ATA Security Feature Set

From Thomas-Krenn-Wiki

The ATA standard offers, with its Security Feature Set, a password system that can be used to restrict access to the data on (Serial-)ATA devices such as hard disks or SSDs. This function is particularly helpful for laptops: if a user password is set in the laptop's BIOS, it must be entered each time the laptop is started before the hard drive or SSD grants access to the data.

Security Feature Set passwords

The Security Feature Set is part of the ATA specification.[1] It provides two passwords, each with a maximum length of 32 bytes:

  • User Password
  • Master Password

User password

If a User Password is set (SECURITY SET PASSWORD), the drive blocks access to its data on every subsequent start-up. Access is reactivated only after the User Password has been entered again after the restart.

When the User Password is set, the Master Password Capability is also set (see below).

Master password

Depending on the Master Password Capability, a previously set Master Password can be used for the following purposes:

  • High: the Master Password can be used like the User Password, either to unlock data access (SECURITY UNLOCK) or to deactivate the User Password (SECURITY DISABLE PASSWORD)
  • Maximum: the Master Password can only be used to erase the device (SECURITY ERASE UNIT). The device can then be used again, but the stored data is lost.

Security Feature Set commands

The Security Feature Set provides the following ATA commands. These commands are also used by the BIOS (for example when hard disk passwords are set in the BIOS, or to unlock a protected hard disk or SSD during the boot process):

  • SECURITY SET PASSWORD (see draft chapter 7.47)
  • SECURITY UNLOCK (see draft chapter 7.48)
  • SECURITY ERASE PREPARE (see draft chapter 7.44)
  • SECURITY ERASE UNIT (see draft chapter 7.45 as well as SSD Secure Erase)
  • SECURITY FREEZE LOCK (see draft chapter 7.46)
  • SECURITY DISABLE PASSWORD (see draft chapter 7.43)
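The lock, freeze and password states described above can be read from the "Security:" section that hdparm -I prints for a drive. The following Python parser is an added example and not part of the original article: the sample hdparm output is constructed in the shape the tool prints it, and the command-acceptance rules in allowed_commands are an assumption based on the locked/frozen behaviour described in this article (a frozen drive rejects password and erase commands until the next power cycle; a locked drive accepts only unlock and erase).

```python
"""Parse the Security section of `hdparm -I` and report which Security
Feature Set commands the drive will currently accept."""
import re

# Constructed sample (not real device output): feature set supported,
# no User Password set, but frozen by the BIOS (SECURITY FREEZE LOCK).
SAMPLE_HDPARM_I = """\
Commands/features:
	Enabled	Supported:
	   *	SMART feature set
Security:
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
		frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

FLAGS = ("supported", "enabled", "locked", "frozen", "expired")

def parse_security_section(text: str) -> dict:
    """Return the security flags plus the master password revision code."""
    state = {flag: False for flag in FLAGS}
    state["enhanced_erase"] = False
    state["master_password_revision"] = None  # 65534 (0xFFFE) = factory default
    in_section = False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if in_section and line and not line[0].isspace():
            break  # next top-level section (e.g. "Checksum:") reached
        if not in_section:
            continue
        m = re.match(r"\s*Master password revision code = (\d+)", line)
        if m:
            state["master_password_revision"] = int(m.group(1))
            continue
        words = line.split()
        if not words:
            continue
        negated = words[0] == "not"          # hdparm prints "not<TAB>flag"
        if "enhanced erase" in line:
            state["enhanced_erase"] = not negated
            continue
        flag = (words[1] if negated else words[0]).rstrip(":")
        if flag in FLAGS:
            state[flag] = not negated
    return state

def allowed_commands(state: dict) -> set:
    """Security commands the drive accepts in its current state (assumed rules)."""
    if not state["supported"] or state["frozen"]:
        return set()  # frozen: password/erase commands abort until power cycle
    if state["locked"]:
        return {"SECURITY UNLOCK", "SECURITY ERASE PREPARE", "SECURITY ERASE UNIT"}
    cmds = {"SECURITY SET PASSWORD", "SECURITY FREEZE LOCK",
            "SECURITY ERASE PREPARE", "SECURITY ERASE UNIT"}
    if state["enabled"]:  # a password exists, so it can also be disabled
        cmds.add("SECURITY DISABLE PASSWORD")
    return cmds
```

In practice you would feed the parser the real output of `hdparm -I /dev/sdX`; a "frozen" result is the usual reason hdparm's security commands fail on a drive that was unlocked by the BIOS.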

SSD encryption via user password

The following Intel SSDs encrypt all stored data and can protect the key used for this purpose with a "user password":

More information on this topic:

Password protection in the server environment

To use a User Password, the storage controller in the computer system (for example the BIOS, for SATA ports controlled directly by the motherboard's chipset) must support the Security Feature Set.

In the server environment, the User Password can be used to protect the stored data in case drives are stolen. However, nobody wants to enter the password manually every time the server restarts, so it would have to be stored in the BIOS itself or in the corresponding RAID controller or HBA.

We are not aware of any storage controllers to date that offer functions for the ATA Security Feature Set. LSI offers the MegaRAID SafeStore software for Self-Encrypting Drives (SEDs),[2] but these SEDs must be SAS drives.

References

  1. Draft: ATA/ATAPI Command Set - 2 (ACS-2), T13/2015-D, Revision 7, June 22, 2011 (t13.org). Note: T13 drafts are freely accessible; the final standards are only available for a fee.
  2. MegaRAID SafeStore Software (LSI)

Author: Werner Fischer

Werner Fischer, working in the Knowledge Transfer team at Thomas-Krenn, completed his studies of Computer and Media Security at FH Hagenberg in Austria. He is a regular speaker at many conferences like LinuxTag, OSMC, OSDC, LinuxCon, and author for various IT magazines. In his spare time he enjoys playing the piano and training for a good result at the annual Linz marathon relay.


Translator: Alina Ranzinger

Alina has been working at Thomas-Krenn.AG since 2024. After her training as multilingual business assistant, she got her job as assistant of the Product Management and is responsible for the translation of texts and for the organisation of the department.

