Why use ATA security extensions to lock disks?

Some drives support hardware-based full disk encryption (self-encrypting drive, SED), i.e. data is encrypted before it is written to the platters or flash. The ATA password protects the key the drive uses to encrypt and decrypt that data. On a drive that is not an SED the ATA password only gates access through the drive's interface; the data itself is stored in clear.

It is a nice feature and usually faster than software-based encryption such as LUKS, TrueCrypt/VeraCrypt, BitLocker or encfs, since the drive's controller does the work instead of the CPU.

What's the difference between the user and the master password?

The user password can issue SECURITY UNLOCK (and, like the master password, SECURITY DISABLE PASSWORD and SECURITY ERASE UNIT). What the master password can do depends on the security level: in high security mode it can issue SECURITY UNLOCK, SECURITY DISABLE PASSWORD and SECURITY ERASE UNIT, so it is a full recovery password, whereas in maximum security mode it can only issue SECURITY ERASE UNIT, i.e. it can wipe a drive whose user password is lost but cannot read it.

Quick! I need to unlock the ATA device NOW!

$ hdparm --security-unlock USERPASSWORD /dev/sda                   # the user password unlocks in both security modes
$ hdparm --user-master m --security-unlock MASTERPASSWORD /dev/sda # the master password only unlocks in high security mode

The password is passed on the command line, so it shows up in ps and in your shell history; prefix the command with a space (HISTCONTROL=ignorespace) if you care about the latter.

Do I need to unlock the drive at every boot?

Only after a power cycle. With security enabled the drive powers down in state SEC3 and comes back up locked (SEC4). A warm reboot keeps the drive powered, so it stays unlocked. Suspend to RAM or hibernate may cut power to the drive as well, in which case it also comes back locked after resume. The Security section of hdparm -I shows the current state (enabled, locked, frozen).

Setting the ATA passphrase

Make sure you know how to unlock the disk before setting a passphrase. Set the master passphrase first: drives ship with a manufacturer default master password (hdparm -I reports this as "Master password revision code = 65534"), and in high security mode anyone who knows that default can unlock the disk or disable the security entirely.

To set the passphrases, the drive must not be frozen (SEC2). Most BIOSes issue SECURITY FREEZE LOCK during POST; a suspend-to-RAM/resume cycle or hot-plugging the drive usually clears the frozen state. Check with hdparm -I before continuing.

Set the master password and select maximum security mode (high security is hdparm's default):

$ hdparm --user-master m --security-set-pass MASTERPASSWORD --security-mode m /dev/sda

Now set the user password. This enables security, so the disk will be locked at the next power on. The ATA spec only honours the high/maximum level bit when the user password is set, so pass the mode here as well:

$ hdparm --user-master u --security-set-pass USERPASSWORD --security-mode m /dev/sda

Verify with hdparm -I: the Security section should now show "enabled".
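The checks above (is the drive frozen, is security already enabled, is the master password still the factory default) can be read off hdparm -I before touching the drive. The script below is an added example, not code from this page: it parses the Security section of hdparm -I and only runs the two set-pass commands from a sane starting state. The transcript in SAMPLE_FRESH is constructed, not captured from a real drive; the field names are hdparm's, and revision code 65534 (0xFFFE) is the identifier the ATA spec reserves for the factory default master password. /dev/sdX is a placeholder device name.

```shell
#!/bin/sh
# Parse the "Security:" section of `hdparm -I` output and only set ATA
# passwords from a sane starting state (security disabled, not frozen).
# SAMPLE_FRESH below is a constructed hdparm -I transcript, not a real drive.
# Field names follow hdparm's output; revision code 65534 (0xFFFE) is the
# master password identifier the ATA spec reserves for the factory default.

# $1: full text of `hdparm -I <dev>`
# prints: "<enabled|disabled> <locked|unlocked> <frozen|thawed> <master-default|master-set|master-unknown>"
ata_security_summary() {
    printf '%s\n' "$1" | awk '
        /^Security:/ { insec = 1; next }
        insec && /^[^[:space:]]/ { insec = 0 }          # next top-level section ends it
        insec && /Master password revision code/ { rev = $NF }
        insec && /^[[:space:]]*(not[[:space:]]+)?(enabled|locked|frozen)[[:space:]]*$/ {
            if ($1 == "not") flag[$2] = 0; else flag[$1] = 1
        }
        END {
            if (rev == "" || rev == 65535) m = "master-unknown"
            else if (rev == 65534)         m = "master-default"
            else                           m = "master-set"
            printf "%s %s %s %s\n",
                flag["enabled"] ? "enabled" : "disabled",
                flag["locked"]  ? "locked"  : "unlocked",
                flag["frozen"]  ? "frozen"  : "thawed", m
        }'
}

# Same summary for a real device (needs root).
ata_security_state() { ata_security_summary "$(hdparm -I "$1")"; }

# $1: device, $2: master password, $3: user password. Refuses to run when
# security is already enabled or the firmware froze the drive (SEC2), then
# sets the master password first and the user password (which enables
# security) second, both with maximum mode. The passwords end up in ps and
# shell history, exactly as with the commands on this page.
set_ata_passwords() {
    st=$(ata_security_state "$1") || return 1
    case "$st" in
        enabled*) echo "$1: security already enabled, disable it first" >&2; return 1 ;;
        *frozen*) echo "$1: frozen by the BIOS; suspend/resume or hot-plug the drive, then retry" >&2; return 1 ;;
    esac
    case "$st" in
        *master-default*) : ;;   # expected on a fresh drive
        *) echo "$1: master password is not the factory default, continuing anyway" >&2 ;;
    esac
    hdparm --user-master m --security-set-pass "$2" --security-mode m "$1" &&
    hdparm --user-master u --security-set-pass "$3" --security-mode m "$1"
}

# Constructed transcript of a fresh drive that the BIOS froze at boot.
SAMPLE_FRESH='/dev/sdX:

ATA device, with non-removable media
Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

ata_security_summary "$SAMPLE_FRESH"   # disabled unlocked frozen master-default
```

Run set_ata_passwords /dev/sdX MASTERPASSWORD USERPASSWORD as root once hdparm -I no longer reports "frozen"; on the constructed sample it refuses, which is the point.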

Unlocking the ATA device at boot time

using a BIOS or PCI extension

There is a nice piece of software called ATA Security Extension BIOS that can be loaded into the system BIOS or into a PCI device's option ROM. Unfortunately, it does not work with the SATA controller in AHCI mode.

Update: there is a different ROM called AHCI BIOS Security Extension which does support AHCI and might work for you.

Since I didn't want to fsck up my BIOS, I flashed the ROM onto an Intel Pro/1000 NIC:

# get bus, pci and vendor id
$ lspci -nn | grep Ethernet
04:01.0 Ethernet controller [0200]: Intel Corporation 82541PI Gigabit Ethernet Controller [8086:107c] (rev 05)
^^^^^^^                                                                                    ^^^^ ^^^^

# check if the device is supported
$ flashrom -p nicintel_spi:pci=04:01.0
flashrom v0.9.9-r1955 on Linux 4.9.6-200.fc25.x86_64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... OK.
Found Atmel flash chip "AT25FS010" (128 kB, SPI) on nicintel_spi.
No operations were specified.

# save the original firmware
$ flashrom -p nicintel_spi:pci=04:01.0 -r backup.rom

# get the image size: it must equal the chip size flashrom reported above (128 kB = 131072 bytes)
$ stat -c %s backup.rom

# pad the rom to exactly that size (dd extends the file with zeros; flashrom refuses an image whose size differs from the chip's)
$ dd if=/dev/null of=ahci_sbe.rom bs=1 count=0 seek=131072

# flash it
$ flashrom -p nicintel_spi:pci=04:01.0 -w ahci_sbe.rom
flashrom v0.9.9-r1955 on Linux 4.9.6-200.fc25.x86_64 (x86_64)
flashrom is free software, get the source code at https://flashrom.org

Calibrating delay loop... OK.
Found Atmel flash chip "AT25FS010" (128 kB, SPI) on nicintel_spi.
Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.

Enable network boot (that is what makes the BIOS execute the NIC's option ROM) in the BIOS and there you go. Keep backup.rom: flashing it back with the same flashrom -w command restores the NIC's original ROM.
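Before writing a third-party image into a chip that the BIOS executes with full pre-boot privileges, it is worth checking that the file is actually a well-formed legacy option ROM and that the padding step did not corrupt it. The script below is an added example, not part of the page or of the ATASX project: it checks the 55AA signature, the length byte at offset 2 (in 512-byte units) and the 8-bit checksum over the declared length, as the PCI option ROM format defines them, and then pads the image the same way the page's dd command does. The 1 KiB test image it builds is constructed here; it is not the AHCI BIOS Security Extension ROM, and the 131072-byte chip size is the one flashrom reported above.

```shell
#!/bin/sh
# Sanity-check a legacy PCI option ROM image and pad it to the flash chip size.
# The sample ROM written by make_sample_rom is constructed for this example.

# $1: rom file; prints the image size the ROM header declares, in bytes
rom_declared_size() {
    sig=$(od -An -v -tx1 -N2 "$1" | tr -d ' \n')
    [ "$sig" = "55aa" ] || { echo "$1: missing 55AA option ROM signature" >&2; return 1; }
    units=$(od -An -v -tu1 -j2 -N1 "$1" | tr -d ' \n')   # byte 2: length in 512-byte blocks
    echo $((units * 512))
}

# $1: rom file, $2: byte count; prints the 8-bit sum of those bytes (0 means valid)
rom_checksum() {
    od -An -v -tu1 -N "$2" "$1" | awk '{ for (i = 1; i <= NF; i++) s += $i } END { print s % 256 }'
}

# $1: rom file; succeeds when signature, declared size and checksum are consistent
rom_check() {
    declared=$(rom_declared_size "$1") || return 1
    actual=$(wc -c < "$1" | tr -d ' ')
    [ "$declared" -le "$actual" ] || { echo "$1: header declares $declared bytes, file has $actual" >&2; return 1; }
    sum=$(rom_checksum "$1" "$declared")
    [ "$sum" -eq 0 ] || { echo "$1: checksum byte sum is $sum, expected 0" >&2; return 1; }
}

# $1: input rom, $2: output file, $3: chip size in bytes (what `stat -c %s backup.rom` printed)
# Zero-pads by extending the file, exactly like the page's dd invocation.
pad_rom() {
    actual=$(wc -c < "$1" | tr -d ' ')
    [ "$actual" -le "$3" ] || { echo "$1: $actual bytes does not fit a $3-byte chip" >&2; return 1; }
    cp "$1" "$2" && dd if=/dev/null of="$2" bs=1 count=0 seek="$3" 2>/dev/null
}

# Writes a constructed 1 KiB ROM with a valid header and checksum to $1.
make_sample_rom() {
    {
        printf '\125\252\002'                        # 55 AA, length = 2 * 512 bytes
        dd if=/dev/zero bs=1 count=1020 2>/dev/null  # empty body
        printf '\377'                                # 0x55 + 0xAA + 0x02 + 0xFF = 0x200, so sum % 256 == 0
    } > "$1"
}
```

For the real thing: rom_check ahci_sbe.rom, then pad_rom ahci_sbe.rom ahci_sbe_padded.rom "$(stat -c %s backup.rom)", rom_check the padded file again and hand that to flashrom -w.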

using grub2

Ugly, but it works (proof of concept).

Since grub's hdparm command does not support unlocking, you need to apply this patch first. Install grub on another disk or a USB stick (it cannot live on the locked drive, bummer). At boot, drop to grub's command line and run:

$ hdparm --security-unlock USERPASSWORD (hd0) # or (ahci0) when grub itself runs in AHCI mode

If your disks are in AHCI mode but grub is not, it really gets ugly:

$ nativedisk # switch to grub's native disk drivers, which usually loads the ahci module
$ hdparm --security-unlock USERPASSWORD (ahci0)
# then press ctrl-alt-del to reboot, since grub2 has switched from BIOS to native disk access and the boot drive is now unlocked

To install grub with the native AHCI driver built in, run

$ grub2-install --disk-module=native /dev/sda

which makes the nativedisk step above unnecessary.

Still on my maybe-todo list: make grub2 ask for a password once it detects the boot drive is locked.

using initrd/dracut

Of course, the /boot partition (and thus the initrd) needs to live on an unlocked disk.

Unpack this package into, say, /lib/dracut/modules.d/06atasx and rebuild your initrd with dracut -fv. The module's script scans for locked disks, asks for a passphrase and unlocks them. Afterwards it re-reads the partition table and, if applicable, rescans the logical volumes.
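The module does not need to be large. What follows is an added example of such a dracut module, written for this page and not the package linked above: an installer function that drops a module-setup.sh and a pre-udev hook into a module directory (06atasx is assumed, matching the directory name the text uses). The dracut helper names (check, depends, install, require_binaries, inst_multiple, inst_hook) and the pre-udev hook point are dracut's own; the hook itself finds locked SATA disks via hdparm -I, prompts on /dev/console, unlocks with hdparm --security-unlock and re-reads the partition table with blockdev. LVM activation is left to dracut's lvm module, which runs once udev has seen the new partitions.

```shell
#!/bin/sh
# Installer for a small dracut module (assumed name "atasx", assumed directory
# /lib/dracut/modules.d/06atasx) that unlocks ATA-password-locked SATA disks
# from a pre-udev hook. Example code written for this page, not its package.

install_atasx_module() {  # $1: module directory to create
    moddir=$1
    mkdir -p "$moddir" || return 1

    # dracut module descriptor; check/depends/install and the helpers used in
    # them (require_binaries, inst_multiple, inst_hook) are dracut's API.
    cat > "$moddir/module-setup.sh" <<'EOF'
#!/bin/bash
check() { require_binaries hdparm || return 1; return 0; }
depends() { return 0; }
install() {
    inst_multiple hdparm blockdev stty grep
    inst_hook pre-udev 06 "$moddir/atasx-unlock.sh"
}
EOF

    # The hook runs before udev populates /dev, so partitions on the unlocked
    # disk are visible to everything that follows in the initrd.
    cat > "$moddir/atasx-unlock.sh" <<'EOF'
#!/bin/sh
ata_locked() {  # $1: block device; true when hdparm -I reports "locked"
    hdparm -I "$1" 2>/dev/null | grep -q '^[[:space:]]*locked[[:space:]]*$'
}
read_pass() {   # $1: prompt; reads a line from the console without echo
    printf '%s' "$1" >/dev/console
    stty -echo </dev/console
    read -r pw </dev/console
    stty echo </dev/console
    printf '\n' >/dev/console
    printf '%s' "$pw"
}
for dev in /dev/sd[a-z]; do
    [ -b "$dev" ] || continue
    ata_locked "$dev" || continue
    try=0
    while [ "$try" -lt 3 ] && ata_locked "$dev"; do
        pw=$(read_pass "ATA password for $dev: ")
        hdparm --security-unlock "$pw" "$dev" >/dev/null 2>&1
        try=$((try + 1))
    done
    if ata_locked "$dev"; then
        echo "atasx: $dev is still locked" >&2
        continue
    fi
    blockdev --rereadpt "$dev"   # partition table is readable now; let the kernel see it
done
EOF
    chmod 0755 "$moddir/module-setup.sh" "$moddir/atasx-unlock.sh"
}

# Syntax-check both generated files; succeeds when both parse.
atasx_module_ok() {
    sh -n "$1/module-setup.sh" && sh -n "$1/atasx-unlock.sh"
}

# ATASX_MODDIR=/lib/dracut/modules.d/06atasx sh thisscript.sh, then dracut -fv
if [ -n "$ATASX_MODDIR" ]; then
    install_atasx_module "$ATASX_MODDIR" && atasx_module_ok "$ATASX_MODDIR" &&
        echo "installed to $ATASX_MODDIR; now rebuild the initrd with: dracut -fv"
fi
```

The three-attempt loop re-checks the locked flag with hdparm -I rather than trusting hdparm's exit status, since a wrong password leaves the drive locked either way; after the loop the disk is skipped rather than aborting the boot, so a machine with an unrelated locked data disk still comes up.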