How do I encrypt a Samsung Evo 840 SSD?

14

9

I've purchased a HP Envy 15-j005ea laptop which I have upgraded to Windows 8.1 Pro. I have also removed the HDD and replaced it with a 1TB Samsung Evo 840 SSD. I now wish to encrypt the drive to protect my company's source code and my personal documents but I can't work out how to do it or if its even possible.

I gather that it is not recommended to use Truecrypt on a SSD but please correct me if I'm wrong. I also understand that the 840 Evo has built-in 256 bit AES encryption so it is recommended to use that.

The Evo has been updated to the latest EXT0BB6Q firmware and I have the latest Samsung Magician. I don't know what UEFI level I have but I do know that the machine was built in December 2013 and has the F.35 BIOS made by Insyde.

This is what I have tried:

  • Bitlocker. The latest Samsung firmware is supposedly Windows 8.1 eDrive compatible, so I followed the instructions I found in an Anandtech article. First of all it would seem the laptop has no TPM chip, so I had to allow Bitlocker to work without TPM. Once I'd done that I tried to turn Bitlocker on. Anandtech say that "If everything is eDrive compliant you won’t be asked whether or you want to encrypt all or part of the drive, after you go through the initial setup BitLocker will just be enabled. There’s no extra encryption stage (since the data is already encrypted on your SSD). If you’ve done something wrong, or some part of your system isn’t eDrive compliant, you’ll get a progress indicator and a somewhat lengthy software encryption process." Unfortunately I was asked if I want to encrypt all or part of the drive so I cancelled that.

  • Setting the ATA Password in the BIOS. I don't appear to have such an option in the BIOS, only an admin password and boot-up password.

  • Using Magician. It has a "Data Security" tab, but I don't fully understand the options and suspect that none are applicable.

enter image description here

The info in this question and answer helped but didn't answer my question.

Clearly then, what I would like to know is how do I encrypt my solid state drive in the HP Envy 15 or am I in fact out of luck? Are there any alternative options or do I have to either live without encryption or return the laptop?

There is a similar question on Anandtech but it remains unanswered.

Stephen Kennedy

Posted 11 years ago

Reputation: 266

Encrypting SSDs is problematic due to wear leveling. I don't know all the specifics to it, but you might find a related question at Security.SE helpful. (Note that this is from a security perspective rather than implementation.)

– Jonathan Garber – 11 years ago

Please read the comments on my post on SSD encryption: http://vxlabs.com/2012/12/22/ssds-with-usable-built-in-hardware-based-full-disk-encryption/ -- it has become a discussion board for people interested in SSD FDEs. I think TCG Opal that you show might be interesting.

– Charl Botha – 11 years ago

That's a good discussion Charl, I will keep an eye on it. Looks like none of your visitors have cracked this yet. WinMagic SecureDoc Standalone for Windows is mentioned which is new to me... but I'm not sure I want to pay $100 just for the privilege of setting a password! – Stephen Kennedy – 11 years ago

Answers

8

The password has to be set in the BIOS under the ATA-security extension. Usually there's a tab in the BIOS menu titled "Security". Authentication will occur at the BIOS level, so nothing this software "wizard" does has any bearing on setting up the authentication. It's unlikely that a BIOS update will enable HDD password if it wasn't previously supported.

To say that you're setting up the encryption is misleading. The thing is that the drive is ALWAYS encrypting every bit it writes to the chips. The disk controller does this automatically. Setting a HDD password(s) to the drive is what takes your security level from zero to pretty much unbreakable. Only a maliciously-planted hardware keylogger or an NSA-sprung remote BIOS exploit could retrieve the password to authenticate ;-) <-- I guess. I'm not sure what they can do to BIOS yet. The point is it's not totally insurmountable, but depending on how the key is stored on the drive, it's the most secure method of hard drive encryption currently available. That said, it's total overkill. BitLocker is probably sufficient for most consumer security needs.

When it comes to security, I guess the question is: How much do you want?

