Self-Encrypting Drive (SED) and S3-suspend (sleep)












3















since my laptop is aging, but I love its 4:3 screen, I don't like relying on external media (also no USB 3 ports), and SSDs are too small for my budget, but I want full encryption (previously truecrypt, but CPU doesn't support AES), I decided to go with a Seagate ST1000LM015 1TB SSHD Self-Encrypting Drive.



Now that I was reading about how setting it up, I thought it to be quite straight-forward. Only then I discovered that the unlocking is not just a simple firmware function, but that there is an entire unencrypted partition which handles the PBA and has enough space (I think I read 128 MB?) to run a small operating system doing all the unlocking stuff.



What I want to have though is S3 suspend mode. I thought about going with sedutil to manage the drive, as it supposedly supports windows and linux, and is according to the OPAL TCG standard. But then I found it doesn't support S3, which seems very logical if you think harder. Then again I found some software that is using the SED capability and still allow for S3 (WinMagic's SecureDoc for example). So there clearly is a way! I know the encryption key for this must somehow be cached in RAM, but it is an acceptable risk for me.



Now I was thinking of just using the ATA Security eXtensions. As I can set a password in BIOS for the drive, it would also lock the drive. And as I understand, the ATA Security eXtensions don't disable S3. But is the data then still encrypted? How is the controller of the harddrive handling this? I know that with normal laptop drives (without SED capability) you can render the harddrive useless with a password enabled, but the data can very easily(!) be recovered by any forensics-specialized company.



Information on this topic is very scarce. And often difficult to prove right or wrong. From my understanding so far, data that is stored on the SED is by default encrypted data, only the locking of the drive has to be enabled to make a password necessary.



Can anybody clear some of my questions up? Are there possibilities to have PBA (whether BIOS or 3rd party tool) and encryption working? Possibly for both linux and windows in dual-boot? But most importantly I want to have suspend functionality!



Help would be much appreciated, and I hope to get this set up over the weekend.










share|improve this question

























  • Possible duplicate of How to verify a self-encrypted drive (SED) is really encrypted?

    – Ƭᴇcʜιᴇ007
    Feb 12 '16 at 14:02






  • 1





    AFAIK the ATA security feature set (password) has nothing to do with encryption. It just provide a way to prevent the drive from being accessed. I even doubt whether the encryption implementations on most drives really added another layer of security. From what I see what they mainly provide is a quick mean to do a "full erase" of the drive, which is the re-generation of the encryption key. If someone circumvent the ATA security feature set in some way, whether the encryption key will still remains unaccessible is in doubt.

    – Tom Yan
    Feb 13 '16 at 0:35











  • Tried asking the manufacturer? Seems almost every drive does things a little differently

    – Xen2050
    Feb 13 '16 at 16:30






  • 1





    Yes, definitely seems like it. And those people that you get at the support line usually have no clue what you are talking about. Yes, yes, it is encrypted. No, you don't need to worry, the key is saved encrypted. How? I don't know, but you can be sure it is encrypted. Yeah, that's how it works. So it's better to go with software after all, if you wanna be sure about the implementation!

    – TJJ
    Feb 14 '16 at 4:25
















3















since my laptop is aging, but I love its 4:3 screen, I don't like relying on external media (also no USB 3 ports), and SSDs are too small for my budget, but I want full encryption (previously truecrypt, but CPU doesn't support AES), I decided to go with a Seagate ST1000LM015 1TB SSHD Self-Encrypting Drive.



Now that I was reading about how setting it up, I thought it to be quite straight-forward. Only then I discovered that the unlocking is not just a simple firmware function, but that there is an entire unencrypted partition which handles the PBA and has enough space (I think I read 128 MB?) to run a small operating system doing all the unlocking stuff.



What I want to have though is S3 suspend mode. I thought about going with sedutil to manage the drive, as it supposedly supports windows and linux, and is according to the OPAL TCG standard. But then I found it doesn't support S3, which seems very logical if you think harder. Then again I found some software that is using the SED capability and still allow for S3 (WinMagic's SecureDoc for example). So there clearly is a way! I know the encryption key for this must somehow be cached in RAM, but it is an acceptable risk for me.



Now I was thinking of just using the ATA Security eXtensions. As I can set a password in BIOS for the drive, it would also lock the drive. And as I understand, the ATA Security eXtensions don't disable S3. But is the data then still encrypted? How is the controller of the harddrive handling this? I know that with normal laptop drives (without SED capability) you can render the harddrive useless with a password enabled, but the data can very easily(!) be recovered by any forensics-specialized company.



Information on this topic is very scarce. And often difficult to prove right or wrong. From my understanding so far, data that is stored on the SED is by default encrypted data, only the locking of the drive has to be enabled to make a password necessary.



Can anybody clear some of my questions up? Are there possibilities to have PBA (whether BIOS or 3rd party tool) and encryption working? Possibly for both linux and windows in dual-boot? But most importantly I want to have suspend functionality!



Help would be much appreciated, and I hope to get this set up over the weekend.










share|improve this question

























  • Possible duplicate of How to verify a self-encrypted drive (SED) is really encrypted?

