Hi,
I have switched the 500 GB HDD in my UX32VD for an Intel SSD and have now tried to enable the HDD password in BIOS. Unfortunately I have not been able to get this to work, so I'm asking if anyone here has had any success with this feature?
I enabled both user and master HDD password, powered down the system, but on next boot I wasn't prompted for the HDD password. The disk was apparently locked, because it failed to boot and threw me back into the BIOS. Here I could disable the HDD password and booting would work again.
I confirmed that the right disk is indeed locked, since I set an HDD password in the UX32VD's BIOS, removed the disk and inserted it into another system (a Linux machine) where hdparm -I confirmed that the disk was indeed locked. I was also able to unlock it using the same password set in the BIOS.
It seems that the EFI BIOS in the UX32VD fails to see that the boot drive is locked and doesn't prompt for the HDD password. Maybe this is due to the fact that there's also the 32 GB SSD, but this is just a guess.
I have contacted ASUS about this, but received only a few standard mails (have you checked that the disk works, maybe the BIOS is corrupt, please send it in for service, etc.)
I have found another post here (for some Dells):
Latitude E6410, UEFI, HDD Password Protected, No Boot Device - Laptop General Hardware Forum - Laptop - Dell Community
Which suggests that there could be some issues with EFI, AHCI and the HDD password (ATA security feature).
Anyway, just wanting to hear if anyone has had any success with this feature, that is: Have you been able to set a HDD password, boot the system, and been prompted to enter the HDD password, after which the system boots normally?
-
Okay, I have nailed down the issue, so if anybody's interested, keep reading.
First of all (and the BIOS help text even mentions this): Turn power off after setting HDD passwords. Strange things might happen if you don't.
There is still one bug that is very annoying, but possible to work around:
When setting a HDD password, it is set on both the internal 32 GB SSD and the other installed HDD. This is fine I guess, however it's not typical behaviour, since it can't cope with two disks with different passwords.
The problem is that when disabling the HDD password again, it is only disabled on the internal 32 GB SSD. At boot the BIOS sees that the boot disk is still locked and prompts for a password, but it only tries to unlock the disk which is already unlocked and then for some reason won't accept any password (even the valid one on the boot disk). Unless you can move your disk to another system to unlock it, you're screwed at this point.
Luckily the BIOS does not apply any hash function to the password before sending it to the disk, so it can be easily unlocked on another system.
There are also some bugs related to setting a password if the two disks are out of sync, power has not been turned off between entering BIOS and setting passwords, etc.
My suggestion for ASUS would be to either:
1. Have both HDD1 and HDD2 passwords and prompt for both at boot so it would be possible to set different passwords, or only password protect one disk
2. Simply only allow setting a password on the primary disk (this is what Thinkpads do)
-
But the iSSD is impossible to move to another system, so I guess those of us who have installed Windows on the iSSD should not use this?
-
When there is only one disk in the system it shouldn't be a problem I guess. If it's locked you will be asked for a password to unlock it, and if it isn't locked you'll just boot the system normally.
So if something goes wrong, just remove the other disk and everything should work as expected. The confusion apparently starts when the two disks in the system somehow come out of sync with their passwords. This happens especially (as I have mentioned) when you disable the password, and it's only disabled on the iSSD and not the other disk.
For people who are not familiar with the HDD password feature: It sets a password on the disk itself - there is nothing about the password stored anywhere in BIOS. How various disks implement this is a different story. I haven't been able to get information about the iSSD, but I hope it stores the password as a one-way hash somewhere on the disk where there are no ATA commands that allow you to read it. However, there have been other disks that simply store the password in plaintext in the service area of the disk, which can be read by special ATA commands.
The Intel 320 and 520 SSDs go one step further. They always encrypt all data written to the disk (this can't be turned off) but without a HDD password, the encryption key is just stored on the disk as well, and hence it behaves like a normal disk. However, if you set a HDD password, the encryption key is encrypted using the HDD password, and hence without the HDD password, there is no way to get to the data (assuming that everything is implemented correctly - which I haven't been able to get as much information about as I would like to have).
-
Thanks for explaining what is causing this. I just experienced this problem. Here is another solution: Remove your password-protected HDD or SSD, boot into BIOS where you set the HDD master and user password to equal the one you have set on the HDD or SSD you just removed. This will set the password on the internal SSD to match the one from the HDD or SSD you removed. Now put the HDD or SSD back in and you will be able to boot with the password. So the solution is to make sure that the password on both drives match.
Asus UX32VD and HDD password
Discussion in 'Asus' started by Carceri, Jul 25, 2012.
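
An added example, not part of the original posts: a check for the out-of-sync state described in the thread, which parses the Security section of `hdparm -I` output for each drive and compares whether a password is enabled. The two sample outputs are constructed (laid out like hdparm's Security section) and the function names are hypothetical.

```shell
#!/bin/sh
# Read `hdparm -I` text on stdin, print e.g. "enabled=yes locked=yes frozen=no".
ata_security_state() {
    awk '
        /^Security:/       { insec = 1; next }
        insec && /^[^ \t]/ { insec = 0 }   # a new top-level section ends it
        insec {
            neg = ($1 == "not"); word = neg ? $2 : $1
            if (word == "enabled" || word == "locked" || word == "frozen")
                st[word] = neg ? "no" : "yes"
        }
        END {
            n = split("enabled locked frozen", key, " ")
            for (i = 1; i <= n; i++)
                printf "%s%s=%s", (i > 1 ? " " : ""), key[i], ((key[i] in st) ? st[key[i]] : "unknown")
            print ""
        }'
}

# True when both drives agree on whether a password is enabled.
security_in_sync() {
    [ "${1%% *}" = "${2%% *}" ]    # compare the leading "enabled=..." field
}

# Constructed sample: Security section of a drive with the password set.
sample_boot_disk() {
cat <<'EOF'
Security:
        Master password revision code = 65534
                supported
                enabled
                locked
        not     frozen
        not     expired: security count
EOF
}

# Constructed sample: drive on which the password has been disabled.
sample_issd() {
cat <<'EOF'
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
EOF
}

boot=$(sample_boot_disk | ata_security_state)
issd=$(sample_issd | ata_security_state)
echo "boot disk: $boot"; echo "iSSD:      $issd"
security_in_sync "$boot" "$issd" && echo "in sync" || echo "out of sync: password enabled on one drive only"
```

On a real system the input would be `hdparm -I /dev/sdX` for each drive, run as root.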