How to verify a self-encrypted drive (SED) is really encrypted?Self-Encrypting Drive (SED) and S3-suspend...

Instead of Universal Basic Income, why not Universal Basic NEEDS?

Life insurance that covers only simultaneous/dual deaths

When do we add an hyphen (-) to a complex adjective word?

Does the statement `int val = (++i > ++j) ? ++i : ++j;` invoke undefined behavior?

Replacing Windows 7 security updates with anti-virus?

Current sense amp + op-amp buffer + ADC: Measuring down to 0 with single supply

Identifying the interval from A♭ to D♯

Why are there 40 737 Max planes in flight when they have been grounded as not airworthy?

Co-worker team leader wants to inject his friend's awful software into our development. What should I say to our common boss?

Running a subshell from the middle of the current command

Why would a flight no longer considered airworthy be redirected like this?

Why doesn't using two cd commands in bash script execute the second command?

Should we release the security issues we found in our product as CVE or we can just update those on weekly release notes?

How do anti-virus programs start at Windows boot?

Is a lawful good "antagonist" effective?

At what level can a dragon innately cast its spells?

Is it possible to upcast ritual spells?

Have researchers managed to "reverse time"? If so, what does that mean for physics?

Why are the outputs of printf and std::cout different

What is the greatest age difference between a married couple in Tanach?

What are the possible solutions of the given equation?

Where is the 1/8 CR apprentice in Volo's Guide to Monsters?

Why do Australian milk farmers need to protest supermarkets' milk price?

Force user to remove USB token



How to verify a self-encrypted drive (SED) is really encrypted?


Self-Encrypting Drive (SED) and S3-suspend (sleep)How can I know if a Self Encrypting Drive is really encryptingPBA FDE Multi BootHow to know if my SSHD supports encryption?Is it possible to check if a BIOS supports password entry for a self-encrypting SSD/harddrive?Accessing a TrueCrypt Encrypted Drive from a Dead LaptopLinux dual-boot on self-encrypted drive (Dell Data Protection)How to enable Samsung EVO 840 mSATA SSD Self Encrypting Drive with Intel RST RAID 0How to Enable Hard Drive Encryption with Seagate Constellation ES.3 SED Drive on AMI BIOS with TPMSelf-Encrypting Drive (SED) and S3-suspend (sleep)How to use full disk encryption on the second self-encrypting disk?ATA secure erase really long using a SED harddriveHow can I know if a Self Encrypting Drive is really encryptingWhat physical/logical interface does my laptop's SSD have?













3















I have a Dell Precision M3800 that is supposed to have a self-encrypted hard drive. I'm running Windows 10. In the Storage Management screen, the disk claims to be a 'LITEONIT LMT-256L9M-41 MSATA 256GB SED'.



I've set a hard drive password in the Dell BIOS, but how can I confirm that the contents of the disk are actually encrypted by a key tied to that password? The BIOS is very unclear about what is happening on that front, and I don't find options to do crypto-erase so I'm not sure how to assure myself that the contents are safe.



Also, does anyone know if it is possible to force the computer to prompt me to unlock the HD after waking from sleep, or do I need to shutdown in order to fully "lock" the hard drive?










share|improve this question

























  • You can not, just because it looks encrypted, and you can not make sense of the data, does not mean that it is encrypted (see microsoft barny). Have you considered putting user data in a separate partition and encrypting that in software. There is no need to encrypt the OS, as this is public data already. Also if someone gets hold of you computer they can inject a man in the middle, so do not trust it when you get it back.

    – ctrl-alt-delor
    Oct 10 '15 at 22:10













  • Well I didn't mean mathematically verifiable... just verifiable in the sense that I cannot go, "oh, look, it's not trivially identifiable as an NTFS (or whatnot) filesystem and here are the contents of foo.txt". A Windows tool or BIOS screen that says "harddrive status: encrypted" would work, too, for my purposes as a crypo layman.

    – mwhidden
    Oct 10 '15 at 23:29


















3















I have a Dell Precision M3800 that is supposed to have a self-encrypted hard drive. I'm running Windows 10. In the Storage Management screen, the disk claims to be a 'LITEONIT LMT-256L9M-41 MSATA 256GB SED'.



I've set a hard drive password in the Dell BIOS, but how can I confirm that the contents of the disk are actually encrypted by a key tied to that password? The BIOS is very unclear about what is happening on that front, and I don't find options to do crypto-erase so I'm not sure how to assure myself that the contents are safe.



Also, does anyone know if it is possible to force the computer to prompt me to unlock the HD after waking from sleep, or do I need to shutdown in order to fully "lock" the hard drive?










share|improve this question

























  • You can not, just because it looks encrypted, and you can not make sense of the data, does not mean that it is encrypted (see microsoft barny). Have you considered putting user data in a separate partition and encrypting that in software. There is no need to encrypt the OS, as this is public data already. Also if someone gets hold of you computer they can inject a man in the middle, so do not trust it when you get it back.

    – ctrl-alt-delor
    Oct 10 '15 at 22:10













  • Well I didn't mean mathematically verifiable... just verifiable in the sense that I cannot go, "oh, look, it's not trivially identifiable as an NTFS (or whatnot) filesystem and here are the contents of foo.txt". A Windows tool or BIOS screen that says "harddrive status: encrypted" would work, too, for my purposes as a crypo layman.

    – mwhidden
    Oct 10 '15 at 23:29
















3












3








3


1






I have a Dell Precision M3800 that is supposed to have a self-encrypted hard drive. I'm running Windows 10. In the Storage Management screen, the disk claims to be a 'LITEONIT LMT-256L9M-41 MSATA 256GB SED'.



I've set a hard drive password in the Dell BIOS, but how can I confirm that the contents of the disk are actually encrypted by a key tied to that password? The BIOS is very unclear about what is happening on that front, and I don't find options to do crypto-erase so I'm not sure how to assure myself that the contents are safe.



