
  • Posts: 126
  • Registered: ‎02-17-2013
  • Location: Antigua and Barbuda
  • Views: 1281
  • Message 11 of 31

Re: Enabling SSD Encryption in BIOS for Samsung 840 Pro or SSDs

2013-02-24, 8:21 AM

Problem solved: there was no Hardware Password set.  So I set this password and from then on the disk could not be read by any other PC, so I assume it's encrypted. 

What I don't understand: how was the old hard disk encrypted without this password? It was definitely not a BitLocker encryption. Anyway, everything works now as expected.


  • Posts: 3
  • Registered: ‎11-22-2010
  • Location: Arizona
  • Views: 24
  • Message 12 of 31

Re: Enabling SSD Encryption in BIOS for Samsung 840 Pro or SSDs

2013-02-28, 18:00 PM

"Mounting the new Samsung 840PRO was possible and the content was readable, so it's not encrypted." This is most likely incorrect. I can't say for certain, but it's very likely that all data written to the disk is always encrypted, even if you have not set an HDD password.

When you set the HDD password, under the hood the keys used to encrypt/decrypt are encrypted. If there is no HDD password, then the decryption key is going to be stored in clear text, and so the drive controller can just grab the key and use it, no matter which computer has the drive.

I'm not a Samsung engineer (and I also think it's unforgivable that they don't publish ANYTHING explaining how their crypto technology works), but I understand the basics of crypto and crypto APIs.

The general protocol for something like encrypting a hard drive is going to involve generating a key that is used for both encrypting it and decrypting it. If the key were derived from a password, then changing the password would necessitate changing the key, which in turn would require decrypting the drive with the old key, and then re-encrypting it with the new key. That would be terribly inefficient. Imagine that you set the password for the first time AFTER you've set up Windows and copied all of your data to it. Either the drive would have to spend a lot of time encrypting everything you've already copied to it, or you would have to start over completely. The simple solution is to lock down the decryption key by encrypting it using another key. In the case of hardware-based full disk encryption, this means generating a key using a "Hash" of a password. It's like the difference between leaving the key to your front door right there in the lock versus locking the key in a separate lockbox, like those that real estate agents use. When you set the HDD password, you are putting the decryption key in a lockbox that can only be unlocked by the HDD password.

One question I have about Samsung's drive encryption stuff is, where does it store the key to decrypt the drive? On another forum (AnandTech), someone stated that they called Samsung and were told that the drive requires a BIOS that supports 1) Setting an HDD password and 2) A TPM. If that is true, then the key would be stored in the TPM. I find it hard to believe that this is the case. If it is true, it would be impossible to decrypt the drive on any computer other than the computer where the HDD password was originally set up. If this is the case, then there is probably some way of completely wiping the drive to force it to generate a new key, but if something goes wrong with your computer, you can't just transfer the drive, even though you know the HDD password.


  • Posts: 4
  • Registered: ‎02-13-2010
  • Location: United States
  • Views: 89
  • Message 13 of 31

Re: Enabling SSD Encryption in BIOS for Samsung 840 Pro or SSDs

2013-04-14, 3:35 AM

How do you not get a password prompt once you enable HD Password?

I entered a user password and get prompted every time I do a cold boot...shutdown and turn on.

On reboots I don't have to.

I have an X230 with the Samsung 840 Pro and Plextor mSATA.


  • Posts: 2
  • Registered: ‎04-16-2013
  • Location: Seattle, WA
  • Views: 22
  • Message 14 of 31

Re: Enabling SSD Encryption in BIOS for Samsung 840 Pro or SSDs

2013-04-16, 0:55 AM

I have plenty of experience working with HDD encryption using built-in 128-bit AES on an Intel 320 series SSD. I configure User + Master passwords (Press F1 at the encryption prompt to get a prompt to enter the Master instead of User password.) If you'd like it to prompt for password at EVERY boot, not just a cold boot, enable "Password on Restart". For the final level of security, I also enable a supervisory password even to get into the BIOS.

Once all of this has been done, any attempt to boot whether warm or cold will yield a password prompt. Attempting to access the BIOS will yield first a password prompt to unlock the HDD, and then a supervisory password prompt. If you physically remove the drive and place it in a different computer that has an identical BIOS, the same User+Master passwords will work to access the drive (good to know in case a system board fails and you want to retrieve your data.) If you remove the drive and place it in a different computer that has a different BIOS that still supports ATA encryption (I went from a Lenovo laptop to an HP desktop in my test) it will still prompt for passwords but entering the proper password will not provide access; it treats it as a bad password, probably because the BIOS internal encryption algorithms differ to some extent. I haven't ever tried putting the drive into a system that didn't support ATA encryption - I expect that it wouldn't enumerate, let alone mount.

Clear as mud? Good :)

- Lee


  • Posts: 4
  • Registered: ‎02-13-2010
  • Location: United States
  • Views: 89
  • Message 15 of 31

Re: Enabling SSD Encryption in BIOS for Samsung 840 Pro or SSDs

2013-04-16, 1:16 AM
This I understand but the original poster mentioned that he was only prompted to enter the HD password once on boot up and never prompted again. That I don't understand.

  • Posts: 2
  • Registered: ‎04-16-2013
  • Location: Seattle, WA
  • Views: 22
  • Message 16 of 31

Re: Enabling SSD Encryption in BIOS for Samsung 840 Pro or SSDs

2013-04-16, 1:17 AM

He probably didn't enable "Password on Restart" and never cold boots his machine...


  • Posts: 125
  • Registered: ‎01-26-2011
  • Location: Fort Stewart, GA
  • Views: 3885
  • Message 17 of 31

Re: Enabling SSD Encryption in BIOS for Samsung 840 Pro or SSDs

2013-04-16, 2:01 AM
I do cold and warm reboot my machine. However, I use my fingerprint reader to start my machine and when the fingerprint is accepted, then I am not required to manually enter a password.

I entered a password one time after creating a user password and that was all.

When I installed a newer fingerprint software version I did have to type in a password until I went into the software and set my fingerprint to not require me to manually enter a password.

I use an X220. I like that my fingerprint will boot the machine and serve as my Windows password and SSD encryption password, so to speak.

  • Posts: 17
  • Registered: ‎12-01-2009
  • Location: Illinois
  • Views: 192
  • Message 18 of 31

Re: Enabling SSD Encryption in BIOS for Samsung 840 Pro or SSDs

2013-04-24, 0:16 AM

I've been doing quite a bit of research for data at rest protection with SSDs:

A big problem with SSDs due to wear leveling is that if you attempt to deploy traditional sanitization methods used with mechanical storage, you don't always end up overwriting/erasing all of it. This is especially true for SSD drive overprovisioning where the total physical space internally is measurably less than the usable, like 256GB in flash chips, yet only 240GB usable space. That reminds me a lot of ECC RAM and physically throwing in an extra chip--the system can't directly access and leverage the extra chip.

To deal with wear leveling and data sanitization, a lot of manufacturers incorporate a flash controller that encrypts everything. A cryptographically secure encryption and random number algorithm can effectively function in place of data sanitization since when encrypted the result is essentially random data. So to perform a secure erase, you wipe the encryption key (in this case AES), assuming wiping the key is performed by the firmware properly.

Incorporating the onboard encryption mechanism definitely has potential to extend beyond data sanitization into data security. The pitfall, however, with AES being a synchronous encryption algorithm means that it is critical in how you store and access the key in a cryptographically secure way.

The problem with HDD based passwords even if the controller utilizes onboard encryption is the manner in which it stores and governs access to the key. The best case scenario is if it leverages your password to encrypt the encryption key itself. You can implement much worse techniques than that. After all, to fulfill the function of a secure erase, you only need to design the firmware to securely wipe the key, when it's performed, not necessarily how it's stored until then.

The other downside to HDD passwords even if done in the most secure way possible is that the effective level of security is only as complex as your password. We all know how poor memorable passwords are for most people.

The most secure means of data at rest that incorporates onboard hardware-based encryption is for the device to be OPAL TCG compliant. They publish standards for manufacturers to adhere to in order for their product to be certified. Based on the most recent published list, there are only 2 SATA-based solid state products on the market, and the 840 isn't one of them. For at least one, they make 2 different variants and only one supports it.


The question is how much is enough.  Personally I don't consider any password that a user can remember to be cryptographically secure enough for data encryption.  But it's up to the user ultimately.  However, I definitely don't consider any form of HDD password based protection to be even close to adequate for a business protecting data.
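The "lockbox" key wrapping described in Message 12 and the key-wipe secure erase described in Message 18, as an added example that is not part of any post and not any vendor's firmware. `ToyDrive`, its methods, the PBKDF2 parameters and the HMAC-SHA256 keystream (a standard-library stand-in for the controller's AES engine) are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def xor_stream(key, data, tweak=b""):
    """Toy stand-in for the controller's AES engine: HMAC-SHA256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, tweak + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class ToyDrive:  # hypothetical self-encrypting drive, not a real design
    def __init__(self):
        self.dek = secrets.token_bytes(32)  # media key: in the clear until a password is set
        self.blob = None                    # (salt, wrapped DEK, MAC) once a password is set
        self.flash = {}                     # LBA -> ciphertext
    def _kek(self, password, salt):
        k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
        return k[:32], k[32:]               # wrapping key, MAC key
    def set_password(self, password):       # wraps the DEK; user data is not touched
        salt = secrets.token_bytes(16)
        enc, mac = self._kek(password, salt)
        wrapped = xor_stream(enc, self.dek)
        self.blob = (salt, wrapped, hmac.new(mac, wrapped, hashlib.sha256).digest())
    def power_cycle(self):                  # locked: only the wrapped copy survives
        self.dek = None if self.blob else self.dek
    def unlock(self, password):
        salt, wrapped, tag = self.blob
        enc, mac = self._kek(password, salt)
        good = hmac.compare_digest(tag, hmac.new(mac, wrapped, hashlib.sha256).digest())
        if good:
            self.dek = xor_stream(enc, wrapped)
        return good
    def write(self, lba, data):
        self.flash[lba] = xor_stream(self.dek, data, lba.to_bytes(8, "big"))
    def read(self, lba):
        return xor_stream(self.dek, self.flash[lba], lba.to_bytes(8, "big"))
    def crypto_erase(self):                 # new DEK; old ciphertext stays but is unreadable
        self.dek, self.blob = secrets.token_bytes(32), None

def demo():
    d = ToyDrive()
    d.write(0, b"constructed sample sector")
    before = dict(d.flash)
    d.set_password("old password")
    d.power_cycle()
    wrong, right = d.unlock("a guess"), d.unlock("old password")
    d.set_password("new password")          # password change re-wraps 32 bytes only
    unchanged, plain = d.flash == before, d.read(0)
    d.crypto_erase()
    return wrong, right, unchanged, plain, d.read(0)
```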


  • Posts: 34
  • Registered: ‎04-10-2008
  • Location: United States of America
  • Views: 499
  • Message 19 of 31

Re: Enabling SSD Encryption in BIOS for Samsung 840 Pro or SSDs

2013-07-20, 21:14 PM

To Kent or other x220 users running FDE with SSD.....

 

What happens when you "close the lid" and the computer goes into either Sleep or Hibernate? When you open the laptop again, are you prompted for a BIOS/FDE level password? Or is there only a Windows password? I am looking for clarity about Ease Of Use vs. Vulnerability in a world where a user is frequently opening and closing an X220 while traveling from meeting to meeting, room to room, etc.

 

Thanks


  • Posts: 125
  • Registered: ‎01-26-2011
  • Location: Fort Stewart, GA
  • Views: 3885
  • Message 20 of 31

Re: Enabling SSD Encryption in BIOS for Samsung 840 Pro or SSDs

2013-07-21, 0:19 AM

Hi - I am prompted for credentials - but in my case with a fingerprint reader - I just swipe my finger and that also doubles as my Windows and FDE password. I think in the fingerprint software you can select an option to have your fingerprint also authenticate your Windows password as well. Hope all goes well but if you have a fingerprint reader the process is pretty painless.
