How to enable hardware based encryption on Samsung 850 Pro
I have a new Samsung 850 pro which touts hardware-based encryption. According to that page I should just go in my bios and set a hard-drive password (no problem right). The only relevant thread I found on the issue also says something along those same lines. I have no such option in my BIOS (I have a Gigabyte board with a Z87 chipset, model number escaping me at this time). If I were to buy a new motherboard to get this to work, what feature(s) does the board need to support?
ssd bios opal self-encrypting-drive opal-ssc
edited Jan 15 at 14:49
͏͏͏
2,67411214
asked Oct 29 '14 at 19:35
ErlVoltonErlVolton
268138
add a comment |
I have a new Samsung 850 pro which touts hardware-based encryption. According to that page I should just go in my bios and set a hard-drive password (no problem right). The only relevant thread I found on the issue also says something along those same lines. I have no such option in my BIOS (I have a Gigabyte board with a Z87 chipset, model number escaping me at this time). If I were to buy a new motherboard to get this to work, what feature(s) does the board need to support?
ssd bios opal self-encrypting-drive opal-ssc
edited Jan 15 at 14:49
͏͏͏
2,67411214
asked Oct 29 '14 at 19:35
ErlVoltonErlVolton
268138
add a comment |
I have a new Samsung 850 pro which touts hardware-based encryption. According to that page I should just go in my bios and set a hard-drive password (no problem right). The only relevant thread I found on the issue also says something along those same lines. I have no such option in my BIOS (I have a Gigabyte board with a Z87 chipset, model number escaping me at this time). If I were to buy a new motherboard to get this to work, what feature(s) does the board need to support?
ssd bios opal self-encrypting-drive opal-ssc
edited Jan 15 at 14:49
͏͏͏
2,67411214
asked Oct 29 '14 at 19:35
ErlVoltonErlVolton
268138
I have a new Samsung 850 pro which touts hardware-based encryption. According to that page I should just go in my bios and set a hard-drive password (no problem right). The only relevant thread I found on the issue also says something along those same lines. I have no such option in my BIOS (I have a Gigabyte board with a Z87 chipset, model number escaping me at this time). If I were to buy a new motherboard to get this to work, what feature(s) does the board need to support?
ssd bios opal self-encrypting-drive opal-ssc
ssd bios opal self-encrypting-drive opal-ssc
edited Jan 15 at 14:49
͏͏͏
2,67411214
asked Oct 29 '14 at 19:35
ErlVoltonErlVolton
268138
edited Jan 15 at 14:49
͏͏͏
2,67411214
asked Oct 29 '14 at 19:35
ErlVoltonErlVolton
268138
edited Jan 15 at 14:49
͏͏͏
2,67411214
edited Jan 15 at 14:49
͏͏͏
2,67411214
edited Jan 15 at 14:49
͏͏͏
2,67411214
2,67411214
asked Oct 29 '14 at 19:35
ErlVoltonErlVolton
268138
asked Oct 29 '14 at 19:35
ErlVoltonErlVolton
268138
asked Oct 29 '14 at 19:35
ErlVoltonErlVolton
268138
268138
add a comment |
add a comment |
5 Answers
5
active
oldest
votes
Depends on what you mean by "get this to work". That drive support OPAL 2.0, which allows various software managed encryption schemes to use hardware accelerated encryption. It also allows for pre-boot authentication (PBA) for encryption, such as BIOS/EFI schemes. If you want to use PBA (ie a password/pin at the BIOS/EFI) then you'll have to switch to a motherboard that supports it (I couldn't say which as I don't use PBA, I use BitLocker, which I highly recommend in Windows environments).
TL;DR If you're running Windows, use BitLocker, it will automatically use the hardware acceleration.
Edit:
As of April 2014, OPAL is not supported by Linux. There was someone working on "msed", but it wasn't finished or production worthy. I don't know the current status or future of OPAL support in Linux.
