How to start using an SSD's hardware encryption, using the Samsung EVO 850 and sedutil as an example



This is just a short how-to note, which I hope is also useful for other drives with built-in encryption (SED, self-encrypting drives). There is no in-depth explanation of principles and terms.

A Samsung EVO or PRO always stores data in encrypted (AES) form, even if you have done nothing to enable it. Until you turn protection on, it simply returns that data decrypted; once you turn protection on, it requires a password before it will decrypt. This means that setting a password does not reduce the drive's speed, since everything is encrypted anyway, and it also means that you do not have to encrypt the drive from start to finish: it is already encrypted.

However, there is no information about which encryption key is used. Perhaps it is the same for all drives of a model, or, for example, for those shipped to our market. And with serious effort (for example, transplanting a component from a donor drive that has no password set), the data could be read.

But if, like me, you simply dislike the idea that someone can freely rummage through the data on a laptop that was stolen from you or lost, then the method proposed here is quite sufficient.
You can lock the data on Samsung EVO drives in one of three ways (do not try to combine them; that only breaks everything):

1. Set the ATA drive password in the BIOS


This is the easiest way, but almost useless. In addition to the user password, the BIOS as a rule also sets a master password, which is known to the computer manufacturer's service department, and helpful people there will then unlock the data for anyone who asks. See, for example, the iXBT forum thread "Remove password from BIOS (BIOS)".

The web describes examples of BIOSes handling the ATA password badly: caching the password in the BIOS where it can be read back out, setting the password with hdparm instead of through the BIOS, reading a password-protected drive on a computer of the same model, and so on. You can read and judge for yourself if you wish, but this method disappointed me.

2. Enable the eDrive functionality and use BitLocker


Not bad, but only available on the more expensive editions of Windows, and of no use at all if you run Linux.

3. Use the TCG OPAL functions through the sedutil utility


In broad strokes, the idea of this method is that once protection is activated, after power-on the drive presents a small service partition instead of its real contents. You can write anything there, but usually it is a utility that asks you for a password and tries to feed it to the drive so that the drive starts working for real.

The advantage of this method is that the password is entered before the operating system loads, so nothing needs to be changed in the operating system and there is nothing running yet that could intercept the password.

The downsides are:

  • The computer cannot be put into standby (suspend to RAM). When power to the drive is restored, it will be in the locked state, and an operating system waking up from RAM will crash hard.
  • An extra reboot: after the password is entered and the drive has revealed its true contents, the machine reboots so that the BIOS re-detects what kind of drive it is.

Before continuing, let's ask ourselves: can a mistake turn the drive into a brick, that is, into a life-size model of a drive that no longer responds to any external stimulus?

Well, you can easily lose data, for example if you mistype the password when locking the drive, or forget it right away. Therefore it is MANDATORY to make a backup before any of the following steps.

If the drive can no longer be unlocked, it can usually be reset to its original (factory) state, but at the cost of complete data loss.

In summary: a brick can be brought back to life, but the data can be lost.

Back to the Samsung drives.

Samsung drives ship with nothing on the service partition. There are commercial programs that can install themselves there, but we will use the free, open-source utility sedutil (also known as msed).

Go to https://github.com/Drive-Trust-Alliance/sedutil/wiki

Download the files from the executable distributions section (do not forget to unpack the .gz archives!!!):

The sedutil_WIN.zip archive is what we will use to set up encryption on the drive if we are running Windows. The description below is for Windows; working with the Linux version is practically the same, except that the drive names differ, for example /dev/sda instead of \\.\PhysicalDrive0.

The LINUXPBARelease.img.gz and UEFI64_Release.img.gz archives contain what will be loaded from the small partition of the drive when its main contents are locked after a power cycle. These are the two variants, for machines with BIOS and with UEFI.

The Rescue.img.gz archive contains the image of the recovery utility, for when something goes wrong, you want to undo everything, and the computer does not boot.

Write the recovery utility to a USB flash drive just in case (the site suggests the Win32DiskImager program) and verify that you can boot from it. At the same time you will see that it works from the Linux command line and satisfy yourself that there is nothing to be afraid of.

The site also recommends writing LINUXPBARelease.img to another USB flash drive and verifying that, after booting from it and entering any password, you will see a list of drives. But this is not the case: the site has an outdated description that was never updated (as of 01/01/2017). If the drive is not yet encrypted, you will only get error messages and then a reboot. Don't worry, this is normal (described in the Issues on GitHub).



So, from the command line, let's see which of the drives are capable of self-encryption:

V:\sedutil>sedutil-cli --scan
Scanning for Opal compliant disks
\\.\PhysicalDrive0 12  Samsung SSD 850 EVO 1TB                  EMT01B6Q
\\.\PhysicalDrive1 12  Samsung SSD 850 EVO mSATA 500GB          EMT41B6Q
No more disks present ending scan

We lock both drives, but with one password for both. Since we will enter it on the command line, it must not contain characters that have a special meaning there, such as spaces, slashes, quotes, or less-than/greater-than signs. In addition, the characters you use must be available from the keyboard when the computer boots (read: QWERTY keyboard characters). Finally, type the password into a text file, save it on a USB flash drive, and copy-paste it into the subsequent commands.

Let's say the boot disk we have is PhysicalDrive1.

Let the password be MyPassword.
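Two checks worth automating before touching a drive: picking the Opal-capable devices out of the `--scan` output above, and testing a candidate password against the rules just described. The script below is an added example, not code from the article or from the sedutil project. The scan text is embedded (the first two device lines follow the session above; the third, non-Opal line is constructed), the set of shell-special characters and the 32-byte ceiling are assumptions, and the reading of the second column as sedutil's support flags ("No" when the drive has no TCG support) is mine.

```python
import re
import string
from dataclasses import dataclass
from typing import List

# Constructed sample of `sedutil-cli --scan` output. The first two device lines
# follow the article's session; the third (a non-Opal drive) is made up to show
# the "No" case. Embedded so the example runs without any drive attached.
SAMPLE_SCAN = r"""Scanning for Opal compliant disks
\\.\PhysicalDrive0 12  Samsung SSD 850 EVO 1TB                  EMT01B6Q
\\.\PhysicalDrive1 12  Samsung SSD 850 EVO mSATA 500GB          EMT41B6Q
\\.\PhysicalDrive2 No  Example HDD 2TB                          FW0000
No more disks present ending scan
"""

# device, support flags, model (may contain spaces), firmware revision
SCAN_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(.*\S)\s+(\S+)$")


@dataclass
class ScannedDrive:
    device: str
    flags: str      # sedutil's support column: "12" above, "No" = no TCG support (my reading)
    model: str
    firmware: str

    @property
    def opal_capable(self) -> bool:
        return self.flags != "No"


def parse_scan(text: str) -> List[ScannedDrive]:
    """Pick the per-drive lines out of --scan output, skipping the banner lines."""
    drives = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if not m:
            continue
        device, flags, model, firmware = m.groups()
        # Only lines whose first field is a device path count; the banner
        # ("Scanning for Opal compliant disks") would otherwise match too.
        if not device.startswith(("/dev/", "\\\\.\\")):
            continue
        drives.append(ScannedDrive(device, flags, model, firmware))
    return drives


# Characters the article says to avoid because the command line gives them a
# meaning; the exact set is an assumption covering cmd.exe and POSIX shells.
SHELL_SPECIAL = set(" \t\"'\\/<>|&^%$`!*?()[]{};~#")
# What you can rely on typing at the PBA prompt: plain US-QWERTY ASCII.
QWERTY = set(string.ascii_letters + string.digits + string.punctuation)
MAX_LEN = 32  # assumption: Opal PINs are at most 32 bytes


def check_password(pw: str) -> List[str]:
    """Return the problems with pw as a sedutil/PBA password (empty list = usable)."""
    problems = []
    if not pw:
        problems.append("empty password")
    if len(pw.encode("utf-8")) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} bytes")
    special = sorted({c for c in pw if c in SHELL_SPECIAL})
    if special:
        problems.append("contains shell-special characters: " + repr("".join(special)))
    foreign = sorted({c for c in pw if c not in QWERTY})
    if foreign:
        problems.append("contains characters you may not be able to type at the PBA prompt: "
                        + repr("".join(foreign)))
    return problems


def main() -> None:
    for d in parse_scan(SAMPLE_SCAN):
        status = "Opal" if d.opal_capable else "not Opal"
        print(f"{d.device}  {status:8}  {d.model}  ({d.firmware})")
    for candidate in ("MyPassword", "My Pass/word", "Пароль123"):
        problems = check_password(candidate)
        print(repr(candidate), "->", "OK" if not problems else "; ".join(problems))


if __name__ == "__main__":
    main()
```

Run it against real output by piping `sedutil-cli --scan` into `parse_scan`; a candidate that comes back with an empty problem list satisfies both the command-line rule and the keyboard rule from the paragraph above.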

V:\sedutil>sedutil-cli --initialsetup MyPassword \\.\PhysicalDrive1
- 13:21:04.000 INFO: takeOwnership complete
- 13:21:04.436 INFO: Locking SP Activate Complete
- 13:21:05.982 INFO: LockingRange0 disabled
- 13:21:05.513 INFO: LockingRange0 set to RW
- 13:21:06.028 INFO: MBRDone set on
- 13:21:06.558 INFO: MBRDone set on
- 13:21:07.057 INFO: MBREnable set on
- 13:21:07.057 INFO: Initial setup of TPer complete on \\.\PhysicalDrive1

We load the bootloader image into the service partition (here you must decide which bootloader variant you need: BIOS or UEFI):

V:\sedutil>sedutil-cli --loadPBAimage MyPassword <image.img> \\.\PhysicalDrive1
- 13:01:34.000 INFO: Writing PBA to \\.\PhysicalDrive1
 | [*********************] 1049600 bytes written
- 13:03:38.317 INFO: PBA image  <image.img> written to \\.\PhysicalDrive1
V:\sedutil>sedutil-cli --setMBREnable on MyPassword \\.\PhysicalDrive1
- 13:05:02.000 INFO: MBRDone set on
- 13:05:03.562 INFO: MBREnable set on

The moment after which the drive starts to behave differently after a power cycle:

V:\sedutil>sedutil-cli --enableLockingRange 0 MyPassword \\.\PhysicalDrive1

We also encrypt the second drive (the non-bootable one). Everything is the same, except that the bootloader does not have to be written to it.

V:\sedutil>sedutil-cli --initialsetup MyPassword \\.\PhysicalDrive0 
V:\sedutil>sedutil-cli --enableLockingRange 0 MyPassword \\.\PhysicalDrive0
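The two command sequences above (boot drive with a PBA image, data drive without) can be scripted so that they are reviewed before anything runs and so that a failed `--initialsetup` stops the run before `--enableLockingRange` ever locks the drive. This is an added example, not code from the article or from sedutil: it assumes `sedutil-cli` is on the PATH (or in the current directory, as in the V:\sedutil session), reuses the successful `--initialsetup` log from above as test data, and treats the milestone strings and the `ERROR:`/`WARNING:` markers as the signals to check; `UEFI64_Release.img` is the unpacked name of the archive mentioned earlier.

```python
import subprocess
from typing import List, Optional

SEDUTIL = "sedutil-cli"  # assumed to be on PATH or in the current directory

# The article's successful --initialsetup output, kept here as test data.
SAMPLE_INITIALSETUP_LOG = r"""- 13:21:04.000 INFO: takeOwnership complete
- 13:21:04.436 INFO: Locking SP Activate Complete
- 13:21:05.982 INFO: LockingRange0 disabled
- 13:21:05.513 INFO: LockingRange0 set to RW
- 13:21:06.028 INFO: MBRDone set on
- 13:21:06.558 INFO: MBRDone set on
- 13:21:07.057 INFO: MBREnable set on
- 13:21:07.057 INFO: Initial setup of TPer complete on \\.\PhysicalDrive1
"""

# Milestones of a successful initial setup, in the order the article's log shows them.
INITIALSETUP_MILESTONES = (
    "takeOwnership complete",
    "Locking SP Activate Complete",
    "MBREnable set on",
    "Initial setup of TPer complete",
)


def lock_sequence(device: str, password: str, pba_image: Optional[str] = None) -> List[List[str]]:
    """The sedutil-cli invocations from the article, in order, as argv lists.

    With pba_image (the boot drive): initialsetup, loadPBAimage, setMBREnable on,
    enableLockingRange 0. Without it (a data drive): initialsetup, enableLockingRange 0.
    """
    steps = [[SEDUTIL, "--initialsetup", password, device]]
    if pba_image is not None:
        steps.append([SEDUTIL, "--loadPBAimage", password, pba_image, device])
        steps.append([SEDUTIL, "--setMBREnable", "on", password, device])
    steps.append([SEDUTIL, "--enableLockingRange", "0", password, device])
    return steps


def initialsetup_succeeded(output: str) -> bool:
    """True when every milestone appears in order and sedutil logged no ERROR/WARNING."""
    lines = output.splitlines()
    if any(" ERROR: " in ln or " WARNING: " in ln for ln in lines):
        return False
    pos = 0
    for milestone in INITIALSETUP_MILESTONES:
        while pos < len(lines) and milestone not in lines[pos]:
            pos += 1
        if pos == len(lines):
            return False
        pos += 1
    return True


def run_sequence(steps: List[List[str]], password: str, dry_run: bool = True) -> List[str]:
    """Run the steps in order, stopping at the first failure.

    By default nothing is executed: the commands are returned with the password
    masked so you can review them first. argv lists go to subprocess without a
    shell, so cmd.exe/sh never parse the password; the article's keyboard rule
    still applies because the same password is typed at the PBA prompt.
    """
    done = []
    for argv in steps:
        shown = " ".join("<password>" if a == password else a for a in argv)
        if dry_run:
            done.append(shown)
            continue
        res = subprocess.run(argv, capture_output=True, text=True)
        log = res.stdout + res.stderr
        ok = res.returncode == 0 and (
            argv[1] != "--initialsetup" or initialsetup_succeeded(log))
        if not ok:
            raise RuntimeError(f"step failed, stopping here: {shown}\n{log}")
        done.append(shown)
    return done


if __name__ == "__main__":
    boot = lock_sequence(r"\\.\PhysicalDrive1", "MyPassword", "UEFI64_Release.img")
    data = lock_sequence(r"\\.\PhysicalDrive0", "MyPassword")
    for cmd in run_sequence(boot + data, "MyPassword"):   # dry run: only lists the commands
        print(cmd)
    # run_sequence(boot + data, "MyPassword", dry_run=False)  # the real thing, after the backup
```

The order matters: the boot drive's PBA image and MBREnable are set before its locking range is enabled, so the drive never ends up locked without a way to enter the password at boot, and a data drive gets no PBA step at all.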

After turning the power off and on again, we will see a password prompt. If you enter it incorrectly, the machine reboots and asks again. If it is correct, the machine reboots and starts the operating system from the drive partition that has now opened up.



If successful, you can see how the drive icons have changed in Windows: they now show open yellow padlocks.



In case of failure... Hmm... it's a long weekend. Start by studying the sedutil utility in more detail at the link above.

First of all, the "Remove OPAL" section describes how to restore the drive's normal behaviour so that it works again without switching partitions at startup and without asking for a password.

The "PSID Revert" section describes the extreme measure for when you have forgotten or do not know the password but want to revive the drive at the cost of losing the data. You will need the drive's unique PSID number, usually printed somewhere on its case.

Good luck.
