How to enable SSD encryption?
I just bought a Samsung EVO 840, which supports AES-256 encryption.
Reading the very little documentation that I could find about SSD encryption, I found that I have to enter my BIOS, go to the security tab, select HDD encryption, and set a password. The problem is my BIOS, Medion MS-7728, under the security tab, only has two options: Admin password, User password.
I couldn't find any specs of that BIOS where I could read if it doesn't support HDD encryption, or if it does and I just have to update the controller.
Do I have to update the controller so the BIOS recognizes the HDD encryption? And if not, what alternatives do I have to set up a password for my SSD?
encryption aes disk-encryption bios
migrated from security.stackexchange.com Dec 1 '15 at 18:58
This question came from our site for information security professionals.
The core of this question seems to be about configuring your bios, rather than about the encryption itself. I'm voting to move it to another site where this sort of thing is more on-topic.
– Mike Ounsworth
Dec 1 '15 at 18:14
If you tell me what site I should place this question, I will be pleased to delete this question and re-post it on the other site.
– Nathan
Dec 1 '15 at 18:22
asked Dec 1 '15 at 18:07
Nathan
1 Answer
I don't think your Medion motherboard/BIOS supports it. I think you'll need a newer BIOS or motherboard, and a laptop looks more likely to support it.
I did find a BIOS Update page on medion.com for Version: 2.09, System: Win 7 64bit, Release date: 11.01.2012, but it looks like the Samsung SSD 840 EVO was released in 2013, so it just may not be supported by your motherboard's update either...
But VxLabs' SSDs with usable built-in hardware-based full disk encryption page tells me:
Information on this is incredibly hard to find
In some cases, the manufacturer uses the HDD password or ATA password (configurable via many laptop BIOSes, very few desktop BIOSes, or the ATASX BIOS extension) to encrypt the AES keys.
That last link sounds like a solution, at least for an AMI-BIOS. I don't think that's what you've got, so I don't think you can enable it. Or perhaps it already is enabled, but you can't change the password so it's always "unlocked" :-(
Here's some red herring info I dug up, on the way to the conclusion above.
I thought it was a feature that can be used by software encryption programs, like dm-crypt/cryptsetup/BitLocker/FileVault/truecrypt, etc... after reading about it, it sounds nearly identical to a LUKS volume, where the "random" key is used to encrypt the whole drive, and a user password & master password can be set to unlock the drive, and erasing the "random" key renders the drive effectively locked "forever."
But reading the Security Encryption Brochure (that's pretty thick with "marketingspeak") on your link I didn't think it had anything to do with any BIOS settings, or really any settings on your computer. I'm not even sure if you would type in a password when you turn it on, it sounds more like a remotely managed system where the keys are set & verified by a remote server, so only the "safe" drives are allowed to decrypt & work, and any that try to turn on at the wrong time or place remain locked.
The brochure says:
Samsung offers Self-Encrypting Drives (SEDs) which
are hardware-encrypted and automatically encrypt or decrypt all data
transferred to and from the SSDs.
So it didn't sound like it had anything to do with any software running at all. But that wouldn't make much sense unless you used an actual physical key to unlock the drive, and that wouldn't be very convenient. Reading further:
Invisible to the user, hardware encryption built directly into the
drive electronics maximizes performance. In contrast, software
encryption burdens the central processing unit (CPU) and lowers
performance. Hardware-based SED encryption includes a built-in circuit
in the controller chip that automatically encrypts all data
transferred to the storage device. With hardware-based encryption, the
drive controller encrypts and decrypts all data
...
hardware-based
encryption is performed in the actual hardware, and user
authentication is performed by the drive before it unlocks,
independent of the operating system (OS).
...
in collaboration with independent
software vendors (ISVs) who provide security management tools
for SEDs, Samsung provides SEDs that are compliant with the TCG
Opal specification, developed by the Trusted Computing Group, and
the IEEE 1667 standards, as supported (for example) by Microsoft
BitLocker in Windows 8.
...
Safeguard access to data with Wave Cloud and Wave Embassy Remote Administration Server (ERAS)
Wave Systems is an ISV that offers secure data access control on
mobile platforms, access to the cloud and safe network logon with
users’ personal devices. Wave System solutions augment Samsung
SED security technology by Managing authorized users’ access to
the drives and data is where Wave comes in.
So it sounded like a large business / enterprise level system. But reading Samsung's Whitepaper 06- Protect Your Privacy - Security & Encryption Basics reads:
While they do feature SED technology, the 840 and 840 Pro Series SSDs do not support the OPAL storage specification management interface. OPAL drives are geared towards enterprises that need to manage security protocols and want to have advanced control over authentication. With third-party software support, IT managers can set detailed security provisions to restrict access by partition, physical location of the laptop, etc. Anyone interested in this level of security management should research enterprise-class TCG/OPAL SED options.
Someone who wants to manage a personal machine or an SMB that depends on its employees to handle most of their own IT support, however, will find that the SED feature of Samsung’s 840 and 840 Pro Series SSDs is well-suited to their needs. These SSDs offer basic, yet robust, security with minimal effort and expense.
Enabling AES Encryption
AES encryption is always active on an 840 or 840 Pro Series SSD. In order to benefit from the encryption feature, however, the user must enable an ATA password to limit access to the data. Failure to do so will render AES-encryption ineffective – akin to having a safe but leaving the door wide open. To set an ATA password, simply access the BIOS, navigate to the “Security” menu, enable “Password on boot” and set an “HDD Password.” Administrators also have the option of setting a “Master Password,” which can allow a lost user password (“HDD Password”) to be recovered. The “Master Password” may also be used to unlock and/or erase the drive (depending on the settings), effectively destroying, and thus protecting, the data but allowing the drive to be reused. The setup procedure may differ slightly depending on the BIOS version installed on a particular machine. It is best to consult the user manual if there is any confusion.
- Probably not helpful, but Lenovo ThinkPads are supposed to automatically show the hard drive encryption options in their BIOS when a qualifying drive is present, and there's a utility to force the options to appear.
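Added example, not part of the original answer: when the BIOS shows no HDD password menu, the drive itself can still report whether an ATA password is set, which is what decides whether the always-on AES encryption described in the whitepaper protects anything. The script below classifies the Security section of `hdparm -I` output. It assumes a Linux host with hdparm installed; the function names are hypothetical and the sample text is constructed.

```shell
#!/bin/sh
# Added example: classify the ATA Security state reported by `hdparm -I`.
# ata_security_state and sample_hdparm are hypothetical helper names.

# Reads `hdparm -I` text on stdin and prints exactly one word:
#   unsupported         no ATA Security feature set reported
#   no-password         no HDD (user) password set, security commands accepted
#   no-password-frozen  no password set, and firmware froze the security state
#                       (password commands are rejected until a power cycle)
#   password-set        HDD password set, drive currently unlocked
#   locked              HDD password set, drive currently locked
ata_security_state() {
    awk '
        /^Security:/        { insec = 1; next }
        insec && /^[^ \t]/  { insec = 0 }   # next unindented header ends the section
        insec {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            val = "yes"
            if (line ~ /^not[ \t]+/) { val = "no"; sub(/^not[ \t]+/, "", line) }
            # Exact match, so "supported: enhanced erase" is not read as "supported".
            if (line == "supported" || line == "enabled" ||
                line == "locked"    || line == "frozen") {
                state[line] = val
            }
        }
        END {
            if (state["supported"] != "yes") {
                print "unsupported"
            } else if (state["enabled"] != "yes") {
                if (state["frozen"] == "yes") {
                    print "no-password-frozen"
                } else {
                    print "no-password"
                }
            } else if (state["locked"] == "yes") {
                print "locked"
            } else {
                print "password-set"
            }
        }
    '
}

# Constructed sample shaped like the Security section of `hdparm -I` output.
# $1 and $2 are "not" or "" and prefix the "enabled" and "frozen" lines.
sample_hdparm() {
    printf 'ATA device, with non-removable media\n'
    printf '\tModel Number:       EXAMPLE SSD (constructed sample)\n'
    printf 'Security: \n'
    printf '\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n'
    printf '\t%s\tenabled\n' "$1"
    printf '\tnot\tlocked\n'
    printf '\t%s\tfrozen\n' "$2"
    printf '\tnot\texpired: security count\n'
    printf '\t\tsupported: enhanced erase\n'
    printf 'Checksum: correct\n'
}

# Demo on the constructed samples. On a real Linux host (as root):
#   hdparm -I /dev/sdX | ata_security_state
sample_hdparm not ""  | ata_security_state
sample_hdparm ""  ""  | ata_security_state
```

A result of `no-password` or `no-password-frozen` is the "safe with the door wide open" case from the whitepaper: the data is encrypted on flash, but the drive unlocks for anyone.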
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1007792%2fhow-to-enable-ssd-encryption%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
I don't think your Medion motherboard/BIOS supports it. I think you'll need a newer BIOS or motherboard, and a laptop looks more likely to support it.
I did find a BIOS Update page on medion.com for Version:2.09 , System:Win 7 64bit , Release date:11.01.2012
but it looks like the Samsung SSD 840 EVO was released in 2013, so it just may not be supported by your motherboard's update either...
But VxLabs' SSDs with usable built-in hardware-based full disk encryption page tells me:
Information on this is incredibly hard to find
In some cases, the manufacterer uses the HDD password or ATA password (configurable via many laptop BIOSes, very few desktop BIOSes, or the ATASX BIOS extension) to encrypt the AES keys.
That last link sounds like a solution, at least for an AMI-BIOS. I don't think that's what you've got, so I don't think you can enable it. Or perhaps it already is enabled, but you can't change the password so it's always "unlocked" :-(
Here's some red herring info I dug up, on the way to the conclusion above.
I thought it was a feature that can be used by software encryption programs, like dm-crypt/cryptsetup/BitLocker/FileVault/truecrypt, etc... after reading about it, it sounds nearly identical to a LUKS volume, where the "random" key is used to encrypt the whole drive, and a user password & master password can be set to unlock the drive, and erasing the "random" key renders the drive effectively locked "forever."
But reading the Security Encryption Brochure (that's pretty thick with "marketingspeak") on your link I did't think it had anything to do with any BIOS settings, or really any settings on your computer. I'm not even sure if you would type in a password when you turn it on, it sounds more like a remotely managed system where the keys are set & verified by a remote server, so only the "safe" drives are allowed to decrypt & work, and any that try to turn on at the wrong time or place remain locked.
The brochure says:
Samsung offers Self-Encrypting Drives (SEDs) which
are hardware-encrypted and automatically encrypt or decrypt all data
transferred to and from the SSDs.
So it didn't sound like it had anything to do with any software running at all. But that wouldn't make much sense unless you used an actual physical key to unlock the drive, and that wouldn't be very convenient. Reading further:
Invisible to the user, hardware encryption built directly into the
drive electronics maximizes performance. In contrast, software
encryption burdens the central processing unit (CPU) and lowers
performance. Hardware-based SED encryption includes a built-in circuit
in the controller chip that automatically encrypts all data
transferred to the storage device. With hardwarebased encryption, the
drive controller encrypts and decrypts all data
...
hardware-based
encryption is performed in the actual hardware, and user
authentication is performed by the drive before it unlocks,
independent of the operating system (OS).
...
in collaboration with independent
software vendors (ISVs) who provide security management tools
for SEDs, Samsung provides SEDs that are compliant with the TCG
Opal specification, developed by the Trusted Computing Group, and
the IEEE 1667 standards, as supported (for example) by Microsoft
BitLocker in Windows 8.
...
Safeguard access to data with Wave Cloud and Wave Embassy Remote Administration Server (ERAS)
Wave Systems is an ISV that offers secure data access control on
mobile platforms, access to the cloud and safe network logon with
users’ personal devices. Wave System solutions augment Samsung
SED security technology by Managing authorized users’ access to
the drives and data is where Wave comes in.
So it sounded like a large business / enterprise level system. But reading Samsung's Whitepaper 06- Protect Your Privacy - Security & Encryption Basics reads:
While they do feature SED technology, the 840 and 840 Pro Series SSDs do not support the OPAL storage specification management interface. OPAL drives are geared towards enterprises that need to manage security protocols and want to have advanced control over authentication. With third-party software support, IT managers can set detailed security provisions to restrict access by partition, physical location of the laptop, etc. Anyone interested in this level of security management should research enterprise-class TCG/OPAL SED options.
Someone who wants to manage a personal machine or an SMB that depends on its employees to handle most of their own IT support, however, will find that the SED feature of Samsung’s 840 and 840 Pro Series SSDs is well-suited to their needs. These SSDs offer basic, yet robust, security with minimal effort and expense.
Enabling AES Encryption
AES encryption is always active on an 840 or 840 Pro Series SSD. In order to benefit from the encryption feature, however, the user must enable an ATA password to limit access to the data. Failure to do so will render AES-encryption ineffective – akin to having a safe but leaving the door wide open. To set an ATA password, simply access the BIOS, navigate to the “Security” menu, enable “Password on boot” and set an “HDD Password.” Administrators also have the option of setting a “Master Password,” which can allow a lost user password (“HDD Password) to be recovered. The “Master Password” may also be used to unlock and/or erase the drive (depending on the settings), effectively destroying, and thus protecting, the data but allowing the drive to be reused. The setup procedure may differ slightly depending on the BIOS version installed on a particular machine. It is best to consult the user manual if there is any confusion.
- Probably not helpful, but Lenovo ThinkPads are supposed to automatically show the hard drive encryption options in their BIOS when a qualifying drive is present, and there's a utility to force the options to appear.
add a comment |
I don't think your Medion motherboard/BIOS supports it. I think you'll need a newer BIOS or motherboard, and a laptop looks more likely to support it.
I did find a BIOS Update page on medion.com for Version:2.09 , System:Win 7 64bit , Release date:11.01.2012
but it looks like the Samsung SSD 840 EVO was released in 2013, so it just may not be supported by your motherboard's update either...
But VxLabs' SSDs with usable built-in hardware-based full disk encryption page tells me:
Information on this is incredibly hard to find
In some cases, the manufacterer uses the HDD password or ATA password (configurable via many laptop BIOSes, very few desktop BIOSes, or the ATASX BIOS extension) to encrypt the AES keys.
That last link sounds like a solution, at least for an AMI-BIOS. I don't think that's what you've got, so I don't think you can enable it. Or perhaps it already is enabled, but you can't change the password so it's always "unlocked" :-(
Here's some red herring info I dug up, on the way to the conclusion above.
I thought it was a feature that can be used by software encryption programs, like dm-crypt/cryptsetup/BitLocker/FileVault/truecrypt, etc... after reading about it, it sounds nearly identical to a LUKS volume, where the "random" key is used to encrypt the whole drive, and a user password & master password can be set to unlock the drive, and erasing the "random" key renders the drive effectively locked "forever."
But reading the Security Encryption Brochure (that's pretty thick with "marketingspeak") on your link I did't think it had anything to do with any BIOS settings, or really any settings on your computer. I'm not even sure if you would type in a password when you turn it on, it sounds more like a remotely managed system where the keys are set & verified by a remote server, so only the "safe" drives are allowed to decrypt & work, and any that try to turn on at the wrong time or place remain locked.
The brochure says:
Samsung offers Self-Encrypting Drives (SEDs) which
are hardware-encrypted and automatically encrypt or decrypt all data
transferred to and from the SSDs.
So it didn't sound like it had anything to do with any software running at all. But that wouldn't make much sense unless you used an actual physical key to unlock the drive, and that wouldn't be very convenient. Reading further:
Invisible to the user, hardware encryption built directly into the
drive electronics maximizes performance. In contrast, software
encryption burdens the central processing unit (CPU) and lowers
performance. Hardware-based SED encryption includes a built-in circuit
in the controller chip that automatically encrypts all data
transferred to the storage device. With hardwarebased encryption, the
drive controller encrypts and decrypts all data
...
hardware-based
encryption is performed in the actual hardware, and user
authentication is performed by the drive before it unlocks,
independent of the operating system (OS).
...
in collaboration with independent
software vendors (ISVs) who provide security management tools
for SEDs, Samsung provides SEDs that are compliant with the TCG
Opal specification, developed by the Trusted Computing Group, and
the IEEE 1667 standards, as supported (for example) by Microsoft
BitLocker in Windows 8.
...
Safeguard access to data with Wave Cloud and Wave Embassy Remote Administration Server (ERAS)
Wave Systems is an ISV that offers secure data access control on
mobile platforms, access to the cloud and safe network logon with
users’ personal devices. Wave System solutions augment Samsung
SED security technology by Managing authorized users’ access to
the drives and data is where Wave comes in.
So it sounded like a large business / enterprise level system. But reading Samsung's Whitepaper 06- Protect Your Privacy - Security & Encryption Basics reads:
While they do feature SED technology, the 840 and 840 Pro Series SSDs do not support the OPAL storage specification management interface. OPAL drives are geared towards enterprises that need to manage security protocols and want to have advanced control over authentication. With third-party software support, IT managers can set detailed security provisions to restrict access by partition, physical location of the laptop, etc. Anyone interested in this level of security management should research enterprise-class TCG/OPAL SED options.
Someone who wants to manage a personal machine or an SMB that depends on its employees to handle most of their own IT support, however, will find that the SED feature of Samsung’s 840 and 840 Pro Series SSDs is well-suited to their needs. These SSDs offer basic, yet robust, security with minimal effort and expense.
Enabling AES Encryption
AES encryption is always active on an 840 or 840 Pro Series SSD. In order to benefit from the encryption feature, however, the user must enable an ATA password to limit access to the data. Failure to do so will render AES-encryption ineffective – akin to having a safe but leaving the door wide open. To set an ATA password, simply access the BIOS, navigate to the “Security” menu, enable “Password on boot” and set an “HDD Password.” Administrators also have the option of setting a “Master Password,” which can allow a lost user password (“HDD Password) to be recovered. The “Master Password” may also be used to unlock and/or erase the drive (depending on the settings), effectively destroying, and thus protecting, the data but allowing the drive to be reused. The setup procedure may differ slightly depending on the BIOS version installed on a particular machine. It is best to consult the user manual if there is any confusion.
- Probably not helpful, but Lenovo ThinkPads are supposed to automatically show the hard drive encryption options in their BIOS when a qualifying drive is present, and there's a utility to force the options to appear.
add a comment |
I don't think your Medion motherboard/BIOS supports it. I think you'll need a newer BIOS or motherboard, and a laptop looks more likely to support it.
I did find a BIOS Update page on medion.com for Version:2.09 , System:Win 7 64bit , Release date:11.01.2012
but it looks like the Samsung SSD 840 EVO was released in 2013, so it just may not be supported by your motherboard's update either...
But VxLabs' SSDs with usable built-in hardware-based full disk encryption page tells me:
Information on this is incredibly hard to find
In some cases, the manufacterer uses the HDD password or ATA password (configurable via many laptop BIOSes, very few desktop BIOSes, or the ATASX BIOS extension) to encrypt the AES keys.
That last link sounds like a solution, at least for an AMI-BIOS. I don't think that's what you've got, so I don't think you can enable it. Or perhaps it already is enabled, but you can't change the password so it's always "unlocked" :-(
Here's some red herring info I dug up, on the way to the conclusion above.
I thought it was a feature that can be used by software encryption programs, like dm-crypt/cryptsetup/BitLocker/FileVault/truecrypt, etc... after reading about it, it sounds nearly identical to a LUKS volume, where the "random" key is used to encrypt the whole drive, and a user password & master password can be set to unlock the drive, and erasing the "random" key renders the drive effectively locked "forever."
But reading the Security Encryption Brochure (that's pretty thick with "marketingspeak") on your link I did't think it had anything to do with any BIOS settings, or really any settings on your computer. I'm not even sure if you would type in a password when you turn it on, it sounds more like a remotely managed system where the keys are set & verified by a remote server, so only the "safe" drives are allowed to decrypt & work, and any that try to turn on at the wrong time or place remain locked.
The brochure says:
Samsung offers Self-Encrypting Drives (SEDs) which
are hardware-encrypted and automatically encrypt or decrypt all data
transferred to and from the SSDs.
So it didn't sound like it had anything to do with any software running at all. But that wouldn't make much sense unless you used an actual physical key to unlock the drive, and that wouldn't be very convenient. Reading further:
Invisible to the user, hardware encryption built directly into the
drive electronics maximizes performance. In contrast, software
encryption burdens the central processing unit (CPU) and lowers
performance. Hardware-based SED encryption includes a built-in circuit
in the controller chip that automatically encrypts all data
transferred to the storage device. With hardwarebased encryption, the
drive controller encrypts and decrypts all data
...
hardware-based
encryption is performed in the actual hardware, and user
authentication is performed by the drive before it unlocks,
independent of the operating system (OS).
...
in collaboration with independent
software vendors (ISVs) who provide security management tools
for SEDs, Samsung provides SEDs that are compliant with the TCG
Opal specification, developed by the Trusted Computing Group, and
the IEEE 1667 standards, as supported (for example) by Microsoft
BitLocker in Windows 8.
...
Safeguard access to data with Wave Cloud and Wave Embassy Remote Administration Server (ERAS)
Wave Systems is an ISV that offers secure data access control on
mobile platforms, access to the cloud and safe network logon with
users’ personal devices. Wave System solutions augment Samsung
SED security technology by Managing authorized users’ access to
the drives and data is where Wave comes in.
So it sounded like a large business / enterprise level system. But reading Samsung's Whitepaper 06- Protect Your Privacy - Security & Encryption Basics reads:
While they do feature SED technology, the 840 and 840 Pro Series SSDs do not support the OPAL storage specification management interface. OPAL drives are geared towards enterprises that need to manage security protocols and want to have advanced control over authentication. With third-party software support, IT managers can set detailed security provisions to restrict access by partition, physical location of the laptop, etc. Anyone interested in this level of security management should research enterprise-class TCG/OPAL SED options.
Someone who wants to manage a personal machine or an SMB that depends on its employees to handle most of their own IT support, however, will find that the SED feature of Samsung’s 840 and 840 Pro Series SSDs is well-suited to their needs. These SSDs offer basic, yet robust, security with minimal effort and expense.
Enabling AES Encryption
AES encryption is always active on an 840 or 840 Pro Series SSD. In order to benefit from the encryption feature, however, the user must enable an ATA password to limit access to the data. Failure to do so will render AES-encryption ineffective – akin to having a safe but leaving the door wide open. To set an ATA password, simply access the BIOS, navigate to the “Security” menu, enable “Password on boot” and set an “HDD Password.” Administrators also have the option of setting a “Master Password,” which can allow a lost user password (“HDD Password) to be recovered. The “Master Password” may also be used to unlock and/or erase the drive (depending on the settings), effectively destroying, and thus protecting, the data but allowing the drive to be reused. The setup procedure may differ slightly depending on the BIOS version installed on a particular machine. It is best to consult the user manual if there is any confusion.
- Probably not helpful, but Lenovo ThinkPads are supposed to automatically show the hard drive encryption options in their BIOS when a qualifying drive is present, and there's a utility to force the options to appear.
I don't think your Medion motherboard/BIOS supports it. I think you'll need a newer BIOS or motherboard, and a laptop looks more likely to support it.
I did find a BIOS Update page on medion.com for Version:2.09 , System:Win 7 64bit , Release date:11.01.2012
but it looks like the Samsung SSD 840 EVO was released in 2013, so it just may not be supported by your motherboard's update either...
But VxLabs' SSDs with usable built-in hardware-based full disk encryption page tells me:
Information on this is incredibly hard to find
In some cases, the manufacterer uses the HDD password or ATA password (configurable via many laptop BIOSes, very few desktop BIOSes, or the ATASX BIOS extension) to encrypt the AES keys.
That last link sounds like a solution, at least for an AMI-BIOS. I don't think that's what you've got, so I don't think you can enable it. Or perhaps it already is enabled, but you can't change the password so it's always "unlocked" :-(
Here's some red herring info I dug up, on the way to the conclusion above.
I thought it was a feature that can be used by software encryption programs, like dm-crypt/cryptsetup/BitLocker/FileVault/truecrypt, etc... after reading about it, it sounds nearly identical to a LUKS volume, where the "random" key is used to encrypt the whole drive, and a user password & master password can be set to unlock the drive, and erasing the "random" key renders the drive effectively locked "forever."
But reading the Security Encryption Brochure (that's pretty thick with "marketingspeak") on your link I didn't think it had anything to do with any BIOS settings, or really any settings on your computer. I'm not even sure if you would type in a password when you turn it on, it sounds more like a remotely managed system where the keys are set & verified by a remote server, so only the "safe" drives are allowed to decrypt & work, and any that try to turn on at the wrong time or place remain locked.
The brochure says:
Samsung offers Self-Encrypting Drives (SEDs) which are hardware-encrypted and automatically encrypt or decrypt all data transferred to and from the SSDs.
So it didn't sound like it had anything to do with any software running at all. But that wouldn't make much sense unless you used an actual physical key to unlock the drive, and that wouldn't be very convenient. Reading further:
Invisible to the user, hardware encryption built directly into the drive electronics maximizes performance. In contrast, software encryption burdens the central processing unit (CPU) and lowers performance. Hardware-based SED encryption includes a built-in circuit in the controller chip that automatically encrypts all data transferred to the storage device. With hardware-based encryption, the drive controller encrypts and decrypts all data
...
hardware-based encryption is performed in the actual hardware, and user authentication is performed by the drive before it unlocks, independent of the operating system (OS).
...
in collaboration with independent software vendors (ISVs) who provide security management tools for SEDs, Samsung provides SEDs that are compliant with the TCG Opal specification, developed by the Trusted Computing Group, and the IEEE 1667 standards, as supported (for example) by Microsoft BitLocker in Windows 8.
...
Safeguard access to data with Wave Cloud and Wave Embassy Remote Administration Server (ERAS)
Wave Systems is an ISV that offers secure data access control on mobile platforms, access to the cloud and safe network logon with users’ personal devices. Wave System solutions augment Samsung SED security technology by Managing authorized users’ access to the drives and data is where Wave comes in.
So it sounded like a large business / enterprise level system. But Samsung's Whitepaper 06 - Protect Your Privacy - Security & Encryption Basics reads:
While they do feature SED technology, the 840 and 840 Pro Series SSDs do not support the OPAL storage specification management interface. OPAL drives are geared towards enterprises that need to manage security protocols and want to have advanced control over authentication. With third-party software support, IT managers can set detailed security provisions to restrict access by partition, physical location of the laptop, etc. Anyone interested in this level of security management should research enterprise-class TCG/OPAL SED options.
Someone who wants to manage a personal machine or an SMB that depends on its employees to handle most of their own IT support, however, will find that the SED feature of Samsung’s 840 and 840 Pro Series SSDs is well-suited to their needs. These SSDs offer basic, yet robust, security with minimal effort and expense.
Enabling AES Encryption
AES encryption is always active on an 840 or 840 Pro Series SSD. In order to benefit from the encryption feature, however, the user must enable an ATA password to limit access to the data. Failure to do so will render AES-encryption ineffective – akin to having a safe but leaving the door wide open. To set an ATA password, simply access the BIOS, navigate to the “Security” menu, enable “Password on boot” and set an “HDD Password.” Administrators also have the option of setting a “Master Password,” which can allow a lost user password (“HDD Password”) to be recovered. The “Master Password” may also be used to unlock and/or erase the drive (depending on the settings), effectively destroying, and thus protecting, the data but allowing the drive to be reused. The setup procedure may differ slightly depending on the BIOS version installed on a particular machine. It is best to consult the user manual if there is any confusion.
- Probably not helpful, but Lenovo ThinkPads are supposed to automatically show the hard drive encryption options in their BIOS when a qualifying drive is present, and there's a utility to force the options to appear.
answered Dec 3 '15 at 9:59
Xen2050
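The whitepaper quoted in the answer above says the drive's AES engine only protects data once an ATA (HDD) password is set. The following is an added example, not part of the answer: it reads the "Security:" block printed by the Linux tool `hdparm -I` (a tool the page does not mention; its use here is an assumption) and reports whether a user password is actually in force. The sample text is constructed.

```python
# SAMPLE is constructed for illustration (layout follows `hdparm -I`); it is
# not output captured from the asker's drive.
SAMPLE = """\
ATA device, with non-removable media
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
Checksum: correct
"""

FLAGS = ("supported", "enabled", "locked", "frozen")

def parse_ata_security(identify_text):
    """Return {flag: bool} for the ATA Security feature set ({} if absent)."""
    state, in_section = {}, False
    for line in identify_text.splitlines():
        if line.startswith("Security:"):
            in_section = True
        elif in_section:
            if line and not line[0].isspace():
                break                      # next top-level heading ends the block
            words = line.split()
            negated = words[:1] == ["not"]
            name = " ".join(words[1:] if negated else words)
            if name in FLAGS:
                state[name] = not negated
    return state

def assess(state):
    """Say what the flags mean for a drive whose AES engine is always on."""
    if not state.get("supported"):
        return "ATA security not reported: no HDD password can be set"
    if not state.get("enabled"):
        if state.get("frozen"):
            return "no user password; frozen, so changes are blocked until power cycle"
        return "no user password: encrypted media, but anyone can read it"
    return "user password set; drive currently " + (
        "locked" if state.get("locked") else "unlocked")

if __name__ == "__main__":
    print(assess(parse_ata_security(SAMPLE)))
```

A drive reporting "not enabled" together with "frozen" matches the situation the answer suspects: the firmware never offered a password prompt, and the security state cannot be changed from the running system.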