Hardware-based full disk encryption is several orders of magnitude more secure than software-level full disk encryption like TrueCrypt. It also has the added advantage of not impeding your SSD's performance. The way SSD's stow their bits can sometimes lead to problems with software solutions. Hardware-based FDE is just less messy and more elegant and secure of an option but it hasn't "caught on" even among those who care enough to encrypt their valuable data. It's not tricky to do at all but unfortunately many BIOS's simply don't support the "HDD password" function (NOT to be confused with a simple BIOS password, which can be circumvented by amateurs). I can pretty much guarantee you without even looking in your BIOS that if you haven't found the option yet, your BIOS doesn't support it and you're out of luck. It's a firmware problem and there's nothing you can do to add the feature short of flashing your BIOS with something like hdparm which is something so irresponsible that even I wouldn't attempt it. It's nothing to do with the drive or the included software. This is a motherboard specific problem.

ATA is nothing more than a set of instructions for the BIOS. What you're trying to set is an HDD User and Master password, which will be used to authenticate to the unique key stored securely on the drive. "User" password will allow the drive to be unlocked and boot to proceed as normal. Same thing with "Master". Difference is that a "Master" password is needed to change passwords in the BIOS or erase the encryption key in the drive, which renders all its data inaccessible and irrecoverable instantly. This is called the "Secure Erase" feature. Under the protocol, a 32-bit string of characters is supported, meaning a 32-character password. Of the few laptop manufacturers that support setting an HDD password in the BIOS, most limit characters to 7 or 8. Why every BIOS company doesn't support it is beyond me. Maybe Stallman was right about proprietary BIOS.

The only laptop (pretty much no desktop BIOS supports HDD password) I know will allow you to set a full-length 32-bit HDD User and Master password is a Lenovo ThinkPad T- or W- series. Last I heard some ASUS notebooks have such an option in their BIOS. Dell limits HDD password to a weak 8 characters.

I am much more familiar with the key storage in Intel SSD's than Samsung. Intel was I believe the first to offer on-chip FDE in their drives, the 320 series and on. Although that was AES 128-bit. I haven't looked extensively into how this Samsung series implements key storage, and nobody really knows at this point. Obviously customer service was of no help to you. I get the impression only five or six people in any tech company actually know anything about the hardware they sell. Intel seemed reluctant to cough up the specifics but eventually a company rep answered somewhere in a forum. Keep in mind that for the drive-manufacturers this feature is a total afterthought. They don't know or care anything about it and neither do 99.9% percent of their customers. It's just another advertisement bullet point on the back of the box.

Hope this helps!

Rinny T. Tinfoil

Posted 11 years ago

Reputation: 89

6"Hardware-based full disk encryption is several orders of magnitude more secure than software-level full disk encryption like TrueCrypt." Citation needed. – Abdull – 11 years ago

The claim that hardware encryption is more secure than software encryption is not falsifiable because we cannot know exactly what the hardware is doing. Open source software, such as TrueCrypt, can and has gone through several audits, so users can know exactly what they are using. This problem with hardware based security is not new and is standard criticism of TPM. – Paul – 8 years ago

@Paul - maybe TrueCrypt is not the best example as that software has security flaws and is no longer supported because of it. – Igor – 8 years ago

1

@Igor TrueCrypt has survived through several audits and no major flaws have been found. https://www.schneier.com/blog/archives/2015/04/truecrypt_secur.html

– Paul – 8 years ago

That's a lovely answer "Mr Tinfoil"; lots and lots of info, some of which I knew and some of which I certainly didn't :) I'd already concluded that I was out of luck wrt to the BIOS and its such a shame as the drive is, as you point out, already encrypting the data! I don't need NSA-proof levels of security - just enough to satisfy myself and my employer that our source code (and my personal files) would likely be safe if I lost the laptop. I'm already on the road and have gone with Bitkeeper (software level encryption) for the time being. Thanks again. – Stephen Kennedy – 11 years ago

8

I finally got this to work today and like you I believe I do not have an ATA password setup in the BIOS either (at least not that I can see). I did enable the BIOS user/admin passwords and my PC does have a TPM chip but BitLocker should work without one (USB key). Like you I was also stuck in the exact same spot at the BitLocker prompt do I want to encrypt just the data or the whole disk.