Also, does anyone know if it is possible to force the computer to prompt me to unlock the HD after waking from sleep, or do I need to shutdown in order to fully "lock" the hard drive?










share|improve this question
















I have a Dell Precision M3800 that is supposed to have a self-encrypted hard drive. I'm running Windows 10. In the Storage Management screen, the disk claims to be a 'LITEONIT LMT-256L9M-41 MSATA 256GB SED'.



I've set a hard drive password in the Dell BIOS, but how can I confirm that the contents of the disk are actually encrypted by a key tied to that password? The BIOS is very unclear about what is happening on that front, and I don't find options to do crypto-erase so I'm not sure how to assure myself that the contents are safe.



Also, does anyone know if it is possible to force the computer to prompt me to unlock the HD after waking from sleep, or do I need to shutdown in order to fully "lock" the hard drive?







windows hard-drive bios fde self-encrypting-drive






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Oct 22 '18 at 11:03









͏͏͏

2,72211214




2,72211214










asked Oct 10 '15 at 20:28









mwhiddenmwhidden

11815




11815













  • You can not, just because it looks encrypted, and you can not make sense of the data, does not mean that it is encrypted (see microsoft barny). Have you considered putting user data in a separate partition and encrypting that in software. There is no need to encrypt the OS, as this is public data already. Also if someone gets hold of you computer they can inject a man in the middle, so do not trust it when you get it back.

    – ctrl-alt-delor
    Oct 10 '15 at 22:10













  • Well I didn't mean mathematically verifiable... just verifiable in the sense that I cannot go, "oh, look, it's not trivially identifiable as an NTFS (or whatnot) filesystem and here are the contents of foo.txt". A Windows tool or BIOS screen that says "harddrive status: encrypted" would work, too, for my purposes as a crypo layman.

    – mwhidden
    Oct 10 '15 at 23:29





















  • You can not, just because it looks encrypted, and you can not make sense of the data, does not mean that it is encrypted (see microsoft barny). Have you considered putting user data in a separate partition and encrypting that in software. There is no need to encrypt the OS, as this is public data already. Also if someone gets hold of you computer they can inject a man in the middle, so do not trust it when you get it back.

    – ctrl-alt-delor
    Oct 10 '15 at 22:10













  • Well I didn't mean mathematically verifiable... just verifiable in the sense that I cannot go, "oh, look, it's not trivially identifiable as an NTFS (or whatnot) filesystem and here are the contents of foo.txt". A Windows tool or BIOS screen that says "harddrive status: encrypted" would work, too, for my purposes as a crypo layman.

    – mwhidden
    Oct 10 '15 at 23:29



















You can not, just because it looks encrypted, and you can not make sense of the data, does not mean that it is encrypted (see microsoft barny). Have you considered putting user data in a separate partition and encrypting that in software. There is no need to encrypt the OS, as this is public data already. Also if someone gets hold of you computer they can inject a man in the middle, so do not trust it when you get it back.

– ctrl-alt-delor
Oct 10 '15 at 22:10







You can not, just because it looks encrypted, and you can not make sense of the data, does not mean that it is encrypted (see microsoft barny). Have you considered putting user data in a separate partition and encrypting that in software. There is no need to encrypt the OS, as this is public data already. Also if someone gets hold of you computer they can inject a man in the middle, so do not trust it when you get it back.

– ctrl-alt-delor
Oct 10 '15 at 22:10















Well I didn't mean mathematically verifiable... just verifiable in the sense that I cannot go, "oh, look, it's not trivially identifiable as an NTFS (or whatnot) filesystem and here are the contents of foo.txt". A Windows tool or BIOS screen that says "harddrive status: encrypted" would work, too, for my purposes as a crypo layman.

– mwhidden
Oct 10 '15 at 23:29







Well I didn't mean mathematically verifiable... just verifiable in the sense that I cannot go, "oh, look, it's not trivially identifiable as an NTFS (or whatnot) filesystem and here are the contents of foo.txt". A Windows tool or BIOS screen that says "harddrive status: encrypted" would work, too, for my purposes as a crypo layman.

– mwhidden
Oct 10 '15 at 23:29












3 Answers
3






active

oldest

votes


















1














One way to verify the drive is encrypted is to physically connect it to another machine. Either by direct SATA connection, or by a USB to SATA adapter. The other machine should be able to recognize the drive, but not be able to read the contents.



As for your second question, you most likely cant get it to "lock" the hard drive during a sleep. Even when a machine is sleeping, the OS is waiting in the background in a low power state. It has to be able to access and read the drive to come out of sleep.






share|improve this answer



















  • 1





    The OS is not "waiting", it's woken up by ACPI. If the system's firmware supports it, it may very well erase the key from memory upon entering sleep and requiring it upon resume. Few laptops support it though. It's the only way to avoid an attack where the data cable of a hard drive in a sleeping computer is plugged into another computer granting full access to the data.

    – musiKk
    Oct 10 '15 at 20:53











  • I was going for a simple explanation.

    – Keltari
    Oct 10 '15 at 21:00











  • Thanks. I was hoping not to have to do that, since they don't make taking the drive out of the laptop something simple for the software-oriented. If it were a 3.5" SATA drive in a tower, I'd say yes, but I'm loathe to dig into the guts of my laptop. Thanks also for the BIOS info. My old Latitude would prompt for the BIOS and HD passwords (not an SED there, though) after waking from sleep, which I liked, but the M3800 doesn't do it.

    – mwhidden
    Oct 10 '15 at 23:32













  • However, with this technique, you still won't know if the drive is just locked or if the data is really encrypted.

    – TJJ
    Feb 15 '16 at 10:49



















0














There is ABSOLUTELY NO NEED TO REMOVE ANY OF YOUR DRIVES FROM YOUR RIG to check whether or not it is a SED drive and to check its encryption status!



