1

I have a new Samsung 850 Evo and would like to do a clean install. This time, I want full drive encryption enabled. So reading through the options, the most obvious one was: enable an HDD password in the BIOS/UEFI, and according to Samsung this would enable AES-256 encryption.

So I went into the BIOS of my Asus P8Z77-V Pro, set an admin and user password, and installed Windows. However, when I then (on the same machine) booted a live Debian and mounted the new SSD (read-only), I could access all the folders in "clear-text". So what went wrong there?

How can I check that my motherboard supports the necessary feature? (It's not THAT old, so I think it should be able to do it.)

What alternatives are there (ideally so that when I need to attach the drive to another system to rescue data it should work out of the box, i.e. without having to install BitLocker on Unix or something)?

4
  • Did you set a hard drive password in your BIOS, not just a "view/change BIOS" password? Are you typing in the password at every boot? If it's a hard drive password then after booting the whole drive is probably decrypted for whatever's running (win/linux/etc). Last I read about the built-in encryption on those drives, using the BIOS was the best (only?) way, and a big advantage is that you don't have to use any programs like BitLocker. The only alternative would be to upgrade the BIOS, or get a motherboard that does support it.
    – Xen2050
    Commented Feb 23, 2017 at 14:05
  • @Xen2050 In the BIOS you can set an admin password and a user password. I wondered if the user password might actually be the HDD password, but apparently the only difference is that you have to type in the user password as well at each boot. I connected the "supposed to be encrypted" drive using a USB-SATA adapter after booting Unix.
    – Xaser
    Commented Feb 23, 2017 at 21:25
  • That does sound like a regular BIOS/boot password only, not a hard drive password, since the drive's still visible (unencrypted) with the USB adapter - you could be 100% sure by checking on another computer. Another BIOS or motherboard may be the easiest way to get the hard drive password going, or it's possible it's buried in your current BIOS somewhere (they're not always well designed & clear), or I think a linked Q mentions other programs/ways to access a hard drive password (ATA password I think?) but those may need to boot & run before the encrypted drive would be decrypted...?
    – Xen2050
    Commented Feb 24, 2017 at 16:51
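
Added example, not part of the original question or comments: from the live Debian session, the drive's ATA Security state shows whether a hard drive (ATA) password was ever set, as opposed to a BIOS boot password. The sketch parses the `Security:` section of `hdparm -I` output; the sample text is constructed in the layout hdparm prints, and the function and state names are this example's own.

```shell
#!/bin/sh
# Added example: classify the ATA Security state reported by `hdparm -I`.
# The identify text is read from stdin so the logic can be checked offline.
ata_security_state() {
    awk '
        /^Security:/         { in_sec = 1; next }
        in_sec && /^[^ \t]/  { in_sec = 0 }   # next top-level section ends it
        !in_sec              { next }
        $1 == "supported" && NF == 1 { supported = 1 }
        $NF == "enabled"     { enabled = ($1 != "not") }
        $NF == "locked"      { locked  = ($1 != "not") }
        $NF == "frozen"      { frozen  = ($1 != "not") }
        END {
            if (!supported)    state = "unsupported"
            else if (!enabled) state = "password-not-set"
            else if (locked)   state = "locked"
            else               state = "unlocked"
            print state, "frozen=" (frozen ? "yes" : "no")
        }
    '
}

# Constructed sample in the layout hdparm prints; $1 $2 $3 are "not" or ""
# for the enabled, locked and frozen lines.
sample_identify() {
    printf 'ATA device, with non-removable media\nSecurity: \n'
    printf '\tMaster password revision code = 65534\n\t\tsupported\n'
    printf '\t%s\tenabled\n\t%s\tlocked\n\t%s\tfrozen\n' "$1" "$2" "$3"
    printf '\tnot\texpired: security count\n\t\tsupported: enhanced erase\n'
    printf 'Checksum: correct\n'
}

if [ -n "${1:-}" ]; then
    hdparm -I "$1" | ata_security_state     # real drive, needs root
else
    # Constructed case matching the question: no ATA password on the drive.
    sample_identify not not "" | ata_security_state
fi
```

`password-not-set` corresponds to the symptom in the question (the drive reads in the clear on any machine); `frozen=yes` means the firmware froze the security settings at boot, so the password cannot be changed from the running OS in that session. Many USB-SATA bridges do not pass ATA identify commands through, so run the check with the drive on a native SATA port.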

1 Answer

1

To utilize this technology I would recommend you check out Windows' BitLocker; this is the software that can activate your SSD's encryption chip and should offer only a minor performance penalty (note you will probably need the Windows Pro edition).

Now generally, to utilize this technology to its fullest potential your motherboard ideally would need to support a "TPM" module to store the encryption keys of your system; a quick lookup of your Asus motherboard reveals it does not seem to have a TPM slot. Alternatively, BitLocker allows you to store the encryption key data on a USB stick, meaning this USB stick is now essential to getting into your PC, though BitLocker does offer further secondary backup options.

For Samsung SSDs specifically I recommend starting with the "Samsung Magician" application which offers instructions on how to enable it. I believe the process starts by (re)initializing your drive with a "ready to enable" flag that lets you initialize hardware encryption as seen here: http://prntscr.com/ecdfsj.

A full guide can be found here: https://helgeklein.com/wp-content/uploads/2014/12/xSamsung-SSD-Magician-ready-Encrypted-Drive-status.png.pagespeed.ic.UMbvG3KTPm.webp

Going through the above steps does not yet offer password protection, just data security. As a password you could set a disk PIN: https://www.howtogeek.com/262720/how-to-enable-a-pre-boot-bitlocker-pin-on-windows/

Hope it helps!

3
  • Thanks. AFAIK the Samsung has hardware encryption anyway, so apparently there is a common practice used by different encryption solutions (including BitLocker if I'm right) that just encrypt the shipped key in the hard drive again to make it password protected. So no TPM necessary even?
    – Xaser
    Commented Feb 22, 2017 at 23:10
  • I believe BitLocker is the main tool shipped with Windows that offers support for (hardware) encrypted drives and that it prefers you have a TPM (likely data safety related). I've updated my answer with a bit more details. Maybe check out this guide: helgeklein.com/wp-content/uploads/2014/12/… as well as: arstechnica.com/civis/viewtopic.php?t=1312261
    Commented Feb 23, 2017 at 11:17
  • Thanks for the updates Robin, I had found these links as well, however they aren't quite up to date since the Samsung Magician software has been updated and apparently reduced significantly in features since then.
    – Xaser
    Commented Feb 23, 2017 at 21:27
