
I'm buying some new machines and am concerned about security of the data should the machine be physically stolen. It's easy to take out the drive, image it, and read what you want.

I could use file level encryption, but that's insufficient: people will end up not encrypting each file, and, besides, there's too much stored in the swap, page file, logs, registry, caches, etc.

I could use BitLocker, or other OS full disk encryption, but have several issues with this, which I won't go through now. In short, I want something at the hardware level, not software.

Now, Self Encrypting Drives (SED) seem like exactly what I want, but, they're expensive, especially for very large size (which I need) - I can't even find a 1 TB SED SSD. I see that many machines have a BIOS/UEFI "hard drive password", but I can't find very much about it. Is this just a BIOS password with a different name? Is there encryption behind it? Is it a check at the controller level? The disk interface? Will taking the drive out and imaging it bypass it?

If breaking the lock requires replacing drive electronics (i.e. it's a lock in the drive hardware, but not encrypted), that's sufficient. If it's just a BIOS password which can be defeated with a screwdriver and a SATA bridge, that's a different story.

How secure are BIOS/UEFI hard drive passwords? How do they work? What type of attacks are known against them?

SRobert James

  • It's probably not secure at all, just meant to prevent someone from booting your computer without you (a little more restrictive than not allowing them to modify boot order by locking BIOS with a password, to prevent booting with a different disk). If you're worried about someone taking your drives out and imaging them, then don't rely on this. – childofsoong Mar 18 '16 at 18:07
  • @AstroDan not a duplicate - the firmware password is enforced by the firmware, while the disk password is enforced by the disk itself, the firmware being just a way of entering the password. – André Borie Mar 18 '16 at 19:15

2 Answers

That password is enforced by the storage drive itself, so it can't be overridden by the system firmware; that doesn't mean it should be trusted though.

How the drive enforces that password varies and there is no clear standard (and if there is, there would be no easy way of verifying if the drive is actually compliant); so it is most likely either just a password enforced by the drive's firmware (with no encryption behind, so replacing the firmware is enough to disclose the data), or poor security-by-obscurity powered encryption that would get broken in a matter of days.

In short, consider those self-encrypting drives as if there was no encryption involved. You can use them on top of data already encrypted with something strong (LUKS, TrueCrypt/VeraCrypt or BitLocker if you don't mind Microsoft and the NSA peeking), but don't use them as your only protection.

André Borie

  • you are mixing up concepts/terms. SEDs are much more secure. BIOS/UEFI hdd passwords are not equivalent to SEDs. You are correct if you meant that the former don't use proper encryption, the latter does. – jiggunjer Jan 09 '18 at 11:16

An ATA hard drive password is nothing more than an on-off access switch. A drive that implements it doesn't encrypt the data, it's just that the drive electronics won't transmit data until the correct password is entered. There are companies that promise to reset this setting for a modest price (I assume they replace the drive electronics board.) Supposedly there is software that can reset these passwords, but I've never seen one used, and I'm not even tempted to download one from those sketchy sites.

Full disk encryption (SED) is actual AES encryption that makes use of the Trusted Platform Module (TPM) chip on the motherboard to unlock the key; before TPM chips became common, drives used to use Pre-Boot Authentication (PBA) to unlock their keys. But if the thief steals the whole computer, they also have the TPM chip. They can then boot the system while the drive is connected to the stolen machine, wait for it to receive the key, leave the drive powered up (so it retains the key), switch the SATA data cable to the machine of their choosing, then take an unencrypted image of your disk. This paper, 'Self-Encrypting Disks pose Self-Decrypting Risks' has details on several different attacks on SED drives including DMA transfers via PCI, Firewire, or Thunderbolt; and evil maid MBR attacks.

Another known problem is that the firmware on the drive can be tampered with (the Snowden leaks revealed the NSA has a capability called IRATEMONK), rendering the whole SED concept ineffective.

Whether or not you want to invest in SEDs depends on your perceived threat model. Are your attackers sufficiently motivated? Is your data of high value to a third party? Or are you afraid of the average opportunistic thief in the coffee shop, who is simply going to sell your laptop on Craigslist?

John Deters

  • Are you sure SED uses the TPM? I'm pretty sure the key is managed on the hard drive itself. – forest Apr 04 '16 at 03:59
  • @forest, some of them use Pre-Boot Authentication, which managed the key in the disk but required data from the CPU to unlock it - which is effectively replacing the encryption key with the security surrounding whatever data the PBA gives the drive. More recently, I believe the use of PBA has been replaced with TPM. See https://en.wikipedia.org/wiki/Pre-boot_authentication#Combinations_with_Full_Disk_Encryption for more. – John Deters Apr 04 '16 at 19:30
  • Drives which are able to initiate ATA Security Erase in seconds do so by wiping the SED key. Those drives are entirely encrypted, even though they provide no data at rest security (they simply provide a quick method of destroying all data). I have never seen any of those SED drives fail to work when plugged into a computer without a TPM, or a computer with a different TPM. How could that be explained, if the keys are stored in the TPM? Perhaps you're thinking of full disk encryption using the TPM, rather than true SED (which is not exactly the same as FDE)? – forest Apr 04 '16 at 23:51
  • @forest I think the motherboard firmware plays a major role in determining if a SED uses a TPM and/or password. – jiggunjer Jan 09 '18 at 11:35
  • @forest Those are unrelated concepts and for sure SEDs do not require TPM. TPM is only one of the possible ways to handle the authentication part (others are PBA or using disk password in BIOS). – ᄂ ᄀ Sep 05 '18 at 14:22