Self-Encrypting Drive (SED) and S3-suspend (sleep)

Since my laptop is aging, but I love its 4:3 screen, I don't like relying on external media (also no USB 3 ports), and SSDs are too small for my budget, but I want full encryption (previously TrueCrypt, but the CPU doesn't support AES), I decided to go with a Seagate ST1000LM015 1TB SSHD Self-Encrypting Drive.

Now that I was reading about how to set it up, I thought it would be quite straightforward. Only then did I discover that the unlocking is not just a simple firmware function, but that there is an entire unencrypted partition which handles the PBA and has enough space (I think I read 128 MB?) to run a small operating system doing all the unlocking stuff.

What I want to have, though, is S3 suspend mode. I thought about going with sedutil to manage the drive, as it supposedly supports Windows and Linux, and follows the TCG Opal standard. But then I found it doesn't support S3, which seems very logical if you think harder. Then again, I found some software that uses the SED capability and still allows for S3 (WinMagic's SecureDoc, for example). So there clearly is a way! I know the encryption key for this must somehow be cached in RAM, but it is an acceptable risk for me.

Now I was thinking of just using the ATA Security extensions. As I can set a password in the BIOS for the drive, it would also lock the drive. And as I understand it, the ATA Security extensions don't disable S3. But is the data then still encrypted? How is the controller of the hard drive handling this? I know that with normal laptop drives (without SED capability) you can render the hard drive useless with a password enabled, but the data can very easily(!) be recovered by any forensics-specialized company.

Information on this topic is very scarce, and often difficult to prove right or wrong. From my understanding so far, data that is stored on the SED is by default encrypted; only the locking of the drive has to be enabled to make a password necessary.

Can anybody clear some of my questions up? Are there possibilities to have PBA (whether BIOS or a 3rd-party tool) and encryption working? Possibly for both Linux and Windows in dual-boot? But most importantly, I want to have suspend functionality!

Help would be much appreciated, and I hope to get this set up over the weekend.

  • Possible duplicate of How to verify a self-encrypted drive (SED) is really encrypted?
    – Ƭᴇcʜιᴇ007, Feb 12 '16 at 14:02

  • AFAIK the ATA security feature set (password) has nothing to do with encryption. It just provides a way to prevent the drive from being accessed. I even doubt whether the encryption implementations on most drives really add another layer of security. From what I see, what they mainly provide is a quick means of doing a "full erase" of the drive, which is the regeneration of the encryption key. If someone circumvents the ATA security feature set in some way, whether the encryption key will still remain inaccessible is in doubt.
    – Tom Yan, Feb 13 '16 at 0:35

  • Tried asking the manufacturer? Seems almost every drive does things a little differently.
    – Xen2050, Feb 13 '16 at 16:30

  • Yes, definitely seems like it. And those people that you get at the support line usually have no clue what you are talking about. Yes, yes, it is encrypted. No, you don't need to worry, the key is saved encrypted. How? I don't know, but you can be sure it is encrypted. Yeah, that's how it works. So it's better to go with software after all, if you wanna be sure about the implementation!
    – TJJ, Feb 14 '16 at 4:25

Tags: security, sleep, disk-encryption, opal, self-encrypting-drive

edited Jan 15 at 14:11

asked Feb 12 '16 at 13:52
TJJ
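
The thread above turns on two separate mechanisms that are easy to conflate: the ATA Security feature set (the BIOS HDD password), which is an access gate that the drive re-applies on every power loss, and TCG Opal, which is what sedutil drives and what the PBA shadow MBR exists for. Both re-lock when the drive loses power, which is exactly what happens on S3; the difference is who re-sends the credential on resume (the firmware for an ATA password; the OS or a PBA for Opal, for which Linux's sed-opal kernel driver exposes IOC_OPAL_SAVE and sedutil later gained a Linux-only --prepareForS3Sleep option). Whether the ATA password also protects the media encryption key is drive-specific and, as Tom Yan notes, not something the interface itself guarantees. The following Python script is an added example, not code from the original post or from sedutil or hdparm: it parses `hdparm -I` output and reports the ATA Security and Trusted Computing state together with those caveats. The two sample outputs are constructed to match hdparm's layout (the model strings are placeholders), not captured from the ST1000LM015; `read_device()` assumes hdparm is installed and that the script runs as root.

```python
"""Classify a drive's lock state from `hdparm -I` output.

Added example, not from the original Super User post. It parses the
"Security:" block (ATA Security feature set: supported / enabled /
locked / frozen) and checks whether the drive advertises the
"Trusted Computing feature set", i.e. TCG Opal/Enterprise over
TRUSTED SEND/RECEIVE. Both sample outputs below are constructed to
match hdparm's layout; they were not captured from the ST1000LM015.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# ATA Security flags print one per line as "\t\tenabled" or "\tnot\tenabled".
_FLAG_RE = re.compile(r"^\s*(?P<neg>not)?\s*(?P<flag>supported|enabled|locked|frozen)\s*$")
_HEADER_RE = re.compile(r"^\S")  # hdparm section headers start in column 0


@dataclass(frozen=True)
class DriveSecurity:
    ata_supported: bool
    ata_enabled: bool
    ata_locked: bool
    ata_frozen: bool
    tcg_advertised: bool

    def assessment(self) -> list[str]:
        """Plain-language reading of the flags, with the caveats hdparm cannot resolve."""
        notes = []
        if not self.ata_supported:
            notes.append("ATA Security not supported: no BIOS HDD password is possible on this drive.")
        elif not self.ata_enabled:
            notes.append("No ATA password set: the drive comes up unlocked after every power-on.")
        elif self.ata_locked:
            notes.append("ATA password set and drive LOCKED: user-data commands are refused until SECURITY UNLOCK.")
        else:
            notes.append("ATA password set, drive unlocked: it re-locks on every power loss, "
                         "including S3 resume, so the BIOS must re-send the password on wake.")
        if self.ata_frozen:
            notes.append("FROZEN: the BIOS issued SECURITY FREEZE LOCK; the password cannot be changed "
                         "until a power cycle (an S3 suspend/resume usually clears this).")
        if self.tcg_advertised:
            notes.append("Trusted Computing feature set advertised: query Opal state with sedutil-cli --query.")
        else:
            notes.append("No Trusted Computing feature set: any on-drive encryption is vendor-proprietary.")
        notes.append("hdparm cannot show whether the ATA password wraps the media encryption key "
                     "or only gates firmware access; that is drive-specific and must come from the vendor.")
        return notes


def parse_hdparm_identify(text: str) -> DriveSecurity:
    """Parse the text of `hdparm -I <device>`."""
    flags = {name: False for name in ("supported", "enabled", "locked", "frozen")}
    in_security = False
    tcg = False
    for line in text.splitlines():
        if _HEADER_RE.match(line):
            in_security = line.startswith("Security:")
            continue
        if "Trusted Computing feature set" in line:
            tcg = True
        if in_security:
            m = _FLAG_RE.match(line)
            if m:  # "supported: enhanced erase" carries a colon and is deliberately skipped
                flags[m.group("flag")] = m.group("neg") is None
    return DriveSecurity(flags["supported"], flags["enabled"], flags["locked"], flags["frozen"], tcg)


def read_device(dev: str) -> DriveSecurity:
    """Run hdparm against a real device (needs root), e.g. read_device('/dev/sda')."""
    out = subprocess.run(["hdparm", "-I", dev], check=True, capture_output=True, text=True).stdout
    return parse_hdparm_identify(out)


# Constructed sample: SED advertising TCG, ATA security supported but never enabled.
SAMPLE_UNSET = """ATA device, with non-removable media
\tModel Number:       EXAMPLE-SED-1TB
Commands/features:
\tEnabled\tSupported:
\t   *\tSMART feature set
\t    \tSecurity Mode feature set
\t   *\tTrusted Computing feature set
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
Checksum: correct
"""

# Constructed sample: plain (non-TCG) drive with a BIOS password set, still locked.
SAMPLE_LOCKED = """ATA device, with non-removable media
\tModel Number:       EXAMPLE-HDD-1TB
Security:
\tMaster password revision code = 65534
\t\tsupported
\t\tenabled
\t\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
Checksum: correct
"""

if __name__ == "__main__":
    import sys
    state = read_device(sys.argv[1]) if len(sys.argv) > 1 else parse_hdparm_identify(SAMPLE_UNSET)
    print(state)
    for note in state.assessment():
        print(" -", note)
```

Run it as root with a device path to inspect a real drive, or without arguments to see the constructed sample. A `supported / not enabled / not locked / not frozen` result with the Trusted Computing line present is the factory state of an Opal SED: the media is always encrypted under the drive's own key, but nothing gates access until either an ATA password or an Opal locking range is enabled, and only the vendor's documentation (or sedutil's Opal query) can tell you which of the two actually protects that key.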