Unsolved
5 Posts
0
4404
Move Class 0 Hardware Encrypted SSD drive to another PC
Hello,
I have a hardware encrypted SAMSUNG 850 EVO (sata3) using Class 0 - HDD Password on BIOS.
My questions are the following:
1. If my PC fails for a reason (e.g. CPU failure), will I be able to access my data on another PC?
2. If yes, that other PC must have certain specifications, or I just plug my SAMSUNG 850 as, let's say external HDD, enter my password and gain access ?
3. If no, what is the reason? Is it about TPM?
I am asking because in case of 3. -as a home user- it is more likely to have a hardware failure rather than a thief to extract my SSD from motherboard.
thank you in advance
rgds
ejn63
10 Elder
10 Elder
•
23.1K Posts
0
September 23rd, 2018 03:00
The answer is maybe. There's no guarantee you can move a password-protected drive to another system and have the password function correctly. It will likely work on the same system model - but likely will not work if you move it to different hardware.
If you are using encryption of any type, keeping a full, unencrypted backup somehow and somewhere - preferably separate from the location of the system itself - is absolutely critical. It's a good idea for ALL systems but absolutely essential for those using encryption of any type.
ppaschalis
5 Posts
0
September 23rd, 2018 05:00
thank you for your reply. I totally agree about the full unencrypted backup and it is something I have already done, but on the other hand I need a certain answer.
For example is there a list of other laptops with specific specifications which allow me to have access ?
rgds
ejn63
10 Elder
10 Elder
•
23.1K Posts
0
September 23rd, 2018 06:00
I would still keep a secure, unencrypted backup somewhere. Just a little corruption in an encrypted backup can render it useless.
Encryption has a place -- it's just not in keeping a backup. That's playing with fire.
jphughan
4 Operator
4 Operator
•
14K Posts
0
September 23rd, 2018 06:00
You're not going to find a list anywhere, and I actually would recommend against an unencrypted backup unless you can physically secure it very well. Otherwise, just encrypt the backup in a different way, potentially using a solution built into the backup application itself.
A friend of mine just recently got bit by the situation you're asking about, though. He had a Latitude E7440 with a Samsung 850 Evo where he had enabled Class 0 encryption. The E7440 died, so he brought the SSD to me to install into my XPS 15 9530 in order to capture an image of the drive for him, since I was the only person he knew with a system that also had an mSATA slot. I installed it into my XPS 15 and got the prompt for the HDD password at boot as expected, but my friend's password didn't work -- and yes he knew the password was right because he'd been entering it every day for years. We even tried an external keyboard. I ended up having to borrow my mother-in-law's E7440 to do this, where the password worked just fine. I had thought that HDD passwords were standardized, but apparently not. The most "exotic" character in this person's password was an equal sign, by the way. I'm not sure why this doesn't work as you'd expect, but it doesn't. It wouldn't be the TPM though, since that's not involved with HDD passwords.
For this reason and several others I greatly prefer BitLocker encryption, or even something like VeraCrypt. First off, to even have a CHANCE of working with Class 0 encryption in another system, you have to install the SSD internally; you can't use a USB enclosure/adapter like you can with drives protected by software encryption, which already makes Class 0 inconvenient in a recovery scenario. People say hardware encryption is faster, but the reality is that CPUs for a decade now have had hardware acceleration for AES encryption/decryption operations that allows today's CPUs to perform those operations even at NVMe SSD speeds without introducing a bottleneck, so I don't buy the performance argument. I also fundamentally don't like the idea of using an encryption scheme that isn't well-documented, whereas BitLocker and VeraCrypt are both very well documented. And BitLocker gives you a lot more options in terms of what mechanism(s) can be used to unlock the drive. But mostly it's about recoverability for me.
If you have to work with a dual boot system, then I can certainly see why Class 0 is a simpler solution. But otherwise, I would really recommend switching to a software solution like the free VeraCrypt or just paying to upgrade to the Pro version of Windows in order to gain BitLocker if you're not already running it.
jphughan
4 Operator
4 Operator
•
14K Posts
0
September 23rd, 2018 07:00
Ok first, if you're capturing a disk image, just a little corruption in unencrypted backups can render them useless too. And second, encryption doesn't have a place in keeping a backup?? So everyone who wants to ensure their backups can't be accessed by unauthorized parties and uses encryption to achieve that is fundamentally doing it wrong? Give me a break. In some industries if you even THINK that someone may have gained access to your unencrypted backups, you are obligated by law to notify any clients whose data may have been compromised about the incident -- which in the case of backups could be all clients. That can cause massive reputational damage, so people in those industries routinely encrypt their backups, in fact encrypting backups is mandatory in some cases.
If you're worried about corruption, then you solve that by having multiple independent backups. Fundamentally it's safer to mitigate the corruption risk by having multiple backups than to simply trust that your backup is sufficiently physically secured that no unauthorized party could ever get to it. For most people, their backups are on a hard drive sitting on their desk in their home, or maybe a drive that travels with them and/or gets taken off-site to mitigate theft/natural disaster threats, or possibly in the cloud, which is really just someone else's computer. NONE of those situations should be considered physically secure, which is why encrypting them is important.
ejn63
10 Elder
10 Elder
•
23.1K Posts
0
September 23rd, 2018 08:00
I said nothing about a disc image - yes, they're useful - along with a readable backup of the data that IS NOT encrypted, and is not in proprietary format. You're reading what you want to see - not what I wrote, as in the past.
