How to verify a self-encrypted drive (SED) is really encrypted?
I have a Dell Precision M3800 that is supposed to have a self-encrypted hard drive. I'm running Windows 10. In the Storage Management screen, the disk claims to be a 'LITEONIT LMT-256L9M-41 MSATA 256GB SED'.
I've set a hard drive password in the Dell BIOS, but how can I confirm that the contents of the disk are actually encrypted by a key tied to that password? The BIOS is very unclear about what is happening on that front, and I don't find options to do crypto-erase so I'm not sure how to assure myself that the contents are safe.
Also, does anyone know if it is possible to force the computer to prompt me to unlock the HD after waking from sleep, or do I need to shutdown in order to fully "lock" the hard drive?
windows hard-drive bios fde self-encrypting-drive
asked Oct 10 '15 at 20:28 by mwhidden; edited Oct 22 '18 at 11:03
You can not: just because it looks encrypted and you can not make sense of the data does not mean that it is encrypted (see microsoft barny). Have you considered putting user data in a separate partition and encrypting that in software? There is no need to encrypt the OS, as this is public data already. Also if someone gets hold of your computer they can inject a man in the middle, so do not trust it when you get it back.
– ctrl-alt-delor
Oct 10 '15 at 22:10
Well I didn't mean mathematically verifiable... just verifiable in the sense that I cannot go, "oh, look, it's not trivially identifiable as an NTFS (or whatnot) filesystem and here are the contents of foo.txt". A Windows tool or BIOS screen that says "harddrive status: encrypted" would work, too, for my purposes as a crypto layman.
– mwhidden
Oct 10 '15 at 23:29
3 Answers
One way to verify the drive is encrypted is to physically connect it to another machine. Either by direct SATA connection, or by a USB to SATA adapter. The other machine should be able to recognize the drive, but not be able to read the contents.
As for your second question, you most likely can't get it to "lock" the hard drive during a sleep. Even when a machine is sleeping, the OS is waiting in the background in a low power state. It has to be able to access and read the drive to come out of sleep.
The OS is not "waiting", it's woken up by ACPI. If the system's firmware supports it, it may very well erase the key from memory upon entering sleep and requiring it upon resume. Few laptops support it though. It's the only way to avoid an attack where the data cable of a hard drive in a sleeping computer is plugged into another computer granting full access to the data.
– musiKk
Oct 10 '15 at 20:53
I was going for a simple explanation.
– Keltari
Oct 10 '15 at 21:00
Thanks. I was hoping not to have to do that, since they don't make taking the drive out of the laptop something simple for the software-oriented. If it were a 3.5" SATA drive in a tower, I'd say yes, but I'm loath to dig into the guts of my laptop. Thanks also for the BIOS info. My old Latitude would prompt for the BIOS and HD passwords (not an SED there, though) after waking from sleep, which I liked, but the M3800 doesn't do it.
– mwhidden
Oct 10 '15 at 23:32
However, with this technique, you still won't know if the drive is just locked or if the data is really encrypted.
– TJJ
Feb 15 '16 at 10:49
There is ABSOLUTELY NO NEED TO REMOVE ANY OF YOUR DRIVES FROM YOUR RIG to check whether or not it is a SED drive and to check its encryption status!
The easiest and SAFEST way to verify if any of your drives is a SED [Self-Encrypting Drive] and its encryption status is to use the Linux command "hdparm":
1) from any WINDOWS OS:
1.a) Download the ISO file for the latest Linux Mint Xfce 64-bit OS from https://linuxmint.com and either burn the ISO file to a DVD or use Rufus to create a bootable USB from the ISO file.
1.b) Boot from the bootable DVD/USB and follow the instructions below [in a Dell M3800 with the "Hard Drive Password" set, you will still be asked for the drive password at boot-up].
2) from any recent Linux Mint OS [17.x, 18.x, 19.x]:
find your HD/SSD: open a terminal window and issue the command:
blkid
[examples: "/dev/sda", "/dev/nvme0", etc]
run the command to find the status of your SSD:
sudo hdparm -I /dev/xxxx
You will be requested to enter your admin username and password;
If you are booting from the Live DVD/USB ISO file you burned the username is lowercase "mint" and there is NO password - simply hit "enter";
On the command above "xxxx" is the name of your SED drive; watch out for typos: the "-I" above is a Capital "i", NOT a lowercase "L" or a digit "one"
The typical output of the hdparm command above for a SED drive will be:
"Security:
Master Password Revision Code: 65534
supported
enabled
not locked
frozen
not expired: security count
supported: enhanced erase
Security level high
xMin for SECURITY ERASE UNIT. xMin for ENHANCED SECURITY ERASE UNIT
Logical Unit WWN Device Identifier: xxxxxxxxxxxxx
NAA: x
IEEE OUI: xxxxx
Checksum: correct"
If the results for your drive are similar to the above, your HD or SSD is a self-encrypted drive, the drive is self-encrypting your data on-the-fly and your drive has no errors.
If the command returns an error without any output, or if the first line of the output says "not supported", it means your drive is NOT a SED drive.
BTW (1): BEWARE of setting your SED "Hard Drive Password" through BIOS, especially on any LENOVO THINKPADs [some of these LENOVO THINKPADs notoriously ADD an EXTRA bit to the characters of your chosen password, effectively BRICKING the SED drive, unless that drive has on its label a PSID "factory reset" password which allows you to unlock and reset the drive - but you WILL lose ALL THE DATA on that drive!].
The SAFEST way to set encryption on a SED drive for which the "hdparm" command returns "NOT ENABLED" is, again, to use the "hdparm" command, as below:
1) UNFREEZE the hard-drive by SUSPENDING the computer for a few seconds. When you resume the status of the drive at "hdparm -I /dev/xxxx" will say "UNFROZEN"
2) Run the command to set up the SED encryption:
sudo hdparm --user-master u --security-set-pass 'PASSWORD' /dev/xxxx
where xxxx is the name of your SED drive and PASSWORD is the password you want to set (DON'T FORGET TO ENCLOSE YOUR CHOSEN PASSWORD WITH SINGLE QUOTES!).
Afterwards simply run the command "hdparm -I /dev/xxxx" to check the status of your encryption: it should say "ENABLED".
Later, if you decide to SAFELY remove the encryption without losing your data, run the command:
sudo hdparm --security-disable 'PASSWORD' /dev/xxxx
where xxxx is the name of the drive and PASSWORD the password you've chosen to use: the drive status on the "hdparm -I /dev/xxxx" output will be "SUPPORTED", "NOT ENABLED".
BTW (2): if you own MULTIPLE encryption-enabled SED's on your rig (like me with my four Samsung EVO 960 1TB M.2 NVMe's plus one Seagate Momentus 4TB as a backup on my Dell Precision M6800 Mobile Workstation) and you do not want at boot-up to input multiple times the password to unlock your SED's, simply choose the SAME password in all your SED hard-drives. This way you will only need to input your hard-drive password ONCE and ALL your SED's drives will unlock!
ATA security and hdparm have nothing to do with disk encryption.
– ͏͏͏
Jan 15 at 15:01
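The hdparm procedure in the answer above, and the comment that ATA security is a separate thing from encryption, can be made concrete with the following added example (my own script, not code from the answer or from the hdparm project). It parses the "Security:" section of `hdparm -I` output, in the indented layout hdparm prints (negated flags appear as "not <flag>"), and classifies the drive as unsupported / supported / enabled / enabled,locked, with a ",frozen" suffix. It reads on stdin, so it works on a live drive (`sudo hdparm -I /dev/sdX | ata_security_state`) or on saved text; the three sample outputs embedded below are constructed from the field names the answer quotes, not captured from a real drive. What it deliberately does not claim: none of these states tells you whether the drive encrypts data on the media, because `hdparm -I` only reports the ATA security (password lock) feature set.

```shell
#!/bin/sh
# Added example (not from the answer above): classify the ATA security state
# reported by `hdparm -I`. Reads hdparm output on stdin.
#   sudo hdparm -I /dev/sdX | ata_security_state

# Print only the indented lines that belong to the "Security:" section.
ata_security_block() {
    awk '
        /^Security:/        { inblk = 1; next }
        inblk && /^[^ \t]/  { inblk = 0 }      # next unindented heading ends the section
        inblk               { print }
    '
}

# True when the section ($1) contains a line that reads exactly "<word>" ($2).
has_flag() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2[[:space:]]*\$"
}

# True when the section ($1) contains a line that reads "not <word>" ($2).
has_not_flag() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*not[[:space:]]+$2[[:space:]]*\$"
}

# Print one of: unsupported | supported | enabled | enabled,locked, with a
# ",frozen" suffix when the drive is frozen. "enabled" means a user password is
# set and the drive locks on power cycle; "frozen" means the drive rejects
# SECURITY SET PASSWORD / ERASE until a power cycle or suspend/resume.
# None of these states says whether the drive encrypts data on the media.
ata_security_state() {
    sec_block=$(ata_security_block)
    if [ -z "$sec_block" ] || has_not_flag "$sec_block" supported \
       || ! has_flag "$sec_block" supported; then
        echo "unsupported"
        return 0
    fi
    if has_flag "$sec_block" enabled; then
        sec_state="enabled"
        if has_flag "$sec_block" locked; then
            sec_state="enabled,locked"
        fi
    else
        sec_state="supported"
    fi
    if has_flag "$sec_block" frozen; then
        sec_state="$sec_state,frozen"
    fi
    echo "$sec_state"
}

# Constructed sample in the layout hdparm -I uses (indented flags, "not" prefix
# on negated ones), matching the state the answer above describes.
SAMPLE_SED='ATA device, with non-removable media
        Model Number:       EXAMPLE-SED-MODEL (constructed)
Security:
        Master password revision code = 65534
                supported
                enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
        Security level high
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 0000000000000000 (constructed)
Checksum: correct'

# Same drive after `hdparm --security-disable`: password cleared, not frozen.
SAMPLE_DISABLED=$(printf '%s\n' "$SAMPLE_SED" \
    | sed -e 's/^\( *\)enabled$/\1not     enabled/' -e 's/^\( *\)frozen$/\1not     frozen/')

# Constructed drive without the ATA security feature set at all.
SAMPLE_NONE='Security:
        Master password revision code = 65534
        not     supported
Checksum: correct'

printf '%s\n' "$SAMPLE_SED"      | ata_security_state   # enabled,frozen
printf '%s\n' "$SAMPLE_DISABLED" | ata_security_state   # supported
printf '%s\n' "$SAMPLE_NONE"     | ata_security_state   # unsupported
```

The "frozen" result is the one that bites in practice: most BIOSes freeze the drive at boot, so `--security-set-pass` and `--security-disable` fail until you suspend and resume, which is exactly the step the answer describes. The "enabled" result only confirms a password lock; whether that lock is backed by hardware encryption is a property of the drive model, as the later answer on this page points out.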
I know this has been around for a while, but I think there may be a mistake in your verbiage. I followed your steps to encrypt a ST750LM022 drive and everything seemed to work and I was very pleased with myself, but I looked it up on Seagate's site and the specifications do not mention this being a self-encrypted drive. I think your steps work, but just because it supports the ATA security function to password lock a hard drive, doesn't mean it's encrypted. This document indicates that ATA drive password security is fairly easily defeated: https://security.utexas.edu/education-outreach/BreakingATA . This said, your information was excellent, but I wanted to address that unless you have a SED installed, everything will look great and the password will give you the feeling that you are well protected when it does not appear that you are. If this is incorrect, please correct me, and if someone can tell me a surefire way to determine if a drive is a SED short of digging through specs for each drive, it would be greatly appreciated.
Thanks,
Jeff
New contributor
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f984905%2fhow-to-verify-a-self-encrypted-drive-sed-is-really-encrypted%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
One way to verify the drive is encrypted is to physically connect it to another machine. Either by direct SATA connection, or by a USB to SATA adapter. The other machine should be able to recognize the drive, but not be able to read the contents.
As for your second question, you most likely cant get it to "lock" the hard drive during a sleep. Even when a machine is sleeping, the OS is waiting in the background in a low power state. It has to be able to access and read the drive to come out of sleep.
1
The OS is not "waiting", it's woken up by ACPI. If the system's firmware supports it, it may very well erase the key from memory upon entering sleep and requiring it upon resume. Few laptops support it though. It's the only way to avoid an attack where the data cable of a hard drive in a sleeping computer is plugged into another computer granting full access to the data.
– musiKk
Oct 10 '15 at 20:53
I was going for a simple explanation.
– Keltari
Oct 10 '15 at 21:00
Thanks. I was hoping not to have to do that, since they don't make taking the drive out of the laptop something simple for the software-oriented. If it were a 3.5" SATA drive in a tower, I'd say yes, but I'm loathe to dig into the guts of my laptop. Thanks also for the BIOS info. My old Latitude would prompt for the BIOS and HD passwords (not an SED there, though) after waking from sleep, which I liked, but the M3800 doesn't do it.
– mwhidden
Oct 10 '15 at 23:32
However, with this technique, you still won't know if the drive is just locked or if the data is really encrypted.
– TJJ
Feb 15 '16 at 10:49
add a comment |
One way to verify the drive is encrypted is to physically connect it to another machine. Either by direct SATA connection, or by a USB to SATA adapter. The other machine should be able to recognize the drive, but not be able to read the contents.
As for your second question, you most likely cant get it to "lock" the hard drive during a sleep. Even when a machine is sleeping, the OS is waiting in the background in a low power state. It has to be able to access and read the drive to come out of sleep.
1
The OS is not "waiting", it's woken up by ACPI. If the system's firmware supports it, it may very well erase the key from memory upon entering sleep and requiring it upon resume. Few laptops support it though. It's the only way to avoid an attack where the data cable of a hard drive in a sleeping computer is plugged into another computer granting full access to the data.
– musiKk
Oct 10 '15 at 20:53
I was going for a simple explanation.
– Keltari
Oct 10 '15 at 21:00
Thanks. I was hoping not to have to do that, since they don't make taking the drive out of the laptop something simple for the software-oriented. If it were a 3.5" SATA drive in a tower, I'd say yes, but I'm loathe to dig into the guts of my laptop. Thanks also for the BIOS info. My old Latitude would prompt for the BIOS and HD passwords (not an SED there, though) after waking from sleep, which I liked, but the M3800 doesn't do it.
– mwhidden
Oct 10 '15 at 23:32
However, with this technique, you still won't know if the drive is just locked or if the data is really encrypted.
– TJJ
Feb 15 '16 at 10:49
add a comment |
One way to verify the drive is encrypted is to physically connect it to another machine. Either by direct SATA connection, or by a USB to SATA adapter. The other machine should be able to recognize the drive, but not be able to read the contents.
As for your second question, you most likely cant get it to "lock" the hard drive during a sleep. Even when a machine is sleeping, the OS is waiting in the background in a low power state. It has to be able to access and read the drive to come out of sleep.
One way to verify the drive is encrypted is to physically connect it to another machine. Either by direct SATA connection, or by a USB to SATA adapter. The other machine should be able to recognize the drive, but not be able to read the contents.
As for your second question, you most likely cant get it to "lock" the hard drive during a sleep. Even when a machine is sleeping, the OS is waiting in the background in a low power state. It has to be able to access and read the drive to come out of sleep.
answered Oct 10 '15 at 20:41
KeltariKeltari
51.6k18119170
51.6k18119170
1
The OS is not "waiting", it's woken up by ACPI. If the system's firmware supports it, it may very well erase the key from memory upon entering sleep and requiring it upon resume. Few laptops support it though. It's the only way to avoid an attack where the data cable of a hard drive in a sleeping computer is plugged into another computer granting full access to the data.
– musiKk
Oct 10 '15 at 20:53
I was going for a simple explanation.
– Keltari
Oct 10 '15 at 21:00
Thanks. I was hoping not to have to do that, since they don't make taking the drive out of the laptop something simple for the software-oriented. If it were a 3.5" SATA drive in a tower, I'd say yes, but I'm loathe to dig into the guts of my laptop. Thanks also for the BIOS info. My old Latitude would prompt for the BIOS and HD passwords (not an SED there, though) after waking from sleep, which I liked, but the M3800 doesn't do it.
– mwhidden
Oct 10 '15 at 23:32
However, with this technique, you still won't know if the drive is just locked or if the data is really encrypted.
– TJJ
Feb 15 '16 at 10:49
add a comment |
1
The OS is not "waiting", it's woken up by ACPI. If the system's firmware supports it, it may very well erase the key from memory upon entering sleep and requiring it upon resume. Few laptops support it though. It's the only way to avoid an attack where the data cable of a hard drive in a sleeping computer is plugged into another computer granting full access to the data.
– musiKk
Oct 10 '15 at 20:53
I was going for a simple explanation.
– Keltari
Oct 10 '15 at 21:00
Thanks. I was hoping not to have to do that, since they don't make taking the drive out of the laptop something simple for the software-oriented. If it were a 3.5" SATA drive in a tower, I'd say yes, but I'm loathe to dig into the guts of my laptop. Thanks also for the BIOS info. My old Latitude would prompt for the BIOS and HD passwords (not an SED there, though) after waking from sleep, which I liked, but the M3800 doesn't do it.
– mwhidden
Oct 10 '15 at 23:32
However, with this technique, you still won't know if the drive is just locked or if the data is really encrypted.
– TJJ
Feb 15 '16 at 10:49
1
1
The OS is not "waiting", it's woken up by ACPI. If the system's firmware supports it, it may very well erase the key from memory upon entering sleep and requiring it upon resume. Few laptops support it though. It's the only way to avoid an attack where the data cable of a hard drive in a sleeping computer is plugged into another computer granting full access to the data.
– musiKk
Oct 10 '15 at 20:53
The OS is not "waiting", it's woken up by ACPI. If the system's firmware supports it, it may very well erase the key from memory upon entering sleep and requiring it upon resume. Few laptops support it though. It's the only way to avoid an attack where the data cable of a hard drive in a sleeping computer is plugged into another computer granting full access to the data.
– musiKk
Oct 10 '15 at 20:53
I was going for a simple explanation.
– Keltari
Oct 10 '15 at 21:00
I was going for a simple explanation.
– Keltari
Oct 10 '15 at 21:00
Thanks. I was hoping not to have to do that, since they don't make taking the drive out of the laptop something simple for the software-oriented. If it were a 3.5" SATA drive in a tower, I'd say yes, but I'm loathe to dig into the guts of my laptop. Thanks also for the BIOS info. My old Latitude would prompt for the BIOS and HD passwords (not an SED there, though) after waking from sleep, which I liked, but the M3800 doesn't do it.
– mwhidden
Oct 10 '15 at 23:32
Thanks. I was hoping not to have to do that, since they don't make taking the drive out of the laptop something simple for the software-oriented. If it were a 3.5" SATA drive in a tower, I'd say yes, but I'm loathe to dig into the guts of my laptop. Thanks also for the BIOS info. My old Latitude would prompt for the BIOS and HD passwords (not an SED there, though) after waking from sleep, which I liked, but the M3800 doesn't do it.
– mwhidden
Oct 10 '15 at 23:32
However, with this technique, you still won't know if the drive is just locked or if the data is really encrypted.
– TJJ
Feb 15 '16 at 10:49
However, with this technique, you still won't know if the drive is just locked or if the data is really encrypted.
– TJJ
Feb 15 '16 at 10:49
add a comment |
There is ABSOLUTELY NO NEED TO REMOVE ANY OF YOUR DRIVES FROM YOUR RIG to check whether or not it is a SED drive and to check its encryption status!
The easiest and SAFEST way to verify if any of your drives is a SED [Self-Encrypting Drive] and its encryption status is to use the Linux command "hdparm":
1) from any WINDOWS OS:
1.a) Download the ISO file for the latest Linux Mint Xfce 64-bit OS from https://linuxmint.com and either burn the ISO file to a DVD or use Rufus to create a bootable USB from the ISO file.
1.b) Boot from the bootable DVD/USB and follow the instructions below [in a Dell M3800 with the "Hard Drive Password" set, you will still be asked for the drive password at boot-up].
2) from any recent Linux Mint OS [17.x, 18.x, 19.x]:
find your HD/SSD: open a terminal window and issue the command:
blkid
[examples: "/dev/sda", "/dev/nvme0", etc]
run the command to find the status of your SSD:
sudo hdparm -I /dev/xxxx
You will be requested to enter your admin username and password;
If you are booting from the Live DVD/USB ISO file you burned the username is lowercase "mint" and there is NO password - simply hit "enter";
On the command above "xxxx" is the name of your SED drive; watch out for typos: the "-I" above is a Capital "i", NOT a lowercase "L" or a digit "one"
The typical output of the hdparm command above for a SED drive will be:
"Security:
Master Password Revision Code: 65534
supported
enabled
not locked
frozen
not expired: security count
supported: enhanced erase
Security level high
xMin for SECURITY ERASE UNIT. xMin for ENHANCED SECURITY ERASE UNIT
Logical Unit WWM Device Identifier: xxxxxxxxxxxxx
NAA: x
IEEE OUI: xxxxx
Checksum: correct"
If the results of your drive are similar to above, your HD or SSD drive is an self-encrypted drive, the drive is self-encrypting your data on-the-fly and your drive have no errors.
If the commands returns an error without returning any output or if the fist line of the output says "not supported" it means your drive is NOT a SED drive.
BTW (1): BEWARE of setting your SED "Hard Drive Password" through BIOS, especially on any LENOVO THINKPAD's [some of these LENOVO THINKPAD's notoriosly ADDS an EXTRA bit to the character of your chosen password, effectively BRICKING the SED drive, unlees that drive has on its label a PSID "factory reset" password which allows you to unlock and reset the drive - but you WILL loose ALL THE DATA on that drive!].
The SAFEST way to set encryption on a SED drive that the command "hdparm" returns an output of "NOT ENABLED" is, again, to use the "hdparm" command, as below:
1) UNFREEZE the hard-drive by SUSPENDING the computer for a few seconds. When you resume the status of the drive at "hdparm -I /dev/xxxx" will say "UNFROZEN"
2) Run the command to set up the SED encryption:
sudo hdparm --user-master u --security-set-pass 'PASSWORD' /dev/xxxx
where xxxx is the name the name of your SED drive and PASSWORD is the password you want to it (DON'T FORGET TO ENCLOSE YOUR CHOSEN PASSWORD WITH SINGLE QUOTES!).
Afterwards simply the command "hdparm -I /dev/xxxx" to check the status of your encryption: it should say "ENABLED".
Later, if you decide to SAFELY remove the encryption without losing your data, run the command:
sudo hdparm --security-disable 'PASSWORD' /dev/xxxx
where xxxx is the name of the drive and PASSWORD the password you've chosen to use: the drive status on the "hdparm -I /dev/xxxx" output will be "SUPPORTED", "NOT ENABLED".
BTW (2): if you own MULTIPLE encryption-enabled SED's on your rig (like me with my four Samsung EVO 960 1TB M.2 NVMe's plus one Seagate Momentus 4TB as a backup on my Dell Precision M6800 Mobile Workstation) and you do not want at boot-up to input multiple times the password to unlock your SED's, simply choose the SAME password in all your SED hard-drives. This way you will only need to input your hard-drive password ONCE and ALL your SED's drives will unlock!
ATA security andhdparm
have nothing to do with disk encryption.
– ͏͏͏
Jan 15 at 15:01
add a comment |
edited Jul 4 '18 at 21:37
answered Jul 4 '18 at 21:29
CryptoMaster
193
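The hdparm checks the answer above tells you to read by eye, and the caveat in the comment on it (and in Jeff's answer below) that ATA Security is not encryption, as an added example that is not part of the original answer: a POSIX shell parser for the "Security:" block of hdparm -I output. The sample outputs, the function names and the zeroed WWN are my own constructions, not captured from a real drive.

```shell
#!/bin/sh
# Added example, not from the Super User answer. Parses the "Security:" block of
# `hdparm -I` output for the four flags the answer tells you to look for.
# hdparm indents the block with tabs and prints a clear flag as "not<tab>locked";
# the parser accepts tabs or spaces. Samples below are constructed, not captured.

# Reads `hdparm -I` output on stdin and prints one line:
#   supported=yes|no|n/a enabled=... locked=... frozen=...   ("n/a" = line absent)
ata_security_state() {
    awk '
        BEGIN { s["supported"] = "n/a"; s["enabled"] = "n/a"
                s["locked"] = "n/a";    s["frozen"] = "n/a" }
        /^Security:/       { insec = 1; next }   # block starts here
        insec && /^[^ \t]/ { insec = 0 }         # ends at the next unindented line
        insec {
            val = ($0 ~ /^[ \t]*not[ \t]+/) ? "no" : "yes"
            key = $0
            sub(/^[ \t]*(not[ \t]+)?/, "", key)  # strip indent and optional "not"
            if (key in s) s[key] = val
        }
        END { printf "supported=%s enabled=%s locked=%s frozen=%s\n",
                     s["supported"], s["enabled"], s["locked"], s["frozen"] }'
}

# Turns the flag line into the decision the answer's procedure needs.
# "enabled" means an ATA Security password is set. As the comment says, that is
# not evidence the media is encrypted; a SED must be confirmed from its spec.
ata_security_verdict() {
    state=$(ata_security_state)
    case "$state" in
        *"supported=yes"*) ;;
        *) echo "no ATA Security feature set: --security-set-pass will not work"; return ;;
    esac
    case "$state" in
        *"enabled=yes"*) echo "ATA password set; this does NOT prove the drive encrypts data" ;;
        *"frozen=yes"*)  echo "not enabled but FROZEN: suspend/resume before --security-set-pass" ;;
        *)               echo "not enabled and unfrozen: --security-set-pass can be issued" ;;
    esac
}

# Constructed samples (indentation is spaces here; real hdparm uses tabs).
SAMPLE_ENABLED="Security:
    Master password revision code = 65534
        supported
        enabled
    not locked
        frozen
    not expired: security count
        supported: enhanced erase
    Security level high
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 0000000000000000"
SAMPLE_FRESH=$(printf '%s\n' "$SAMPLE_ENABLED" | sed 's/^        enabled$/    not enabled/')
SAMPLE_NOSEC="Security:
    Master password revision code = 65534
    not supported"

# On a real system: sudo hdparm -I /dev/xxxx | ata_security_verdict
for sample in "$SAMPLE_ENABLED" "$SAMPLE_FRESH" "$SAMPLE_NOSEC"; do
    printf '%s\n' "$sample" | ata_security_state
    printf '%s\n' "$sample" | ata_security_verdict
done
```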
I know this has been around for a while, but I think there may be a mistake in your verbiage. I followed your steps to encrypt a ST750LM022 drive and everything seemed to work and I was very pleased with myself, but I looked it up on Seagate's site and the specifications do not mention this being a self-encrypted drive. I think your steps work, but just because it supports the ATA security function to password lock a hard drive doesn't mean it's encrypted. This document indicates that ATA drive password security is fairly easily defeated: https://security.utexas.edu/education-outreach/BreakingATA . This said, your information was excellent, but I wanted to address that unless you have a SED installed, everything will look great and the password will give you the feeling that you are well protected when it does not appear that you are. If this is incorrect, please correct me, and if someone can tell me a surefire way to determine if a drive is a SED short of digging through specs for each drive, it would be greatly appreciated.
Thanks,
Jeff
answered 11 mins ago
Jeff
1
You can not, just because it looks encrypted, and you can not make sense of the data, does not mean that it is encrypted (see microsoft barny). Have you considered putting user data in a separate partition and encrypting that in software? There is no need to encrypt the OS, as this is public data already. Also if someone gets hold of your computer they can inject a man in the middle, so do not trust it when you get it back.
– ctrl-alt-delor
Oct 10 '15 at 22:10
Well, I didn't mean mathematically verifiable... just verifiable in the sense that I cannot go, "oh, look, it's not trivially identifiable as an NTFS (or whatnot) filesystem and here are the contents of foo.txt". A Windows tool or BIOS screen that says "harddrive status: encrypted" would work, too, for my purposes as a crypto layman.
– mwhidden
Oct 10 '15 at 23:29