I have a machine that was protected with an HDD password and, as in any IT manager's nightmare, right after setting it, the first trial that followed failed to let us use the hard drive.
We also set the BIOS admin password (the one which is required to make changes in BIOS) and this one is working accordingly.
On the HDD password BIOS page you can read that you can use the admin/master password to remove the HDD password (supposedly without losing data), but I wasn't able to find how that could be done. Can someone tell me how?
Best outcome: Use the admin password to disable HDD password.
Unacceptable but still possible solution: Erase the whole hard disk altogether with the password.
The system is a Dell Inspiron 7560 (S/Tag <Service tag removed>) and we have about 60 more machines to set BIOS/HDD passwords on. Any help is much appreciated.
Thanks for posting.
Apologies that your systems are not working as expected.
Your post suggests that you have a corporate or large business account. The Forums are pretty much made up of consumers helping other consumers. Your company will have a Technical Account Manager assigned to it.
The TAM will have all the information regarding your products and what warranty options are available, so contacting them would be in your best interest in resolving this issue. If you are having difficulty finding your TAM, please contact your IT department or the Finance department of your company.
To remove the hard drive password, it's necessary to set a blank password (go into the setup page with the hard drive password, and enter the current password). Leave both fields blank and save. This will remove the hard drive password.
There are two parts to the drive password - the one in setup, and the one stored on the drive itself. You MUST know the existing password to reset it to blank -- if you don't, while you CAN remove the CMOS portion of the password, the one on the drive will remain -- it would require replacing the drive or shipping the drive off to a recovery company with the tools to remove it.
We have a small corporation, we bought the laptops on the market and I'm the one responsible for the whole I.T. dept.
Nobody from Dell ever cared to check on us, hence why I had to get here. Maybe customers will serve me better than what I got so far from Dell.
ein63, you clearly didn't understand me, I know how BIOS/HD passwords work, okay?
The thing is: in Dell's HD password page it is clearly stated that the admin (*BIOS*) password can be used to revoke the hard drive password. In such a scenario the HDD password would be encrypted using the admin password's hash as the encryption key, and if you have that password you could at any time later generate the key that could be used to turn the encrypted HDD password back into plaintext.
On the other hand I understand your skeptical stance (I have the same). I have to investigate until there is an authoritative answer that what's written in the BIOS is actually rubbish, see?
What is the exact wording you're seeing in the BIOS about clearing out the HDD password by only knowing the admin password? The HDD password is stored in the HDD's controller itself. Even for drives that are NOT self-encrypting, I don't believe there's even an ATA command to clear out the password without knowing it, otherwise somebody could just move your drive to a system where they know the BIOS admin password, clear it out, and then access your data, which would render an HDD password utterly useless. But on drives that DO use the password to protect an encryption key that in turn protects all the sectors on the drive, clearing out the password without knowing the original would not even be possible, except of course if you were to accept erasing the entire drive.
The connection is indirect - you need the BIOS or Admin password to get to the page where you can reset the hard drive password -- that much is true.
Note however that the hard drive password DOES NOT encrypt the contents of the drive. Unless your system and drive support full disc encryption -- which is a totally separate issue from the password set on the hard drive itself.
That password is stored in a user-inaccessible portion of the drive -- it CAN be removed by someone having the software tools to do the job, at which point the contents of the drive become accessible.
I just solved it: you can actually use the admin password right in place of the HDD password and it will reset the HDD successfully.
Be aware that my admin password has nothing to do with the HDD password; the HDD password was given to the end user, the admin password wasn't.
I'll leave you guys with the trouble of understanding how the BIOS can encrypt the HDD's password by employing the hash of the admin's password as the encryption key, sorry, that's cryptography 101 for me.
You're wrong in many ways, the ATA specification does have a specific command for that, since ages ago. The HDD password is kept on disk, but inaccessible for ordinary users; if the password was kept on the HDD controller (the disk-side part of it) a simple HDD controller switcheroo would solve the problem. The HDD is really not encrypted at all, we just want to make it a bit safer, not NSA-proof. (We're considering whether or not to employ TrueCrypt or BitLocker over the machines; 'til then we're using HDD passwords.)
What you don't get is that the BIOS itself keeps a copy of the HDD password on it, but even if you reverse engineer it you won't be able to extract it because that copy of the (HDD) password was scrambled/encrypted by the admin's (BIOS) password, so as long as you know the admin's password you can extract the plaintext of the HDD's password as long as the HDD was kept on the same machine that was used to set its password all along.
The text on that admin's password page goes: <snip>"Also, the admin password can be used to delete the HDD password."<snip>, it just doesn't tell you how: It's just a matter of typing the admin's password where you should type HDD's password.
Thanks to your post I took the time to try using the admin's password right in place of the HDD's password, even though they're clearly different, and it worked like a charm, who would have thought?
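The key-wrapping scheme the poster describes above (an HDD password stored on the machine, encrypted under a key derived from the admin password), as an added illustration that is not part of the thread and is not Dell's firmware code. PBKDF2, the HMAC-based keystream and tag, the blob layout and all function names are assumptions chosen for the sketch.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # assumed PBKDF2 work factor
PW_FIELD = 32          # ATA security passwords occupy a fixed 32-byte field


def _keys(admin_pw: str, salt: bytes):
    """Derive an encryption key and a MAC key from the admin password."""
    okm = hashlib.pbkdf2_hmac("sha256", admin_pw.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream."""
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_hdd_password(hdd_pw: bytes, admin_pw: str) -> bytes:
    """Return the blob a machine following this scheme would store locally."""
    if len(hdd_pw) > PW_FIELD:
        raise ValueError("HDD password longer than 32 bytes")
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(admin_pw, salt)
    ct = _xor_stream(enc_key, nonce, hdd_pw.ljust(PW_FIELD, b"\0"))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unwrap_hdd_password(blob: bytes, admin_pw: str) -> Optional[bytes]:
    """Recover the HDD password, or None if the admin password or blob is wrong."""
    if len(blob) != 16 + 16 + PW_FIELD + 32:
        return None
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(admin_pw, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(enc_key, nonce, ct).rstrip(b"\0")
```

Under such a scheme the wrapped copy exists only on the machine that set the password, and the HDD password is protected no better than the admin password that wraps it.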
Glad you got it sorted. And that's interesting, I didn't realize Dell systems cached a copy of the HDD password in some form in order to enable that functionality.
In terms of a little safer rather than NSA-proof, if you're going to have your users typing in passwords anyway, I don't see why you wouldn't want to use proper disk encryption. It's much more security for the same amount of effort, and actually BitLocker is designed to allow you to have encryption without a user-supplied password at all because the TPM stores the key (although you still need to retain the Recovery Key for certain atypical scenarios, and you can optionally still require a user-supplied PIN as well). Additionally, using encryption would simplify data recovery efforts through tools like SATA to USB adapters/enclosures/docks, which wouldn't know how to prompt for an ATA password but which you would be able to decrypt if they were using BitLocker or similar. Finally, as of this writing, Dell does not support HDD passwords on NVMe-based SSDs, just in case you were planning on getting any laptops that will have them.