« Previous 1 2
Using the ATA security features of modern hard disks and SSDs
In the Vault
The Master Password: Caution!
So far, I have not talked about the master password. In the previous scenario, the master password can be used as a fallback if the user password is not known. The idea behind this design again originates in a corporate laptop scenario: The company's own IT department must at all times have access to the data, even if the users are no longer around.
Every hard disk is initially supplied with an undocumented master password. In the hdparm output, you can see this from the details of the master password revision code, which refers to the currently valid master password as an identifier. The default value 65534 (hex $ FFFE) references the manufacturer-defined password. In other words, the HDD or SSD manufacturer has a way of resetting the security settings right from the outset. The initial master password is unknown to the user but can be overwritten by the first call of the SECURITY_SET_PASSWORD command, this time using the --user-master m switch:
# hdparm --user-master m --security-set-pass "UltraSecret" /dev/sdb security_password="UltraSecret" /dev/sdb: Issuing SECURITY_SET_PASS command, password="UltraSecret", user=master, mode=high
The Master Password Revision Code is then set to 1. If only a master password, but no user password, is set, no security features are active. The master password does not enter the game until these settings are enabled. All security settings can then be disabled either with the user or with master password using the SECURITY_DISABLE_PASSWORD ATA command:
# hdparm --user-master [m|u] --security-disable "UltraSecret" /dev/sdb
In terms of ATA states, a transition from SEC5 to SEC1 occurs. Now you can assign a new user password.
The ATA standard specifies two different security levels that are defined when setting the user password. These levels also define the scope and capabilities of the master password: HIGH and MAXIMUM. HIGH is the default (LOW would mean no security features are enabled). All explanations so far have related to the HIGH level. Set the MAXIMUM security level as follows:
# hdparm --user-master u --security-mode m --security-set-passwd "Secret" /dev/sdb security_password = "Secret" /dev/sdb: Issuing SECURITY_SET_PASS command, password="Secret", user=user, mode=maximum
The hdparm output reflects the new status (Listing 5). In this state, you can no longer unlock the device with the master password or directly disable the security features. If you do not know your user password, a transition from SEC5 to SEC1 requires a SECURITY_ERASE_UNIT, which will restore the device to a usable, pristine state.
Listing 5
MAXIMUM Level
# hdparm -I /dev/sdb
/dev/sdb:
[...]
Security:
Master password revision code = 65534
supported
enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
Security level maximum
4min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
[...]
The idea is that admins should not be able to gain access to user data, which is fine if you want to configure your disk that way. Keep in mind that when the security level is set to MAXIMUM, you'll lose all user data if you forget the user password.
Summary
The security features of modern ATA drives offer useful protection against unauthorized data access, provided they are applied correctly. The concept behind ATA security come from the world of corporate notebooks, but these techniques are also applicable to desktop systems – although you might need to use scripts to automate steps that the notebook BIOS completes automatically.
It is important to remember, especially in a private or simple business environment, that the HIGH security level is usually sufficient, and that devices should definitely be frozen to give malware no chance of changing the security settings – whether security is enabled or not.
If you set the security level to MAXIMUM, loss of the user password is equivalent to loss of data, unless you are prepared to pay a data recovery specialist a large amount money to open the disk under cleanroom conditions and retrieve the data or read the memory cells of the SSD directly.
Secure deletion of USB hard disks or SSDs with hdparm will generate error messages in many cases. It seems that many SATA-USB adapters block the use of the some ATA Security Commands or at least do not implement them cleanly.
Infos
- Hard Disk ATA Security: http://www.csnc.ch/misc/files/publications/harddisk_ata_security_v1.1-1.pdf
- ATA-8/ACS 3 standard draft revision 1b: http://nevar.pl/pliki/ATA8-ACS-3.pdf
« Previous 1 2
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
A closer look at hard drives
We continue our exploration of the world of hard drives – both solid state and spinning varieties. -
TKperf – Customized performance testing for SSDs and HDDs
SSD manufacturers try to impress customers with performance data. If you want to know more, why not try your own performance measurements with a standardized test suite that the free TKperf tool implements. -
Testing the Samsung MU-PA500B 500GB SSD
We kick the tires of a Samsung 500GB SSD that promises a transfer rate of 540MBps. -
Assess USB performance while exploring storage caching
Use dd fluently to compare disk performance. -
Credential management with HashiCorp Vault
Admin teams can use secret sharing to centrally manage shared access to user accounts and services. HashiCorp Vault is one of the few tools that has proven effective when it comes to implementing this solution. Here's how to use this open source tool and keep important credentials safe.