My problem was that my Windows installation was not UEFI although my Motherboard does support UEFI. You can check your installation by typing msinfo32 in the run command and checking Bios Mode. If it reads anything other than UEFI then you need to re-install windows from scratch.

See this Steb-by-Step Instructions to Encrypt Samsung SSD guide in a related post on this forum.

Igor

Posted 11 years ago

Reputation: 405

1The ATA password is not related to the BIOS. Some systems may support setting an ATA password from the BIOS interface, but the ATA password itself has nothing to do with the BIOS. For example, the hdparm Linux command line utility can be used to manage the security features using the ATA standard, as well as other manageable features in the standard. It is important to note that many BIOS developers do not allow full utility of the ATA password feature. For example, I have a Dell that only allows up to 15 characters to be included in the password, even though the standard allows up to 32. – Paul – 8 years ago

Looks like a great answer! I will check it when I will get such SSD too. – Display Name – 11 years ago

just checked, it really works this way – Display Name – 11 years ago

2

Software Encryption

TrueCrypt 7.1a is just fine for use on SSDs, but note that it will likely reduce IOPs performance by a considerable amount, though the drive will still perform more than 10 times better IOPs than HDD. So if you cannot make use of the options listed in Magician, TrueCrypt is an option for encrypting the drive, but it reportedly does not function very well with Windows 8 and later file systems. For this reason, BitLocker with full disk encryption is a better option for these operating systems.

TCG Opal

TCG Opal is basically a standard which allows for a sort of mini operating system to be installed to a reserved part of the drive that is only for the purpose of allowing the drive to boot and present the user with a password for granting access to the drive. There are various tools available for installing this feature, including some reportedly stable open source projects, but Windows 8 and later BitLocker should support this feature.

I do not have Windows 8 or later, so I cannot provide instruction on how to set this up, but my reading indicates that this is only available when installing Windows, and not after it is installed. Experienced users feel free to correct me.

ATA Password

The ATA password locking is an optional feature of the ATA standard supported by the Samsung 840 and later series drives, as well as thousands of others. This standard is not related to a BIOS and can be accessed through any number of methods. I do not recommend using a BIOS for setting or managing the ATA password as the BIOS may not be properly conforming to the ATA standard. I have experience with my own hardware appearing to support the feature, but actually not being in compliance.

Note that searching on this feature will produce a lot of discussion claiming that the ATA lock feature should not be considered safe for protecting data. This is generally only correct for HDDs that are not also Self Encrypting Drives (SED). Since the Samsung 840 and later series drives are SSDs and SEDs, these discussions are simply not applicable. The ATA password locked Samsung 840 series and later should be secure enough for your usage, as described in this question.

The best way to be sure your BIOS can support unlocking an ATA password locked drive is to lock a drive, install it into the computer, then boot the computer and see if it asks for a password and if the password entered can unlock the drive.

This test should not be performed on a drive with data you do not want to lose.

Fortunately, the test drive does not have to be the Samsung drive, as it can be any drive that supports the ATA standard security set and can be installed in the target computer.

The best way I have found for accessing the ATA features of a drive are with the Linux command line utility hdparm. Even if you don't have a computer with Linux, there are many distributions whose install disk image also supports running the OS 'live' from the install media. Ubuntu 16.04 LTS, for example, should easily and quickly install to the vast majority of computers and the same image can also be written to flash media for running on systems without optical drives.

Detailed instructions on how to enable ATA password security are beyond the scope of this question, but I found this tutorial to be one of the best for this task.

Enabling ATA Security on a Self-Encrypting SSD

Note that the maximum password length is 32 characters. I recommend doing the test with a 32-character password to be sure that the BIOS supports the standard correctly.

With the target computer powered down and the drive ATA password locked, install the drive and boot the system. If the BIOS does not ask for a password to unlock the drive, then the BIOS does not support ATA password unlock. Also, if it seems like you are entering the password completely correctly, but it is not unlocking the drive, it may be that the BIOS does not properly support the ATA standard, and thus should not be trusted.