The easiest and SAFEST way to verify if any of your drives is a SED [Self-Encrypting Drive] and its encryption status is to use the Linux command "hdparm":



1) from any WINDOWS OS:



1.a) Download the ISO file for the latest Linux Mint Xfce 64-bit OS from https://linuxmint.com and either burn the ISO file to a DVD or use Rufus to create a bootable USB from the ISO file.



1.b) Boot from the bootable DVD/USB and follow the instructions below [in a Dell M3800 with the "Hard Drive Password" set, you will still be asked for the drive password at boot-up].



2) from any recent Linux Mint OS [17.x, 18.x, 19.x]:





  • find your HD/SSD: open a terminal window and issue the command:



    blkid




[examples: "/dev/sda", "/dev/nvme0", etc]





  • run the command to find the status of your SSD:



    sudo hdparm -I /dev/xxxx



  • You will be requested to enter your admin username and password;


  • If you are booting from the Live DVD/USB ISO file you burned the username is lowercase "mint" and there is NO password - simply hit "enter";


  • On the command above "xxxx" is the name of your SED drive; watch out for typos: the "-I" above is a Capital "i", NOT a lowercase "L" or a digit "one"





The typical output of the hdparm command above for a SED drive will be:



"Security:



Master Password Revision Code: 65534



supported



enabled



not locked



frozen



not expired: security count



supported: enhanced erase



Security level high



xMin for SECURITY ERASE UNIT. xMin for ENHANCED SECURITY ERASE UNIT



Logical Unit WWM Device Identifier: xxxxxxxxxxxxx



NAA: x



IEEE OUI: xxxxx



Checksum: correct"



If the results of your drive are similar to above, your HD or SSD drive is an self-encrypted drive, the drive is self-encrypting your data on-the-fly and your drive have no errors.



If the commands returns an error without returning any output or if the fist line of the output says "not supported" it means your drive is NOT a SED drive.





BTW (1): BEWARE of setting your SED "Hard Drive Password" through BIOS, especially on any LENOVO THINKPAD's [some of these LENOVO THINKPAD's notoriosly ADDS an EXTRA bit to the character of your chosen password, effectively BRICKING the SED drive, unlees that drive has on its label a PSID "factory reset" password which allows you to unlock and reset the drive - but you WILL loose ALL THE DATA on that drive!].



The SAFEST way to set encryption on a SED drive that the command "hdparm" returns an output of "NOT ENABLED" is, again, to use the "hdparm" command, as below:



1) UNFREEZE the hard-drive by SUSPENDING the computer for a few seconds. When you resume the status of the drive at "hdparm -I /dev/xxxx" will say "UNFROZEN"



2) Run the command to set up the SED encryption:



sudo hdparm --user-master u --security-set-pass 'PASSWORD' /dev/xxxx



where xxxx is the name the name of your SED drive and PASSWORD is the password you want to it (DON'T FORGET TO ENCLOSE YOUR CHOSEN PASSWORD WITH SINGLE QUOTES!).



Afterwards simply the command "hdparm -I /dev/xxxx" to check the status of your encryption: it should say "ENABLED".



Later, if you decide to SAFELY remove the encryption without losing your data, run the command:



sudo hdparm --security-disable 'PASSWORD' /dev/xxxx



where xxxx is the name of the drive and PASSWORD the password you've chosen to use: the drive status on the "hdparm -I /dev/xxxx" output will be "SUPPORTED", "NOT ENABLED".



BTW (2): if you own MULTIPLE encryption-enabled SED's on your rig (like me with my four Samsung EVO 960 1TB M.2 NVMe's plus one Seagate Momentus 4TB as a backup on my Dell Precision M6800 Mobile Workstation) and you do not want at boot-up to input multiple times the password to unlock your SED's, simply choose the SAME password in all your SED hard-drives. This way you will only need to input your hard-drive password ONCE and ALL your SED's drives will unlock!






share|improve this answer


























  • ATA security and hdparm have nothing to do with disk encryption.

    – ͏͏͏
    Jan 15 at 15:01



















-1














I know this has been around for awhile, but I think there may be a mistake in your verbage. I followed your steps to encrypt a ST750LM022 drive and everything seemed to work and I was very pleased with myself, but I looked it up on Seagate's site and the specifications do not mention this being a self-encrypted drive. I think your steps work, but just because it supports the ATA security function to password lock a hard drive, doesn't mean it's encrypted. This document indicates that ATA drive password security is fairly easily defeated: https://security.utexas.edu/education-outreach/BreakingATA . This said, your information was excellent, but I wanted to address that unless you have a SED installed, everything will look great and the password will give you the feeling that you are well protected when it does not appear that you are. If this is incorrect, please correct me, and if someone can tell me a surefire way to determine if a drive is a SED short of digging through specs for each drive, it would be greatly appreciated.



Thanks,
Jeff






share|improve this answer








New contributor




Jeff is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f984905%2fhow-to-verify-a-self-encrypted-drive-sed-is-really-encrypted%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    3 Answers
    3






    active

    oldest

    votes








    3 Answers
    3






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    1














    One way to verify the drive is encrypted is to physically connect it to another machine. Either by direct SATA connection, or by a USB to SATA adapter. The other machine should be able to recognize the drive, but not be able to read the contents.



    As for your second question, you most likely cant get it to "lock" the hard drive during a sleep. Even when a machine is sleeping, the OS is waiting in the background in a low power state. It has to be able to access and read the drive to come out of sleep.






    share|improve this answer



















    • 1





      The OS is not "waiting", it's woken up by ACPI. If the system's firmware supports it, it may very well erase the key from memory upon entering sleep and requiring it upon resume. Few laptops support it though. It's the only way to avoid an attack where the data cable of a hard drive in a sleeping computer is plugged into another computer granting full access to the data.

