Using the ATA security features of modern hard disks and SSDs

In the Vault

The Master Password: Caution!

So far, I have not talked about the master password. In the previous scenario, the master password can be used as a fallback if the user password is not known. The idea behind this design again originates in a corporate laptop scenario: The company's own IT department must at all times have access to the data, even if the users are no longer around.

Every hard disk is initially supplied with an undocumented master password. In the hdparm output, you can see this from the master password revision code, an identifier that refers to the currently valid master password. The default value 65534 (0xFFFE) references the manufacturer-defined password. In other words, the HDD or SSD manufacturer has a way of resetting the security settings right from the outset. The initial master password is unknown to the user but can be overwritten by the first call of the SECURITY_SET_PASSWORD command, this time using the --user-master m switch:

# hdparm --user-master m --security-set-pass "UltraSecret" /dev/sdb
security_password="UltraSecret"
/dev/sdb:
Issuing SECURITY_SET_PASS command, password="UltraSecret", user=master, mode=high

The Master Password Revision Code is then set to 1. If only a master password, but no user password, is set, no security features are active. The master password does not enter the game until these settings are enabled. All security settings can then be disabled with either the user or the master password using the SECURITY_DISABLE_PASSWORD ATA command:

# hdparm --user-master [m|u] --security-disable "UltraSecret" /dev/sdb

In terms of ATA states, a transition from SEC5 to SEC1 occurs. Now you can assign a new user password.

The ATA standard specifies two different security levels, HIGH and MAXIMUM, that are defined when setting the user password. These levels also define the scope and capabilities of the master password. HIGH is the default (LOW would mean no security features are enabled). All explanations so far have related to the HIGH level. Set the MAXIMUM security level as follows:

# hdparm --user-master u --security-mode m --security-set-pass "Secret" /dev/sdb
security_password="Secret"
/dev/sdb:
Issuing SECURITY_SET_PASS command, password="Secret", user=user, mode=maximum

The hdparm output reflects the new status (Listing 5). In this state, you can no longer unlock the device with the master password or directly disable the security features. If you do not know your user password, a transition from SEC5 to SEC1 requires a SECURITY_ERASE_UNIT, which will restore the device to a usable, pristine state.

Listing 5

MAXIMUM Level

# hdparm -I /dev/sdb
/dev/sdb:
[...]
Security:
        Master password revision code = 65534
                supported
                enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
                Security level maximum
        4min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
[...]

The idea is that admins should not be able to gain access to user data, which is fine if you want to configure your disk that way. Keep in mind that when the security level is set to MAXIMUM, you'll lose all user data if you forget the user password.
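Before touching passwords or erasing anything, it helps to know exactly which ATA security state a drive is in. The following shell snippet is an added example, not code from the article: it parses the Security section of `hdparm -I` output (fed on stdin; the two samples below are constructed to match the layout of Listing 5) and maps the flags onto the SECn states the text refers to, so a script can refuse to proceed when, for example, a drive is not frozen.

```shell
#!/bin/sh
# Constructed sample: user password set at level MAXIMUM (as in Listing 5).
SEC_MAX='Security:
        Master password revision code = 65534
                supported
                enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
                Security level maximum
        4min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# Constructed sample: security disabled, but the drive has been frozen.
SEC_FROZEN='Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase'

# ata_sec_state: read `hdparm -I` text on stdin and print one line of the form
# "<SECn> level=<high|maximum|none> frozen=<yes|no>". State mapping per ATA:
# SEC0 unsupported, SEC1 disabled/not frozen, SEC2 disabled/frozen,
# SEC4 enabled/locked, SEC5 enabled/unlocked/not frozen, SEC6 enabled/unlocked/frozen.
ata_sec_state() {
    awk '
    /^Security:/                        { insec = 1; next }
    insec && /^[^ \t]/                  { insec = 0 }    # next top-level section
    insec && /^[ \t]+supported$/        { sup = 1 }
    insec && /^[ \t]+enabled$/          { en = 1 }
    insec && /^[ \t]+locked$/           { locked = 1 }
    insec && /^[ \t]+frozen$/           { frozen = 1 }
    insec && /Security level/           { level = $NF }
    END {
        if (!sup)          s = "SEC0"
        else if (!en)      s = frozen ? "SEC2" : "SEC1"
        else if (locked)   s = "SEC4"
        else               s = frozen ? "SEC6" : "SEC5"
        printf "%s level=%s frozen=%s\n", s, (level == "" ? "none" : level),
               (frozen ? "yes" : "no")
    }'
}

# Usage on a live system would be: hdparm -I /dev/sdb | ata_sec_state
printf '%s\n' "$SEC_MAX" | ata_sec_state      # SEC5 level=maximum frozen=no
printf '%s\n' "$SEC_FROZEN" | ata_sec_state   # SEC2 level=none frozen=yes
```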

Summary

The security features of modern ATA drives offer useful protection against unauthorized data access, provided they are applied correctly. The concept behind ATA security comes from the world of corporate notebooks, but these techniques are also applicable to desktop systems – although you might need to use scripts to automate steps that the notebook BIOS completes automatically.

It is important to remember, especially in a private or simple business environment, that the HIGH security level is usually sufficient, and that devices should definitely be frozen to give malware no chance of changing the security settings – whether security is enabled or not.

If you set the security level to MAXIMUM, loss of the user password is equivalent to loss of data, unless you are prepared to pay a data recovery specialist a large amount of money to open the disk under cleanroom conditions and retrieve the data or read the memory cells of the SSD directly.

Secure deletion of USB hard disks or SSDs with hdparm will generate error messages in many cases. It seems that many SATA-USB adapters block the use of some ATA security commands or at least do not implement them cleanly.