Edit 2:
There are also various UEFI products that can manage OPAL compatible drives allowing for a variety of PBAs if your BIOS/EFI doesn't support it directly. The only one I've vaguely familiar with allows companies to setup an authentication servers for PBA over the Internet. It might work with local credentials as well, I'm not sure. It's also very expensive. Food for thought if nothing else.
answered Oct 29 '14 at 19:47
Chris SChris S
5,8791521
Excellent. I am not using Windows, it's ubuntu 14 with LVM encryption enabled via the installer option. Sooo maybe that's taking advantage of the hardware acceleration already and the answer is do nothing and profit?
– ErlVolton
Oct 29 '14 at 19:49
See edit, not good news for you.
– Chris S
Oct 29 '14 at 19:54
add a comment |
As the "someone" working on "msed", it now has the ability enable the OPAL locking, write a PBA to an OPAL 2.0 drive and chain-load the real OS after unlocking the drive on bios based motherboards. No special motherboard support is needed. Yes, it is still early in it's development cycle and it currently does not support sleep to ram as that requires OS hooks.
answered Jan 29 '15 at 6:01
Michael RomeoMichael Romeo
8111
add a comment |
TexasDex is correct. Your motherboard BIOS must support an ATA Password option (this is distinct and in addition to the BIOS password). Now the interesting bit . . . no one mentions this feature. Not in mobo reviews, comparisons, and certainly not in the advertisements and listings of the mobo manufacturers. Why not? Millions upon millions of Samsung EVO and Intel SSDs are ready to have ultrafast and ultrasecure hardware encryption enabled, all they need is a BIOS with ATA Password support.
The only answer I could find is that Mobo makers are afraid a few noobs will forget their passwords, and since this encryption is so reliable, no one AT ALL will be able to help.
I had an ASRock Extreme6 mobo, and thinking it was the latest and greatest, of course it would have this feature. Not. However, I wrote to ASRock in Taiwan and in a week they emailed me the 1.70B version of their BIOS with an ATA Password option. However, it's still not available on their website, you have to ASK for it (?!). This may be the case with your mobo makers as well.
answered Jan 8 '15 at 6:50
Al WinstonAl Winston
314
Does this BIOS support suspend to RAM sleep mode? Does it unlock the drive while resuming from sleep?
– ZAB
Jun 14 '15 at 18:25
add a comment |
It's possible to use the hdparm command in Linux to enable ATA Security Extensions, which will set the AT password on the drive, thereby encrypting it.
Unfortunately, if your BIOS doesn't support hard disk passwords then there's no way to boot after you do that, since you can't use the hdparm unlock command until after you're done booting, and you can't unlock and boot off the drive until after you unlock it. Kind of a chicken/egg problem. That's why they sometimes put disk password support in the BIOS, so it can run without needing an OS.
If you have the /boot or / partition on a separate device you might be able to set up a script that uses the hdparm command somewhere in the init process. This isn't easy, and kind of defeats the purpose of having the SSD for fast booting and such.
My only other idea would be to have a thumb drive with a super-minimal distro of Linux that does nothing but prompt for the password, run the hdparm ata unlock command, and reboot, allowing the OS to load from your unlocked drive (I believe soft reboots generally don't re-lock drives). This is not ideal, but it's the best available solution if your motherboard doesn't support ATA passwords.
answered Dec 17 '14 at 5:30
TexasDexTexasDex
961
add a comment |
- Storage type must be ACHI.
- The computer must always boot natively from UEFI.
- The computer must have the Compatibility Support Module (CSM) disabled in UEFI.
The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).
TPM chip is optional.
- Secure boot is optional.
- GPT and MBR are both supported.
- If there is RST software/drivers, it has to be at least version 13.2.4.1000.
This can be done with 2 disks or one.
From a Windows install that meets the above criteria:
- Set state to ready to enable via Samsung Magician.
- Make a secure erase USB (for DOS).
