Has anyone used this feature? Is it effective? How?
I'm currently relying on Windows EFS to keep my data "safe". What worries me is my laptop being lost/stolen someday and my data being pried at by whoever. I have broken some password-protected Windows systems myself, so I know EFS is pretty easy to overcome. I also prefer not to have any software-based solution, to avoid delays, incompatibilities and bugs.
So back to my question, can anyone elaborate a little on how to activate the hardware encryption in the Sony VPC-SAxxx models?
Thanks!
-
This should be activatable by enabling the password in BIOS (I always mix which one is the Disk FDE password and which is something else)
There is a considerable issue with that FDE encryption. The entire disk is encrypted with the same key/salt. On an SSD, this is not much of an issue (since data is not always in the same place, and one cannot assume what LBA a PBA actually is before testing the password), but on an HDD every sector has a specific purpose and is easier to crack. -
Are you saying that by enabling the BIOS password the full disk is being encrypted? I don't think so. If you open the hatch and connect such a disk to another PC you can surely read it -
There are 2 passwords in BIOS - one is for the HDD, one is for the BIOS or something.
The disk, IF it supports encryption, is always actually encrypted with a random data encryption key (DEK). That key (DEK) is encrypted with a key-encryption-key (KEK) and stored in a known place on the HDD (internal, not the data blocks).
By default, the KEK is known, i.e. NULL, so anyone can read the disk. If the password is set in BIOS, the KEK is changed to it and a password is required.
That is all FDE on the disks/SSDs does. It changes the KEK.
If the disk does not actually support FDE internally ("in disk hardware"), then the password is just a password on that machine I think and you can read the disk anywhere. -
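The DEK/KEK arrangement described in the post above, as an added worked example that is not from the thread: a small software model of a self-encrypting drive. Sectors are always stored as ciphertext under a random DEK; the BIOS/ATA password only changes the KEK that wraps the DEK, which is why "enabling" the password is instant and why a factory drive (NULL password) opens for anyone. The PBKDF2 key derivation, the XOR wrap and the HMAC-SHA256 counter-mode keystream are standard-library stand-ins for the drive's real AES firmware; those, the constant names and the class itself are assumptions of this example.

```python
import hashlib
import hmac
import os

# Added example, not from the thread. The KDF, wrap and data cipher below are
# standard-library stand-ins (assumption); a real SED uses AES in firmware.

NULL_PASSWORD = b""  # factory state: the "known" password, so anyone can unlock


def kek_from_password(password: bytes, salt: bytes) -> bytes:
    """Derive the key-encryption key from the BIOS/ATA password (PBKDF2 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000, dklen=32)


def keystream(key: bytes, label: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a PRF-based stream cipher standing in for AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingDrive:
    """Model of an SED: sectors are always encrypted under a random DEK that never
    leaves the drive; the password only decides who can unwrap that DEK."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.sectors = {}            # lba -> ciphertext; plaintext is never stored
        self._session_dek = None     # None = locked, the power-on state
        self._new_dek()
        self._wrap(NULL_PASSWORD)    # ships wrapped under the NULL KEK

    def _new_dek(self):
        self._dek = os.urandom(32)
        self._check = hmac.new(self._dek, b"check", "sha256").digest()

    def _wrap(self, password: bytes):
        kek = kek_from_password(password, self.salt)
        self.wrapped_dek = xor(self._dek, keystream(kek, b"wrap", 32))

    def unlock(self, password: bytes) -> bool:
        """ATA SECURITY UNLOCK: unwrap the DEK with the KEK derived from the password."""
        kek = kek_from_password(password, self.salt)
        dek = xor(self.wrapped_dek, keystream(kek, b"wrap", 32))
        if not hmac.compare_digest(hmac.new(dek, b"check", "sha256").digest(), self._check):
            return False
        self._session_dek = dek
        return True

    def power_cycle(self):
        self._session_dek = None     # the drive locks again when power is removed

    def write(self, lba: int, data: bytes):
        if self._session_dek is None:
            raise PermissionError("drive is locked")
        self.sectors[lba] = xor(data, keystream(self._session_dek, lba.to_bytes(8, "big"), len(data)))

    def read(self, lba: int) -> bytes:
        if self._session_dek is None:
            raise PermissionError("drive is locked")
        ct = self.sectors[lba]
        return xor(ct, keystream(self._session_dek, lba.to_bytes(8, "big"), len(ct)))

    def set_password(self, old: bytes, new: bytes) -> int:
        """ATA SECURITY SET PASSWORD: re-wrap the DEK under a new KEK.
        Returns how many sectors were rewritten, which is always 0."""
        if not self.unlock(old):
            raise PermissionError("wrong current password")
        self._wrap(new)
        return 0

    def secure_erase(self):
        """Crypto-erase: throw the DEK away. The old ciphertext is still on the
        media but is now encrypted under a key nobody has."""
        self._new_dek()
        self._wrap(NULL_PASSWORD)
        self._session_dek = None


if __name__ == "__main__":
    drive = SelfEncryptingDrive()
    drive.unlock(NULL_PASSWORD)                      # factory drive: opens with no password
    drive.write(0, b"secret tax return")
    drive.set_password(NULL_PASSWORD, b"hunter2")    # instant: no sector is touched
    drive.power_cycle()
    print("wrong password unlocks:", drive.unlock(b"wrong"))
    print("right password unlocks:", drive.unlock(b"hunter2"), drive.read(0))
```

The thing to take from the model is the return value of `set_password`: zero sectors rewritten. That matches the post's point that only the KEK changes, and it is also why a crypto-erase (new DEK) is as fast as setting a password.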
So according to what you say, an (FDE-supporting) disk is always encrypted internally, just the KEK may not be. If so, I deduce that encrypting an entire disk that is not yet encrypted wouldn't take a lot of time, since only the KEK needs to be encrypted, not the actual data, am I correct?
What are the odds of a modern disk to support FDE? -
Correct: since there is no actual encryption of the data itself, it is virtually instant. This is what the Secure Erase command does, for example.
I think literally all SATA SSDs support this form of FDE, as do many enterprise HDDs. I don't know about regular HDDs.
I don't know of a way to change the DEK on any drive frankly. Doing so would obviously render the current data useless, but if the intent is to format the drive, that is not an issue. Otherwise, I don't personally trust those passwords - they are manufacturer generated, and nothing really prevents them from actually knowing them -
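A way to answer "does my drive support this, and is the BIOS password actually set on it?" from Linux, as an added example that is not part of the thread: parse the `Security:` block of `hdparm -I` and turn the flags into the next `hdparm` command to run. The sample output is constructed to resemble what `hdparm -I /dev/sdX` prints for a drive that implements the ATA Security feature set; real output varies by drive and firmware. The `--user-master`, `--security-set-pass`, `--security-unlock` and `--security-erase-enhanced` options are real `hdparm` flags; `/dev/sdX`, `PASSWORD` and the function names are placeholders of this example.

```python
# Added example, not from the thread. SAMPLE_HDPARM_I is constructed text in the
# shape of `hdparm -I` output; run the real command and feed its output instead.

SAMPLE_HDPARM_I = (
    "ATA device, with non-removable media\n"
    "\tModel Number:       EXAMPLE SSD 256GB\n"
    "Commands/features:\n"
    "\tEnabled\tSupported:\n"
    "\t   *\tSMART feature set\n"
    "\t   *\tSecurity Mode feature set\n"
    "Security: \n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\tnot\tenabled\n"
    "\tnot\tlocked\n"
    "\t\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.\n"
    "Checksum: correct\n"
)

# Constructed output for a drive without the ATA Security feature set at all.
SAMPLE_NO_SECURITY = (
    "ATA device, with non-removable media\n"
    "\tModel Number:       EXAMPLE OLD HDD\n"
    "Checksum: correct\n"
)

FLAGS = ("supported", "enabled", "locked", "frozen", "expired", "enhanced_erase")


def parse_security(hdparm_output: str) -> dict:
    """Return the ATA Security flags from `hdparm -I` text.
    Lines in the block read either '\\t\\tflag' or '\\tnot\\tflag'.
    No 'Security:' block at all means the feature set is not supported."""
    state = {flag: False for flag in FLAGS}
    in_section = False
    for raw in hdparm_output.splitlines():
        if raw.startswith("Security:"):
            in_section = True
            continue
        if in_section and raw and not raw[0].isspace():
            break                                   # reached the next top-level heading
        if not in_section:
            continue
        tokens = raw.split()
        if not tokens or tokens[0] == "Master":     # skip the revision-code line
            continue
        negated = tokens[0] == "not"
        name = tokens[1] if negated else tokens[0]
        if name == "supported:" and "enhanced" in tokens:
            state["enhanced_erase"] = not negated
        elif name.rstrip(":") in state:
            state[name.rstrip(":")] = not negated
    return state


def next_steps(state: dict, dev: str = "/dev/sdX") -> list:
    """Map the flags to what to do next. The hdparm options are real; dev and
    PASSWORD are placeholders to fill in."""
    if not state["supported"]:
        return ["ATA Security not supported: a BIOS HDD password cannot lock this drive itself"]
    steps = []
    if state["frozen"]:
        steps.append("drive is frozen by BIOS/OS: suspend-resume or hot-plug it before "
                     "hdparm security commands will be accepted")
    if state["locked"]:
        steps.append(f"hdparm --user-master u --security-unlock PASSWORD {dev}")
    elif not state["enabled"]:
        steps.append(f"hdparm --user-master u --security-set-pass PASSWORD {dev}")
    if state["enhanced_erase"]:
        steps.append(f"hdparm --user-master u --security-erase-enhanced PASSWORD {dev}  # crypto-erase")
    return steps


if __name__ == "__main__":
    for sample in (SAMPLE_HDPARM_I, SAMPLE_NO_SECURITY):
        flags = parse_security(sample)
        print(flags)
        for step in next_steps(flags):
            print("  ", step)
```

Two caveats worth knowing before trusting the result. First, `hdparm -I` only reports the ATA Security feature set (the password lock); it does not tell you whether the data behind that lock is actually encrypted, which requires the drive to be a self-encrypting drive (for TCG Opal drives, `sedutil-cli --scan` reports that separately). Second, `enabled` plus `locked` is enforced by the drive itself, so a drive with the user password set stays locked when moved to another machine; what the BIOS password on a given laptop does with it depends on the BIOS passing that password to the drive.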
Enable both the system and user password in the BIOS. Install the OS using the system password and then use the user password post-OS-install. Do note though that hardware encryption on SSDs is usually 256-bit AES and that the NSA has a universal key, so try setting up the drives in RAID 0 mode and have the OS (system password) validate the hardware function enabled per MS 1284.4 specifications.
This forces even the NSA to rely on brute-forcing, which for 256-bit AES would take them decades even on the most powerful enterprise rigs available today. -
Universal key? Do you mean the manufacturers give them all keys to all drives, or that all drives have the same key?
I sure doubt it is the second one, though considering how few people even try to use FDE, I would not be surprised. -
Universal key to ALL aes encryption. ALL drives...
-
HOWTO: hardware encrypt HDD?
Discussion in 'VAIO / Sony' started by m.susc, Apr 11, 2013.