Self-encrypting (FDE) Hard Disks & Linux

Recently I upgraded to a Dell Latitude E6510 with a 4-core / 8-thread processor, plenty of RAM, and a fast hard disk. Nevertheless, the interactive performance of Ubuntu becomes sluggish beyond any measure as soon as a virtual machine or two start thrashing the disk.

There seem to be known performance problems in the Linux kernel, like Bug 12309, and full disk encryption makes things even worse. It appears that the new FDE technology will give laptop users a chance to move the burden of encryption to the hard drive itself.

Some vendors already offer drives that do all the crypto work by themselves, on the fly, and supposedly with no performance impact whatsoever. I had heard about these drives a while ago, but only just came across this document from Seagate, which convinced me that their drives are likely to work in my laptop under Linux, or in pretty much any laptop/OS whose BIOS supports password-protected hard drives.

I have just ordered the ST9500421AS - Momentus 7200 FDE.2 500-GB hard drive for a bit over 62 euro before tax; we will see how it works out...

Comments

lemme know how it worked out (filip)

I'd really like to run the Seagate FDE drive with FIPS 140-2 encryption under Ubuntu or another Linux distro. Were you able to use this as a boot device? Any BIOS issues with Dell? There is very little information on this and I need the performance that FDE can provide...

Thx!

How did this work out for you? By the way love MagicTree!

Here is an update on my attempt to use an FDE hard drive with Ubuntu Linux.

In short – it works flawlessly. I have plugged it into my laptop and it just worked.

As far as I can tell, an FDE disk behaves no differently from a non-FDE disk. According to the vendor, the disk always encrypts the data you store there, but the encryption key is kept in plain by default. FDE disks can be protected by a BIOS HDD password, exactly like their non-FDE counterparts. Non-FDE disks use this password to unlock the disk and FDE ones use it to unlock the encryption key.

I had no problem setting the BIOS password. My Dell Latitude E6510 also suggested enabling the "Secure Erase" feature. Supposedly it will prevent the data from being read by Dell tech support. I have enabled this option.

Now my laptop asks for a password during bootstrap. I enter the password and it just boots into Linux and works as if there was no encryption.

Performance of my disk subsystem has almost doubled after the upgrade (I run 32-bit Ubuntu 10.10 now):

abb@e6510:~$ sudo hdparm -t /dev/sda
/dev/sda:
Timing buffered disk reads: 292 MB in 3.01 seconds = 97.01 MB/sec

Hope it helps.

Just talked to a friend who has tried to use FDE on his Dell XPS laptop. All went smoothly, but he was not asked to disable the recovery feature, and the master password revision code (can be seen with 'hdparm -I /dev/sda') didn't change after BIOS HDD password activation; it is still 65534.

I wonder if his disk can still be unlocked using some default password? This webpage suggests it might be the case...

Additional reading about the hard disk passwords.

This is true of my Dell Inspiron E1505. The password is only 8 characters: numbers and case-insensitive alpha (letter) characters. This 8-character password is crackable and hard to remember. Finding the Dell "master password" program on the internet has become too easy.
Everyone knowing your master password would not be a problem if the Dell BIOS set the password security to "Maximum". If the Dell BIOS set the password security to "Maximum", all the master password could do is secure-erase the hard drive.

The Dell BIOS sets the password security to "High"; this allows the "Master Password" to unlock the hard drive for full access.
With your Dell "Master Password" easily obtainable on the internet, your hard drive is not secure using the Dell BIOS HDD password.
This has been noted on the Dell forums. Reading the Dell forums, I have the impression Dell will not fix this flaw.

By the way, the hard drive password can be 32 bytes long, so a very secure password could be used.

A work-around:
The Lenovo BIOS will allow a 12-character password and you can set the master password yourself, so
if you can borrow a Lenovo laptop and set your own master password, set to maximum security, you will be safe. Oh, when setting the user password on the Lenovo, use 8 characters, for Dell only allows 8-character passwords.
One last thought: even a 12-character password is breakable. That's why the latest FIPS hard drives have tamper indicators on the case and circuit board. 12 or 8 characters with "Maximum" security set will only protect you from your nosy neighbor or your common drug-addicted thief. For most people that is enough.

I don't see a "Master Password Revision Code" in the ATA/ATAPI standard.
If you are referring to the "Master Password Identifier", a value of 65534 for a hard drive just received from the manufacturer indicates the hard drive has a master password preset. The "Master Password Identifier" can be set by the user (host controller) to any value except 0xffff or 0x0000.
Seagate has chosen to ship their FDE drives with a master password preset and printed and bar-coded on the hard drive label. The "Master Password Identifier" is for clerical purposes, i.e. an administrator could map identifiers to groups of master passwords.
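The two checks the thread keeps coming back to, the master password revision code shown by 'hdparm -I' and the "High" versus "Maximum" security level, can be read off the drive's own report. The script below is an added example (not from the original post or from Seagate/Dell); the SAMPLE_HDPARM text is constructed to mimic the "Security:" section of hdparm output, and the security level line is assumed to be printed as "Security level high"/"Security level maximum" as current hdparm versions do.

```shell
#!/bin/sh
# Added example, not part of the original post. Parses the "Security:"
# section of `hdparm -I` text and reports the conditions discussed above:
# security disabled, master password revision code still 65534 (factory
# preset), or security level "high" (master password unlocks the drive).
# SAMPLE_HDPARM is constructed; on a real system feed in `sudo hdparm -I /dev/sda`.

SAMPLE_HDPARM='Security:
	Master password revision code = 65534
		supported
		enabled
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
	Security level high
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'

# Print the master password revision code found in hdparm -I text on stdin.
mp_revision() {
  sed -n 's/.*Master password revision code = \([0-9][0-9]*\).*/\1/p'
}

# Print "enabled" if ATA security is on, else "disabled". hdparm prints
# "not<TAB>enabled" when it is off, so only a bare "enabled" counts.
security_state() {
  if grep -q '^[[:space:]]*enabled'; then echo enabled; else echo disabled; fi
}

# Print the security level ("high" or "maximum"); empty if hdparm omits it.
security_level() {
  sed -n 's/.*Security level \([a-z]*\).*/\1/p'
}

# Emit one WARN line per weak condition; always returns 0 so it can be piped.
assess_hdd_security() {
  text=$1
  rev=$(printf '%s\n' "$text" | mp_revision)
  state=$(printf '%s\n' "$text" | security_state)
  level=$(printf '%s\n' "$text" | security_level)
  [ "$state" = enabled ] || echo "WARN: HDD security not enabled; key unlocks without a password"
  [ "$rev" != 65534 ] || echo "WARN: master password revision code is 65534 (factory master password preset)"
  [ "$level" != high ] || echo "WARN: security level high; master password can unlock, not only erase"
  return 0
}

assess_hdd_security "$SAMPLE_HDPARM"
```

On the constructed sample this prints two WARN lines (preset master password, level high), which is exactly the state the Dell XPS comment describes.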