- Reboot PC, change boot mode to BIOS boot (for the secure erase USB)
- Boot into secure erase, erase
- Reboot PC, change BIOS boot settings to EFI again. (Do not let the PC start booting from the drive or you might start the process from the beginning.)
- Boot back to Windows disk and check via Samsung magician or install Windows to your secure erased disk.
edited Nov 3 '16 at 11:02
karel
9,25293138
answered Nov 3 '16 at 10:52
Shadowws ShadowwShadowws Shadoww
1
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f833457%2fhow-to-enable-hardware-based-encryption-on-samsung-850-pro%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
5 Answers
5
active
oldest
votes
5 Answers
5
active
oldest
votes
active
oldest
votes
active
oldest
votes
Depends on what you mean by "get this to work". That drive support OPAL 2.0, which allows various software managed encryption schemes to use hardware accelerated encryption. It also allows for pre-boot authentication (PBA) for encryption, such as BIOS/EFI schemes. If you want to use PBA (ie a password/pin at the BIOS/EFI) then you'll have to switch to a motherboard that supports it (I couldn't say which as I don't use PBA, I use BitLocker, which I highly recommend in Windows environments).
TL;DR If you're running Windows, use BitLocker, it will automatically use the hardware acceleration.
Edit:
As of April 2014, OPAL is not supported by Linux. There was someone working on "msed", but it wasn't finished or production worthy. I don't know the current status or future of OPAL support in Linux.
Edit 2:
There are also various UEFI products that can manage OPAL compatible drives allowing for a variety of PBAs if your BIOS/EFI doesn't support it directly. The only one I've vaguely familiar with allows companies to setup an authentication servers for PBA over the Internet. It might work with local credentials as well, I'm not sure. It's also very expensive. Food for thought if nothing else.
answered Oct 29 '14 at 19:47
Chris SChris S
5,8791521
Excellent. I am not using Windows, it's ubuntu 14 with LVM encryption enabled via the installer option. Sooo maybe that's taking advantage of the hardware acceleration already and the answer is do nothing and profit?
– ErlVolton
Oct 29 '14 at 19:49
See edit, not good news for you.
– Chris S
Oct 29 '14 at 19:54
add a comment |
Depends on what you mean by "get this to work". That drive support OPAL 2.0, which allows various software managed encryption schemes to use hardware accelerated encryption. It also allows for pre-boot authentication (PBA) for encryption, such as BIOS/EFI schemes. If you want to use PBA (ie a password/pin at the BIOS/EFI) then you'll have to switch to a motherboard that supports it (I couldn't say which as I don't use PBA, I use BitLocker, which I highly recommend in Windows environments).
TL;DR If you're running Windows, use BitLocker, it will automatically use the hardware acceleration.
Edit:
As of April 2014, OPAL is not supported by Linux. There was someone working on "msed", but it wasn't finished or production worthy. I don't know the current status or future of OPAL support in Linux.
Edit 2:
There are also various UEFI products that can manage OPAL compatible drives allowing for a variety of PBAs if your BIOS/EFI doesn't support it directly. The only one I've vaguely familiar with allows companies to setup an authentication servers for PBA over the Internet. It might work with local credentials as well, I'm not sure. It's also very expensive. Food for thought if nothing else.
answered Oct 29 '14 at 19:47
Chris SChris S
5,8791521
Excellent. I am not using Windows, it's ubuntu 14 with LVM encryption enabled via the installer option. Sooo maybe that's taking advantage of the hardware acceleration already and the answer is do nothing and profit?
– ErlVolton
Oct 29 '14 at 19:49
See edit, not good news for you.
– Chris S
Oct 29 '14 at 19:54
add a comment |
Depends on what you mean by "get this to work". That drive support OPAL 2.0, which allows various software managed encryption schemes to use hardware accelerated encryption. It also allows for pre-boot authentication (PBA) for encryption, such as BIOS/EFI schemes. If you want to use PBA (ie a password/pin at the BIOS/EFI) then you'll have to switch to a motherboard that supports it (I couldn't say which as I don't use PBA, I use BitLocker, which I highly recommend in Windows environments).
