a password on the drive, not to enable/disable the actual encryption.

That maybe what it does in reality but that's is not what the website states. The website is worded as such that the WD Security software is there to enable encryption by setting a password.

 

[Homerboy]

/me crosses WD off his list.

 

[MrPickins]

Wow.

I would have never purchased a WD My Passport drive had this been made clear up front.

Very disappointing.

 

[jkauff]

If the encryption chip is programmable (which it probably is), couldn't WD create a firmware update that could disable the chip if that's what the user wants?

Maybe Ars Technica would be interested in this story. They seem more willing to call out a manufacturer than Anandtech.

 

[ReignQuake]

I just received an Western Digital Elements and an My Passport Ultra Metal. It says about 256-bit encryption on the box. The My Passport Ultra Premium is listed as having Optional 256-bit AES hardware encryption. Do the Passport drives have the USB 3.0 Micro B port soldered to it like Samsung "Seagate" drives or is there an adapter inside?

The other thing that comes to mind a number of SSD products automatically used similar encryption methods which people seemed to really like. Should we get bent out of shape over this?

 

[Elixer]

The other thing that comes to mind a number of SSD products automatically used similar encryption methods which people seemed to really like. Should we get bent out of shape over this?

There is a big difference between letting consumers control the key (password) and having the company itself generate & store the key, in a place that can't be retrieved by the consumer at all. Most of the SSDs that have encryption do so via TCG OPAL, they require you to go into the BIOS, set the password, and that is that.

I don't think WD has released any white papers on how they are doing all this either.

The crux of this specific issue is, if you are the average Joe, and you bought the My Book line of external backup units, they have NO CLUE that it is impossible for them to get their data back without spending thousands of $$$, in case of controller failure (be it by accident, or whatever else).
They wouldn't understand that the only place the key is stored is on the USB PCB itself, and they won't be able to read back their data with any known way without paying greatly for that ability.
They don't get any warning that this is going on, and the wording is questionable at best about it being selectively on vs always on.

So, no, this isn't the same.

 

[MrTeal]

Too bad you reformatted. It would have been an interesting experiment to swap the drive and EEPROM to a new unit and see if the drive is accessible, if the EEPROM is an external chip.

 

[Coup27]

and the wording is questionable at best about it being selectively on vs always on.

The wording is questionable on the website but it's clear as day in the user manual.

http://www.wdc.com/wdproducts/library/UM/ENG/4779-705098.pdf

Page 44 details step by step instructions on how to set a password. Point 9 states:

Click Save Security Settings to save your password and enable hardware encryption for your drive.

 

[ReignQuake]

Theres more than one passport drive in this brand. That model is optional not forced.

 

[Coup27]

WD My Passport drives have the hardware encryption feature while other products such as the WD Elements - don't.
The data on the drives with hardware encryption is always encrypted by a chip and cannot be turned off.

That reads to me like all the Passport drives have encryption on.

 

[ReignQuake]

If it is then many retailers have the wrong information listed: Optional 256-bit AES hardware encryption. Some of the specific my passport drive series are listed as optional. Others aren't.

http://www.amazon.com/Black-Passport-Ultra-Portable-External/dp/B00W8XXYSM/ref=sr_1_3?s=pc&ie=UTF8&qid=1452891153&sr=1-3&keywords=wd+passport

 

[C1]

Too bad you reformatted. It would have been an interesting experiment to swap the drive and EEPROM to a new unit and see if the drive is accessible, if the EEPROM is an external chip.

If I understand the thread below, then the above should work:
http://www.tomshardware.com/forum/id-1972732/mybook-essentials-hardware-encrypted.html

 

[Coup27]

Interesting read. Even more so that WD support weren't even aware what's happening.

 

[Elixer]

The wording is questionable on the website but it's clear as day in the user manual.

http://www.wdc.com/wdproducts/library/UM/ENG/4779-705098.pdf

Page 44 details step by step instructions on how to set a password. Point 9 states:

Click Save Security Settings to save your password and enable hardware encryption for your drive.

No idea if there is even a manual in the box, though, unsure people ever read manuals in a plug & play device.

I know there wasn't a CD/DVD with the software on it, so, I assume all that was on the HD.

 

[Elixer]

If I understand the thread below, then the above should work:
http://www.tomshardware.com/forum/id-1972732/mybook-essentials-hardware-encrypted.html

Hmm, if the key is randomly generated, then, he shouldn't have been able to get any data back, since each device would be assigned a new key, as per below.

Removing a drive from a case and plugging it internally or in another decrypting docking station is a common thing. The encryption chip is part of the enclosure of the device, not the drive itself - this is why the drive can't be decrypted outside of the enclosure.

So, now, this is even worse than before, if all you have to do is buy a new My Book, and bingo, you got access to any drive you attach it to, which blows the whole thing of 'being secure' out of the water (if you wanted your data to be secured that way in the first place).

I am really tempted to go on fleabay, and find some of these drives for some experiments...