Intel 320 SSD: How to set the AT HD Password encryption correctly.

idata
Esteemed Contributor III

I have recently bought the 80GB 320 and I am still trying to get a simple answer to the FDE AT HD password question and think it would be very helpful if the answer were included in the HD manual and the FAQ.

If, as is the case, my PC has a BIOS and an HD password option and I set both of these when installing the SSD, have I in fact set up the bespoke password FDE, or do I need to, as the PDF Intel guidance suggests, use the toolbox to then do a new secure erase on the same HD? It's just that the tablet PC in question only has one SATA connection, meaning that any secure erase would have to happen on a desktop PC with no HD password option enabled in the BIOS.

Basically a simple step by step answer to how to set it up would be appreciated.

I have assumed up until now that by setting an HD password in the BIOS on first using the drive that the FDE is encrypted with reference to the HD password that was set but am increasingly believing it isn't. I am therefore of the thinking that in order for the HD password to be relevant to the encryption of the drive a password has to be in place prior to then doing the secure erase and see no easy way to accomplish this.

No one seems to have a simple answer to how to do this.

TIA

G

6 REPLIES 6

idata
Esteemed Contributor III

I am also keen to know what happens if I have to move the drive to another computer. Can I just set the same ATA password on its BIOS and the drive will allow it to work with the new PC or do I end up locked out of it?

G

idata
Esteemed Contributor III

BUMP

idata
Esteemed Contributor III

IIRC from documents and various posts read many months ago, the information stored on the 320 is always encrypted on-the-fly when it is stored and decrypted by the drive when it is read. When no ATA (hard drive) password is set, the decrypted data are always passed to the PC - the drive essentially acts like any unencrypted drive as far as the PC is concerned.

I believe the encryption key is randomly generated each time the drive is securely erased, and is unrelated to the ATA password. The secure erase simply changes the encryption key, rendering all previously saved data permanently unrecoverable.

When the ATA password is set, the drive will not allow access to the data unless the password is provided each time the drive is powered on. Since the data is encrypted on the chips, opening the drive and probing the chips can at best only provide encrypted data. Changing the ATA password does not re-encrypt any data on the drive.

The ATA password is not (in theory) ever stored in the PC's NVRAM - it is simply passed to the hard drive. There is a long thread on this forum that (I think) suggests that it is securely stored as a hash in an inaccessible place on the SSD, though some questioned if it might be crackable.

So the basic step-by-step is simply set the ATA password. Remove the password before firmware updates, and set it up again after the update. Also remove the password before moving the drive to another PC, as there is no guarantee that each PC's BIOS will handle the password string identically before passing it to the hard drive (some may hash it, some have been known to drop special characters). Moving the drive to the same model PC with the same BIOS version should not require removing the password and setting it again on the new box. [Edit: Some Lenovo ThinkPads treat the string differently depending on a BIOS setting before supplying it to the hard drive - best to always remove the password when moving the drive to another PC.]

Disclaimer: I'm not an expert - anyone please chime in if I've given bad info.
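
The reply above advises removing the ATA password before moving the drive because BIOSes may transform the typed string differently. The sketch below is an added example, not part of the original thread or any vendor's code: the three BIOS behaviours and the `ModelDrive` class are hypothetical, and the drive is simplified to store and compare the raw 32-byte password field that the ATA security commands carry.

```python
import hashlib
import hmac

FIELD_LEN = 32  # the ATA security commands carry the password as a fixed 32-byte field

def _pad(raw: bytes) -> bytes:
    return raw[:FIELD_LEN].ljust(FIELD_LEN, b"\x00")

# Hypothetical firmware behaviours (assumptions, not any vendor's documented code).
def bios_verbatim(typed: str) -> bytes:
    return _pad(typed.encode("ascii"))

def bios_drops_specials(typed: str) -> bytes:
    return _pad("".join(c for c in typed if c.isalnum()).encode("ascii"))

def bios_hashes(typed: str) -> bytes:
    return hashlib.sha256(typed.encode("ascii")).digest()  # exactly 32 bytes

class ModelDrive:
    """Toy drive: keeps the 32-byte field it was given and compares byte for byte."""
    def __init__(self):
        self._field = None  # None means no user password is set

    def set_password(self, field: bytes) -> None:
        self._field = field

    def unlock(self, field: bytes) -> bool:
        return self._field is None or hmac.compare_digest(self._field, field)

    def disable_password(self, field: bytes) -> bool:
        if self.unlock(field):
            self._field = None
            return True
        return False

def unlocks_after_move(typed, old_bios, new_bios, removed_first=False) -> bool:
    """Set the password on the old PC, optionally remove it, then unlock on the new PC."""
    drive = ModelDrive()
    drive.set_password(old_bios(typed))
    if removed_first:
        drive.disable_password(old_bios(typed))
    return drive.unlock(new_bios(typed))

if __name__ == "__main__":
    for pw in ("Tablet2011", "T@blet-2011!"):  # constructed sample passwords
        for new in (bios_verbatim, bios_drops_specials, bios_hashes):
            print(pw, new.__name__, unlocks_after_move(pw, bios_verbatim, new))
```

In this model the same typed password stops working on the new PC as soon as the two BIOSes disagree on encoding, while removing the password on the old PC first always leaves the drive accessible.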

idata
Esteemed Contributor III

The ATA password is not used for encryption. Does this mean that the ATA password is just used for unlocking the drive, or is it also used to decrypt the saved data decryption key which is needed to decrypt user data?