TL;DR If you're running Windows, use BitLocker, it will automatically use the hardware acceleration.
Edit:
As of April 2014, OPAL is not supported by Linux. There was someone working on "msed", but it wasn't finished or production worthy. I don't know the current status or future of OPAL support in Linux.
Edit 2:
There are also various UEFI products that can manage OPAL compatible drives allowing for a variety of PBAs if your BIOS/EFI doesn't support it directly. The only one I've vaguely familiar with allows companies to setup an authentication servers for PBA over the Internet. It might work with local credentials as well, I'm not sure. It's also very expensive. Food for thought if nothing else.
answered Oct 29 '14 at 19:47
Chris SChris S
5,8791521
Depends on what you mean by "get this to work". That drive support OPAL 2.0, which allows various software managed encryption schemes to use hardware accelerated encryption. It also allows for pre-boot authentication (PBA) for encryption, such as BIOS/EFI schemes. If you want to use PBA (ie a password/pin at the BIOS/EFI) then you'll have to switch to a motherboard that supports it (I couldn't say which as I don't use PBA, I use BitLocker, which I highly recommend in Windows environments).
TL;DR If you're running Windows, use BitLocker, it will automatically use the hardware acceleration.
Edit:
As of April 2014, OPAL is not supported by Linux. There was someone working on "msed", but it wasn't finished or production worthy. I don't know the current status or future of OPAL support in Linux.
Edit 2:
There are also various UEFI products that can manage OPAL compatible drives allowing for a variety of PBAs if your BIOS/EFI doesn't support it directly. The only one I've vaguely familiar with allows companies to setup an authentication servers for PBA over the Internet. It might work with local credentials as well, I'm not sure. It's also very expensive. Food for thought if nothing else.
answered Oct 29 '14 at 19:47
Chris SChris S
5,8791521
edited Oct 29 '14 at 20:10
answered Oct 29 '14 at 19:47
Chris SChris S
5,8791521
answered Oct 29 '14 at 19:47
Chris SChris S
5,8791521
answered Oct 29 '14 at 19:47
Chris SChris S
5,8791521
5,8791521
Excellent. I am not using Windows, it's ubuntu 14 with LVM encryption enabled via the installer option. Sooo maybe that's taking advantage of the hardware acceleration already and the answer is do nothing and profit?
– ErlVolton
Oct 29 '14 at 19:49
See edit, not good news for you.
– Chris S
Oct 29 '14 at 19:54
add a comment |
Excellent. I am not using Windows, it's ubuntu 14 with LVM encryption enabled via the installer option. Sooo maybe that's taking advantage of the hardware acceleration already and the answer is do nothing and profit?
– ErlVolton
Oct 29 '14 at 19:49
See edit, not good news for you.
– Chris S
Oct 29 '14 at 19:54
Excellent. I am not using Windows, it's ubuntu 14 with LVM encryption enabled via the installer option. Sooo maybe that's taking advantage of the hardware acceleration already and the answer is do nothing and profit?
– ErlVolton
Oct 29 '14 at 19:49
Excellent. I am not using Windows, it's ubuntu 14 with LVM encryption enabled via the installer option. Sooo maybe that's taking advantage of the hardware acceleration already and the answer is do nothing and profit?
– ErlVolton
Oct 29 '14 at 19:49
See edit, not good news for you.
– Chris S
Oct 29 '14 at 19:54
See edit, not good news for you.