      – musiKk
      Oct 10 '15 at 20:53











    • I was going for a simple explanation.

      – Keltari
      Oct 10 '15 at 21:00











    • Thanks. I was hoping not to have to do that, since they don't make taking the drive out of the laptop something simple for the software-oriented. If it were a 3.5" SATA drive in a tower, I'd say yes, but I'm loathe to dig into the guts of my laptop. Thanks also for the BIOS info. My old Latitude would prompt for the BIOS and HD passwords (not an SED there, though) after waking from sleep, which I liked, but the M3800 doesn't do it.

      – mwhidden
      Oct 10 '15 at 23:32













    • However, with this technique, you still won't know if the drive is just locked or if the data is really encrypted.

      – TJJ
      Feb 15 '16 at 10:49
















    1














    One way to verify the drive is encrypted is to physically connect it to another machine. Either by direct SATA connection, or by a USB to SATA adapter. The other machine should be able to recognize the drive, but not be able to read the contents.



    As for your second question, you most likely cant get it to "lock" the hard drive during a sleep. Even when a machine is sleeping, the OS is waiting in the background in a low power state. It has to be able to access and read the drive to come out of sleep.






    share|improve this answer



















    • 1





      The OS is not "waiting", it's woken up by ACPI. If the system's firmware supports it, it may very well erase the key from memory upon entering sleep and requiring it upon resume. Few laptops support it though. It's the only way to avoid an attack where the data cable of a hard drive in a sleeping computer is plugged into another computer granting full access to the data.

      – musiKk
      Oct 10 '15 at 20:53











    • I was going for a simple explanation.

      – Keltari
      Oct 10 '15 at 21:00











    • Thanks. I was hoping not to have to do that, since they don't make taking the drive out of the laptop something simple for the software-oriented. If it were a 3.5" SATA drive in a tower, I'd say yes, but I'm loathe to dig into the guts of my laptop. Thanks also for the BIOS info. My old Latitude would prompt for the BIOS and HD passwords (not an SED there, though) after waking from sleep, which I liked, but the M3800 doesn't do it.

      – mwhidden
      Oct 10 '15 at 23:32













    • However, with this technique, you still won't know if the drive is just locked or if the data is really encrypted.

      – TJJ
      Feb 15 '16 at 10:49














    1












    1








    1







    One way to verify the drive is encrypted is to physically connect it to another machine. Either by direct SATA connection, or by a USB to SATA adapter. The other machine should be able to recognize the drive, but not be able to read the contents.



    As for your second question, you most likely cant get it to "lock" the hard drive during a sleep. Even when a machine is sleeping, the OS is waiting in the background in a low power state. It has to be able to access and read the drive to come out of sleep.






    share|improve this answer













    One way to verify the drive is encrypted is to physically connect it to another machine. Either by direct SATA connection, or by a USB to SATA adapter. The other machine should be able to recognize the drive, but not be able to read the contents.



    As for your second question, you most likely cant get it to "lock" the hard drive during a sleep. Even when a machine is sleeping, the OS is waiting in the background in a low power state. It has to be able to access and read the drive to come out of sleep.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Oct 10 '15 at 20:41









    KeltariKeltari

    51.6k18119170




    51.6k18119170








    • 1





      The OS is not "waiting", it's woken up by ACPI. If the system's firmware supports it, it may very well erase the key from memory upon entering sleep and requiring it upon resume. Few laptops support it though. It's the only way to avoid an attack where the data cable of a hard drive in a sleeping computer is plugged into another computer granting full access to the data.

      – musiKk
      Oct 10 '15 at 20:53











    • I was going for a simple explanation.

      – Keltari
      Oct 10 '15 at 21:00











    • Thanks. I was hoping not to have to do that, since they don't make taking the drive out of the laptop something simple for the software-oriented. If it were a 3.5" SATA drive in a tower, I'd say yes, but I'm loathe to dig into the guts of my laptop. Thanks also for the BIOS info. My old Latitude would prompt for the BIOS and HD passwords (not an SED there, though) after waking from sleep, which I liked, but the M3800 doesn't do it.

      – mwhidden
      Oct 10 '15 at 23:32













    • However, with this technique, you still won't know if the drive is just locked or if the data is really encrypted.

      – TJJ
      Feb 15 '16 at 10:49














    • 1





      The OS is not "waiting", it's woken up by ACPI. If the system's firmware supports it, it may very well erase the key from memory upon entering sleep and requiring it upon resume. Few laptops support it though. It's the only way to avoid an attack where the data cable of a hard drive in a sleeping computer is plugged into another computer granting full access to the data.

      – musiKk
      Oct 10 '15 at 20:53











    • I was going for a simple explanation.

      – Keltari
      Oct 10 '15 at 21:00











    • Thanks. I was hoping not to have to do that, since they don't make taking the drive out of the laptop something simple for the software-oriented. If it were a 3.5" SATA drive in a tower, I'd say yes, but I'm loathe to dig into the guts of my laptop. Thanks also for the BIOS info. My old Latitude would prompt for the BIOS and HD passwords (not an SED there, though) after waking from sleep, which I liked, but the M3800 doesn't do it.

      – mwhidden
      Oct 10 '15 at 23:32













    • However, with this technique, you still won't know if the drive is just locked or if the data is really encrypted.

      – TJJ
      Feb 15 '16 at 10:49








    1




    1





    The OS is not "waiting", it's woken up by ACPI. If the system's firmware supports it, it may very well erase the key from memory upon entering sleep and requiring it upon resume. Few laptops support it though. It's the only way to avoid an attack where the data cable of a hard drive in a sleeping computer is plugged into another computer granting full access to the data.

    – musiKk
    Oct 10 '15 at 20:53





    The OS is not "waiting", it's woken up by ACPI. If the system's firmware supports it, it may very well erase the key from memory upon entering sleep and requiring it upon resume. Few laptops support it though. It's the only way to avoid an attack where the data cable of a hard drive in a sleeping computer is plugged into another computer granting full access to the data.

