How do I encrypt a Samsung Evo 840 SSD?
I've purchased an HP Envy 15-j005ea laptop which I have upgraded to Windows 8.1 Pro. I have also removed the HDD and replaced it with a 1TB Samsung Evo 840 SSD. I now wish to encrypt the drive to protect my company's source code and my personal documents, but I can't work out how to do it or if it's even possible.
I gather that it is not recommended to use TrueCrypt on an SSD, but please correct me if I'm wrong. I also understand that the 840 Evo has built-in 256-bit AES encryption, so it is recommended to use that.
The Evo has been updated to the latest EXT0BB6Q firmware and I have the latest Samsung Magician. I don't know what UEFI level I have but I do know that the machine was built in December 2013 and has the F.35 BIOS made by Insyde.
This is what I have tried:
BitLocker. The latest Samsung firmware is supposedly Windows 8.1 eDrive compatible, so I followed the instructions I found in an Anandtech article. First of all, it would seem the laptop has no TPM chip, so I had to allow BitLocker to work without TPM. Once I'd done that I tried to turn BitLocker on. Anandtech say that "If everything is eDrive compliant you won't be asked whether or not you want to encrypt all or part of the drive; after you go through the initial setup BitLocker will just be enabled. There's no extra encryption stage (since the data is already encrypted on your SSD). If you've done something wrong, or some part of your system isn't eDrive compliant, you'll get a progress indicator and a somewhat lengthy software encryption process." Unfortunately I was asked if I want to encrypt all or part of the drive, so I cancelled that.
Setting the ATA Password in the BIOS. I don't appear to have such an option in the BIOS, only an admin password and boot-up password.
Using Magician. It has a "Data Security" tab, but I don't fully understand the options and suspect that none are applicable.
The info in this question and answer helped but didn't answer my question.
Clearly then, what I would like to know is how do I encrypt my solid state drive in the HP Envy 15 or am I in fact out of luck? Are there any alternative options or do I have to either live without encryption or return the laptop?
There is a similar question on Anandtech but it remains unanswered.
The password has to be set in the BIOS under the ATA-security extension. Usually there's a tab in the BIOS menu titled "Security". Authentication will occur at the BIOS level, so nothing this software "wizard" does has any bearing on setting up the authentication. It's unlikely that a BIOS update will enable HDD password if it wasn't previously supported.
To say that you're setting up the encryption is misleading. The thing is that the drive is ALWAYS encrypting every bit it writes to the chips. The disk controller does this automatically. Setting an HDD password (or passwords) on the drive is what takes your security level from zero to pretty much unbreakable. Only a maliciously-planted hardware keylogger or an NSA-sprung remote BIOS exploit could retrieve the password to authenticate ;-) <-- I guess. I'm not sure what they can do to BIOS yet. The point is it's not totally insurmountable, but depending on how the key is stored on the drive, it's the most secure method of hard drive encryption currently available. That said, it's total overkill. BitLocker is probably sufficient for most consumer security needs.
When it comes to security, I guess the question is: How much do you want?
Hardware-based full disk encryption is several orders of magnitude more secure than software-level full disk encryption like TrueCrypt. It also has the added advantage of not impeding your SSD's performance. The way SSDs stow their bits can sometimes lead to problems with software solutions. Hardware-based FDE is a less messy, more elegant and more secure option, but it hasn't "caught on" even among those who care enough to encrypt their valuable data. It's not tricky to do at all, but unfortunately many BIOSes simply don't support the "HDD password" function (NOT to be confused with a simple BIOS password, which can be circumvented by amateurs). I can pretty much guarantee you without even looking in your BIOS that if you haven't found the option yet, your BIOS doesn't support it and you're out of luck. It's a firmware problem and there's nothing you can do to add the feature short of flashing your BIOS with something like hdparm, which is something so irresponsible that even I wouldn't attempt it. It's nothing to do with the drive or the included software. This is a motherboard-specific problem.
ATA is nothing more than a set of instructions for the BIOS. What you're trying to set is an HDD User and Master password, which will be used to authenticate to the unique key stored securely on the drive. "User" password will allow the drive to be unlocked and boot to proceed as normal. Same thing with "Master". Difference is that a "Master" password is needed to change passwords in the BIOS or erase the encryption key in the drive, which renders all its data inaccessible and irrecoverable instantly. This is called the "Secure Erase" feature. Under the protocol, a 32-bit string of characters is supported, meaning a 32-character password. Of the few laptop manufacturers that support setting an HDD password in the BIOS, most limit characters to 7 or 8. Why every BIOS company doesn't support it is beyond me. Maybe Stallman was right about proprietary BIOS.
The only laptop (pretty much no desktop BIOS supports HDD password) I know will allow you to set a full-length 32-bit HDD User and Master password is a Lenovo ThinkPad T- or W- series. Last I heard some ASUS notebooks have such an option in their BIOS. Dell limits HDD password to a weak 8 characters.
I am much more familiar with the key storage in Intel SSDs than Samsung. Intel was, I believe, the first to offer on-chip FDE in their drives, the 320 series and on, although that was AES 128-bit. I haven't looked extensively into how this Samsung series implements key storage, and nobody really knows at this point. Obviously customer service was of no help to you. I get the impression only five or six people in any tech company actually know anything about the hardware they sell. Intel seemed reluctant to cough up the specifics, but eventually a company rep answered somewhere in a forum. Keep in mind that for the drive manufacturers this feature is a total afterthought. They don't know or care anything about it and neither do 99.9 percent of their customers. It's just another advertisement bullet point on the back of the box.
Hope this helps!
I finally got this to work today and, like you, I believe I do not have an ATA password set up in the BIOS either (at least not that I can see). I did enable the BIOS user/admin passwords, and my PC does have a TPM chip, but BitLocker should work without one (USB key). Like you, I was also stuck in the exact same spot at the BitLocker prompt: do I want to encrypt just the data or the whole disk?
My problem was that my Windows installation was not UEFI, although my motherboard does support UEFI. You can check your installation by typing msinfo32 in the Run command and checking BIOS Mode. If it reads anything other than UEFI then you need to re-install Windows from scratch.
See this Step-by-Step Instructions to Encrypt Samsung SSD guide in a related post on this forum.
I don't know if you saw this or fixed this yet, but here's a link specifically from Samsung on your EVO 840. http://www.samsung.com/global/business/semiconductor/minisite/SSD/global/html/about/whitepaper06.html
Essentially, what they say to enable the hardware AES encryptor built into the SSD is to set the HDD Password under the System BIOS. The "User/Admin/Setup" passwords are just that. However, setting the HDD Password should pass through to the SSD. This will require you to manually enter the password every time you turn on the computer, and does not work with TPM chips or other PassKeys. Also, I cannot stress enough, ANYONE who uses encryption needs to make sure that their data is backed up. Recovering data from a failed/corrupted encrypted drive is next to impossible without going through a specialized service.
"I don't need NSA-proof levels of security "
Well why not use it anyway, since it's free?
After taking grad school classes in computer security and computer forensics, I decided to encrypt my drive. I looked at many options and am VERY happy I selected DiskCryptor. It's easy to install, easy to use, open source with PGP signatures provided, with instructions on how to compile it yourself to ensure that the exe matches the source; it auto-mounts the drives, you can set the pre-boot PW prompt and wrong-PW action, and it will use AES-256.
Any modern CPU will do a round of AES encryption in a SINGLE machine instruction (encrypting a sector's worth of data takes a couple of dozen rounds). On my own benchmarks, AES runs eleven times faster than software-implemented ciphers like blowfish. DiskCryptor can encrypt data many times faster than the PC can read and write it from the disk. There is NO measurable overhead.
I'm running a TEC-cooled, hopped-up, speed freq 5 GHz machine, so your mileage would vary, but not by much. The CPU time required for encrypt/decrypt was too low to measure (i.e., under 1%).
Once you set it up, you can totally forget it. The only noticeable effect is that you have to type your PW at boot, which I am delighted to do.
As for not using encryption on SSDs, that's a rumor I haven't heard before. It's also unwarranted. Encrypted data is written to and read from the drive exactly like normal data. Only the bits in the data buffer are scrambled. You can run chkdsk /f and any other disk utility on an encrypted drive.
And BTW, unlike other programs, DiskCryptor doesn't keep your PW in memory. It uses a one-way hashed key for encryption, overwrites your mistyped PWs in memory, and goes to great lengths to ensure that it doesn't ride out on a paging file during PW entry and validation.
https://diskcryptor.net/wiki/Main_Page
Software Encryption
TrueCrypt 7.1a is just fine for use on SSDs, but note that it will likely reduce IOPS performance by a considerable amount, though the drive will still deliver more than 10 times the IOPS of an HDD. So if you cannot make use of the options listed in Magician, TrueCrypt is an option for encrypting the drive, but it reportedly does not function very well with Windows 8 and later file systems. For this reason, BitLocker with full disk encryption is a better option for these operating systems.
TCG Opal
TCG Opal is basically a standard which allows for a sort of mini operating system to be installed to a reserved part of the drive that is only for the purpose of allowing the drive to boot and present the user with a password for granting access to the drive. There are various tools available for installing this feature, including some reportedly stable open source projects, but Windows 8 and later BitLocker should support this feature.
I do not have Windows 8 or later, so I cannot provide instruction on how to set this up, but my reading indicates that this is only available when installing Windows, and not after it is installed. Experienced users feel free to correct me.
ATA Password
The ATA password locking is an optional feature of the ATA standard supported by the Samsung 840 and later series drives, as well as thousands of others. This standard is not related to a BIOS and can be accessed through any number of methods. I do not recommend using a BIOS for setting or managing the ATA password as the BIOS may not be properly conforming to the ATA standard. I have experience with my own hardware appearing to support the feature, but actually not being in compliance.
Note that searching on this feature will produce a lot of discussion claiming that the ATA lock feature should not be considered safe for protecting data. This is generally only correct for HDDs that are not also Self Encrypting Drives (SED). Since the Samsung 840 and later series drives are SSDs and SEDs, these discussions are simply not applicable. The ATA password locked Samsung 840 series and later should be secure enough for your usage, as described in this question.
The best way to be sure your BIOS can support unlocking an ATA password locked drive is to lock a drive, install it into the computer, then boot the computer and see if it asks for a password and if the password entered can unlock the drive.
This test should not be performed on a drive with data you do not want to lose.
Fortunately, the test drive does not have to be the Samsung drive, as it can be any drive that supports the ATA standard security set and can be installed in the target computer.
The best way I have found for accessing the ATA features of a drive is with the Linux command line utility hdparm. Even if you don't have a computer with Linux, there are many distributions whose install disk image also supports running the OS 'live' from the install media. Ubuntu 16.04 LTS, for example, should easily and quickly install to the vast majority of computers, and the same image can also be written to flash media for running on systems without optical drives.
Detailed instructions on how to enable ATA password security are beyond the scope of this question, but I found this tutorial to be one of the best for this task.
Enabling ATA Security on a Self-Encrypting SSD
Note that the maximum password length is 32 characters. I recommend doing the test with a 32-character password to be sure that the BIOS supports the standard correctly.
With the target computer powered down and the drive ATA password locked, install the drive and boot the system. If the BIOS does not ask for a password to unlock the drive, then the BIOS does not support ATA password unlock. Also, if it seems like you are entering the password completely correctly, but it is not unlocking the drive, it may be that the BIOS does not properly support the ATA standard, and thus should not be trusted.
It may be a good idea to have some way to verify that the system is properly reading the unlocked drive, such as by having an operating system installed and loading properly, or installing alongside an OS drive that loads and can mount the test drive and read and write files without issue.
If the test is successful and you feel confident in repeating the steps, enabling the ATA password on a drive, including one with an OS installed, will not change anything in the data portion of the drive, so it should boot up normally after entering the password in the BIOS.
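As an added example that is not part of any answer above, here is a small POSIX shell helper that reads the "Security:" block printed by `hdparm -I /dev/sdX` and reports whether the drive is in a state where an ATA user password can be set. The two sample outputs are constructed; the "frozen" check goes beyond the answer, since many BIOSes freeze ATA security at boot and the set-password command fails until that is cleared.

```shell
#!/bin/sh
# Added example, not from the forum posts: parse the Security: block of
# `hdparm -I` and decide whether an ATA password can be set right now
# (feature supported, no password enabled yet, drive not frozen).
# Constructed samples in the same layout as real hdparm -I output.
SAMPLE_FROZEN='Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
Checksum: correct
'
SAMPLE_READY='Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
'
# Print only the indented lines that belong to the Security: block.
security_section() {
  printf '%s\n' "$1" | awk '/^Security:/{s=1; next} s && /^[^[:space:]]/{exit} s{print}'
}
# yes/no/unknown for one flag: supported, enabled, locked or frozen.
# A "not <flag>" line means no; a bare "<flag>" line means yes.
ata_flag() {
  sec=$(security_section "$1")
  if printf '%s\n' "$sec" | grep -Eq "^[[:space:]]*not[[:space:]]+$2[[:space:]]*$"; then
    echo no
  elif printf '%s\n' "$sec" | grep -Eq "^[[:space:]]*$2[[:space:]]*$"; then
    echo yes
  else
    echo unknown
  fi
}
# Returns 0 when a user password can be set now, 1 (with a reason) otherwise.
ata_can_set_password() {
  [ "$(ata_flag "$1" supported)" = yes ] || { echo "ATA security not supported"; return 1; }
  [ "$(ata_flag "$1" frozen)" = no ] || { echo "security is frozen; suspend/resume, then retry"; return 1; }
  [ "$(ata_flag "$1" enabled)" = no ] || { echo "a password is already enabled"; return 1; }
  echo "ready: hdparm --user-master u --security-set-pass <password> /dev/sdX"
}
# The ATA security set allows at most 32 characters; test with the full length.
password_ok() { [ "${#1}" -gt 0 ] && [ "${#1}" -le 32 ]; }
```

On a live system, replace the constructed sample with `"$(hdparm -I /dev/sdX)"`; the final `hdparm` line is only printed, never executed, so nothing is changed on the drive until you run it yourself.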