– Chris S
Oct 29 '14 at 19:54
add a comment |
As the "someone" working on "msed", it now has the ability enable the OPAL locking, write a PBA to an OPAL 2.0 drive and chain-load the real OS after unlocking the drive on bios based motherboards. No special motherboard support is needed. Yes, it is still early in it's development cycle and it currently does not support sleep to ram as that requires OS hooks.
answered Jan 29 '15 at 6:01
Michael RomeoMichael Romeo
8111
add a comment |
As the "someone" working on "msed", it now has the ability enable the OPAL locking, write a PBA to an OPAL 2.0 drive and chain-load the real OS after unlocking the drive on bios based motherboards. No special motherboard support is needed. Yes, it is still early in it's development cycle and it currently does not support sleep to ram as that requires OS hooks.
answered Jan 29 '15 at 6:01
Michael RomeoMichael Romeo
8111
add a comment |
As the "someone" working on "msed", it now has the ability enable the OPAL locking, write a PBA to an OPAL 2.0 drive and chain-load the real OS after unlocking the drive on bios based motherboards. No special motherboard support is needed. Yes, it is still early in it's development cycle and it currently does not support sleep to ram as that requires OS hooks.
answered Jan 29 '15 at 6:01
Michael RomeoMichael Romeo
8111
As the "someone" working on "msed", it now has the ability enable the OPAL locking, write a PBA to an OPAL 2.0 drive and chain-load the real OS after unlocking the drive on bios based motherboards. No special motherboard support is needed. Yes, it is still early in it's development cycle and it currently does not support sleep to ram as that requires OS hooks.
answered Jan 29 '15 at 6:01
Michael RomeoMichael Romeo
8111
answered Jan 29 '15 at 6:01
Michael RomeoMichael Romeo
8111
answered Jan 29 '15 at 6:01
Michael RomeoMichael Romeo
8111
answered Jan 29 '15 at 6:01
Michael RomeoMichael Romeo
8111
8111
add a comment |
add a comment |
TexasDex is correct. Your motherboard BIOS must support an ATA Password option (this is distinct and in addition to the BIOS password). Now the interesting bit . . . no one mentions this feature. Not in mobo reviews, comparisons, and certainly not in the advertisements and listings of the mobo manufacturers. Why not? Millions upon millions of Samsung EVO and Intel SSDs are ready to have ultrafast and ultrasecure hardware encryption enabled, all they need is a BIOS with ATA Password support.
The only answer I could find is that Mobo makers are afraid a few noobs will forget their passwords, and since this encryption is so reliable, no one AT ALL will be able to help.
I had an ASRock Extreme6 mobo, and thinking it was the latest and greatest, of course it would have this feature. Not. However, I wrote to ASRock in Taiwan and in a week they emailed me the 1.70B version of their BIOS with an ATA Password option. However, it's still not available on their website, you have to ASK for it (?!). This may be the case with your mobo makers as well.
answered Jan 8 '15 at 6:50
Al WinstonAl Winston
314
Does this BIOS support suspend to RAM sleep mode? Does it unlock the drive while resuming from sleep?
– ZAB
Jun 14 '15 at 18:25
add a comment |
TexasDex is correct. Your motherboard BIOS must support an ATA Password option (this is distinct and in addition to the BIOS password). Now the interesting bit . . . no one mentions this feature. Not in mobo reviews, comparisons, and certainly not in the advertisements and listings of the mobo manufacturers. Why not? Millions upon millions of Samsung EVO and Intel SSDs are ready to have ultrafast and ultrasecure hardware encryption enabled, all they need is a BIOS with ATA Password support.
The only answer I could find is that Mobo makers are afraid a few noobs will forget their passwords, and since this encryption is so reliable, no one AT ALL will be able to help.
I had an ASRock Extreme6 mobo, and thinking it was the latest and greatest, of course it would have this feature. Not. However, I wrote to ASRock in Taiwan and in a week they emailed me the 1.70B version of their BIOS with an ATA Password option. However, it's still not available on their website, you have to ASK for it (?!). This may be the case with your mobo makers as well.
answered Jan 8 '15 at 6:50
Al WinstonAl Winston
314
Does this BIOS support suspend to RAM sleep mode? Does it unlock the drive while resuming from sleep?
