JanAtHome32
Copper

HDD-0 encryption and HDD replacement

Dear all,

I have a Latitude e5540 and use the HDD-0 password to encrypt the data on my HDD, so it still cannot be read if put in any other PC. Now I want to replace the HDD but keep the data protection. Therefore I have 2 questions:

1) Is the encryption of the HDD data done on/by the HDD itself? So I need a special HDD which is capable of encrypting the data (in combination with HDD-0).

2) Can I replace the HDD with any other HDD and keep the HDD-0 password encryption of the HDD data? Or is the data not encrypted anymore when changing the HDD?

0 Kudos
6 Replies
jphughan
Diamond

Re: HDD-0 encryption and HDD replacement

First, one correction: You absolutely CAN move that HDD into another PC and access the data, as long as the new PC knows how to prompt for an HDD password at boot.

Next, a clarification: Not every hard drive that allows a password to be specified actually encrypts the data when a password is enabled.  Some do, but hard drive passwords existed long before encryption did.

But IF your hard drive is encrypting its contents based on the hard drive password, then yes the encryption would be done by the drive itself, which is why another PC would know how to read it as long as it knew how to prompt for an HDD password.

In terms of your question about replacing drives, once the data leaves the HDD, it is no longer encrypted, so if you wanted it to be encrypted on a new HDD, you would have to enable encryption on the new HDD.  Some people choose to enable encryption before they even put anything on the drive, but even if you do it after the fact, the drive will still ensure all of the contents are encrypted, not just contents that are written after the encryption is enabled.

0 Kudos
JanAtHome32
Copper

Re: HDD-0 encryption and HDD replacement

Dear jphughan,
 
Thanks for your answer!

So, if I'm understanding you right, the HDD-0 password in the BIOS of my Latitude passes that password to the HDD. If the HDD is not able to encrypt, it will do nothing; otherwise it will encrypt if the HDD is capable of it.

E.g. if I have a Samsung EVO 850 HDD, which is an SED that can use Class 0 mode (256-bit AES), and I plug in this new HDD and create the HDD-0 password in the BIOS, the data will be protected (without the password no recovery is possible, even in other PCs)?

0 Kudos
jphughan
Diamond

Re: HDD-0 encryption and HDD replacement

Mostly right. The BIOS is where you SET the HDD password, but it typically doesn’t STORE the HDD password. Some systems apparently do that so that you can clear an unknown HDD password by entering the BIOS admin password instead, but that only works if the unknown HDD password was originally set on that system, and it’s also not a standard feature. But normally, the BIOS allows you to set the password that gets stored in the HDD, and then at each boot cycle, if the system sees any HDDs that have a password set, it will prompt you to supply the password(s).

If you set an HDD password on a drive that doesn’t support encryption, then it just causes the drive’s controller to refuse to allow any data to be read until it receives the correct password. However, the data actually stored on the drive would not be encrypted, so with the proper tools, that lock mechanism could be bypassed to allow reading the data. For drives that DO support encryption, like the Samsung 850, technically all data is always encrypted on the drive, but before you set a password, the encryption KEY is stored in the clear. That of course renders the encryption moot, but when you set an HDD password, that encryption key is itself encrypted, thereby protecting the data. The advantage of this design is that it means you can effectively encrypt and decrypt the drive instantaneously (by changing how the key is stored) rather than having to wait for the drive to encrypt or decrypt every piece of data on the drive.

Anyhow, in your case, I would just migrate your data to the new drive and then set an HDD password, then your data will be safe on the new drive. As for password recovery, if your system supports the admin password clear mechanism I mentioned above, then you could possibly recover an unknown HDD password, but if not, there’s no recovery from an unknown password, and there’s never a recovery mechanism for an unknown password outside of the original PC.
0 Kudos
jphughan
Diamond

Re: HDD-0 encryption and HDD replacement

Another advantage of the encryption design I mentioned above is that it allows instantaneous secure erase, because all the drive has to do is overwrite the key with a bunch of junk to render the data permanently unreadable, and that works even if no HDD password was ever set, because remember the data is always encrypted, but if the key is no longer readable, then the data is completely inaccessible. With drives that don’t do this, a secure erase involves overwriting every sector or cell of the drive.
0 Kudos
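
The key-wrapping design described in the two posts above, as an added toy model in Python (not part of the thread and not any vendor's firmware). The SHA-256 keystream stands in for the drive's AES, and the PBKDF2 wrap with an HMAC check tag is an assumption about how a password might protect the key; the class and method names are hypothetical.

```python
import hashlib, hmac, os

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with a SHA-256 counter keystream (real drives use AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

class ToySED:
    def __init__(self):
        self._mek = os.urandom(32)  # media key: exists before any password is set
        self._wrapped = None        # (salt, wrapped key, check tag) once a password is set
        self.media = b""            # ciphertext exactly as stored on the media

    def _kek(self, password: bytes, salt: bytes) -> bytes:
        # Assumed derivation of the key-encrypting key from the HDD password
        return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000)

    def _key(self) -> bytes:
        if self._mek is None:
            raise PermissionError("drive is locked")
        return self._mek

    def write(self, data: bytes) -> None:
        self.media = xor_stream(self._key(), data)
    def read(self) -> bytes:
        return xor_stream(self._key(), self.media)

    def set_password(self, password: bytes) -> None:
        salt = os.urandom(16)
        kek = self._kek(password, salt)
        tag = hmac.new(kek, self._key(), "sha256").digest()
        self._wrapped = (salt, xor_stream(kek, self._key()), tag)  # media untouched

    def power_cycle(self) -> None:
        if self._wrapped is not None:
            self._mek = None        # only the wrapped copy survives power-off

    def unlock(self, password: bytes) -> bool:
        salt, wrapped, tag = self._wrapped
        kek = self._kek(password, salt)
        mek = xor_stream(kek, wrapped)
        ok = hmac.compare_digest(hmac.new(kek, mek, "sha256").digest(), tag)
        self._mek = mek if ok else self._mek
        return ok

    def secure_erase(self) -> None:
        self._mek, self._wrapped = os.urandom(32), None  # old ciphertext is orphaned
```

Setting the password leaves `media` byte-for-byte unchanged, and `secure_erase` also leaves it unchanged while making `read` return unrelated bytes, which is why both operations are instantaneous.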
JanAtHome32
Copper

Re: HDD-0 encryption and HDD replacement

Dear jphughan,
 
This all is very nice to hear! I could not find the info, especially about the link between the HDD-0 password and drive (different BIOS manufacturers and drives).

From your second-to-last mail I concluded that the encryption key on the HDD was fixed by the manufacturer. That means that the manufacturer can always read the data (but only them).

From your last mail I conclude that I had better first do a secure erase so the encryption key is not the default (so unknown to anyone) anymore (although the drive is set to factory default (factory default does not mean encryption key default)).

0 Kudos
jphughan
Diamond

Re: HDD-0 encryption and HDD replacement

I don't think the Class 0 encryption spec defines how the encryption key that the SSD uses internally must be derived or whether running a Secure Erase resets it.  Yes, knowing that key would allow decrypting the data without knowing the password, so technically it's possible that the manufacturer could be able to read the data if they knew that key and that key was still in use, but I seriously doubt they keep even the key that ships by default.  Lots of companies specifically do NOT want to have that capability because if they CAN decrypt it, then government authorities and such can get subpoenas to force them to do so, and that would be bad for public relations.  After all, if the public knew that Samsung could decrypt the data of anyone using a Samsung SSD with encryption support, I suspect lots of people would stop using Samsung products.  But if on the other hand Samsung truly isn't able to decrypt the data, then they can just say that.

But yes, if you're highly security conscious, you can perform a Secure Erase using Samsung's tools, which would have to reset that key.

0 Kudos