Unlock hard drive vs full-disk encryption

Question

When I turn my notebook on, it asks me for the password to unlock the BIOS and than it asks me for the password to unlock the hard drive.

How different is this 'password to unlock the hard drive' from the so-called full-disk encryption in terms of offered protection?

If someone could reset the BIOS (which is said to be easy even if password protection) given that this hard drive password was itself set in the BIOS, wouldn't the person have access to the drive? I'm not sure that this lock means encrypting.

Because if it works as Xander suggest then it makes the whole discussion about what software to use in full-disk encryption seem silly, since the solution is as trivial as setting a password in the BIOS.

I'm confused. :)

If your hard drive natively supports full-disk encryption, you don't need software. If it doesn't, however, you do. — Xander, Mar 30 '13 at 00:18

Polynomial · Accepted Answer · 2013-03-30T00:33:23.343

15

There are (typically) three types on on-boot authentication:

BIOS boot password
Drive locking mechanisms (e.g. HP DriveLock)
Full disk encryption (e.g. TrueCrypt / OpenPGP)

The BIOS boot password is simply a logical check inside the BIOS chip, which can be bypassed by flashing the BIOS manually or replacing the chip. It's a soft protection mechanism.

Full disk encryption is a proper security mechanism that involves actively encrypting the entire disk, and using a password or other authentication materials to decrypt the disk data on boot. This is typically performed via 3rd party software, but may also be integrated into the disk hardware.

Drive locking mechanisms are (usually) a proprietary feature of certain laptops, e.g. HP DriveLock. These involve encrypting the low sectors of the hard disk, i.e. the sectors that contain things like telemetry and bad sector mapping. When these are scrambled, a traditional drive controller cannot access the disk. This doesn't encrypt the data of the disk. It is possible to do a full hardware-level image of the sectors from a known set of telemetry and manually carve the file systems out, but it's a significant barrier against all but the best equipped attackers.

edited Mar 30 '13 at 00:33

answered Mar 30 '13 at 00:22

Polynomial

132,208
43
298
379

3

This answer describes ways you could be using a disk password *without* having the protection of full disk encryption, so you definitely shouldn't rely on my answer...You need to find out exactly what you're dealing with in *your* machine. – Xander Mar 30 '13 at 00:36
Precisely. Read the documentation, and contact the manufacturer if you have any doubts at all. You want full-disk crypto and a BIOS access password at a minimum. – Polynomial Mar 30 '13 at 00:40
Your description of HDD lock seems a bit optimistic a correspond to the "best case" scenario. Depending on the disk manufacturer, it might also be a logical check made by the disk firmware with a password stored in clear form in a normally inaccessible zone of the HDD, the same firmware also providing a backdoor (few undocumented [ATA commands](http://forum.hddguru.com/viewtopic.php?t=8374&start=9) in the case of Western Digital drives) still allowing to access this password for knowledgeable people, thus removing all usefulness and trustability of such protection... – WhiteWinterWolf May 22 '15 at 14:22

score 5 · Answer 2 · edited Sep 05 '18 at 11:54

In the past, it was a logical control on the physical drive. Even swapping out the drive electronics couldn't circumvent the password, so it took advanced tools, or hacked hardware to bypass the password.

Some 5 years ago or so, they began to do AES encryption on the disk itself, shipping the disk encrypted and encrypting the key with your password when you set it using the ATA Security Extensions.

Hitachi has a good FAQ about this:

Bulk Data Encryption – FAQ

Other manufacturers also provide similar features, on HDDs and SSDs

http://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption

That said, a couple things to be aware of:

Not all disks do this.
This is black-box encryption

It's black-box because although they claim to use AES128, there's no reasonable way to verify it. And although they claim to do it properly, there's no way to inspect their implementation.

A few years ago I sent them a simple question... if all the drives ship from the factory with encryption turned on, then how do they seed their random key?

I never got an answer and I never heard anyone provide a reasonable explanation. For all we know, all the keys on all the drives are identical. Unless you have a method to bypass the drive electronics to read the raw, encrypted platters, you will never know. Even if you execute a ATA SE "secure erase" function to delete the key, you don't know how the new key is being generated.

Because of this, I don't rely on this technology to secure systems.

Xander · Answer 3 · 2013-03-30T01:21:33.360

3

The password to unlock the hard drive may be full disk encryption at work. The password you enter to unlock the hard drive is the password used to encrypt the key, which is in turned used to encrypt the contents of the drive. So, if you were to pull your drive out of the machine it's in and hook it up to another computer, you would likely find only an encrypted volume.

edited Mar 30 '13 at 01:21

answered Mar 30 '13 at 00:04

Xander

35,525
27
113
141

Edited for clarification. – Strapakowsky Mar 30 '13 at 00:09
No, you set the password via BIOS, but that isn't where it is stored. Each disk manufacturer may store it differently, but it's stored in the disk hardware itself. BIOS only provides the interface. – Xander Mar 30 '13 at 00:12
This isn't true. It's a separate thing. – Polynomial Mar 30 '13 at 00:14
@Polynomial Nobody said HDD password and encryption key are the same thing. The answer stated clearly that the former _may_ be used for encryption. And it is in BDE-enabled drives from HGST. Quoting https://www.hgst.com/hdd/support/bulk_faqs.htm: Bulk Data Encryption is always enabled. It cannot be turned on or off. To protect the data and prevent unauthorized access the end-user would need to enable the "user" hard drive password in the system's BIOS. With no HDD password set, bulk encryption will still be enabled but there will be no access barrier. – ﾤﾡ Sep 05 '18 at 13:53

score 1 · Answer 4 · answered Mar 31 '13 at 14:55

There are many rumors about how SEDs might work. I totally agree with mgjk that it's black box. You have to believe the manufacturer that he does what he claims to do. And it's even difficult to get detailed information about how it's supposed to work. I've researched the Internet and the manufacturer's website to get information about how to enable encryption on Samsung's 840 SSD. So far, i've been unsuccessful in enabling it. Unfortunately, my notebook's BIOS does not support ATA security passwords. And even if it did, I couldn't be certain that it also enabled encryption, as there is no official information from the manufacturer. Some third-party websites claim that it should be OPAL compliant. So I tried software which claims to be able to initialize OPAL drives - namely Wave's Embassy Security Center and WinMagic's SecureDoc. None of these did the job - they both fell back to software encryption with as little as no Information about why. Both do have as little as no documentation about how to initialize SEDs. So now, im stuck.

Unlock hard drive vs full-disk encryption

4 Answers4

Linked