HDD GURU FORUMS

I bought a new drive (Seagate Momentus 7200.3) to use in my Dell Latitude E6500 laptop (current model dockable corporate desktop replacement), running XP.

It works fine, but I want to secure the data using ATA disk passwords.

I can set the ATA User Password just fine in the BIOS setup, but Dell's (Phoenix) BIOS setup doesn't have a way to set the ATA Master Password. Seagate documentation says the ATA Master Password is set at the factory to a number that's physically printed on the drive's housing.

So, if I understand correctly, even though I set the User Password, if the drive is stolen, someone could just stick the drive in any laptop and use the Master Password (printed on the drive) to access the data. That's not very secure, is it?

I want to change the ATA Master Password. Seems like a perfectly reasonable thing that I should be able to do.

However, the BIOS freezes ATA Security at boot-time (so you can't disable or change the passwords at runtime). This is expected of any modern-day BIOS as an anti-virus measure, of course. So I can't use Victoria or MHDD or anything else at runtime to set the master password.

I've even booted from DOS on CD-ROM with Victoria and MHDD, waiting until after BIOS POST to pop the drive in. But neither Victoria nor MHDD could access the drive.

I've read that folks have changed their Master Password by popping their drive in a system with a BIOS setup that DOES allow the Master Password to be set.

Is that really my only option? Do I really have to research and buy another computer with the right BIOS just so I can secure my hard disk?

Please HDD Gurus, say it isn't so.

How do HDD Gurus set their Master Password on a system that doesn't allow for it in the BIOS setup? Surely there must be a way, right?

Why not just encrypt the hard drive? Use something like Truecrypt......free and easy to use.

CK wrote:Why not just encrypt the hard drive? Use something like Truecrypt......free and easy to use.

Well, eventually I want to set the master password for another Seagate drive I have - this one with hardware encryption. To take full advantage of the hardware encryption on that drive, you absolutely have to lock ATA password security on it (otherwise it can be accessed just like any other drive). But if the master password is printed on the drive, it's not really locked. I really do need to figure out a way to change the master password.

I'll use software encryption for some things as well. It has its benefits, and is indispensible for some things, but hardware encryption offers things that software encryption can't (better performance, immunity to some sophisticated attacks).

Even if you change Master Password it will be easy to recover it and also user password and get acess to your data.
Use truecrypt.
ATA Lock is not encryption and can be bypassed very easy.

Spildit wrote:Even if you change Master Password it will be easy to recover it and also user password and get acess to your data.
Use truecrypt.
ATA Lock is not encryption and can be bypassed very easy.

Spildit, perhaps you missed that I'm working with an FDE (Full Disk Encryption) drive. That is, I'm NOT attempting to protect my drive merely with ATA password security on a run-of-the-mill SATA drive (which, of course, would not be very effective).

The ATA passwords are not easy to recover on hardware encrypted drives like Seagate's Momentus FDE because they are stored (maybe even in encrypted format) inside a custom security chip, and never leave the chip (also, the chip isn't even physically accessible without dismantling the drive electronics). Unlike a regular old drive, the password is NOT stored in the clear somewhere accessible (like on the disk itself, for instance).

Read this short article to learn more about FDE drives:

http://headworx.slupik.com/2008/02/fde- ... drive.html

Software encryption like Truecrypt is great in most respects, but it can still be vulnerable to DRAM attacks. See:

http://www.freedom-to-tinker.com/blog/f ... encryption

The bottom line is that software encryption must store the encryption key in DRAM, and so it is thus vulnerable. A successful DRAM attack is not trivial, of course, but hardware encryption offers the assurance that the encryption key never even leaves a chip on the drive electronics.

Of course, you can use both hardware and software security if you like and the combination will always be more secure than either used alone.

***

Switching back to the original topic of this post, I guess no one here has any idea how I can change my master password without tracking down (at least temporarily) a laptop that explicitly supports setting the master password in the BIOS setup. Given that, can anyone suggest laptop makes and/or models that DO allow setting of the master password?

I gather some (all?) Lenovo models do. Any others? Anyone have a Lenovo laptop they can check on? How about Acer?

Remember ATA Master password is not really Master in the sense most people expect

If the drive is put in MAXIMUM Security mode, then only the USER password can access it
The only thing the Master password can do is allow the drive to be low level formatted?

(As opposed to HIGH Security mode where both Master and User passwords can unlock and access it)

See the HDD password section of http://en.wikipedia.org/wiki/Advanced_T ... Attachment


The Victoria low level disk utility will let you set the Master password

FDE will have a back door to it...... Simples....

Guru say

FDE will have a back door to it...... Simples....

Is the solution in relation with the SID ?

Or Have you a other way to explore ?
Please give me some clues, I will search ?

tinkerdude wrote:The ATA passwords are not easy to recover on hardware encrypted drives like Seagate's Momentus FDE because they are stored (maybe even in encrypted format) inside a custom security chip, and never leave the chip

This assumption is incorrect

guru wrote:FDE will have a back door to it...... Simples....

If you refer to some video on some site, then you need to watch it closely. That method requires original user password to be provided