HDD password on Dell Precision

screengazer

Nov 14, 2016
Does anyone know exactly how Dell Precision handles HDD passwords?

The BIOS seems to allow setting a password for any internal drive, plus an eSATA drive. However, during boot, it asks for authentication for HDD-0 only (primary HDD). I assigned different passwords for primary and secondary drives, but it just unlocks the secondary drive without asking for a password. I assume, then, that it stores the password for the secondary drive in BIOS memory. Wouldn't that make it insecure?

Also, the ATA specification provides for two passwords: Master and User. Since the Dell BIOS allows setting only one password per HDD, I assume it is a User password. What about the Master password? Setting only a User password would be useless, since the Master password can bypass the User password, therefore leaving my data vulnerable. Does the BIOS Admin password perhaps double as a Master password for all HDDs in the system? The BIOS, User Manual and Dell website in general are moot on this issue.

I want to use HDD passwords to secure data on an Intel 540-series SSD (which is a self-encrypting drive) and I don't want to use TPM.

I am also interested in finding a Windows-based program for issuing ATA security commands against external (USB-connected) hard drives. The only thing I have found on the Net so far is the hdparm utility for Linux.

Thank you!
 
I have an old post about testing SED drives with the built-in HDD password on Dell PCs (I was testing with OptiPlexes).

Using the built-in HDD password is considered a FIPS 140-0 Compliance and can be EASILY bypassed! The Master Password CAN overwrite the SED password if used on another machine. With Dells, you can bypass the HDD password using the Master password (it doesn't unlock the drive at this point).

You can then access the BIOS, go into the hard drive password and CHANGE IT without knowing the old password and using the Master password of that machine to change it to something else!

So why not use BitLocker (if you have it) or another encryption software? You don't have to use TPM. It will only use TPM if the TPM module is activated.
 
Thanks for the reply, drtweak!
By "Master password of that machine" do you mean Admin password? (If you meant ATA Master password -- that is supposed to travel with the disk.)

Let me get this straight -- on Comp1 you set admin and HDD passwords, then move the drive to Comp2 with a different admin password, and you can clear the HDD password there? Wow, that sucks! (Unfortunately, I don't have another sufficiently new computer to try out these kinds of maneuvers.)

The reason I alluded to the Admin password in my original post is that the Dell BIOS tells me I need to set an Admin password prior to setting an HDD password. That's why I thought that the Admin password might have something to do with the ATA Master password.

I don't want to use BitLocker because it is another layer of complexity and a performance hit, however small (BitLocker is software encryption, right?). The SED has everything I need and is already paid for, if only I had a PC that would be properly configurable...
 
I mean the main BIOS admin password.

Also, what version of Windows are you using? If Windows 8 and up, and if Windows is installed as a UEFI boot, you can just use the built-in encryption. The thing is, almost ALL SSDs these days are SEDs. Using an ATA password is easily breakable. There are ways you can use BitLocker and you don't need a TPM (it just requires a password). Look at this site here. They have a lot of information on BitLocker, TPM, and OPAL 2.0 SEDs, which will NOT take a performance hit.

Otherwise the ATA password is good for basic people. As far as most advanced users, like some of us here, it's something that can be easily breakable (I do need to do more testing on that though).

There is also other 3rd-party software like SecureDoc that can take advantage of the built-in encryption as well.

Using Windows 7 or below, or using a non-UEFI boot, will not allow BitLocker to take advantage of the SED. Otherwise yes, it would be software encryption.
 
I am using Win 10, booting in legacy mode, and SATA is in RAID mode (even though I have no RAIDed disks). "Almost all SSDs are SEDs" -- that's right, which makes it even more surprising that top-of-the-line laptops still provide such poor support for them. Here I have a 3K flagship Dell laptop and I can't even get reliable information on how the damn thing works so that I can make it secure. I called tech support; they wanted to log it as a premium case and charge me money for that. The user manual is very poor at explaining all the BIOS options, let alone how exactly HDD passwords work. I think I need to install a Linux VM on my machine and start playing around with hdparm (since I can't find any other software to interact with drive security) to find out exactly what the BIOS is doing with my disk.
Anyway, thanks a lot for your insights, DrTweak!
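
The Master/User question raised in this thread can be checked from the drive's own IDENTIFY DEVICE data, which is what tools such as hdparm report. The following is an added example, not part of any post here: it decodes the ATA security status (word 128) and Master Password Identifier (word 92), assuming the 256 identify words have already been read from the drive; the function names and sample values are constructed for illustration.

```python
# Added example: decode ATA Security feature-set state from IDENTIFY DEVICE data.
# Bit layout per the ATA command set: word 128 = security status,
# word 92 = Master Password Identifier (revision code).

SECURITY_BITS = {
    0: "supported",
    1: "enabled",          # a User password is set
    2: "locked",
    3: "frozen",           # SECURITY FREEZE LOCK issued, typically by firmware at boot
    4: "count_expired",    # unlock attempt counter exhausted for this power cycle
    5: "enhanced_erase",
}
FACTORY_MASTER_ID = 0xFFFE  # identifier drives ship with before the Master password is changed


def decode_security(words):
    """words: the 256 16-bit IDENTIFY DEVICE words as integers."""
    if len(words) != 256:
        raise ValueError("IDENTIFY DEVICE data is exactly 256 words")
    status = words[128]
    state = {name: bool((status >> bit) & 1) for bit, name in SECURITY_BITS.items()}
    # Bit 8 is the Master Password Capability: 0 = High, 1 = Maximum.
    state["level"] = "maximum" if (status >> 8) & 1 else "high"
    state["master_id"] = words[92]
    return state


def master_can_unlock(state):
    """At level High the Master password unlocks the drive like the User password.
    At Maximum it can only authorize a security erase, which destroys the data."""
    return state["enabled"] and state["level"] == "high"


def master_is_factory(state):
    """True when the Master Password Identifier is still the shipped value."""
    return state["master_id"] == FACTORY_MASTER_ID


def sample_words(status, master_id):
    """Constructed sample: an otherwise empty identify block."""
    words = [0] * 256
    words[128], words[92] = status, master_id
    return words


if __name__ == "__main__":
    # Constructed values: User password set at level High, factory Master identifier.
    st = decode_security(sample_words(0x002B, 0xFFFE))
    print(st, master_can_unlock(st), master_is_factory(st))
```

A drive that reports `enabled`, level `high` and the factory identifier is the case the original question worries about: the User password alone does not protect it from whoever knows the Master password.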
 
Yeah, if you were to reinstall Windows as UEFI boot, enable secure boot, and disable TPM (or use it), BitLocker will be able to use SED encryption.

Just got a client a new Latitude. It was UEFI and I turned on TPM and BitLocker, and on reboot it was instantly encrypted.

I didn't know about the UEFI thing until recently. I was wondering why other PCs still wanted to encrypt the whole drive. Didn't realize it had to be a UEFI boot and not Legacy.

I have an Optiplex 3040 in my possession and a Samsung 850. I will play around with the whole password encryption thing a bit more tomorrow if I have time and let you know.