    – musiKk
    Oct 10 '15 at 20:53













    I was going for a simple explanation.

    – Keltari
    Oct 10 '15 at 21:00





    I was going for a simple explanation.

    – Keltari
    Oct 10 '15 at 21:00













    Thanks. I was hoping not to have to do that, since they don't make taking the drive out of the laptop something simple for the software-oriented. If it were a 3.5" SATA drive in a tower, I'd say yes, but I'm loathe to dig into the guts of my laptop. Thanks also for the BIOS info. My old Latitude would prompt for the BIOS and HD passwords (not an SED there, though) after waking from sleep, which I liked, but the M3800 doesn't do it.

    – mwhidden
    Oct 10 '15 at 23:32







    Thanks. I was hoping not to have to do that, since they don't make taking the drive out of the laptop something simple for the software-oriented. If it were a 3.5" SATA drive in a tower, I'd say yes, but I'm loathe to dig into the guts of my laptop. Thanks also for the BIOS info. My old Latitude would prompt for the BIOS and HD passwords (not an SED there, though) after waking from sleep, which I liked, but the M3800 doesn't do it.

    – mwhidden
    Oct 10 '15 at 23:32















    However, with this technique, you still won't know if the drive is just locked or if the data is really encrypted.

    – TJJ
    Feb 15 '16 at 10:49





    However, with this technique, you still won't know if the drive is just locked or if the data is really encrypted.

    – TJJ
    Feb 15 '16 at 10:49













    0














    There is ABSOLUTELY NO NEED TO REMOVE ANY OF YOUR DRIVES FROM YOUR RIG to check whether or not it is a SED drive and to check its encryption status!



    The easiest and SAFEST way to verify if any of your drives is a SED [Self-Encrypting Drive] and its encryption status is to use the Linux command "hdparm":



    1) from any WINDOWS OS:



    1.a) Download the ISO file for the latest Linux Mint Xfce 64-bit OS from https://linuxmint.com and either burn the ISO file to a DVD or use Rufus to create a bootable USB from the ISO file.



    1.b) Boot from the bootable DVD/USB and follow the instructions below [in a Dell M3800 with the "Hard Drive Password" set, you will still be asked for the drive password at boot-up].



    2) from any recent Linux Mint OS [17.x, 18.x, 19.x]:





    • find your HD/SSD: open a terminal window and issue the command:



      blkid




    [examples: "/dev/sda", "/dev/nvme0", etc]





    • run the command to find the status of your SSD:



      sudo hdparm -I /dev/xxxx



    • You will be requested to enter your admin username and password;


    • If you are booting from the Live DVD/USB ISO file you burned the username is lowercase "mint" and there is NO password - simply hit "enter";


    • On the command above "xxxx" is the name of your SED drive; watch out for typos: the "-I" above is a Capital "i", NOT a lowercase "L" or a digit "one"





    The typical output of the hdparm command above for a SED drive will be:



    "Security:



    Master Password Revision Code: 65534



    supported



    enabled



    not locked



    frozen



    not expired: security count



    supported: enhanced erase



    Security level high



    xMin for SECURITY ERASE UNIT. xMin for ENHANCED SECURITY ERASE UNIT



    Logical Unit WWM Device Identifier: xxxxxxxxxxxxx



    NAA: x



    IEEE OUI: xxxxx



    Checksum: correct"



    If the results of your drive are similar to above, your HD or SSD drive is an self-encrypted drive, the drive is self-encrypting your data on-the-fly and your drive have no errors.



    If the commands returns an error without returning any output or if the fist line of the output says "not supported" it means your drive is NOT a SED drive.





    BTW (1): BEWARE of setting your SED "Hard Drive Password" through BIOS, especially on any LENOVO THINKPAD's [some of these LENOVO THINKPAD's notoriosly ADDS an EXTRA bit to the character of your chosen password, effectively BRICKING the SED drive, unlees that drive has on its label a PSID "factory reset" password which allows you to unlock and reset the drive - but you WILL loose ALL THE DATA on that drive!].



    The SAFEST way to set encryption on a SED drive that the command "hdparm" returns an output of "NOT ENABLED" is, again, to use the "hdparm" command, as below:



    1) UNFREEZE the hard-drive by SUSPENDING the computer for a few seconds. When you resume the status of the drive at "hdparm -I /dev/xxxx" will say "UNFROZEN"



    2) Run the command to set up the SED encryption:



    sudo hdparm --user-master u --security-set-pass 'PASSWORD' /dev/xxxx



    where xxxx is the name the name of your SED drive and PASSWORD is the password you want to it (DON'T FORGET TO ENCLOSE YOUR CHOSEN PASSWORD WITH SINGLE QUOTES!).



    Afterwards simply the command "hdparm -I /dev/xxxx" to check the status of your encryption: it should say "ENABLED".



    Later, if you decide to SAFELY remove the encryption without losing your data, run the command:



    sudo hdparm --security-disable 'PASSWORD' /dev/xxxx



    where xxxx is the name of the drive and PASSWORD the password you've chosen to use: the drive status on the "hdparm -I /dev/xxxx" output will be "SUPPORTED", "NOT ENABLED".



    BTW (2): if you own MULTIPLE encryption-enabled SED's on your rig (like me with my four Samsung EVO 960 1TB M.2 NVMe's plus one Seagate Momentus 4TB as a backup on my Dell Precision M6800 Mobile Workstation) and you do not want at boot-up to input multiple times the password to unlock your SED's, simply choose the SAME password in all your SED hard-drives. This way you will only need to input your hard-drive password ONCE and ALL your SED's drives will unlock!






    share|improve this answer


























    • ATA security and hdparm have nothing to do with disk encryption.

