12
5
I have a Dell Latitude E6400 and I would like to know how secure setting a BIOS HDD Password is? Does this apply some form of encryption to the contents of the drive or is it just some simple lock on accessing the drive? I.e. if the notebook was lost or stolen could the data on it be accessed by someone with a bit of know how?
user10762
Posted 2009-10-27T23:44:03.943
Reputation: 373
11
BIOS passwords are simple locks. If you don't provide the password, the BIOS simply stops and doesn't continue the boot process.
There are two ways to get around this simple lock:
Clear the BIOS/CMOS memory (usually requires direct motherboard access).
Remove the drive and connect it to another computer (easier).
Update: As Blackbeagle's answer mentions, there is a HDD password defined as part of the ATA specifications. This is also a simple lock, but it's implemented in the drive, so neither of the above steps will bypass it. Some technical knowledge (and possibly some additional hardware) is required. You might be interested in this primer article on HDD passwords.
The BIOS lock is a decent deterrant in any number of movie-plot scenarios: someone with limited technical knowledge, or situations where the attacker can access the computer but doesn't have time or freedom enough to take it apart. If you're just trying to prevent your co-worker or family member from access, this works. However, this is not a significant deterrant for a determined attacker or someone who has unlimited physical access.
The ATA-level lock is a better deterrent, but it isn't perfect. Again, a determined attacker, given enough time, will get your data.
Full-disk encryption is available, and provides better protection. Self-encrypting drives that do this in hardware exist, and there are plenty of software options. Data encryption makes it much more difficult for an attacker to get your data, but there are always ways to get around encryption. (In particular, beware of Lead-Pipe Cryptanalysis.)
quack quixote
Posted 2009-10-27T23:44:03.943
Reputation: 37 382
8
With due respect, there is a misunderstanding between BIOS passwords and HDD passwords. Another between password and encryption. Another between HDD security and Security chip on the mobo.
BIOS pwds protect the boot process only: if the password is not provided to BIOS during power on sequence, then the power on sequence is stopped. BIOS pwd are stored on the mobo. At this stage, the disk has not been even accessed. HDD password (actual name is ATA Security) is provided by the drive only, and not by the BIOS. HDD pwds are stored on the drive only. However the BIOS needs to ask the pwd to the user and pass it to the drive (it is not checked either by BIOS). The HDD will then decide if it will unlock the drive. If not no data can be read or write.
HDD passwords don't relate to disk encryption. The ATA Security feature is just a lock/unlock mechanism. Data may be encrypted or not by the system, this is transparent to the HDD controller onboard the HDD. Note that some Hitachi Travelstar disks are always encrypted, but are not protected (the encryption key is not released outside the drive, only the drive knows it). The goal is to scramble the data, and force them to be read by the HDD chip only, but there are provided to everyone. Protection will be available only by mean of ATA Security.
Passwords and credential in general may be stored in simple storage (bare EEPROM) or in smart storage. Bare EEPROM can be read and written. Smart storage is offered by micro controller chips (similar to MMC cards) like the famous "TPM" (on of the Trusted Computing Group standard). TPM may store passwords, or crypto keys safely. They are associated with the computer mobo before being used, so swapping TPM between computer doesn't work. It is not possible to read them. They can be cleared only. Simply said you provide the pwd you want to confirm, the chip says Yes or No but you cannot guess which pwd would leads to Yes. TPM are used by new EFI BIOS to ensure the boot process is safe, signature of the boot software and hardware are stored in the TPM. Should they differ at boot time, the user will be informed and will need to confirm that he/she wants to continue unsafe.
bitlocked
Posted 2009-10-27T23:44:03.943
Reputation: 189
Then how do you explain HDD password can be bypassed by BIOS setting? (See my answer.) – jarno – 2019-11-13T14:53:13.100
3
For BIOS boot password, the answer is correct- relatively easy to bypass. Normally short the CMOS down.
For hard drive password locks - I believe that that they normally have a small crypto chip on the circuit board. When you enable them, the ATA spec then sends a signal back to the BIOS that results in control passing to the chip. It then asks for the password. Initially when you set it, it takes the password, encrypts it, and stores it on the drive platters. Subsequently when the drive is booted, the crypto chip assumes control, queries for the password and checks it against the stored copy. If they match, the crypto chip allows further boot.
THERE ARE DRIVE DECRYPTERS. I don't know the pricing, but I've seen them. They plug directly into the drive and can decrypt this sort of protection. It might be possible to swap circuit boards, but that wouldn't work if the drive manufacturer was smart enough to move the crypto chip inside the casing alongside the platters.
Blackbeagle
Posted 2009-10-27T23:44:03.943
Reputation: 6 424
I believe the ATA HDD password is not stored on the drive platters, but just in a chip on the drive system board. But this might depend on the manufacturer... – sleske – 2010-08-12T09:11:15.800
"sends a signal back to the BIOS that results in control passing to the chip" -- no. The bios or other user software ( such as the linux util hdparm ) read the password and send it to the drive. – psusi – 2017-06-12T00:09:45.443
0
HDD password does not seem to be secure. If I change BIOS setting Security>Password Bypass>Reboot Bypass, exit BIOS, boot and when there is password query, press Ctrl-Alt-Del to reboot, the password will be not asked and I can read the drive.
jarno
Posted 2009-10-27T23:44:03.943
Reputation: 173
OK that makes sense. The Dell documentation does indicate that moving the drive to another PC wont get around the HDD password but there is no mention of encryption. It sounds like this would probably be adequate if the system was lost or stolen and would prevent most people from accessing the data on the drive but is certainly not high end security. – user10762 – 2009-10-28T05:03:14.693
2
We are using these Samsung SSDs that use the hard drive password in the BIOS to encrypt themselves: http://www.samsung.com/au/consumer/pc-peripherals/solid-state-drive/solid-state-drive/MZ-7PD128BW I've tried putting the encrypted drive into another machine and Windows thinks that the disk hasn't been initialised yet.
– Matthew Lock – 2013-04-03T08:54:42.977