    – Ƭᴇcʜιᴇ007
    Feb 12 '16 at 14:02






  • 1





    AFAIK the ATA security feature set (password) has nothing to do with encryption. It just provide a way to prevent the drive from being accessed. I even doubt whether the encryption implementations on most drives really added another layer of security. From what I see what they mainly provide is a quick mean to do a "full erase" of the drive, which is the re-generation of the encryption key. If someone circumvent the ATA security feature set in some way, whether the encryption key will still remains unaccessible is in doubt.

    – Tom Yan
    Feb 13 '16 at 0:35











  • Tried asking the manufacturer? Seems almost every drive does things a little differently

    – Xen2050
    Feb 13 '16 at 16:30






  • 1





    Yes, definitely seems like it. And those people that you get at the support line usually have no clue what you are talking about. Yes, yes, it is encrypted. No, you don't need to worry, the key is saved encrypted. How? I don't know, but you can be sure it is encrypted. Yeah, that's how it works. So it's better to go with software after all, if you wanna be sure about the implementation!

    – TJJ
    Feb 14 '16 at 4:25














3












3








3


1






since my laptop is aging, but I love its 4:3 screen, I don't like relying on external media (also no USB 3 ports), and SSDs are too small for my budget, but I want full encryption (previously truecrypt, but CPU doesn't support AES), I decided to go with a Seagate ST1000LM015 1TB SSHD Self-Encrypting Drive.



Now that I was reading about how setting it up, I thought it to be quite straight-forward. Only then I discovered that the unlocking is not just a simple firmware function, but that there is an entire unencrypted partition which handles the PBA and has enough space (I think I read 128 MB?) to run a small operating system doing all the unlocking stuff.



What I want to have though is S3 suspend mode. I thought about going with sedutil to manage the drive, as it supposedly supports windows and linux, and is according to the OPAL TCG standard. But then I found it doesn't support S3, which seems very logical if you think harder. Then again I found some software that is using the SED capability and still allow for S3 (WinMagic's SecureDoc for example). So there clearly is a way! I know the encryption key for this must somehow be cached in RAM, but it is an acceptable risk for me.



Now I was thinking of just using the ATA Security eXtensions. As I can set a password in BIOS for the drive, it would also lock the drive. And as I understand, the ATA Security eXtensions don't disable S3. But is the data then still encrypted? How is the controller of the harddrive handling this? I know that with normal laptop drives (without SED capability) you can render the harddrive useless with a password enabled, but the data can very easily(!) be recovered by any forensics-specialized company.



Information on this topic is very scarce. And often difficult to prove right or wrong. From my understanding so far, data that is stored on the SED is by default encrypted data, only the locking of the drive has to be enabled to make a password necessary.



Can anybody clear some of my questions up? Are there possibilities to have PBA (whether BIOS or 3rd party tool) and encryption working? Possibly for both linux and windows in dual-boot? But most importantly I want to have suspend functionality!



Help would be much appreciated, and I hope to get this set up over the weekend.










share|improve this question
















since my laptop is aging, but I love its 4:3 screen, I don't like relying on external media (also no USB 3 ports), and SSDs are too small for my budget, but I want full encryption (previously truecrypt, but CPU doesn't support AES), I decided to go with a Seagate ST1000LM015 1TB SSHD Self-Encrypting Drive.



Now that I was reading about how setting it up, I thought it to be quite straight-forward. Only then I discovered that the unlocking is not just a simple firmware function, but that there is an entire unencrypted partition which handles the PBA and has enough space (I think I read 128 MB?) to run a small operating system doing all the unlocking stuff.



What I want to have though is S3 suspend mode. I thought about going with sedutil to manage the drive, as it supposedly supports windows and linux, and is according to the OPAL TCG standard. But then I found it doesn't support S3, which seems very logical if you think harder. Then again I found some software that is using the SED capability and still allow for S3 (WinMagic's SecureDoc for example). So there clearly is a way! I know the encryption key for this must somehow be cached in RAM, but it is an acceptable risk for me.



Now I was thinking of just using the ATA Security eXtensions. As I can set a password in BIOS for the drive, it would also lock the drive. And as I understand, the ATA Security eXtensions don't disable S3. But is the data then still encrypted? How is the controller of the harddrive handling this? I know that with normal laptop drives (without SED capability) you can render the harddrive useless with a password enabled, but the data can very easily(!) be recovered by any forensics-specialized company.



Information on this topic is very scarce. And often difficult to prove right or wrong. From my understanding so far, data that is stored on the SED is by default encrypted data, only the locking of the drive has to be enabled to make a password necessary.



Can anybody clear some of my questions up? Are there possibilities to have PBA (whether BIOS or 3rd party tool) and encryption working? Possibly for both linux and windows in dual-boot? But most importantly I want to have suspend functionality!