      – ͏͏͏
      Jan 15 at 15:01
















    0














    There is ABSOLUTELY NO NEED TO REMOVE ANY OF YOUR DRIVES FROM YOUR RIG to check whether or not it is a SED drive and to check its encryption status!



    The easiest and SAFEST way to verify if any of your drives is a SED [Self-Encrypting Drive] and its encryption status is to use the Linux command "hdparm":



    1) from any WINDOWS OS:



    1.a) Download the ISO file for the latest Linux Mint Xfce 64-bit OS from https://linuxmint.com and either burn the ISO file to a DVD or use Rufus to create a bootable USB from the ISO file.



    1.b) Boot from the bootable DVD/USB and follow the instructions below [in a Dell M3800 with the "Hard Drive Password" set, you will still be asked for the drive password at boot-up].



    2) from any recent Linux Mint OS [17.x, 18.x, 19.x]:





    • find your HD/SSD: open a terminal window and issue the command:



      blkid




    [examples: "/dev/sda", "/dev/nvme0", etc]





    • run the command to find the status of your SSD:



      sudo hdparm -I /dev/xxxx



    • You will be requested to enter your admin username and password;


    • If you are booting from the Live DVD/USB ISO file you burned the username is lowercase "mint" and there is NO password - simply hit "enter";


    • On the command above "xxxx" is the name of your SED drive; watch out for typos: the "-I" above is a Capital "i", NOT a lowercase "L" or a digit "one"





    The typical output of the hdparm command above for a SED drive will be:



    "Security:



    Master Password Revision Code: 65534



    supported



    enabled



    not locked



    frozen



    not expired: security count



    supported: enhanced erase



    Security level high



    xMin for SECURITY ERASE UNIT. xMin for ENHANCED SECURITY ERASE UNIT



    Logical Unit WWM Device Identifier: xxxxxxxxxxxxx



    NAA: x



    IEEE OUI: xxxxx



    Checksum: correct"



    If the results of your drive are similar to above, your HD or SSD drive is an self-encrypted drive, the drive is self-encrypting your data on-the-fly and your drive have no errors.



    If the commands returns an error without returning any output or if the fist line of the output says "not supported" it means your drive is NOT a SED drive.





    BTW (1): BEWARE of setting your SED "Hard Drive Password" through BIOS, especially on any LENOVO THINKPAD's [some of these LENOVO THINKPAD's notoriosly ADDS an EXTRA bit to the character of your chosen password, effectively BRICKING the SED drive, unlees that drive has on its label a PSID "factory reset" password which allows you to unlock and reset the drive - but you WILL loose ALL THE DATA on that drive!].



    The SAFEST way to set encryption on a SED drive that the command "hdparm" returns an output of "NOT ENABLED" is, again, to use the "hdparm" command, as below:



    1) UNFREEZE the hard-drive by SUSPENDING the computer for a few seconds. When you resume the status of the drive at "hdparm -I /dev/xxxx" will say "UNFROZEN"



    2) Run the command to set up the SED encryption:



    sudo hdparm --user-master u --security-set-pass 'PASSWORD' /dev/xxxx



    where xxxx is the name the name of your SED drive and PASSWORD is the password you want to it (DON'T FORGET TO ENCLOSE YOUR CHOSEN PASSWORD WITH SINGLE QUOTES!).



    Afterwards simply the command "hdparm -I /dev/xxxx" to check the status of your encryption: it should say "ENABLED".



    Later, if you decide to SAFELY remove the encryption without losing your data, run the command:



    sudo hdparm --security-disable 'PASSWORD' /dev/xxxx



    where xxxx is the name of the drive and PASSWORD the password you've chosen to use: the drive status on the "hdparm -I /dev/xxxx" output will be "SUPPORTED", "NOT ENABLED".



    BTW (2): if you own MULTIPLE encryption-enabled SED's on your rig (like me with my four Samsung EVO 960 1TB M.2 NVMe's plus one Seagate Momentus 4TB as a backup on my Dell Precision M6800 Mobile Workstation) and you do not want at boot-up to input multiple times the password to unlock your SED's, simply choose the SAME password in all your SED hard-drives. This way you will only need to input your hard-drive password ONCE and ALL your SED's drives will unlock!






    share|improve this answer


























    • ATA security and hdparm have nothing to do with disk encryption.

      – ͏͏͏
      Jan 15 at 15:01














    0












    0








    0







    There is ABSOLUTELY NO NEED TO REMOVE ANY OF YOUR DRIVES FROM YOUR RIG to check whether or not it is a SED drive and to check its encryption status!



    The easiest and SAFEST way to verify if any of your drives is a SED [Self-Encrypting Drive] and its encryption status is to use the Linux command "hdparm":



    1) from any WINDOWS OS:



    1.a) Download the ISO file for the latest Linux Mint Xfce 64-bit OS from https://linuxmint.com and either burn the ISO file to a DVD or use Rufus to create a bootable USB from the ISO file.



    1.b) Boot from the bootable DVD/USB and follow the instructions below [in a Dell M3800 with the "Hard Drive Password" set, you will still be asked for the drive password at boot-up].



    2) from any recent Linux Mint OS [17.x, 18.x, 19.x]:





    • find your HD/SSD: open a terminal window and issue the command:



      blkid




    [examples: "/dev/sda", "/dev/nvme0", etc]





    • run the command to find the status of your SSD:



      sudo hdparm -I /dev/xxxx



    • You will be requested to enter your admin username and password;


    • If you are booting from the Live DVD/USB ISO file you burned the username is lowercase "mint" and there is NO password - simply hit "enter";


    • On the command above "xxxx" is the name of your SED drive; watch out for typos: the "-I" above is a Capital "i", NOT a lowercase "L" or a digit "one"





    The typical output of the hdparm command above for a SED drive will be:



    "Security:



    Master Password Revision Code: 65534



    supported



    enabled



    not locked



    frozen



    not expired: security count



    supported: enhanced erase



    Security level high



    xMin for SECURITY ERASE UNIT. xMin for ENHANCED SECURITY ERASE UNIT



    Logical Unit WWM Device Identifier: xxxxxxxxxxxxx



    NAA: x



    IEEE OUI: xxxxx



    Checksum: correct"



    If the results of your drive are similar to above, your HD or SSD drive is an self-encrypted drive, the drive is self-encrypting your data on-the-fly and your drive have no errors.