– ZAB
Jun 14 '15 at 18:25
add a comment |
TexasDex is correct. Your motherboard BIOS must support an ATA Password option (this is distinct and in addition to the BIOS password). Now the interesting bit . . . no one mentions this feature. Not in mobo reviews, comparisons, and certainly not in the advertisements and listings of the mobo manufacturers. Why not? Millions upon millions of Samsung EVO and Intel SSDs are ready to have ultrafast and ultrasecure hardware encryption enabled, all they need is a BIOS with ATA Password support.
The only answer I could find is that Mobo makers are afraid a few noobs will forget their passwords, and since this encryption is so reliable, no one AT ALL will be able to help.
I had an ASRock Extreme6 mobo, and thinking it was the latest and greatest, of course it would have this feature. Not. However, I wrote to ASRock in Taiwan and in a week they emailed me the 1.70B version of their BIOS with an ATA Password option. However, it's still not available on their website, you have to ASK for it (?!). This may be the case with your mobo makers as well.
answered Jan 8 '15 at 6:50
Al WinstonAl Winston
314
TexasDex is correct. Your motherboard BIOS must support an ATA Password option (this is distinct and in addition to the BIOS password). Now the interesting bit . . . no one mentions this feature. Not in mobo reviews, comparisons, and certainly not in the advertisements and listings of the mobo manufacturers. Why not? Millions upon millions of Samsung EVO and Intel SSDs are ready to have ultrafast and ultrasecure hardware encryption enabled, all they need is a BIOS with ATA Password support.
The only answer I could find is that Mobo makers are afraid a few noobs will forget their passwords, and since this encryption is so reliable, no one AT ALL will be able to help.
I had an ASRock Extreme6 mobo, and thinking it was the latest and greatest, of course it would have this feature. Not. However, I wrote to ASRock in Taiwan and in a week they emailed me the 1.70B version of their BIOS with an ATA Password option. However, it's still not available on their website, you have to ASK for it (?!). This may be the case with your mobo makers as well.
answered Jan 8 '15 at 6:50
Al WinstonAl Winston
314
answered Jan 8 '15 at 6:50
Al WinstonAl Winston
314
answered Jan 8 '15 at 6:50
Al WinstonAl Winston
314
answered Jan 8 '15 at 6:50
Al WinstonAl Winston
314
314
Does this BIOS support suspend to RAM sleep mode? Does it unlock the drive while resuming from sleep?
– ZAB
Jun 14 '15 at 18:25
add a comment |
Does this BIOS support suspend to RAM sleep mode? Does it unlock the drive while resuming from sleep?
– ZAB
Jun 14 '15 at 18:25
Does this BIOS support suspend to RAM sleep mode? Does it unlock the drive while resuming from sleep?
– ZAB
Jun 14 '15 at 18:25
Does this BIOS support suspend to RAM sleep mode? Does it unlock the drive while resuming from sleep?
– ZAB
Jun 14 '15 at 18:25
add a comment |
It's possible to use the hdparm command in Linux to enable ATA Security Extensions, which will set the AT password on the drive, thereby encrypting it.
Unfortunately, if your BIOS doesn't support hard disk passwords then there's no way to boot after you do that, since you can't use the hdparm unlock command until after you're done booting, and you can't unlock and boot off the drive until after you unlock it. Kind of a chicken/egg problem. That's why they sometimes put disk password support in the BIOS, so it can run without needing an OS.
If you have the /boot or / partition on a separate device you might be able to set up a script that uses the hdparm command somewhere in the init process. This isn't easy, and kind of defeats the purpose of having the SSD for fast booting and such.
My only other idea would be to have a thumb drive with a super-minimal distro of Linux that does nothing but prompt for the password, run the hdparm ata unlock command, and reboot, allowing the OS to load from your unlocked drive (I believe soft reboots generally don't re-lock drives). This is not ideal, but it's the best available solution if your motherboard doesn't support ATA passwords.
answered Dec 17 '14 at 5:30
TexasDexTexasDex
961
add a comment |
It's possible to use the hdparm command in Linux to enable ATA Security Extensions, which will set the AT password on the drive, thereby encrypting it.