It may be a good idea to have some way to verify that the system is properly reading the unlocked drive, such as by having an operating system installed and loading properly, or installing along side an OS drive that loads and can mount the test drive and read and write files without issue.

If the test is successful and you feel confident in repeating the steps, enabling the ATA password on a drive, including one with an OS installed, will not change anything in the data portion of the drive, so it should boot up normally after entering the password in the BIOS.

Paul

Posted 11 years ago

Reputation: 698

TrueCrypt 7.1a is just fine for use on SSDs -> No! It should not be listed as not an option. TrueCrypt is not secure and no longer supported, please edit your post accordingly. See TrueCrypt – Igor – 8 years ago

BTW this is nothing new, support was stopped on May 2014 (well over 2 years ago now).

– Igor – 8 years ago

The ending of 'support' for TrueCrypt also occurred as the project needed substantial revisions to work with newer (Windows 8) file systems. TrueCrypt 7.1a has gone through very deep auditing that found only minor issues with the code that did not affect the quality of the cryptography. Open Crypto Audit Project TrueCypt Cryptographic Review. This is verification that the crypto is known to be good. I am not aware of any other project that can boast the same level of verification.

– Paul – 8 years ago

TrueCrypt was an open source project, so claiming that it is "no longer supported" is actually misleading - it was never "supported". What has changed is that it is no longer actively developed. – Paul – 8 years ago

@Igor Unless you can provide some sort of evidence that the cryptography provided by TrueCrypt 7.1a is unacceptable, I will not be editing my answer with regards to that aspect. – Paul – 8 years ago

1

I don't know if you saw this or fixed this yet, but here's a link specifically from Samsung on your EVO 840. http://www.samsung.com/global/business/semiconductor/minisite/SSD/global/html/about/whitepaper06.html

Essentially what they say to enable the hardware AES encryptor built into the ssd is to set the HDD Password under the System BIOS. The "User/Admin/Setup" passwords are just that. However, setting the HDD Password should pass through to the SSD. This will require you to manually enter the password every time you turn on the computer, and does not work with TPM chips or other PassKeys. Also, I cannot stress enough, ANYONE who uses encryption needs to make sure that their data is backed up. Recovering data from a failed/corrupted encrypted drive is next to impossible without going through a specialized service.

Roger

Posted 11 years ago

Reputation: 11

1

"I don't need NSA-proof levels of security "

Well why not use it anyway, since it's free?

After taking grad school classes in computer security and computer forensics, I decided to encrypt my drive. I looked at many options and am VERY happy I selected DiskCrypt. It's easy to install, easy to use, open source with PGP signatures provided, instructions on how to compile it yourself to insure that the exe matches the source, it auto-mounts the drives, you can set the pre-boot PW prompt and wrong-pw action, and it will use AES-256.

Any modern CPU will do a round of AES encryption in a SINGLE machine instruction (encrypting a sector's worth of data takes a couple of dozen rounds). On my own benchmarks, AES runs eleven times faster than software-implemented ciphers like blowfish. DiskCryptor can encrypt data many times faster than the PC can read and write it from the disk. There is NO measurable overhead.

I'm running a TEC-cooled, hopped-up, speed freq 5 GHz machine, so your mileage would vary, but not by much. The CPU time required for encrypt/decrypt was too low to measure (i.e., under 1%).

Once you set it up, you can totally forget it. The only noticeable effect is that you have to type your PW at boot, which I am delighted to do.

As for not using encryption on SSDs, that's a rumor I haven't heard before. It's also unwarranted. Encrypted data is written and read from the drive exactly like normal data. Only the bits in the data buffer are scrambled. You can chkdsk/f and run any other disk utility on an encrypted drive.