    If the commands returns an error without returning any output or if the fist line of the output says "not supported" it means your drive is NOT a SED drive.





    BTW (1): BEWARE of setting your SED "Hard Drive Password" through BIOS, especially on any LENOVO THINKPAD's [some of these LENOVO THINKPAD's notoriosly ADDS an EXTRA bit to the character of your chosen password, effectively BRICKING the SED drive, unlees that drive has on its label a PSID "factory reset" password which allows you to unlock and reset the drive - but you WILL loose ALL THE DATA on that drive!].



    The SAFEST way to set encryption on a SED drive that the command "hdparm" returns an output of "NOT ENABLED" is, again, to use the "hdparm" command, as below:



    1) UNFREEZE the hard-drive by SUSPENDING the computer for a few seconds. When you resume the status of the drive at "hdparm -I /dev/xxxx" will say "UNFROZEN"



    2) Run the command to set up the SED encryption:



    sudo hdparm --user-master u --security-set-pass 'PASSWORD' /dev/xxxx



    where xxxx is the name the name of your SED drive and PASSWORD is the password you want to it (DON'T FORGET TO ENCLOSE YOUR CHOSEN PASSWORD WITH SINGLE QUOTES!).



    Afterwards simply the command "hdparm -I /dev/xxxx" to check the status of your encryption: it should say "ENABLED".



    Later, if you decide to SAFELY remove the encryption without losing your data, run the command:



    sudo hdparm --security-disable 'PASSWORD' /dev/xxxx



    where xxxx is the name of the drive and PASSWORD the password you've chosen to use: the drive status on the "hdparm -I /dev/xxxx" output will be "SUPPORTED", "NOT ENABLED".



    BTW (2): if you own MULTIPLE encryption-enabled SED's on your rig (like me with my four Samsung EVO 960 1TB M.2 NVMe's plus one Seagate Momentus 4TB as a backup on my Dell Precision M6800 Mobile Workstation) and you do not want at boot-up to input multiple times the password to unlock your SED's, simply choose the SAME password in all your SED hard-drives. This way you will only need to input your hard-drive password ONCE and ALL your SED's drives will unlock!






    share|improve this answer















    There is ABSOLUTELY NO NEED TO REMOVE ANY OF YOUR DRIVES FROM YOUR RIG to check whether or not it is a SED drive and to check its encryption status!



    The easiest and SAFEST way to verify if any of your drives is a SED [Self-Encrypting Drive] and its encryption status is to use the Linux command "hdparm":



    1) from any WINDOWS OS:



    1.a) Download the ISO file for the latest Linux Mint Xfce 64-bit OS from https://linuxmint.com and either burn the ISO file to a DVD or use Rufus to create a bootable USB from the ISO file.



    1.b) Boot from the bootable DVD/USB and follow the instructions below [in a Dell M3800 with the "Hard Drive Password" set, you will still be asked for the drive password at boot-up].



    2) from any recent Linux Mint OS [17.x, 18.x, 19.x]:





    • find your HD/SSD: open a terminal window and issue the command:



      blkid




    [examples: "/dev/sda", "/dev/nvme0", etc]





    • run the command to find the status of your SSD:



      sudo hdparm -I /dev/xxxx



    • You will be requested to enter your admin username and password;


    • If you are booting from the Live DVD/USB ISO file you burned the username is lowercase "mint" and there is NO password - simply hit "enter";


    • On the command above "xxxx" is the name of your SED drive; watch out for typos: the "-I" above is a Capital "i", NOT a lowercase "L" or a digit "one"





    The typical output of the hdparm command above for a SED drive will be:



    "Security:



    Master Password Revision Code: 65534



    supported



    enabled



    not locked



    frozen



    not expired: security count



    supported: enhanced erase



    Security level high



    xMin for SECURITY ERASE UNIT. xMin for ENHANCED SECURITY ERASE UNIT



    Logical Unit WWM Device Identifier: xxxxxxxxxxxxx



    NAA: x



    IEEE OUI: xxxxx



    Checksum: correct"



    If the results of your drive are similar to above, your HD or SSD drive is an self-encrypted drive, the drive is self-encrypting your data on-the-fly and your drive have no errors.



    If the commands returns an error without returning any output or if the fist line of the output says "not supported" it means your drive is NOT a SED drive.





    BTW (1): BEWARE of setting your SED "Hard Drive Password" through BIOS, especially on any LENOVO THINKPAD's [some of these LENOVO THINKPAD's notoriosly ADDS an EXTRA bit to the character of your chosen password, effectively BRICKING the SED drive, unlees that drive has on its label a PSID "factory reset" password which allows you to unlock and reset the drive - but you WILL loose ALL THE DATA on that drive!].



    The SAFEST way to set encryption on a SED drive that the command "hdparm" returns an output of "NOT ENABLED" is, again, to use the "hdparm" command, as below:



    1) UNFREEZE the hard-drive by SUSPENDING the computer for a few seconds. When you resume the status of the drive at "hdparm -I /dev/xxxx" will say "UNFROZEN"



    2) Run the command to set up the SED encryption:



    sudo hdparm --user-master u --security-set-pass 'PASSWORD' /dev/xxxx



    where xxxx is the name the name of your SED drive and PASSWORD is the password you want to it (DON'T FORGET TO ENCLOSE YOUR CHOSEN PASSWORD WITH SINGLE QUOTES!).