Unfortunately, if your BIOS doesn't support hard disk passwords then there's no way to boot after you do that, since you can't use the hdparm unlock command until after you're done booting, and you can't unlock and boot off the drive until after you unlock it. Kind of a chicken/egg problem. That's why they sometimes put disk password support in the BIOS, so it can run without needing an OS.
If you have the /boot or / partition on a separate device you might be able to set up a script that uses the hdparm command somewhere in the init process. This isn't easy, and kind of defeats the purpose of having the SSD for fast booting and such.
My only other idea would be to have a thumb drive with a super-minimal distro of Linux that does nothing but prompt for the password, run the hdparm ata unlock command, and reboot, allowing the OS to load from your unlocked drive (I believe soft reboots generally don't re-lock drives). This is not ideal, but it's the best available solution if your motherboard doesn't support ATA passwords.
answered Dec 17 '14 at 5:30
TexasDexTexasDex
961
add a comment |
It's possible to use the hdparm command in Linux to enable ATA Security Extensions, which will set the AT password on the drive, thereby encrypting it.
Unfortunately, if your BIOS doesn't support hard disk passwords then there's no way to boot after you do that, since you can't use the hdparm unlock command until after you're done booting, and you can't unlock and boot off the drive until after you unlock it. Kind of a chicken/egg problem. That's why they sometimes put disk password support in the BIOS, so it can run without needing an OS.
If you have the /boot or / partition on a separate device you might be able to set up a script that uses the hdparm command somewhere in the init process. This isn't easy, and kind of defeats the purpose of having the SSD for fast booting and such.
My only other idea would be to have a thumb drive with a super-minimal distro of Linux that does nothing but prompt for the password, run the hdparm ata unlock command, and reboot, allowing the OS to load from your unlocked drive (I believe soft reboots generally don't re-lock drives). This is not ideal, but it's the best available solution if your motherboard doesn't support ATA passwords.
answered Dec 17 '14 at 5:30
TexasDexTexasDex
961
It's possible to use the hdparm command in Linux to enable ATA Security Extensions, which will set the AT password on the drive, thereby encrypting it.
Unfortunately, if your BIOS doesn't support hard disk passwords then there's no way to boot after you do that, since you can't use the hdparm unlock command until after you're done booting, and you can't unlock and boot off the drive until after you unlock it. Kind of a chicken/egg problem. That's why they sometimes put disk password support in the BIOS, so it can run without needing an OS.
If you have the /boot or / partition on a separate device you might be able to set up a script that uses the hdparm command somewhere in the init process. This isn't easy, and kind of defeats the purpose of having the SSD for fast booting and such.
My only other idea would be to have a thumb drive with a super-minimal distro of Linux that does nothing but prompt for the password, run the hdparm ata unlock command, and reboot, allowing the OS to load from your unlocked drive (I believe soft reboots generally don't re-lock drives). This is not ideal, but it's the best available solution if your motherboard doesn't support ATA passwords.
answered Dec 17 '14 at 5:30
TexasDexTexasDex
961
answered Dec 17 '14 at 5:30
TexasDexTexasDex
961
answered Dec 17 '14 at 5:30
TexasDexTexasDex
961
answered Dec 17 '14 at 5:30
TexasDexTexasDex
961
961
add a comment |
add a comment |
- Storage type must be ACHI.
- The computer must always boot natively from UEFI.
- The computer must have the Compatibility Support Module (CSM) disabled in UEFI.
The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).
TPM chip is optional.
- Secure boot is optional.
- GPT and MBR are both supported.
- If there is RST software/drivers, it has to be at least version 13.2.4.1000.
This can be done with 2 disks or one.
From a Windows install that meets the above criteria:
- Set state to ready to enable via Samsung Magician.
- Make a secure erase USB (for DOS).
- Reboot PC, change boot mode to BIOS boot (for the secure erase USB)
- Boot into secure erase, erase
- Reboot PC, change BIOS boot settings to EFI again. (Do not let the PC start booting from the drive or you might start the process from the beginning.)
