Sunday, January 27, 2013

INTEL problem with Dell Bios Passwords

http://communities.intel.com/thread/20537


This question has been Answered.

tristpost Mar 26, 2011 10:10 AM

I am considering buying a couple of new solid state drives for my company. A requirement is FDE and according to some info I found the new 320 series should support this. I have a few questions:

1. As far as I know none of our computers have any support in BIOS for disk password. Is this required for FDE to work with the 320 series or how exactly does the encryption / password entry work?
2. If we would like to use a RAID configuration (RAID 0 striping) is it still possible to use FDE and if so does one have to enter a password for each disk?
3. What about using two disks in the same computer (non-RAID) that is used to dual boot two different operating systems (say Linux and Windows 7) installed one OS on each drive - does FDE work in this case and would one have to enter a password twice?
4. Is the FDE solution dependent on some support in the OS (in that case what OS does it work with) or is it independent?
5. Do you have some white paper about the FDE with for instance information about how much slower it is compared to a non FDE drive?
6. I have read that TRIM does not work with SSDs in RAID configuration. Is this still the case and how dependent is the 320-series on TRIM?

/Trist

CORRECTION: I just found that our Dell Precision M6500 computers do have a field in the BIOS for disk password so I am interested in the questions above (two disks in the machine with or without RAID) also for this configuration. How do I know if the 320-series FDE is compatible with the disk password setting in the Dell M6500 machines? Is there a standard for this that all BIOS manufacturers follow or??

Correct Answer by SSDelightful on Apr 4, 2011 4:50 PM

Hey folks,

Hope the following responses help with your questions:

1. Intel® SSD 320 Series drives are always encrypting the user data stored on the media, whether or not an ATA Password is set. In order to control access to your data or lock your SSD you do need to enable an ATA Password.

Background: The encryption keys are securely held within the SSD device, hidden and encrypted using standard security techniques. These keys cannot be read by the user. All Intel SSD 320 Series drives do this. No user intervention is needed to enable data encryption on the NAND devices within the SSD. If you were to remove a NAND component from the SSD, all data contained within the component is encrypted and keys are securely encrypted and hidden, therefore it is extremely low probability that any data could be recovered. Executing a SECURE ERASE function, such as that found in the Intel® SSD Toolbox, will cause the Intel SSD 320 Series drives to generate a new internal encryption key.

The ATA Password security interface is used to control the SSD's internal access to the encryption keys, and therefore the user's access to their data through the SATA interface. In order to lock access to the user data you do need to enable an ATA Password.

2. Support for ATA Passwords within BIOS or other means is system implementation specific. Most commercially available notebook / netbook systems include ATA Password functionality within their BIOS. The ATA Password is often referred to as an "HDD Password" in system BIOS. If the system allows, it is recommended that both "User" and "Master" passwords are configured for maximum security. Consult your system manufacturer's documentation, or contact your system manufacturer for support.

The Intel® Desktop Board DQ67SW, DQ67OW, and DQ67EP support the ATA Password functionality, called "HDD Password". On these boards, the HDD password support works in all SATA modes (IDE, RAID, or AHCI). The HDD password will only be applied to the drive on SATA port 0.

Note: The ATA Password is not a standard BIOS system password, as standard BIOS system passwords control access to the specific platform / BIOS, not the SSD. Consult your system manufacturer's documentation, or contact your system manufacturer for support.

3. The ATA Password standards, and therefore Intel SSD 320 Series drives, allow for up to 32 byte passwords and contain no specific password "strength" requirements. 32 bytes enables users to create passwords with significant security "strength". It has been noted that some systems support ATA Passwords which are significantly shorter than 32 characters in length, and contain no password "strength" requirements. The utilization of the ATA Password security interface in system BIOS is system implementation specific. Consult your system manufacturer's documentation, or contact your system manufacturer for support.

4. In order to provide the absolute best security possible, there are no available password recovery solutions. If you lose or forget your ATA User Password and Master Password, your SSD will remain locked without access to read, write, or erase any data within the device. In this case, your SSD and your data are lost, and cannot be recovered by Intel.

5. ATA Password support in RAID or multi-drive installations is host system BIOS implementation specific. Consult your system manufacturer's documentation, or contact your system manufacturer for support.

1. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

Pit Mar 27, 2011 11:28 AM (in response to tristpost)

I'm not sure but it seems that Intel's approach is no different than the SandForce 12xx one. It means: this is ONLY internal encryption with randomly generated passwords and without a user-defined passphrase. This solution does NOT increase security against thieves. It speeds up secure erasing and adds a minor layer of security against controller switching (for ATA-pass overriding) and flash memory dumping. Highly rare and uncommon situations these days.

2. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

Trist Mar 28, 2011 1:01 AM (in response to Pit)

Hmmm in that case it is pretty lame - moving a disk between two controllers is even something I WANT TO BE ABLE TO DO.... it is really the data theft issue one wants to address (in particular on laptops)....

/Trist

3. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

Pit Mar 28, 2011 10:02 AM (in response to Trist)

The controller switching is a rather outdated hack method (mainly for platter drives) based on swapping the HDD's electronic board (containing the drive's controller and internal BIOS) to bypass some security methods. It does not concern the motherboard controller, the drive's electronics only.

There are IMO much better solutions for securing mass storage these days. Much more flexible than BIOS-based passwords (with their 8-character limitation - too small against brute force attacks). All of them are based on preboot authentication (and to be honest they have their own issues) but I highly doubt Intel implemented that. We are talking about budget drives.

4. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

SSDelightful Mar 28, 2011 12:44 PM (in response to tristpost)

Hey tristpost,

Just want to let you know that I'm working on answers for you! Everyone else should look for a 320 post sometime today. Thx!

-Scott, Intel Corporation

5. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

SpRoUsA Mar 28, 2011 1:30 PM (in response to tristpost)

Requires BIOS level password setup to enable user-unique encryption. According to http://download.intel.com/design/flash/nand/325212.pdf

6. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

Jerry Mar 28, 2011 3:12 PM (in response to tristpost)

I would like to know the answer as well. Is the ATA password set in the BIOS directly linked to the key stored in the Intel 320 drive? If not, the encryption feature in the drive wouldn't really be accessible to the user.

7. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

Robert Mar 29, 2011 7:14 AM (in response to SSDelightful)

Bump for information!

8. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

Atavism Mar 29, 2011 11:41 AM (in response to Pit)

While many BIOSes seem to have 8 character limitations, is there any technical reason for it? As far as the ATA specs go, up to 32 characters should be fine to use.

9. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

Guest Mar 29, 2011 2:22 PM (in response to Atavism)

@Atavism

AFAIK there is no technical reason for the 8 chars limitation. And you are absolutely right. The ATA security specification defines 32 bytes for the passphrase. Well... it seems that unofficial BIOS modding for adding security ATA extensions will be more common these days. This is the only way I can think of... I've lost any hope that my desktop mobo's manufacturer will get rid of the essential flaws in its BIOS anytime soon. Adding a security module sounds like sci-fi to me and it is unreal for most of us, unfortunately.

tristpost asked an excellent question about password linking. This is the clue.

Intel's documentation suggests that AES keys are generated during the Secure Erase procedure. And this is understandable. But the thing is: the ATA password seems to be unrelated to the AES encryption engine, which to be honest reverses the proper implementations upside down. In truecrypt (and many soft-based solutions) for instance the password is first, and based on it and a random or pseudo-random generator (mouse based in truecrypt) the final AES keys are obtained.

Intel's paper suggests that in the 320 case AES encryption and SATA pass are separated. You can use AES (well you are forced to, but not complaining) and NOT use ATA-pass at the same time. ATA pass is optional.

These two security mechanisms are not nested. They are not nested!

When you crack the ATA password AES becomes obsolete and vice-versa. They are not in logical conjunction.

Implications? Well look at the market. Dozens of manufacturers and their ATA pass implementations. And you can crack almost any of them. There are specialized commercial firms which offer ATA pass removal. And all these security implementations are hardware!! ATA pass is stored in the drive's firmware or data firmware areas!

The only solution to secure such an encryption mechanism I can think of is to encrypt (strong encrypt) generated AES keys with ata pass internally.

Otherwise sooner or later some skilled hacker will find the "authorization bit" and this whole sophisticated AES will be absolutely useless. In my opinion this is not looking like enterprise class security. If I'm wrong, feel free to prove otherwise.
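The two designs contrasted in the post above (a password that only gates access to an independently stored media key, versus a media key stored only wrapped under the password), as an added Python sketch that is not part of the original thread and does not describe Intel's firmware. The class names, the PBKDF2 parameters and the XOR-plus-HMAC wrap (a stand-in for a real key wrap such as AES Key Wrap) are assumptions chosen for illustration.

```python
import hashlib, hmac, os

def stretch(password: str, salt: bytes) -> bytes:
    pw = password.encode()
    if len(pw) > 32:                       # ATA password field is 32 bytes
        raise ValueError("password longer than 32 bytes")
    # 64 bytes out: [0:32] masks/verifies, [32:64] keys the integrity tag.
    # Iteration count is an example value, not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", pw, salt, 100_000, dklen=64)

class GateOnlyDrive:
    """Password check only gates access; the media key (DEK) is stored independently."""
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.store = {"dek": os.urandom(32),
                      "verifier": stretch(password, self.salt)[:32]}
    def unlock(self, password: str):
        ok = hmac.compare_digest(stretch(password, self.salt)[:32],
                                 self.store["verifier"])
        return self.store["dek"] if ok else None

class WrappedKeyDrive:
    """DEK is stored only wrapped under a key derived from the password."""
    def __init__(self, password: str):
        self._wrap(os.urandom(32), password)
    def _wrap(self, dek: bytes, password: str):
        self.salt = os.urandom(16)         # fresh salt for every wrap
        k = stretch(password, self.salt)
        wrapped = bytes(a ^ b for a, b in zip(dek, k[:32]))  # stand-in for AES Key Wrap
        self.store = {"wrapped": wrapped,
                      "tag": hmac.new(k[32:], wrapped, "sha256").digest()}
    def unlock(self, password: str):
        k = stretch(password, self.salt)
        tag = hmac.new(k[32:], self.store["wrapped"], "sha256").digest()
        if not hmac.compare_digest(tag, self.store["tag"]):
            return None                    # wrong password: DEK is never reconstructed
        return bytes(a ^ b for a, b in zip(self.store["wrapped"], k[:32]))
    def change_password(self, old: str, new: str) -> bool:
        dek = self.unlock(old)
        if dek is None:
            return False
        self._wrap(dek, new)               # same DEK, so no media re-encryption
        return True

def dek_stored_in_clear(drive, password: str) -> bool:
    """True if the persistent store holds the DEK itself, independent of the password."""
    return drive.unlock(password) in drive.store.values()
```

In the wrapped design the password check and the encryption are in conjunction: the persistent store alone does not yield the media key, and a password change rewraps the same key instead of re-encrypting the media.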

10. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

Tom Mar 30, 2011 9:19 AM (in response to tristpost)

I'm also interested in this, any word from Intel yet?

11. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

tristpost Mar 30, 2011 10:05 AM (in response to SSDelightful)

Looking forward to your "official" answer. Still mostly speculation in the thread....

/Trist

12. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

Shiek Mar 30, 2011 10:39 AM (in response to SSDelightful)

Hi, another interesting question is (in my opinion) how the Intel 320-series FDE could work together with a new MacBook Pro (early 2011). Because there's no BIOS - 'only' EFI. I'm really looking forward to your answer! (hopefully for all questions in the thread)

/Shiek

13. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

SSD Mar 30, 2011 10:57 AM (in response to Shiek)

Hi SSDelightful. We are still waiting for the answers you promised two days ago. Please respond. Thx

14. Re: Intel 320-series SSD and FDE (Full Disk Encryption) questions...

Pit Mar 30, 2011 12:01 PM (in response to tristpost)

Another interesting question: What about Intel's FDE and hot-swapping an ATA password secured SSD drive? Is hot plug/hot swap possible with such a security system enabled?