    Afterwards simply the command "hdparm -I /dev/xxxx" to check the status of your encryption: it should say "ENABLED".



    Later, if you decide to SAFELY remove the encryption without losing your data, run the command:



    sudo hdparm --security-disable 'PASSWORD' /dev/xxxx



    where xxxx is the name of the drive and PASSWORD the password you've chosen to use: the drive status on the "hdparm -I /dev/xxxx" output will be "SUPPORTED", "NOT ENABLED".



    BTW (2): if you own MULTIPLE encryption-enabled SED's on your rig (like me with my four Samsung EVO 960 1TB M.2 NVMe's plus one Seagate Momentus 4TB as a backup on my Dell Precision M6800 Mobile Workstation) and you do not want at boot-up to input multiple times the password to unlock your SED's, simply choose the SAME password in all your SED hard-drives. This way you will only need to input your hard-drive password ONCE and ALL your SED's drives will unlock!







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited Jul 4 '18 at 21:37

























    answered Jul 4 '18 at 21:29









    CryptoMasterCryptoMaster

    193




    193













    • ATA security and hdparm have nothing to do with disk encryption.

      – ͏͏͏
      Jan 15 at 15:01



















    • ATA security and hdparm have nothing to do with disk encryption.

      – ͏͏͏
      Jan 15 at 15:01

















    ATA security and hdparm have nothing to do with disk encryption.

    – ͏͏͏
    Jan 15 at 15:01





    ATA security and hdparm have nothing to do with disk encryption.

    – ͏͏͏
    Jan 15 at 15:01











    -1














    I know this has been around for awhile, but I think there may be a mistake in your verbage. I followed your steps to encrypt a ST750LM022 drive and everything seemed to work and I was very pleased with myself, but I looked it up on Seagate's site and the specifications do not mention this being a self-encrypted drive. I think your steps work, but just because it supports the ATA security function to password lock a hard drive, doesn't mean it's encrypted. This document indicates that ATA drive password security is fairly easily defeated: https://security.utexas.edu/education-outreach/BreakingATA . This said, your information was excellent, but I wanted to address that unless you have a SED installed, everything will look great and the password will give you the feeling that you are well protected when it does not appear that you are. If this is incorrect, please correct me, and if someone can tell me a surefire way to determine if a drive is a SED short of digging through specs for each drive, it would be greatly appreciated.



    Thanks,
    Jeff






    share|improve this answer








    New contributor




    Jeff is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.

























      -1














      I know this has been around for awhile, but I think there may be a mistake in your verbage. I followed your steps to encrypt a ST750LM022 drive and everything seemed to work and I was very pleased with myself, but I looked it up on Seagate's site and the specifications do not mention this being a self-encrypted drive. I think your steps work, but just because it supports the ATA security function to password lock a hard drive, doesn't mean it's encrypted. This document indicates that ATA drive password security is fairly easily defeated: https://security.utexas.edu/education-outreach/BreakingATA . This said, your information was excellent, but I wanted to address that unless you have a SED installed, everything will look great and the password will give you the feeling that you are well protected when it does not appear that you are. If this is incorrect, please correct me, and if someone can tell me a surefire way to determine if a drive is a SED short of digging through specs for each drive, it would be greatly appreciated.



      Thanks,
      Jeff






      share|improve this answer








      New contributor




      Jeff is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.























        -1












        -1








        -1







        I know this has been around for awhile, but I think there may be a mistake in your verbage. I followed your steps to encrypt a ST750LM022 drive and everything seemed to work and I was very pleased with myself, but I looked it up on Seagate's site and the specifications do not mention this being a self-encrypted drive. I think your steps work, but just because it supports the ATA security function to password lock a hard drive, doesn't mean it's encrypted. This document indicates that ATA drive password security is fairly easily defeated: https://security.utexas.edu/education-outreach/BreakingATA . This said, your information was excellent, but I wanted to address that unless you have a SED installed, everything will look great and the password will give you the feeling that you are well protected when it does not appear that you are. If this is incorrect, please correct me, and if someone can tell me a surefire way to determine if a drive is a SED short of digging through specs for each drive, it would be greatly appreciated.



        Thanks,
        Jeff






        share|improve this answer








        New contributor




        Jeff is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.










        I know this has been around for awhile, but I think there may be a mistake in your verbage. I followed your steps to encrypt a ST750LM022 drive and everything seemed to work and I was very pleased with myself, but I looked it up on Seagate's site and the specifications do not mention this being a self-encrypted drive. I think your steps work, but just because it supports the ATA security function to password lock a hard drive, doesn't mean it's encrypted. This document indicates that ATA drive password security is fairly easily defeated: https://security.utexas.edu/education-outreach/BreakingATA . This said, your information was excellent, but I wanted to address that unless you have a SED installed, everything will look great and the password will give you the feeling that you are well protected when it does not appear that you are. If this is incorrect, please correct me, and if someone can tell me a surefire way to determine if a drive is a SED short of digging through specs for each drive, it would be greatly appreciated.



        Thanks,
        Jeff







        share|improve this answer








        New contributor




        Jeff is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        share|improve this answer



        share|improve this answer






        New contributor




        Jeff is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.









        answered 11 mins ago









        JeffJeff

        1




        1




        New contributor




        Jeff is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.





        New contributor





        Jeff is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.






        Jeff is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
        Check out our Code of Conduct.






























            draft saved

            draft discarded




















































            Thanks for contributing an answer to Super User!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid



            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.


            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f984905%2fhow-to-verify-a-self-encrypted-drive-sed-is-really-encrypted%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Couldn't open a raw socket. Error: Permission denied (13) (nmap)Is it possible to run networking commands...

            VNC viewer RFB protocol error: bad desktop size 0x0I Cannot Type the Key 'd' (lowercase) in VNC Viewer...

            Why not use the yoke to control yaw, as well as pitch and roll? Announcing the arrival of...