Some drives support hardware-based full disk encryption (self-encrypting drive, SED), i.e. data gets encrypted before it is written to disk. To protect the key the disk uses to en-/decrypt the data, the ATA password is used.
It is a nice feature and usually faster than software-based encryption such as LUKS, TrueCrypt/VeraCrypt, BitLocker, EncFS, whatever.
The user password is able to use the SECURITY UNLOCK command. In high security mode, the master password is able to use the DISABLE PASSWORD and SECURITY ERASE UNIT commands, whilst in maximum security mode, the master password is only able to use the SECURITY ERASE UNIT command.
$ hdparm --security-unlock USERPASSWORD /dev/sda
$ hdparm --user-master m --security-unlock MASTERPASSWORD /dev/sda   # when in high security mode
The device is only required to be unlocked when coming from state SEC3 (e.g. power off to power on). Rebooting does not lock the drive.
Please note that using hibernate might result in falling back to state
Make sure you know how to unlock the disk before setting a passphrase. You will want to set the master passphrase first, because by default the disk uses a manufacturer's default master password in high security mode. Anyone who knows this password can unlock the disk and/or disable the security.
To set the passphrases, the drive must not be in frozen (
Set the master password and enable the maximum security mode (high security is default):
$ hdparm --user-master m --security-set-pass MASTERPASSWORD --security-mode m /dev/sda
Now set the user password, which results in the disk being locked at the next power on:
$ hdparm --user-master u --security-set-pass USERPASSWORD /dev/sda
There is a nice piece of software called ATA Security Extension BIOS which can be loaded into the BIOS or into a PCI device's firmware. Unfortunately, it won't work in AHCI mode.
Update: there's a different rom called AHCI BIOS Security Extension which supports AHCI and which might work for you.
Since I didn't want to fsck up my BIOS, I flashed the ROM onto an Intel PRO/1000 NIC:
# get the PCI address and the vendor/device ids
$ lspci -nn | grep Ethernet
04:01.0 Ethernet controller : Intel Corporation 82541PI Gigabit Ethernet Controller [8086:107c] (rev 05)
^^^^^^^                                                                              ^^^^ ^^^^
# check if the device is supported
$ flashrom -p nicintel_spi:pci=04:01.0
flashrom v0.9.9-r1955 on Linux 4.9.6-200.fc25.x86_64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org
Calibrating delay loop... OK.
Found Atmel flash chip "AT25FS010" (128 kB, SPI) on nicintel_spi.
No operations were specified.
# save the original firmware
$ flashrom -p nicintel_spi:pci=04:01.0 -r backup.rom
# get image size
$ stat -c %s backup.rom
131072
# pad the rom to this size
$ dd if=/dev/null of=ahci_sbe.rom bs=1 count=0 seek=131072
# flash it
$ flashrom -p nicintel_spi:pci=04:01.0 -w ahci_sbe.rom
flashrom v0.9.9-r1955 on Linux 4.9.6-200.fc25.x86_64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org
Calibrating delay loop... OK.
Found Atmel flash chip "AT25FS010" (128 kB, SPI) on nicintel_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.
Enable network boot in BIOS and there you go.
Ugly, but works somehow (proof of concept)
GRUB's hdparm command does not support unlocking, so you'll need to apply this patch first.
Install grub on a disk or a usb stick (not on the locked drive, bummer). At boot, enter grub's command line and run:
$ hdparm --security-unlock USERPASSWORD (hd0) # or (ahci0) in ahci mode
If your disks are in AHCI mode and grub is not, it really gets ugly:
$ nativedisk   # use the native disk driver, usually loads the ahci module
$ hdparm --security-unlock USERPASSWORD (ahci0)
# then press ctrl-alt-del to reboot, since grub2 switched from BIOS to native disk mode
To use grub in native AHCI mode, run
$ grub2-install --disk-module=native /dev/sda
That should make the above steps obsolete.
Still on my maybe-todo list: make grub2 ask for a password once it detects the boot drive is locked.
Of course, the /boot partition needs to be located on an unlocked disk.
Unpack this package in, say, /lib/dracut/modules.d/06atasx and rebuild your initrd by running
The script will scan for locked disks, ask for a passphrase and unlock the disk. Afterwards, it rescans the partition table and, if applicable, rescans the
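The unlock-at-boot logic described on this page (a drive that comes up locked after power on, and the dracut module's scan/unlock/rescan sequence), as an added shell example that is not the page's dracut module; the hdparm -I output is constructed, and ata_security_state and unlock_if_locked are hypothetical helper names:

```shell
# Added example, not the page's dracut module: read the Security section of
# `hdparm -I`, send SECURITY UNLOCK only when the drive is actually locked,
# then re-read the partition table. unlock_if_locked() needs root and hdparm.

# Print "locked", "unlocked", "disabled" or "frozen" for one `hdparm -I` dump;
# returns 1 when the dump has no "Security:" section (not an ATA device).
ata_security_state() {
    printf '%s\n' "$1" | awk '
        /^Security:/              { insec = 1; seen = 1; next }
        insec && /^[^ \t]/        { insec = 0 }    # next top-level section
        insec && /^[ \t]+enabled/ { enabled = 1 }  # "not<tab>enabled" does not match
        insec && /^[ \t]+locked/  { locked = 1 }
        insec && /^[ \t]+frozen/  { frozen = 1 }
        END {
            if (!seen)    { print "unknown";  exit 1 }
            if (frozen)   { print "frozen";   exit 0 }  # no security command accepted until power cycle
            if (!enabled) { print "disabled"; exit 0 }
            if (locked)   { print "locked";   exit 0 }
            print "unlocked"
        }'
}

# unlock_if_locked DEVICE PASSWORD: unlock only a drive that reports "locked",
# then let the kernel re-read the partition table of the now readable disk.
unlock_if_locked() {
    dev=$1 pass=$2
    state=$(ata_security_state "$(hdparm -I "$dev" 2>/dev/null)") || return 2
    if [ "$state" = locked ]; then
        hdparm --security-unlock "$pass" "$dev" && blockdev --rereadpt "$dev"
    else
        echo "$dev: security state is $state, not sending SECURITY UNLOCK" >&2
    fi
}
# Constructed sample (not captured from a real drive) of the Security section
# as hdparm -I prints it after power-on; real output indents with tabs.
SAMPLE_LOCKED=$(cat <<'EOF'
Security:
	Master password revision code = 65534
		supported
		enabled
		locked
	not	frozen
	Security level maximum
Checksum: correct
EOF
)
# The same drive after a successful SECURITY UNLOCK ("locked" -> "not locked").
SAMPLE_UNLOCKED=$(printf '%s\n' "$SAMPLE_LOCKED" | awk '$1 == "locked" { $0 = "\tnot\tlocked" } { print }')
ata_security_state "$SAMPLE_LOCKED"    # prints: locked
ata_security_state "$SAMPLE_UNLOCKED"  # prints: unlocked
```

A frozen drive is reported rather than touched, since the page notes that security commands are refused in that state; the script only ever sends SECURITY UNLOCK to a drive that reports itself locked.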