All we need is an easy explanation of the problem, so here it is.
My SSD HD supports ATA Security. Does Macbook EFI and linux support it? I know hdparm does. Who will do the unlock at each bootup? Can I still set a password without erasing the disk?
Update: removed “SED full hard disk encryption” from the title based on comment by @ataboy. Some might still refer to this ATA security incorrectly as “encryption” however.
How to solve :
I know you bored from this bug, So we are here to help you! Take a deep breath and look at the explanation of your problem. We have many solutions to this problem, But we recommend you to use the first method because it is tested & true method that will 100% work for you.
Currently it is not possible to use ATA Security with Macs, the EFI does not implement this and freezes (locks) the drive after EFI initialization. So no further ATA security manipulation can be done with
hdparm or alike. Even if you circumvent the ATA freeze (which is possible) in Linux and then set a password – or set a password when the HDD is in another PC which supports ATA security – you have no means of unlocking the device at startup from efi to start your favourite OS from the SSD on the Mac(book Pro).
As above mentioned by other people there are BIOS extensions or EEPROM mods which can be applied to regular PCs to enable unlocking at startup for motherboards which do not support booting ATA protected devices by themselves. These are however to my knowledge not applicable to Mac and EFI.
All you can do is file a bug report with Apple.
I hope this will be implemented in the future …
This is my understanding of ATA Security and SED:
ATA Security is different from SED. SED (self encryption drive) means the drive will scramble the data on write commands using encryption. A SED drive always encrypt the data, regardless of the ATA security settings (and/or capability). Note that a SED drive cannot store data unencrypted. Encryption benefit is that you cannot get the original data by reading the drive plates in lab. ATA Security is not an encryption function, only a lock/unlock function. The user (the BIOS) sets a password which must be sent again at each drive power on. Without the password the drive controller forbids read/write commands. The data on the disk are not affected. If the drive is SED, they are already encrypted, if not a SED they are not. ATA Security should be bypassable by reading the plate in lab with another controller.
It seems there are extensions to enable ATA Security in BIOS. See: http://www.fitzenreiter.de/ata/ata_eng.htm
Added 31 Jan:
pvj: sorry I cannot add a comment to my previous answer, seems because I’m not a registrated user. Here some addionnal infos:
Regarding how to activate ATA Security feature (HDD passwords) on your motherboard: I don’t know the answer and I’m also looking for it (my case is an Asus board). That said, let me explain this position I got after a thorough research.
Laptop boards supports usually ATA Security as part of the power on process, asking for the HDD password (not to be confused with the power on / “BIOS” password) and passing it to the HDD which then unlock itself. Note the HDD will lock itself after usually 5 attempts with a wrong pwd. After that you need to power off the HDD (by switching off the computer…) to get 5 new chances. This is to make brute force attacks difficult.
Desktop boards do not support ATA Security, at least I’ve not found recent ones supporting this simple feature. This leaves me puzzled, and wondering how much BIOS manufacturers like AMI or Phoenix really care about their users, it seems they have tried to be the less innovative possible during these last 20 years. As for Apple I can’t answer.
To be clear: ATA Security feature is something that comes free with last years HDD, and is totally managed by the HDD. The only effort needed by the motherboard is to request the password to the user on behalf of the HDD, pass it to the HDD, and then forget about it. This is something very secure, though very simple, and for the usual owner of a computer this is the only feature he/she needs to effectively protect his/her private life and little secrets like mail passwords in case of theft. But BIOS are still not providing the interface to this feature.
There is a hack to modify the BIOS EEPROM so that it calls an additional routine which will request the HDD pwd and pass it to the HDD. This is the link I provided above. This modification will probably not work for “EFI” versions of BIOS, but it can help towards the solution. It may not work with a specific BIOS either, and trying this solution would require that you have support for BIOS backup / restore in case things go wrong, which is likely to occur. Note that “E” in EFI means “extensible”, and that writing extensions to support features is expected to be easy. This may lead to people writing open source ATA Security drivers in the future… (instead of BIOS manufacturers, which will add some modernism to this obscure matter).
It seems that it is possible to “insert” code between the power on process and the OS loading. This would be done by setting the proper MBR code. This code first asks for the HDD pwd, then if the HDD is unlocked calls the OS loader than would have been ran directly without the modification.
That said, I’m stuck there, exactly like you. Me too, I need HDD password support. but I see that desktop mobo don’t support it. What a shame! this may explain why people are moving to encryption which is like use a sledge-hammer to crack a nut, encryption is to prevent to remove the platters of the drive and read them with sophisticated lab material, not using a normal HDD controller chip, said otherwise this is to prevent hitech industrial espionage. I don’t see street thieves going to do that to get a couple of vacation pictures, porn videos, and hello-there mails they don’t care anyway.
Its amazing that we see this frenzy around Bitlocker, PGP, anything-Crypt software that have prerequisites, are complex, requires recovery solutions, etc, while the solution is already there on the HDD board…. but blocked by BIOS lazy guys. It has to be said, so that those guys do something to show they want to help their paying users.
Note: Use and implement method 1 because this method fully tested our system.
Thank you 🙂