- Boot back to Windows disk and check via Samsung magician or install Windows to your secure erased disk.
edited Nov 3 '16 at 11:02
karel
9,25293138
answered Nov 3 '16 at 10:52
Shadowws ShadowwShadowws Shadoww
1
add a comment |
- Storage type must be ACHI.
- The computer must always boot natively from UEFI.
- The computer must have the Compatibility Support Module (CSM) disabled in UEFI.
The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).
TPM chip is optional.
- Secure boot is optional.
- GPT and MBR are both supported.
- If there is RST software/drivers, it has to be at least version 13.2.4.1000.
This can be done with 2 disks or one.
From a Windows install that meets the above criteria:
- Set state to ready to enable via Samsung Magician.
- Make a secure erase USB (for DOS).
- Reboot PC, change boot mode to BIOS boot (for the secure erase USB)
- Boot into secure erase, erase
- Reboot PC, change BIOS boot settings to EFI again. (Do not let the PC start booting from the drive or you might start the process from the beginning.)
- Boot back to Windows disk and check via Samsung magician or install Windows to your secure erased disk.
edited Nov 3 '16 at 11:02
karel
9,25293138
answered Nov 3 '16 at 10:52
Shadowws ShadowwShadowws Shadoww
1
add a comment |
- Storage type must be ACHI.
- The computer must always boot natively from UEFI.
- The computer must have the Compatibility Support Module (CSM) disabled in UEFI.
The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).
TPM chip is optional.
- Secure boot is optional.
- GPT and MBR are both supported.
- If there is RST software/drivers, it has to be at least version 13.2.4.1000.
This can be done with 2 disks or one.
From a Windows install that meets the above criteria:
- Set state to ready to enable via Samsung Magician.
- Make a secure erase USB (for DOS).
- Reboot PC, change boot mode to BIOS boot (for the secure erase USB)
- Boot into secure erase, erase
- Reboot PC, change BIOS boot settings to EFI again. (Do not let the PC start booting from the drive or you might start the process from the beginning.)
- Boot back to Windows disk and check via Samsung magician or install Windows to your secure erased disk.
edited Nov 3 '16 at 11:02
karel
9,25293138
answered Nov 3 '16 at 10:52
Shadowws ShadowwShadowws Shadoww
1
- Storage type must be ACHI.
- The computer must always boot natively from UEFI.
- The computer must have the Compatibility Support Module (CSM) disabled in UEFI.
The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).
TPM chip is optional.
- Secure boot is optional.
- GPT and MBR are both supported.
- If there is RST software/drivers, it has to be at least version 13.2.4.1000.
This can be done with 2 disks or one.
From a Windows install that meets the above criteria:
- Set state to ready to enable via Samsung Magician.
- Make a secure erase USB (for DOS).
- Reboot PC, change boot mode to BIOS boot (for the secure erase USB)
- Boot into secure erase, erase
- Reboot PC, change BIOS boot settings to EFI again. (Do not let the PC start booting from the drive or you might start the process from the beginning.)
- Boot back to Windows disk and check via Samsung magician or install Windows to your secure erased disk.
edited Nov 3 '16 at 11:02
karel
9,25293138
answered Nov 3 '16 at 10:52
Shadowws ShadowwShadowws Shadoww
1
edited Nov 3 '16 at 11:02
karel
9,25293138
edited Nov 3 '16 at 11:02
karel
9,25293138
edited Nov 3 '16 at 11:02
karel
9,25293138
9,25293138
answered Nov 3 '16 at 10:52
Shadowws ShadowwShadowws Shadoww
1
answered Nov 3 '16 at 10:52
Shadowws ShadowwShadowws Shadoww
1
answered Nov 3 '16 at 10:52
Shadowws ShadowwShadowws Shadoww
1
1
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f833457%2fhow-to-enable-hardware-based-encryption-on-samsung-850-pro%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
