How do I enable SSD encryption?

3275

I just bought a Samsung EVO 840, which supports AES-256 encryption.

After reading the very little documentation I could find on SSD encryption, I found that I need to go into my BIOS, go to the Security tab, select HDD encryption and set a password. The problem is that my BIOS, MEDION MS-7728, has only two options on the Security tab: Administrator password and User password.

I couldn't find any specification for this BIOS where I could read whether it doesn't support HDD encryption, or whether it does and I just need to update the controller.

Do I need to update the controller for the BIOS to recognize HDD encryption? And if not, what alternatives do I have for setting a password on my SSD?

3
The crux of this question seems to be about configuring your BIOS rather than encryption itself. I'm voting to move it to another site where this kind of thing is more on topic. Mike Ounsworth 8 years ago 0
If you tell me which site I should post this question on, I'll be happy to delete this question and repost it on the other site. 8 years ago 0

1 answer

0
Xen2050

I don't think your Medion motherboard/BIOS supports it. I think you'll need a newer BIOS or motherboard, and a laptop looks more likely to support it.

I did find a BIOS Update page on medion.com for Version:2.09, System:Win 7 64bit, Release date:11.01.2012 but it looks like the Samsung SSD 840 EVO was released in 2013, so it just may not be supported by your motherboard's update either...

But VxLabs' SSDs with usable built-in hardware-based full disk encryption page tells me:

Information on this is incredibly hard to find

In some cases, the manufacturer uses the HDD password or ATA password (configurable via many laptop BIOSes, very few desktop BIOSes, or the ATASX BIOS extension) to encrypt the AES keys.

That last link sounds like a solution, at least for an AMI-BIOS. I don't think that's what you've got, so I don't think you can enable it. Or perhaps it already is enabled, but you can't change the password so it's always "unlocked" :-(


Here's some red herring info I dug up, on the way to the conclusion above.

I thought it was a feature that can be used by software encryption programs, like dm-crypt/cryptsetup/BitLocker/FileVault/truecrypt, etc... after reading about it, it sounds nearly identical to a LUKS volume, where the "random" key is used to encrypt the whole drive, and a user password & master password can be set to unlock the drive, and erasing the "random" key renders the drive effectively locked "forever."

But reading the Security Encryption Brochure (that's pretty thick with "marketingspeak") on your link I didn't think it had anything to do with any BIOS settings, or really any settings on your computer. I'm not even sure if you would type in a password when you turn it on, it sounds more like a remotely managed system where the keys are set & verified by a remote server, so only the "safe" drives are allowed to decrypt & work, and any that try to turn on at the wrong time or place remain locked.

The brochure says:

Samsung offers Self-Encrypting Drives (SEDs) which are hardware-encrypted and automatically encrypt or decrypt all data transferred to and from the SSDs.

So it didn't sound like it had anything to do with any software running at all. But that wouldn't make much sense unless you used an actual physical key to unlock the drive, and that wouldn't be very convenient. Reading further:

Invisible to the user, hardware encryption built directly into the drive electronics maximizes performance. In contrast, software encryption burdens the central processing unit (CPU) and lowers performance. Hardware-based SED encryption includes a built-in circuit in the controller chip that automatically encrypts all data transferred to the storage device. With hardware-based encryption, the drive controller encrypts and decrypts all data

...

hardware-based encryption is performed in the actual hardware, and user authentication is performed by the drive before it unlocks, independent of the operating system (OS).

...

in collaboration with independent software vendors (ISVs) who provide security management tools for SEDs, Samsung provides SEDs that are compliant with the TCG Opal specification, developed by the Trusted Computing Group, and the IEEE 1667 standards, as supported (for example) by Microsoft BitLocker in Windows 8.

...

Safeguard access to data with Wave Cloud and Wave Embassy Remote Administration Server (ERAS)

Wave Systems is an ISV that offers secure data access control on mobile platforms, access to the cloud and safe network logon with users’ personal devices. Wave System solutions augment Samsung SED security technology by Managing authorized users’ access to the drives and data is where Wave comes in.

So it sounded like a large business / enterprise level system. But reading Samsung's Whitepaper 06- Protect Your Privacy - Security & Encryption Basics reads:

While they do feature SED technology, the 840 and 840 Pro Series SSDs do not support the OPAL storage specification management interface. OPAL drives are geared towards enterprises that need to manage security protocols and want to have advanced control over authentication. With third-party software support, IT managers can set detailed security provisions to restrict access by partition, physical location of the laptop, etc. Anyone interested in this level of security management should research enterprise-class TCG/OPAL SED options.

Someone who wants to manage a personal machine or an SMB that depends on its employees to handle most of their own IT support, however, will find that the SED feature of Samsung’s 840 and 840 Pro Series SSDs is well-suited to their needs. These SSDs offer basic, yet robust, security with minimal effort and expense.

Enabling AES Encryption

AES encryption is always active on an 840 or 840 Pro Series SSD. In order to benefit from the encryption feature, however, the user must enable an ATA password to limit access to the data. Failure to do so will render AES-encryption ineffective – akin to having a safe but leaving the door wide open. To set an ATA password, simply access the BIOS, navigate to the “Security” menu, enable “Password on boot” and set an “HDD Password.” Administrators also have the option of setting a “Master Password,” which can allow a lost user password (“HDD Password”) to be recovered. The “Master Password” may also be used to unlock and/or erase the drive (depending on the settings), effectively destroying, and thus protecting, the data but allowing the drive to be reused. The setup procedure may differ slightly depending on the BIOS version installed on a particular machine. It is best to consult the user manual if there is any confusion.

  • Probably not helpful, but Lenovo ThinkPads are supposed to automatically show the hard drive encryption options in their BIOS when a qualifying drive is present, and there's a utility to force the options to appear.
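
The whitepaper quoted above says the drive's AES encryption only restricts access once an ATA password is enabled, and the answer wonders whether the drive is simply always "unlocked". The following is an added example, not part of the answer or of Samsung's material: it interprets the "Security:" section that `hdparm -I /dev/sdX` prints on Linux to show whether an ATA password is actually set. The sample text is constructed in hdparm's layout, and the function names are hypothetical.

```python
# Interpret the "Security:" section of `hdparm -I` output (added example).
# SAMPLE is constructed for illustration, not captured from a real drive.
SAMPLE = """\
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
Checksum: correct
"""

FLAGS = ("supported", "enabled", "locked", "frozen")

def parse_security(text):
    """Return {flag: bool} for the ATA Security flags, {} if no section."""
    state, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if not in_section:
            continue
        if line and not line[0].isspace():
            break  # an unindented line starts the next top-level section
        words = line.split()
        negated = bool(words) and words[0] == "not"
        if negated:
            words = words[1:]
        # "supported:" / "expired:" (with colon) are other fields, skipped
        if words and words[0] in FLAGS:
            state[words[0]] = not negated
    return state

def assess(state):
    if not state.get("supported"):
        return "ATA Security feature set not reported by the drive"
    if not state.get("enabled"):
        msg = "no ATA password set: data is readable without authentication"
    elif state.get("locked"):
        msg = "ATA password set, drive currently locked"
    else:
        msg = "ATA password set, drive currently unlocked"
    if state.get("frozen"):
        msg += "; security settings frozen until next power cycle"
    return msg

print(assess(parse_security(SAMPLE)))
```

A drive reporting "not enabled" matches the whitepaper's "safe with the door wide open" case: the data is encrypted on flash, but nothing gates access to it.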