One day, you may need to read that backup - and a lost encryption key or a format that's obsolete may mean you'll never see that data again.
You SHOULD HAVE a readable backup of your data files -- secured in a safe deposit box if you want - separate from the system. That ultimate backup should NOT be encrypted - or you may find it locked out of use forever at some point
jphughan
4 Operator
4 Operator
•
14K Posts
1
September 23rd, 2018 08:00
Securing backups in a safe deposit box isn't feasible for data that changes on an even somewhat regular basis -- and what if your hard drive gets stolen in transit to/from the box? Or are you expecting average people to use armored carriers?
If you personally don't consider your data sufficiently private to be worth making sure it's always encrypted, then that's completely fine, but it's irresponsible to suggest that people with encrypted data should have an "ultimate backup" that isn't encrypted. There are several ways to secure encryption keys -- including a safe deposit box, which IS practical for an encryption key because a key DOESN'T change on a regular basis, and as long as you don't transport the key and data together, even loss of the key in transit wouldn't be catastrophic.
As for formats becoming obsolete, that doesn't just happen overnight. If BitLocker gets deprecated, people would have a period of time where they can easily migrate to something else. And even after that, there will be a way to run a version of Windows that can access BitLocker drives on hardware that can work with a USB hard drive for decades to come. It would get more difficult over time, but if people don't care enough about their data to ensure it's always stored in an easily usable format, then that's on them. The obsolescence concern also applies to the file formats of the unencrypted data itself too, and for that matter the hardware it's stored on. That issue isn't unique to encryption.
For truly sensitive data, the risks mitigated by encryption far outweigh the risks incurred as long, as you take reasonable precautions like having multiple backups -- which you should have anyway -- and storing keys in a robust way, including a way to make sure that your heirs can access them if you die unexpectedly. By comparison, losing control of unencrypted data could be catastrophic. Again, you can implement encrypted backups in a safe way. In most cases, you CANNOT implement a physical storage solution that is sufficiently secure for unencrypted backups to be considered safe AND sufficiently practical to actually use.
For average users, your guidance to keep unencrypted backups would have them choosing between sufficient security and reasonable practicality. And on the other end of the spectrum, such as entities that store some of the most crucial and sensitive data in the world, your guidance to keep unencrypted backups simply doesn't align with industry standard practices, and in many cases would be illegal. So don't suggest that anyone who only stores their data in encrypted form is taking a foolish risk and that your method is the only sensible choice. In most cases it's the exact opposite.
ppaschalis
5 Posts
0
September 25th, 2018 15:00
Hello, thank you for your answer. A quick question. If I backup an encrypted ssd with let's say Acronis backup (or whatever backup software), will I be able to use (have access) it on another pc assuming that Acronis is also installed there?
If the answer is yes then hardware encryption is the best solution for me. If no then in a hardware failure (e.g. CPU) then both SSD and backup files are useless since they are tight with this particular CPU and cannot be used elsewhere.
Am i wrong?
Thanx
jphughan
4 Operator
4 Operator
•
14K Posts
0
September 26th, 2018 07:00
With one exception I'll get into in a moment, if you capture an image backup of an encrypted drive, the backup itself will NOT be encrypted -- unless you enable encryption functionality built into the imaging solution related to its own image files, but that would be completely separate from whatever's going on with the drive itself. The reason is that in almost all cases, the imaging tool is being used in a context where the drive is unlocked, e.g. after a decryption password has been entered somewhere, and therefore the imaging tool is seeing the data in unencrypted form.
The exception would be if you captured an image backup of a drive while it was still LOCKED. That wouldn't be possible with hardware encryption since the drive won't allow anything at all to be read from it while it's locked. But for example with software encryption like BitLocker and VeraCrypt, if you booted into some recovery environment and did NOT enter the decryption key, the partition would be locked, but the sectors would still be readable. In that situation, you could still capture an image of the drive, but all of the data you're capturing will of course still be encrypted. In general you don't want to capture images of drives while they're still locked, because capturing raw encrypted data makes the images much larger -- compression doesn't work with encrypted data, and even the free space on the disk has to be captured in the image since it's not possible to differentiate free space from used space while the drive is still locked -- and depending on particular imaging software you use, other features may not be usable in this setup either.
The better way to keep your backups encrypted would be to use the imaging software's own encryption option. In that case, the imaging tool can see the data in unencrypted form when it's being captured, which means free space doesn't get backed up AND compression can be applied, and THEN the software encrypts the output using its own solution. Another option would be to capture unencrypted image backups but store them on a drive that has BitLocker enabled, which is what I do. Either way, you'll end up with smaller backups, and the full set of your imaging software's features will also be available.
And then yes, you'll always be able to work with your image backups from another system that has the appropriate software installed, although if encryption is involved anywhere you'll obviously need to know the decryption password.