Help would be much appreciated, and I hope to get this set up over the weekend.







security sleep disk-encryption opal self-encrypting-drive






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 15 at 14:11









͏͏͏

2,62611214




2,62611214










asked Feb 12 '16 at 13:52









TJJTJJ

373116




373116













  • Possible duplicate of How to verify a self-encrypted drive (SED) is really encrypted?

    – Ƭᴇcʜιᴇ007
    Feb 12 '16 at 14:02






  • 1





    AFAIK the ATA security feature set (password) has nothing to do with encryption. It just provide a way to prevent the drive from being accessed. I even doubt whether the encryption implementations on most drives really added another layer of security. From what I see what they mainly provide is a quick mean to do a "full erase" of the drive, which is the re-generation of the encryption key. If someone circumvent the ATA security feature set in some way, whether the encryption key will still remains unaccessible is in doubt.

    – Tom Yan
    Feb 13 '16 at 0:35











  • Tried asking the manufacturer? Seems almost every drive does things a little differently

    – Xen2050
    Feb 13 '16 at 16:30






  • 1





    Yes, definitely seems like it. And those people that you get at the support line usually have no clue what you are talking about. Yes, yes, it is encrypted. No, you don't need to worry, the key is saved encrypted. How? I don't know, but you can be sure it is encrypted. Yeah, that's how it works. So it's better to go with software after all, if you wanna be sure about the implementation!

    – TJJ
    Feb 14 '16 at 4:25



















  • Possible duplicate of How to verify a self-encrypted drive (SED) is really encrypted?

    – Ƭᴇcʜιᴇ007
    Feb 12 '16 at 14:02






  • 1





    AFAIK the ATA security feature set (password) has nothing to do with encryption. It just provide a way to prevent the drive from being accessed. I even doubt whether the encryption implementations on most drives really added another layer of security. From what I see what they mainly provide is a quick mean to do a "full erase" of the drive, which is the re-generation of the encryption key. If someone circumvent the ATA security feature set in some way, whether the encryption key will still remains unaccessible is in doubt.

    – Tom Yan
    Feb 13 '16 at 0:35











  • Tried asking the manufacturer? Seems almost every drive does things a little differently

    – Xen2050
    Feb 13 '16 at 16:30






  • 1





    Yes, definitely seems like it. And those people that you get at the support line usually have no clue what you are talking about. Yes, yes, it is encrypted. No, you don't need to worry, the key is saved encrypted. How? I don't know, but you can be sure it is encrypted. Yeah, that's how it works. So it's better to go with software after all, if you wanna be sure about the implementation!

    – TJJ
    Feb 14 '16 at 4:25

















Possible duplicate of How to verify a self-encrypted drive (SED) is really encrypted?

– Ƭᴇcʜιᴇ007
Feb 12 '16 at 14:02





Possible duplicate of How to verify a self-encrypted drive (SED) is really encrypted?

– Ƭᴇcʜιᴇ007
Feb 12 '16 at 14:02




1




1





AFAIK the ATA security feature set (password) has nothing to do with encryption. It just provide a way to prevent the drive from being accessed. I even doubt whether the encryption implementations on most drives really added another layer of security. From what I see what they mainly provide is a quick mean to do a "full erase" of the drive, which is the re-generation of the encryption key. If someone circumvent the ATA security feature set in some way, whether the encryption key will still remains unaccessible is in doubt.

– Tom Yan
Feb 13 '16 at 0:35





AFAIK the ATA security feature set (password) has nothing to do with encryption. It just provide a way to prevent the drive from being accessed. I even doubt whether the encryption implementations on most drives really added another layer of security. From what I see what they mainly provide is a quick mean to do a "full erase" of the drive, which is the re-generation of the encryption key. If someone circumvent the ATA security feature set in some way, whether the encryption key will still remains unaccessible is in doubt.

– Tom Yan
Feb 13 '16 at 0:35













Tried asking the manufacturer? Seems almost every drive does things a little differently

– Xen2050
Feb 13 '16 at 16:30





Tried asking the manufacturer? Seems almost every drive does things a little differently

– Xen2050
Feb 13 '16 at 16:30




1




1





Yes, definitely seems like it. And those people that you get at the support line usually have no clue what you are talking about. Yes, yes, it is encrypted. No, you don't need to worry, the key is saved encrypted. How? I don't know, but you can be sure it is encrypted. Yeah, that's how it works. So it's better to go with software after all, if you wanna be sure about the implementation!

– TJJ
Feb 14 '16 at 4:25





Yes, definitely seems like it. And those people that you get at the support line usually have no clue what you are talking about. Yes, yes, it is encrypted. No, you don't need to worry, the key is saved encrypted. How? I don't know, but you can be sure it is encrypted. Yeah, that's how it works. So it's better to go with software after all, if you wanna be sure about the implementation!

– TJJ
Feb 14 '16 at 4:25










0






active

oldest

votes











Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1039013%2fself-encrypting-drive-sed-and-s3-suspend-sleep%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes
















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1039013%2fself-encrypting-drive-sed-and-s3-suspend-sleep%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Probability when a professor distributes a quiz and homework assignment to a class of n students.

Aardman Animations

Are they similar matrix