And BTW, unlike other programs, diskkeeper doesn't keep your pw in memory. It uses a one-way hashed key for encryption, overwrites your mistyped pwds in memory, and goes to great lengths to insure that it doesn't ride out on a paging file during PW entry and validation.

https://diskcryptor.net/wiki/Main_Page

Faye Kane girl brain

Posted 11 years ago

Reputation: 49

Well fu ck it, then. Delete my post, even though it is clearly relevant to encrypting SSDs, suggests the software to do so, responds to the suggestion that encryption will hurt an SSD, and that I obviously know what I'm talking about (even if I wasn't a grad student in computer security). See if I come back and help anybody else. – Faye Kane girl brain – 10 years ago

The reason behind encryption being somewhat bad has to do with de-duplication. I do not know if ssd's do this but if they do use it as a method of lowering writes the encryption does lead to a decrease in life because the same thing being written to the drive has to be fully written rather than deduped.

So it is not a matter of it just being bits. yes once dycrypted it looks the same but on the chip itself it is a different story. – birdman3131 – 10 years ago

@birdman3131 I think SSD's are way past the point where one needs to worry about SSD lifespan from writes for the vast, vast majority of use cases. If an SSD does not have compression/deduplication offered as a feature, I think it can be safely assumed it lacks it. If it's a filesystem level feature, then this makes no difference as to whether a lower level is encrypted or not. – Phizes – 10 years ago

0

I've posted on this elsewhere in Super User, but since this was a thread that I used to educate myself, I wanted to touch base here as well.

ATA Password vs software encryption for Full Disk Encryption in Samsung 840/850 EVO and Intel SSDs

Pros: Simple, no performance hit, extremely secure: discs are unreadable in other machines without ATA Password

Cons: You need a BIOS that has the ATA Password option (HP and Lenovo laptops seem to have this, but most desktop mobos do not. Exception: ASRock recently wrote their 1.07B BIOS for their Extreme series, and it works). Also, it's so secure that if you lose the password, the data is unrecoverable. By anyone, it seems. Lastly, it's all dependent on one controller chip on the SSD, and if that chip goes bad, the data is done. Forever.

Hope this adds to the discussion.

Al Winston

Posted 11 years ago

Reputation: 51

-1

Setting the ATA Password in the BIOS. I don't appear to have such an option in the BIOS, only an admin password and boot-up password. Too bad, this is the simplest option you have.

Second is win 8.1 + bitlocker but the whole reinnstall thing is annoying

i'm not aware of any foss tcg opal sw and the paid versions probably cost a lot

truecrypt works but if your cpu doesn't have AES-NI the spees hit can be noticable

and don't forget back up your struff, encrypted data is much much harder to recover

user384816

Posted 11 years ago

Reputation: 1

Web searches for 'FOSS TCG Opal software' provides results with links and tutorials for FOSS TCG projects. The vast majority of users will not perceive the very minor hit to performance from using TrueCrypt without hardware accelerators (anecdotally, I installed TrueCrypt to an old Dule-Core laptop that had an HDD, and I could not perceive any performance hit). Backing up data that is encrypted must be to a device with at least the same level of security, otherwise it defeats the purpose of the encryption. – Paul – 8 years ago

-1

When installing many Linux Distributions you are given the option to encrypt the /home folder. At that time when you choose to encrypt the /home folder (aka mount point), you are asked (required) to enter a password twice.

Essentially one completed, your /home folder is encrypted.

Samsung was supposed to be 'pre encrypted' at the factory.

This usually means that no access to the hard drive's information can be done without the password.

The above is what I have done. If I am lucky the Samsung encryption with another layer of Linux software encryption should make me relatively safe from most nefarious individuals, companies, and governments.

I did not feel the need to password the hard drive via BIOS.

It is hard enough to remember multiple passwords already. KeepassX may be of some use in that respect.

For the truly paranoid, you could password the Samsung EVO in BIOS, use Linux upon installation to software encrypt the drive then use an Open Source encryption program (not truecrypt because of suspected back doors and vulnerabilities).

You could use KeepassX to remember the long complicated passwords and even password protect that flash drive as well.

Unless you are some sort of criminal or have something so valuable that you need that much security, most is a waste of time.

It might be easier to keep your source code on an encrypted flash drive like IronKey so you do not take any performance hits or have drive issues. Personal documents can go there as well.

zolar1

Posted 11 years ago

Reputation: 7

Asked: 11 years ago

Viewed: 47 522 times

Active: 8 years ago