Self-Encrypting Drive (SED) and S3-suspend (sleep)


Since my laptop is aging, but I love its 4:3 screen, I don't like relying on external media (it also has no USB 3 ports), and SSDs are too small for my budget, but I want full encryption (previously TrueCrypt, but the CPU doesn't support AES), I decided to go with a Seagate ST1000LM015 1TB SSHD Self-Encrypting Drive.

Now that I was reading about how to set it up, I thought it would be quite straightforward. Only then did I discover that the unlocking is not just a simple firmware function, but that there is an entire unencrypted partition which handles the PBA and has enough space (I think I read 128 MB?) to run a small operating system doing all the unlocking.

What I want to have, though, is S3 suspend mode. I thought about going with sedutil to manage the drive, as it supposedly supports Windows and Linux and follows the TCG OPAL standard. But then I found it doesn't support S3, which seems very logical if you think harder about it. Then again, I found some software that uses the SED capability and still allows S3 (WinMagic's SecureDoc, for example). So there clearly is a way! I know the encryption key for this must somehow be cached in RAM, but that is an acceptable risk for me.

Now I was thinking of just using the ATA Security eXtensions. As I can set a password in the BIOS for the drive, it would also lock the drive. And as I understand it, the ATA Security eXtensions don't disable S3. But is the data then still encrypted? How is the controller of the hard drive handling this? I know that with normal laptop drives (without SED capability) you can render the hard drive useless with a password enabled, but the data can very easily(!) be recovered by any forensics-specialized company.

Information on this topic is very scarce, and often difficult to prove right or wrong. From my understanding so far, data that is stored on the SED is encrypted by default; only the locking of the drive has to be enabled to make a password necessary.

Can anybody clear some of my questions up? Are there possibilities to have PBA (whether BIOS or a 3rd-party tool) and encryption working, possibly for both Linux and Windows in dual-boot? But most importantly, I want to have suspend functionality!

Help would be much appreciated, and I hope to get this set up over the weekend.

TJJ

Posted 2016-02-12T13:52:36.827

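As an added example (not from the original post or any answer on this page): a POSIX shell script that reduces the text printed by `hdparm -I <device>` to the two facts the question turns on, the ATA security state (supported / enabled / locked / frozen) and whether the drive advertises the Trusted Computing feature set, which is the TCG/OPAL capability a tool such as sedutil talks to. The hdparm output embedded below is constructed sample text, not captured from an ST1000LM015, and the function names (parse_hdparm_security, sed_status, the sample_* helpers) are my own.

```shell
#!/bin/sh
# Added example, not part of the original question. Parses `hdparm -I` text
# from stdin and prints key=value lines for the ATA security feature set and
# the Trusted Computing (TCG/OPAL) feature flag.

parse_hdparm_security() {
  awk '
    # "Security:" opens the block; the next line that starts at column 0
    # ("Checksum: correct", "Logical Unit WWN ...") closes it.
    /^Security:/         { insec = 1; next }
    insec && /^[A-Za-z]/ { insec = 0 }
    # Inside the block hdparm prints "\t\tsupported" (one field) for a set
    # flag and "\tnot\tenabled" (two fields) for a cleared one.
    insec && NF == 1                { flag[$1] = "yes" }
    insec && NF == 2 && $1 == "not" { flag[$2] = "no" }
    # Under Commands/features a leading "*" marks a feature that is active.
    /Trusted Computing feature set/ { tcg = ($1 == "*") ? "active" : "supported" }
    END {
      n = split("supported enabled locked frozen", keys, " ")
      for (i = 1; i <= n; i++)
        printf "ata_security_%s=%s\n", keys[i], (keys[i] in flag) ? flag[keys[i]] : "unknown"
      printf "tcg_feature_set=%s\n", (tcg == "") ? "no" : tcg
      # A frozen drive rejects SECURITY SET PASSWORD until the next power
      # cycle, so the password can then only be managed from firmware setup.
      fz = ("frozen" in flag) ? flag["frozen"] : ""
      printf "ata_password_changeable_from_os=%s\n", (fz == "yes") ? "no" : ((fz == "no") ? "yes" : "unknown")
    }'
}

# Constructed sample 1: ATA security supported but never enabled, TCG active.
sample_not_enabled() {
  printf '%b\n' \
    'Commands/features:' \
    '\tEnabled\tSupported:' \
    '\t   *\tSMART feature set' \
    '\t    \tSecurity Mode feature set' \
    '\t   *\tTrusted Computing feature set' \
    'Security: ' \
    '\tMaster password revision code = 65534' \
    '\t\tsupported' \
    '\tnot\tenabled' \
    '\tnot\tlocked' \
    '\tnot\tfrozen' \
    '\tnot\texpired: security count' \
    '\t\tsupported: enhanced erase' \
    '\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.' \
    'Checksum: correct'
}

# Constructed sample 2: a BIOS drive password is set; the firmware sent it
# at POST (so the drive is unlocked) and then froze the security state.
sample_bios_password() {
  printf '%b\n' \
    'Commands/features:' \
    '\tEnabled\tSupported:' \
    '\t   *\tSecurity Mode feature set' \
    '\t   *\tTrusted Computing feature set' \
    'Security: ' \
    '\tMaster password revision code = 65534' \
    '\t\tsupported' \
    '\t\tenabled' \
    '\tnot\tlocked' \
    '\t\tfrozen' \
    '\tnot\texpired: security count' \
    '\t\tsupported: enhanced erase' \
    'Checksum: correct'
}

# Live use (needs root and hdparm installed): sed_status /dev/sda
sed_status() { hdparm -I "$1" | parse_hdparm_security; }

# Offline demonstration against the constructed samples.
echo "--- sample: security never enabled ---"
sample_not_enabled | parse_hdparm_security
echo "--- sample: BIOS password set, drive unlocked and frozen ---"
sample_bios_password | parse_hdparm_security
```

Two things the output makes visible. First, neither block says anything about encryption: hdparm reports lock state and feature bits only, so whether user data is actually encrypted at rest (the question the post asks) cannot be answered from this output. Second, `ata_security_frozen=yes` is the normal state on a laptop once the firmware has supplied the drive password at POST; from then on the password can only be changed in the BIOS setup, and `hdparm --security-set-pass` will be refused until the drive has been power-cycled.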

Possible duplicate of How to verify a self-encrypted drive (SED) is really encrypted?

– Ƭᴇcʜιᴇ007 – 2016-02-12T14:02:59.223

AFAIK the ATA security feature set (password) has nothing to do with encryption. It just provides a way to prevent the drive from being accessed. I even doubt whether the encryption implementations on most drives really add another layer of security. From what I see, what they mainly provide is a quick means to do a "full erase" of the drive, which is the re-generation of the encryption key. If someone circumvents the ATA security feature set in some way, whether the encryption key will still remain inaccessible is in doubt. – Tom Yan – 2016-02-13T00:35:27.820

Tried asking the manufacturer? Seems almost every drive does things a little differently – Xen2050 – 2016-02-13T16:30:14.980

Yes, it definitely seems like it. And the people you get at the support line usually have no clue what you are talking about. Yes, yes, it is encrypted. No, you don't need to worry, the key is saved encrypted. How? I don't know, but you can be sure it is encrypted. Yeah, that's how it works. So it's better to go with software after all, if you want to be sure about the implementation! – TJJ – 2016-02-14T04:25:02.567

No answers