ASRock BIOS and Samsung and Intel SSD Hardware encryption

Al Winston

Jul 23, 2013
Given the popularity of the Samsung 840 EVO and Intel SSDs which have hardware encryption built in, why has ASRock (among others) not implemented in their UEFI the option for an ATA Password? The general administrator and user passwords do not activate the hardware encryption on the SSDs, it requires a separate ATA password. Apparently Lenovo laptops take advantage of this, but no one else does.

Given that these discs are easily removed and taken elsewhere, it's vital that they be able to be encrypted without the use of costly and performance-degrading software disc encryption. All it would take is for ASRock to be the first desktop Mobo maker to offer this in their UEFI, and you would have legions of Samsung 840 EVO and Intel SSD owners wanting their boards and BIOS.

The only excuse I've read for them not doing it is some weak reasoning that it would be too successful and some idiots might lock themselves out of their drives. Thoughts?
 


Awww, Crud!! What's weird is that I did a lot of research on Mobos before doing my first build, and the feature "Supports ATA Drive Password" was never mentioned in any articles or reviews. WTF? Given how many Samsung and Intel drives are out there with this hardware encryption feature begging to be used, you'd think desktop mobo makers would wave a flag advertising this feature. Instead, almost none support it, and those that do don't tell anyone about it.

Lucky you, dumbass me.
 



Wait a sec, I just checked the manual for the Sabertooth, and I can only find it mentioning the BIOS admin and user passwords, not a separate/additional password for the hard drives. In order to have Samsung and Intel hardware encryption, the BIOS must support the additional ATA Drive password feature, seen on Lenovo laptops, for example. Simply the BIOS password is not helpful, because as it says in the Sabertooth manual, all you have to do is clear the CMOS, and the password is reset.

Now, if it had the additional passwords for the drives, you could do all you want with the CMOS. Those drives will be useless unless put on a machine with ATA password functionality in the BIOS and if you know the drive access password (which is different from the BIOS password needed just to boot the BIOS).
 


I just double checked, cuz my job has a couple test machines and I might have gotten it confused, and it is the Sabertooth Z87 that has the ATA password feature.
 


Really?? I looked at the manual online, again page 3-30 and it mentions nothing about setting an ATA password, only the BIOS passwords (Admin, User, or both), and this BIOS password is useless since it's cleared by merely clearing the CMOS. The drives could also easily be taken out and simply opened on another machine, so no help there. Again, a screenshot of what you believe to be the ATA password would be great. Also, apparently I'm not the only one frustrated by Mobo makers' lack of putting this feature in their BIOS: http://forums.anandtech.com/showthread.php?t=2324002

A test of whether your passwords indeed encrypt the drives would be to put them in, then take the drive out and put it in another machine. From what I can see, it would be perfectly accessible and readable. When an SSD is truly encrypted by a BIOS ATA Drive Password, when the drive is removed and put in another machine without the password or a machine that can't provide an ATA Drive Password in the BIOS, all you'll see is garbage (if the drive is even recognized).


 
Weird. Can't find it anywhere online that the ASUS Bios on the Sabertooth has that. Just the opposite, in fact. I don't suppose there's a chance of a screenshot?
 


Don't go back into work until Monday. So if I remember I'll take a photo.
 
You the man. Thanks. If you look on the web, you'll see there's not a lot on this subject, despite the ubiquity of Samsung and Intel SSDs extolling their advantage with hardware encryption abilities.
 
Actually, if you do show the screenshot of the ATA Password, it will only underscore the bizarre mystery of motherboard UEFI BIOS programmers and the marketers who sell the product. Why would you not mention the ability to take advantage of hardware encryption in the Samsung 840/850 EVO and Intel drives? It would be a HUGE marketing plus given how ubiquitous these SSDs are.

This form of hardware encryption beats software. How secure is hardware encryption of these SSDs? This paper:

https://www1.informatik.uni-erlangen.de/filepool/projects/sed/seds-at-risks.pdf

If the SSD loses power (i.e. it's taken out of the machine, or the machine is powered off or unplugged if a desktop), you can forget about any attack successfully decrypting that disc. It is POSSIBLE to decrypt the SSD, but only if power is maintained to it while it's being stolen and/or hacked into. Yeah, that's not likely to happen often, and if you're that worried, power off your machine.

So, we've got a super-fast, hardware encryption that can't be cracked, and we don't have to worry about performance hits with software encryption nor do we have to worry about Microsoft's Bitlocker having a backdoor given to the NSA.

The problem? NO MOTHERBOARD MAKERS are regularly implementing the ATA password in their UEFI BIOS. Even if they did, I dare anyone to find a motherboard review or advertisement where they say "We support hardware SSD encryption with ATA Password features", and I can't find a review or 'round up' where they mention ATA Password in their feature sets. Despite the ubiquity of the Samsung 840 EVO and Intel SSDs, and despite all the Snowden paranoia, no one cares. IT DOESN'T MAKE SENSE!!

Mass media. Go figure.
 
Palorim12, I found another great post on this topic. It seems that some mobo makers, ASUS included, do not routinely provide a BIOS with ATA Password ability. Seems they are concerned about how effective a security measure it is and should a user forget their ATA Password, there's no way to recover the data on the drive. Hence, some mobo makers (ASUS) actually provide a special BIOS on request that has this feature enabled! Did you happen to ask for a special BIOS?

http://www.pugetsystems.com/labs/articles/Introduction-to-Self-Encrypting-Drives-SED-557/

 


We bought ours on Newegg.
 
I wanna apologize, I went to take a pic of the BIOS and I found out that on Friday, I was looking at the BIOS of a different system. We use a KVM switch for our test desktops and someone had switched the Sabertooth connection with an HP desktop. The HP is the one that has the ATA password feature, not the Sabertooth.
 
OK, I've got some news here. Because I want to make sure this is found by people wanting an ATA Password, I'm going to throw in buzzwords like ASRock Extreme6 Z97 motherboard, Samsung 840 EVO SSD with AES encryption (or Class 0 as they call it in Driver Magician), the Intel 320 and 520 and 530 systems with AES hardware encryption. There. Now, I received an email today from somewhere in Asia where they write the BIOS for ASRock's UEFI BIOS. They said they wrote "me" a new BIOS, but I'm going to suspect that they had it but didn't release it because they were afraid people would lock themselves out of their drives. The bottom line is, there is an ASRock UEFI BIOS 1.07B, an addition to the 1.07 BIOS. This B version has ATA Password capability for each drive in your system. Now, I've not tested how many characters, nor have I looked to see if it can do hash marks, or symbols or caps vs lowercase. What I have tested is encrypting it with the ATA password on my ASRock machine and then putting the SSD into another machine . . . it would either not be recognized or completely unreadable, even by some forensic software I've got. This was true for a Samsung 840 EVO 1TB and for an Intel 520 480GB. Sooo, if you have an ASRock motherboard, you're in luck. You can email the ASRock team in Taiwan (I think that's the .tw domain, right?). For all those with Samsung 840/850 EVO and Intel SSDs, if you buy an ASRock motherboard, you can do hardware encryption with all the advantages noted above. HOWEVER: based on what I've read, if you power off the machine and then forget your ATA Password . . . no one can help you. Not Samsung, Intel, ASRock or the NSA. Unless somehow you can brute force it.
 


See below. ASRock solved it for the Extreme6 motherboard at least. I'm still reeling that they rewrote the BIOS in a week. How hard is it to do that (am not a programmer)?

 


I’m trying to resolve the same issue pre-sales in selecting a motherboard for a new build. Thanks for sharing your experience.

I’m trying to reconcile the BIOS versions you reference with the versions on the ASRock BIOS download page for the Z97 Extreme6 motherboard. You refer to versions 1.07 and 1.07B. The download page lists version 1.00 up to 1.70 with no 1.07. Is it possible you have transposed the “0” and the “7” and are actually running a 1.70B? Or perhaps the version numbers on their download page are versions for the download package that differ from the version numbers for the BIOS itself?

Also, they offer three download alternatives for a version – Instant Flash, DOS, and Windows. Which did they supply you for the “B” version you have with SED support?

Lastly, could you say a little more about what steps are involved in ATA password management and entry in the "B" BIOS you obtained when multiple drives are involved?
 


I am also wondering this same thing. I think he probably means 1.70b, but it sure would be nice if he would respond and let us know. I have emailed Asrock support to try and get ahold of this "B" version bios. If I hear back from them, I will give an update here. I am using SED encryption on an 840 evo in my laptop and absolutely love it. I want to do the same with my 850 evo connected to my new Asrock Z97 Extreme6. Hopefully I can...
 




 
Welcome to the wonderful world of dyslexia. Sorry about that. I MEANT to write 1.70 is what they have posted on their site, but when you email the Taiwan ASRock tech team, they'll send you version 1.70B with the ATA Password option implemented in the BIOS.

After I downloaded it, I had both the zipped and unzipped version on the hard drive in my random download directory. When the motherboard booted up, I hit the F6 key which triggers instant flash. Without any input, it identified both of the new BIOS files and automatically updated the BIOS. The email address to get the new BIOS is Asrock_TSD@asrock.com.tw

Sorry about the delay and my poor transcription.
 
If anyone knows a way I can upload this 1.70B BIOS, I'm happy to do it. Now, regarding this whole thing, here's what I do:

1. SSD is my main drive, and using the 1.70B BIOS and an ATA password, I have it encrypted.
2. I run a clone backup using Casper to backup this SSD to an HDD in a removable swap bay, and I do NOT have this drive encrypted. I remove the HDD and put it in a separate secure location away from the computer.

That way if someone goes after the computer or SSD, they got nothing. Similarly, if for some reason the encryption on the SED messes up, I got a nonencrypted backup (inconveniently but safely secured off-site).

Now, if you want to learn all about this and more, you can save a lot of time by just going to this forum:
http://vxlabs.com/2012/12/22/ssds-with-usable-built-in-hardware-based-full-disk-encryption/

Read all the comments . . and there are a ton. But this is what got me to understand SSD full disk hardware encryption.

BTW, I emailed the Taiwan ASRock tech team and asked why the 1.70B BIOS is not posted on their download site. You'll love this: They were afraid inexperienced users would lock themselves out of their hard drives, and there is no way they can help undo this type of encryption because it's so secure. I swear. That was their answer. ASUS won't even bother providing an ATA Password for this reason in their BIOS's.
 
Al Winston, THANK YOU. I've been trying to buy a motherboard with ATA password (aka HDD password) feature, and thanks to you, I'll go with that ASRock Z97 Extreme6, with the 1.70B bios.

I found that BIOS version online. (You got yours from Asrock_TSD@asrock.com.tw ) It apparently had been on the ASRock site, in the beta-BIOS section, but I now find it only via Google's cached version. I just downloaded it from here:
http://66.226.78.22/downloadsite/bios/1150/Z97%20Extreme6(1.70B)ROM.zip

Now, that's one creepy URL, we all agree. But if you go to the current beta-bios page, you'll see that every official BIOS download comes from a similarly-creepy URL, with that same IP# domain.
Here's the current ASRock page, so you can see for yourself:
http://www.asrock.com/mb/Intel/Z97%20Extreme6/index.us.asp?cat=Beta

Here's how you install this BIOS. You must use the Instant Flash method:
http://www.asrock.com/support/BIOSUI.asp?cat=BIOS8

Details, from the (cached) beta BIOS page at ASRock:
1.70B 1/22/2015 Instant Flash 5.69MB Add HDD password function.

The latest fully-released BIOS, as of now:
1.70 12/31/2014 Instant Flash 5.71MB

Thanks again, Al. I've got my new Samsung SSD, similar to yours, and like you I'm stunned at how well-marketed this feature is, with zero help for setting this up in BIOS. (Thanks for NOTHING, Samsung!) I suspect that most SED users have Windows 8, whose version of Bitlocker supports SEDs. But I'd rather stick with Windows 7, myself. And Linux users share my problem.
 


Actually, as an owner of an Asrock Fatal1ty 990FX Professional, I kindly asked Asrock to provide me with a BIOS that has the HDD password option and they did!

I'm an owner of a Samsung 840 Pro and I hesitated to buy an Asrock motherboard, I'm glad I did (a whiiiiiiiiiiiiiiiiile back)

P.S. if you have the same motherboard I can provide the bios to you
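
Several posts above turn on whether a board sets a real ATA drive password or only the BIOS admin/user password. The following is an added example, not written by any poster in this thread: it reads the drive's own ATA Security flags from text laid out like the "Security:" section of Linux `hdparm -I /dev/sdX` output. The two samples are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample: an SSD with an ATA password set, power-cycled and
# attached to a second machine (layout modeled on `hdparm -I`).
SAMPLE_MOVED = (
    "Security: \n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\t\tenabled\n"
    "\t\tlocked\n"
    "\tnot\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
    "\tSecurity level high\n"
    "Checksum: correct\n"
)

# Constructed sample: only a BIOS admin/user password exists; the drive itself
# has no password, and the firmware froze the security state at boot.
SAMPLE_BIOS_ONLY = (SAMPLE_MOVED
                    .replace("\t\tenabled", "\tnot\tenabled")
                    .replace("\t\tlocked", "\tnot\tlocked")
                    .replace("\tnot\tfrozen", "\t\tfrozen")
                    .replace("\tSecurity level high\n", ""))

FLAG_RE = re.compile(r"^\s*(not\s+)?(supported|enabled|locked|frozen)\s*$")

def parse_security(text):
    """Return {flag: bool} for the flags listed under the Security: header."""
    state, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_section = True
        elif in_section and line and not line[0].isspace():
            break  # next top-level section ends the Security block
        elif in_section:
            m = FLAG_RE.match(line)
            if m:  # a leading "not" means the flag is cleared
                state[m.group(2)] = m.group(1) is None
    return state

def verdict(state):
    """Summarize what the flags say about drive-level protection."""
    if not state.get("supported"):
        return "ATA security not supported"
    if not state.get("enabled"):
        return "no drive password set"
    return "password set, drive locked" if state.get("locked") else "password set, drive unlocked"

if __name__ == "__main__":
    for name, sample in (("moved", SAMPLE_MOVED), ("bios-only", SAMPLE_BIOS_ONLY)):
        print(name, "->", verdict(parse_security(sample)))
```

A drive that reports "not enabled" after a BIOS password has been configured has no drive-level password at all, which matches the point made above that clearing the CMOS removes the BIOS password.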