How to verify a self-encrypted drive (SED) is really encrypted?

5

1

I have a Dell Precision M3800 that is supposed to have a self-encrypted hard drive. I'm running Windows 10. In the Storage Management screen, the disk claims to be a 'LITEONIT LMT-256L9M-41 MSATA 256GB SED'.

I've set a hard drive password in the Dell BIOS, but how can I confirm that the contents of the disk are actually encrypted by a key tied to that password? The BIOS is very unclear about what is happening on that front, and I don't find options to do crypto-erase so I'm not sure how to assure myself that the contents are safe.

Also, does anyone know if it is possible to force the computer to prompt me to unlock the HD after waking from sleep, or do I need to shut down in order to fully "lock" the hard drive?

mwhidden

Posted 2015-10-10T20:28:01.693

Reputation: 153

You cannot: just because it looks encrypted and you cannot make sense of the data does not mean that it is encrypted (see microsoft barny). Have you considered putting user data in a separate partition and encrypting that in software? There is no need to encrypt the OS, as this is public data already. Also, if someone gets hold of your computer they can inject a man in the middle, so do not trust it when you get it back. – ctrl-alt-delor – 2015-10-10T22:10:03.203

Well I didn't mean mathematically verifiable... just verifiable in the sense that I cannot go, "oh, look, it's not trivially identifiable as an NTFS (or whatnot) filesystem and here are the contents of foo.txt".

A Windows tool or BIOS screen that says "harddrive status: encrypted" would work, too, for my purposes as a crypto layman. – mwhidden – 2015-10-10T23:29:13.590

Answers

2

One way to verify the drive is encrypted is to physically connect it to another machine, either by a direct SATA connection or by a USB-to-SATA adapter. The other machine should be able to recognize the drive, but not be able to read the contents.

As for your second question, you most likely can't get it to "lock" the hard drive during a sleep. Even when a machine is sleeping, the OS is waiting in the background in a low power state. It has to be able to access and read the drive to come out of sleep.

Keltari

Posted 2015-10-10T20:28:01.693

Reputation: 57 019

The OS is not "waiting", it's woken up by ACPI. If the system's firmware supports it, it may very well erase the key from memory upon entering sleep and require it upon resume. Few laptops support it, though. It's the only way to avoid an attack where the data cable of a hard drive in a sleeping computer is plugged into another computer, granting full access to the data. – musiKk – 2015-10-10T20:53:07.567

I was going for a simple explanation. – Keltari – 2015-10-10T21:00:11.087

Thanks. I was hoping not to have to do that, since they don't make taking the drive out of the laptop something simple for the software-oriented. If it were a 3.5" SATA drive in a tower, I'd say yes, but I'm loath to dig into the guts of my laptop.

Thanks also for the BIOS info. My old Latitude would prompt for the BIOS and HD passwords (not an SED there, though) after waking from sleep, which I liked, but the M3800 doesn't do it. – mwhidden – 2015-10-10T23:32:27.177

However, with this technique, you still won't know if the drive is just locked or if the data is really encrypted. – TJJ – 2016-02-15T10:49:13.113

-1

There is ABSOLUTELY NO NEED TO REMOVE ANY OF YOUR DRIVES FROM YOUR RIG to check whether or not it is a SED drive and to check its encryption status!

The easiest and SAFEST way to verify if any of your drives is a SED [Self-Encrypting Drive] and its encryption status is to use the Linux command "hdparm":

1) from any WINDOWS OS:

1.a) Download the ISO file for the latest Linux Mint Xfce 64-bit OS from https://linuxmint.com and either burn the ISO file to a DVD or use Rufus to create a bootable USB from the ISO file.

1.b) Boot from the bootable DVD/USB and follow the instructions below [in a Dell M3800 with the "Hard Drive Password" set, you will still be asked for the drive password at boot-up].

2) from any recent Linux Mint OS [17.x, 18.x, 19.x]:

  • find your HD/SSD: open a terminal window and issue the command:

    blkid

    [examples: "/dev/sda", "/dev/nvme0", etc]

  • run the command to find the status of your SSD:

    sudo hdparm -I /dev/xxxx

  • You will be requested to enter your admin username and password;

  • If you are booting from the Live DVD/USB ISO file you burned the username is lowercase "mint" and there is NO password - simply hit "enter";

  • In the command above "xxxx" is the name of your SED drive; watch out for typos: the "-I" above is a capital "i", NOT a lowercase "L" or a digit "one".


The typical output of the hdparm command above for a SED drive will be:

    Security:
        Master Password Revision Code: 65534
            supported
            enabled
        not locked
            frozen
        not expired: security count
            supported: enhanced erase
        Security level high
        xMin for SECURITY ERASE UNIT. xMin for ENHANCED SECURITY ERASE UNIT
    Logical Unit WWM Device Identifier: xxxxxxxxxxxxx
        NAA: x
        IEEE OUI: xxxxx
    Checksum: correct

If the results for your drive are similar to the above, your HD or SSD is a self-encrypted drive, the drive is self-encrypting your data on-the-fly, and your drive has no errors.

If the command returns an error without returning any output, or if the first line of the output says "not supported", it means your drive is NOT a SED drive.


BTW (1): BEWARE of setting your SED "Hard Drive Password" through BIOS, especially on any LENOVO THINKPAD's [some of these LENOVO THINKPAD's notoriously ADD an EXTRA bit to the characters of your chosen password, effectively BRICKING the SED drive, unless that drive has on its label a PSID "factory reset" password which allows you to unlock and reset the drive - but you WILL lose ALL THE DATA on that drive!].

The SAFEST way to set encryption on a SED drive that the command "hdparm" returns an output of "NOT ENABLED" is, again, to use the "hdparm" command, as below:

1) UNFREEZE the hard-drive by SUSPENDING the computer for a few seconds. When you resume the status of the drive at "hdparm -I /dev/xxxx" will say "UNFROZEN"

2) Run the command to set up the SED encryption:

sudo hdparm --user-master u --security-set-pass 'PASSWORD' /dev/xxxx

where xxxx is the name of your SED drive and PASSWORD is the password you want to set (DON'T FORGET TO ENCLOSE YOUR CHOSEN PASSWORD WITH SINGLE QUOTES!).

Afterwards simply run the command "hdparm -I /dev/xxxx" to check the status of your encryption: it should say "ENABLED".

Later, if you decide to SAFELY remove the encryption without losing your data, run the command:

sudo hdparm --security-disable 'PASSWORD' /dev/xxxx

where xxxx is the name of the drive and PASSWORD the password you've chosen to use: the drive status on the "hdparm -I /dev/xxxx" output will be "SUPPORTED", "NOT ENABLED".

BTW (2): if you own MULTIPLE encryption-enabled SED's on your rig (like me with my four Samsung EVO 960 1TB M.2 NVMe's plus one Seagate Momentus 4TB as a backup on my Dell Precision M6800 Mobile Workstation) and you do not want at boot-up to input multiple times the password to unlock your SED's, simply choose the SAME password in all your SED hard-drives. This way you will only need to input your hard-drive password ONCE and ALL your SED's drives will unlock!

CryptoMaster

Posted 2015-10-10T20:28:01.693

Reputation: 17

ATA security and hdparm have nothing to do with disk encryption. – UnclickableCharacter – 2019-01-15T15:01:01.077
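A small parser for the "Security:" block of `hdparm -I` that the answer above walks through, added here as an example and not code from the original post or from hdparm itself. The sample output is constructed and modelled on the answer's listing; the flag names (`supported`, `enabled`, `locked`, `frozen`) are the ones hdparm prints, and, as the comment notes, they describe the ATA security password state only, not whether the data on the platters or flash is actually encrypted.

```python
# Constructed sample of the "Security:" block of `hdparm -I`, modelled on the
# listing in the answer above (not captured from a real drive). hdparm prints
# negated flags as "not<TAB>flag", which the parser relies on.
SAMPLE_HDPARM_I = """\
Security:
\tMaster password revision code = 65534
\t\tsupported
\t\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
Logical Unit WWN Device Identifier: 5001234567890abc
"""

def parse_security(output: str) -> dict:
    """Map each line of the 'Security:' block to True/False (or its value)."""
    flags, in_block = {}, False
    for line in output.splitlines():
        if line.startswith("Security:"):
            in_block = True
            continue
        if in_block and line and not line[0].isspace():
            break                       # next top-level section ends the block
        if not in_block or not line.strip():
            continue
        tokens = line.split()
        if "=" in tokens:               # "Master password revision code = 65534"
            key, val = line.split("=", 1)
            flags[key.strip().lower()] = val.strip()
        elif tokens[0] == "not":        # "not locked", "not expired: ..."
            flags[" ".join(tokens[1:])] = False
        else:                           # "supported", "enabled", "frozen", ...
            flags[" ".join(tokens)] = True
    return flags

def can_set_password(flags: dict) -> bool:
    """--security-set-pass only works on a supported drive that is not frozen."""
    return bool(flags.get("supported")) and not flags.get("frozen")

def assess(flags: dict) -> str:
    """Summarise the ATA security state; it says nothing about data encryption."""
    if not flags.get("supported"):
        return "no ATA security feature set"
    if flags.get("enabled"):
        return "ATA security enabled, drive %s" % ("locked" if flags.get("locked") else "unlocked")
    return "ATA security supported, no user password set" + (
        "; frozen, suspend/resume before --security-set-pass" if flags.get("frozen") else "")
```

Feed it the real output with `parse_security(subprocess.check_output(["hdparm", "-I", "/dev/xxxx"], text=True))`; on the sample it reports the drive as enabled and unlocked but frozen, so a password change would have to wait for the suspend/resume step described in the answer.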