How to enable SSD encryption?












3















I just bought a Samsung EVO 840, which supports AES-256 encryption.

Reading the very little documentation that I could find about SSD encryption, I found that I have to enter my BIOS, go to the security tab, select HDD encryption, and set a password. The problem is that my BIOS (Medion MS-7728), under the security tab, only has two options: Admin password, User password.

I couldn't find any specs of that BIOS where I could read if it doesn't support HDD encryption, or if it does and I just have to update the controller.

Do I have to update the controller so the BIOS recognizes the HDD encryption? And if not, what alternatives do I have to set up a password for my SSD?























migrated from security.stackexchange.com Dec 1 '15 at 18:58


This question came from our site for information security professionals.



















  • The core of this question seems to be about configuring your BIOS, rather than about the encryption itself. I'm voting to move it to another site where this sort of thing is more on-topic.

    – Mike Ounsworth
    Dec 1 '15 at 18:14











  • If you tell me what site I should place this question, I will be pleased to delete this question and re-post it on the other site.

    – Nathan
    Dec 1 '15 at 18:22
















encryption aes disk-encryption bios
















asked Dec 1 '15 at 18:07







Nathan





















1 Answer


















0














I don't think your Medion motherboard/BIOS supports it. I think you'll need a newer BIOS or motherboard, and a laptop looks more likely to support it.



I did find a BIOS Update page on medion.com for Version:2.09 , System:Win 7 64bit , Release date:11.01.2012 but it looks like the Samsung SSD 840 EVO was released in 2013, so it just may not be supported by your motherboard's update either...



But VxLabs' SSDs with usable built-in hardware-based full disk encryption page tells me:




Information on this is incredibly hard to find



In some cases, the manufacturer uses the HDD password or ATA password (configurable via many laptop BIOSes, very few desktop BIOSes, or the ATASX BIOS extension) to encrypt the AES keys.




That last link sounds like a solution, at least for an AMI-BIOS. I don't think that's what you've got, so I don't think you can enable it. Or perhaps it already is enabled, but you can't change the password so it's always "unlocked" :-(





Here's some red herring info I dug up, on the way to the conclusion above.



I thought it was a feature that can be used by software encryption programs, like dm-crypt/cryptsetup/BitLocker/FileVault/truecrypt, etc... after reading about it, it sounds nearly identical to a LUKS volume, where the "random" key is used to encrypt the whole drive, and a user password & master password can be set to unlock the drive, and erasing the "random" key renders the drive effectively locked "forever."



But reading the Security Encryption Brochure (that's pretty thick with "marketingspeak") on your link I didn't think it had anything to do with any BIOS settings, or really any settings on your computer. I'm not even sure if you would type in a password when you turn it on, it sounds more like a remotely managed system where the keys are set & verified by a remote server, so only the "safe" drives are allowed to decrypt & work, and any that try to turn on at the wrong time or place remain locked.



The brochure says:




Samsung offers Self-Encrypting Drives (SEDs) which
are hardware-encrypted and automatically encrypt or decrypt all data
transferred to and from the SSDs.




So it didn't sound like it had anything to do with any software running at all. But that wouldn't make much sense unless you used an actual physical key to unlock the drive, and that wouldn't be very convenient. Reading further:




Invisible to the user, hardware encryption built directly into the
drive electronics maximizes performance. In contrast, software
encryption burdens the central processing unit (CPU) and lowers
performance. Hardware-based SED encryption includes a built-in circuit
in the controller chip that automatically encrypts all data
transferred to the storage device. With hardware-based encryption, the
drive controller encrypts and decrypts all data



...



hardware-based
encryption is performed in the actual hardware, and user
authentication is performed by the drive before it unlocks,
independent of the operating system (OS).



...



in collaboration with independent
software vendors (ISVs)
who provide security management tools
for SEDs, Samsung provides SEDs that are compliant with the TCG
Opal specification, developed by the Trusted Computing Group, and
the IEEE 1667 standards, as supported (for example) by Microsoft
BitLocker
in Windows 8.



...



Safeguard access to data with Wave Cloud and Wave Embassy Remote Administration Server (ERAS)



Wave Systems is an ISV that offers secure data access control on
mobile platforms, access to the cloud and safe network logon with
users’ personal devices. Wave System solutions augment Samsung
SED security technology by Managing authorized users’ access to
the drives and data is where Wave comes in.




So it sounded like a large business / enterprise level system. But reading Samsung's Whitepaper 06- Protect Your Privacy - Security & Encryption Basics reads:




While they do feature SED technology, the 840 and 840 Pro Series SSDs do not support the OPAL storage specification management interface. OPAL drives are geared towards enterprises that need to manage security protocols and want to have advanced control over authentication. With third-party software support, IT managers can set detailed security provisions to restrict access by partition, physical location of the laptop, etc. Anyone interested in this level of security management should research enterprise-class TCG/OPAL SED options.



Someone who wants to manage a personal machine or an SMB that depends on its employees to handle most of their own IT support, however, will find that the SED feature of Samsung’s 840 and 840 Pro Series SSDs is well-suited to their needs. These SSDs offer basic, yet robust, security with minimal effort and expense.



Enabling AES Encryption



AES encryption is always active on an 840 or 840 Pro Series SSD. In order to benefit from the encryption feature, however, the user must enable an ATA password to limit access to the data. Failure to do so will render AES-encryption ineffective – akin to having a safe but leaving the door wide open. To set an ATA password, simply access the BIOS, navigate to the “Security” menu, enable “Password on boot” and set an “HDD Password.” Administrators also have the option of setting a “Master Password,” which can allow a lost user password (“HDD Password”) to be recovered. The “Master Password” may also be used to unlock and/or erase the drive (depending on the settings), effectively destroying, and thus protecting, the data but allowing the drive to be reused. The setup procedure may differ slightly depending on the BIOS version installed on a particular machine. It is best to consult the user manual if there is any confusion.





  • Probably not helpful, but Lenovo ThinkPads are supposed to automatically show the hard drive encryption options in their BIOS when a qualifying drive is present, and there's a utility to force the options to appear.
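
The whitepaper quoted in the answer says the drive's AES encryption protects nothing until an ATA password is set. As an added example (not part of the original answer), this shell snippet classifies that state from the Security block that `hdparm -I` prints on Linux. It assumes `hdparm` is available; the function names are hypothetical and both sample outputs are constructed.

```shell
#!/usr/bin/env bash
# Added example: classify the ATA Security state reported by `hdparm -I`.
# Real use (Linux, root):  hdparm -I /dev/sdX | ata_security_state
# /dev/sdX is a placeholder for the drive under test.

# Read `hdparm -I` text on stdin and print the security flags that are set,
# space separated. Lines prefixed with "not" describe cleared flags.
ata_security_flags() {
    awk '
        /^Security:/       { insec = 1; next }   # start of the Security block
        insec && /^[^ \t]/ { insec = 0 }         # next unindented heading ends it
        insec {
            line = $0
            gsub(/^[ \t]+/, "", line)
            gsub(/[ \t]+$/, "", line)
            if (line ~ /^not[ \t]/) next
            if (line ~ /^(supported|enabled|locked|frozen)$/) printf "%s ", line
        }
    '
}

# Map the flags to one state word:
#   unsupported            drive has no ATA Security feature set
#   no-password            feature present, no password set (data readable by anyone)
#   no-password-frozen     as above, and firmware froze the feature until power cycle,
#                          so the OS cannot set a password either
#   password-set-unlocked  password set, drive currently unlocked
#   password-set-locked    password set, drive refuses I/O until unlocked
ata_security_state() {
    flags=" $(ata_security_flags) "
    case "$flags" in
        *" supported "*) ;;
        *) echo "unsupported"; return ;;
    esac
    case "$flags" in
        *" enabled "*)
            case "$flags" in
                *" locked "*) echo "password-set-locked" ;;
                *)            echo "password-set-unlocked" ;;
            esac ;;
        *)
            case "$flags" in
                *" frozen "*) echo "no-password-frozen" ;;
                *)            echo "no-password" ;;
            esac ;;
    esac
}

# Constructed sample: desktop BIOS with no HDD password option.
sample_no_password() {
cat <<'EOF'
Commands/features:
        Enabled Supported:
           *    SMART feature set
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
EOF
}

# Constructed sample: password set, drive moved to another machine and not yet unlocked.
sample_locked() {
cat <<'EOF'
Security:
        Master password revision code = 65534
                supported
                enabled
                locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        Security level high
Checksum: correct
EOF
}

echo "sample_no_password: $(sample_no_password | ata_security_state)"
echo "sample_locked:      $(sample_locked | ata_security_state)"
```
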






share|improve this answer























    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














    draft saved

    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1007792%2fhow-to-enable-ssd-encryption%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown
























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    0














    I don't think your Medion motherboard/BIOS supports it. I think you'll need a newer BIOS or motherboard, and a laptop looks more likely to support it.



    I did find a BIOS Update page on medion.com for Version:2.09 , System:Win 7 64bit , Release date:11.01.2012 but it looks like the Samsung SSD 840 EVO was released in 2013, so it just may not be supported by your motherboard's update either...



    But VxLabs' SSDs with usable built-in hardware-based full disk encryption page tells me:




    Information on this is incredibly hard to find



    In some cases, the manufacterer uses the HDD password or ATA password (configurable via many laptop BIOSes, very few desktop BIOSes, or the ATASX BIOS extension) to encrypt the AES keys.




    That last link sounds like a solution, at least for an AMI-BIOS. I don't think that's what you've got, so I don't think you can enable it. Or perhaps it already is enabled, but you can't change the password so it's always "unlocked" :-(





    Here's some red herring info I dug up, on the way to the conclusion above.



    I thought it was a feature that can be used by software encryption programs, like dm-crypt/cryptsetup/BitLocker/FileVault/truecrypt, etc... after reading about it, it sounds nearly identical to a LUKS volume, where the "random" key is used to encrypt the whole drive, and a user password & master password can be set to unlock the drive, and erasing the "random" key renders the drive effectively locked "forever."



    But reading the Security Encryption Brochure (that's pretty thick with "marketingspeak") on your link I did't think it had anything to do with any BIOS settings, or really any settings on your computer. I'm not even sure if you would type in a password when you turn it on, it sounds more like a remotely managed system where the keys are set & verified by a remote server, so only the "safe" drives are allowed to decrypt & work, and any that try to turn on at the wrong time or place remain locked.



    The brochure says:




    Samsung offers Self-Encrypting Drives (SEDs) which
    are hardware-encrypted and automatically encrypt or decrypt all data
    transferred to and from the SSDs.




    So it didn't sound like it had anything to do with any software running at all. But that wouldn't make much sense unless you used an actual physical key to unlock the drive, and that wouldn't be very convenient. Reading further:




    Invisible to the user, hardware encryption built directly into the
    drive electronics maximizes performance. In contrast, software
    encryption burdens the central processing unit (CPU) and lowers
    performance. Hardware-based SED encryption includes a built-in circuit
    in the controller chip that automatically encrypts all data
    transferred to the storage device. With hardwarebased encryption, the
    drive controller encrypts and decrypts all data



    ...



    hardware-based
    encryption is performed in the actual hardware, and user
    authentication is performed by the drive before it unlocks,
    independent of the operating system (OS).



    ...



    in collaboration with independent
    software vendors (ISVs)
    who provide security management tools
    for SEDs, Samsung provides SEDs that are compliant with the TCG
    Opal specification, developed by the Trusted Computing Group, and
    the IEEE 1667 standards, as supported (for example) by Microsoft
    BitLocker
    in Windows 8.



    ...



    Safeguard access to data with Wave Cloud and Wave Embassy Remote Administration Server (ERAS)



    Wave Systems is an ISV that offers secure data access control on
    mobile platforms, access to the cloud and safe network logon with
    users’ personal devices. Wave System solutions augment Samsung
    SED security technology by Managing authorized users’ access to
    the drives and data is where Wave comes in.




    So it sounded like a large business / enterprise level system. But reading Samsung's Whitepaper 06- Protect Your Privacy - Security & Encryption Basics reads:




    While they do feature SED technology, the 840 and 840 Pro Series SSDs do not support the OPAL storage specification management interface. OPAL drives are geared towards enterprises that need to manage security protocols and want to have advanced control over authentication. With third-party software support, IT managers can set detailed security provisions to restrict access by partition, physical location of the laptop, etc. Anyone interested in this level of security management should research enterprise-class TCG/OPAL SED options.



    Someone who wants to manage a personal machine or an SMB that depends on its employees to handle most of their own IT support, however, will find that the SED feature of Samsung’s 840 and 840 Pro Series SSDs is well-suited to their needs. These SSDs offer basic, yet robust, security with minimal effort and expense.



    Enabling AES Encryption



    AES encryption is always active on an 840 or 840 Pro Series SSD. In order to benefit from the encryption feature, however, the user must enable an ATA password to limit access to the data. Failure to do so will render AES-encryption ineffective – akin to having a safe but leaving the door wide open. To set an ATA password, simply access the BIOS, navigate to the “Security” menu, enable “Password on boot” and set an “HDD Password.” Administrators also have the option of setting a “Master Password,” which can allow a lost user password (“HDD Password) to be recovered. The “Master Password” may also be used to unlock and/or erase the drive (depending on the settings), effectively destroying, and thus protecting, the data but allowing the drive to be reused. The setup procedure may differ slightly depending on the BIOS version installed on a particular machine. It is best to consult the user manual if there is any confusion.





    • Probably not helpful, but Lenovo ThinkPads are supposed to automatically show the hard drive encryption options in their BIOS when a qualifying drive is present, and there's a utility to force the options to appear.






    share|improve this answer




























      0














      I don't think your Medion motherboard/BIOS supports it. I think you'll need a newer BIOS or motherboard, and a laptop looks more likely to support it.



      I did find a BIOS Update page on medion.com for Version:2.09 , System:Win 7 64bit , Release date:11.01.2012 but it looks like the Samsung SSD 840 EVO was released in 2013, so it just may not be supported by your motherboard's update either...



      But VxLabs' SSDs with usable built-in hardware-based full disk encryption page tells me:




      Information on this is incredibly hard to find



      In some cases, the manufacterer uses the HDD password or ATA password (configurable via many laptop BIOSes, very few desktop BIOSes, or the ATASX BIOS extension) to encrypt the AES keys.




      That last link sounds like a solution, at least for an AMI-BIOS. I don't think that's what you've got, so I don't think you can enable it. Or perhaps it already is enabled, but you can't change the password so it's always "unlocked" :-(





      Here's some red herring info I dug up, on the way to the conclusion above.



      I thought it was a feature that can be used by software encryption programs, like dm-crypt/cryptsetup/BitLocker/FileVault/truecrypt, etc... after reading about it, it sounds nearly identical to a LUKS volume, where the "random" key is used to encrypt the whole drive, and a user password & master password can be set to unlock the drive, and erasing the "random" key renders the drive effectively locked "forever."



      But reading the Security Encryption Brochure (that's pretty thick with "marketingspeak") on your link I did't think it had anything to do with any BIOS settings, or really any settings on your computer. I'm not even sure if you would type in a password when you turn it on, it sounds more like a remotely managed system where the keys are set & verified by a remote server, so only the "safe" drives are allowed to decrypt & work, and any that try to turn on at the wrong time or place remain locked.



      The brochure says:




      Samsung offers Self-Encrypting Drives (SEDs) which
      are hardware-encrypted and automatically encrypt or decrypt all data
      transferred to and from the SSDs.




      So it didn't sound like it had anything to do with any software running at all. But that wouldn't make much sense unless you used an actual physical key to unlock the drive, and that wouldn't be very convenient. Reading further:




      Invisible to the user, hardware encryption built directly into the
      drive electronics maximizes performance. In contrast, software
      encryption burdens the central processing unit (CPU) and lowers
      performance. Hardware-based SED encryption includes a built-in circuit
      in the controller chip that automatically encrypts all data
      transferred to the storage device. With hardwarebased encryption, the
      drive controller encrypts and decrypts all data



      ...



      hardware-based
      encryption is performed in the actual hardware, and user
      authentication is performed by the drive before it unlocks,
      independent of the operating system (OS).



      ...



      in collaboration with independent
      software vendors (ISVs)
      who provide security management tools
      for SEDs, Samsung provides SEDs that are compliant with the TCG
      Opal specification, developed by the Trusted Computing Group, and
      the IEEE 1667 standards, as supported (for example) by Microsoft
      BitLocker
      in Windows 8.



      ...



      Safeguard access to data with Wave Cloud and Wave Embassy Remote Administration Server (ERAS)



      Wave Systems is an ISV that offers secure data access control on
      mobile platforms, access to the cloud and safe network logon with
      users’ personal devices. Wave System solutions augment Samsung
      SED security technology by Managing authorized users’ access to
      the drives and data is where Wave comes in.




      So it sounded like a large business / enterprise level system. But reading Samsung's Whitepaper 06- Protect Your Privacy - Security & Encryption Basics reads:




      While they do feature SED technology, the 840 and 840 Pro Series SSDs do not support the OPAL storage specification management interface. OPAL drives are geared towards enterprises that need to manage security protocols and want to have advanced control over authentication. With third-party software support, IT managers can set detailed security provisions to restrict access by partition, physical location of the laptop, etc. Anyone interested in this level of security management should research enterprise-class TCG/OPAL SED options.



      Someone who wants to manage a personal machine or an SMB that depends on its employees to handle most of their own IT support, however, will find that the SED feature of Samsung’s 840 and 840 Pro Series SSDs is well-suited to their needs. These SSDs offer basic, yet robust, security with minimal effort and expense.



      Enabling AES Encryption



      AES encryption is always active on an 840 or 840 Pro Series SSD. In order to benefit from the encryption feature, however, the user must enable an ATA password to limit access to the data. Failure to do so will render AES-encryption ineffective – akin to having a safe but leaving the door wide open. To set an ATA password, simply access the BIOS, navigate to the “Security” menu, enable “Password on boot” and set an “HDD Password.” Administrators also have the option of setting a “Master Password,” which can allow a lost user password (“HDD Password) to be recovered. The “Master Password” may also be used to unlock and/or erase the drive (depending on the settings), effectively destroying, and thus protecting, the data but allowing the drive to be reused. The setup procedure may differ slightly depending on the BIOS version installed on a particular machine. It is best to consult the user manual if there is any confusion.





      • Probably not helpful, but Lenovo ThinkPads are supposed to automatically show the hard drive encryption options in their BIOS when a qualifying drive is present, and there's a utility to force the options to appear.






      share|improve this answer


























        0












        0








        0







        I don't think your Medion motherboard/BIOS supports it. I think you'll need a newer BIOS or motherboard, and a laptop looks more likely to support it.



        I did find a BIOS Update page on medion.com for Version:2.09 , System:Win 7 64bit , Release date:11.01.2012 but it looks like the Samsung SSD 840 EVO was released in 2013, so it just may not be supported by your motherboard's update either...



        But VxLabs' SSDs with usable built-in hardware-based full disk encryption page tells me:




        Information on this is incredibly hard to find



        In some cases, the manufacterer uses the HDD password or ATA password (configurable via many laptop BIOSes, very few desktop BIOSes, or the ATASX BIOS extension) to encrypt the AES keys.




        That last link sounds like a solution, at least for an AMI-BIOS. I don't think that's what you've got, so I don't think you can enable it. Or perhaps it already is enabled, but you can't change the password so it's always "unlocked" :-(





        Here's some red herring info I dug up, on the way to the conclusion above.



        I thought it was a feature that can be used by software encryption programs, like dm-crypt/cryptsetup/BitLocker/FileVault/truecrypt, etc... after reading about it, it sounds nearly identical to a LUKS volume, where the "random" key is used to encrypt the whole drive, and a user password & master password can be set to unlock the drive, and erasing the "random" key renders the drive effectively locked "forever."



        But reading the Security Encryption Brochure (that's pretty thick with "marketingspeak") on your link I did't think it had anything to do with any BIOS settings, or really any settings on your computer. I'm not even sure if you would type in a password when you turn it on, it sounds more like a remotely managed system where the keys are set & verified by a remote server, so only the "safe" drives are allowed to decrypt & work, and any that try to turn on at the wrong time or place remain locked.



        The brochure says:




        Samsung offers Self-Encrypting Drives (SEDs) which
        are hardware-encrypted and automatically encrypt or decrypt all data
        transferred to and from the SSDs.




        So it didn't sound like it had anything to do with any software running at all. But that wouldn't make much sense unless you used an actual physical key to unlock the drive, and that wouldn't be very convenient. Reading further:




        Invisible to the user, hardware encryption built directly into the
        drive electronics maximizes performance. In contrast, software
        encryption burdens the central processing unit (CPU) and lowers
        performance. Hardware-based SED encryption includes a built-in circuit
        in the controller chip that automatically encrypts all data
        transferred to the storage device. With hardwarebased encryption, the
        drive controller encrypts and decrypts all data



        ...



        hardware-based
        encryption is performed in the actual hardware, and user
        authentication is performed by the drive before it unlocks,
        independent of the operating system (OS).



        ...



        in collaboration with independent
        software vendors (ISVs)
        who provide security management tools
        for SEDs, Samsung provides SEDs that are compliant with the TCG
        Opal specification, developed by the Trusted Computing Group, and
        the IEEE 1667 standards, as supported (for example) by Microsoft
        BitLocker
        in Windows 8.



        ...



        Safeguard access to data with Wave Cloud and Wave Embassy Remote Administration Server (ERAS)



        Wave Systems is an ISV that offers secure data access control on
        mobile platforms, access to the cloud and safe network logon with
        users’ personal devices. Wave System solutions augment Samsung
        SED security technology by Managing authorized users’ access to
        the drives and data is where Wave comes in.




        So it sounded like a large business / enterprise level system. But reading Samsung's Whitepaper 06- Protect Your Privacy - Security & Encryption Basics reads:




        While they do feature SED technology, the 840 and 840 Pro Series SSDs do not support the OPAL storage specification management interface. OPAL drives are geared towards enterprises that need to manage security protocols and want to have advanced control over authentication. With third-party software support, IT managers can set detailed security provisions to restrict access by partition, physical location of the laptop, etc. Anyone interested in this level of security management should research enterprise-class TCG/OPAL SED options.



        Someone who wants to manage a personal machine or an SMB that depends on its employees to handle most of their own IT support, however, will find that the SED feature of Samsung’s 840 and 840 Pro Series SSDs is well-suited to their needs. These SSDs offer basic, yet robust, security with minimal effort and expense.



        Enabling AES Encryption



        AES encryption is always active on an 840 or 840 Pro Series SSD. In order to benefit from the encryption feature, however, the user must enable an ATA password to limit access to the data. Failure to do so will render AES-encryption ineffective – akin to having a safe but leaving the door wide open. To set an ATA password, simply access the BIOS, navigate to the “Security” menu, enable “Password on boot” and set an “HDD Password.” Administrators also have the option of setting a “Master Password,” which can allow a lost user password (“HDD Password”) to be recovered. The “Master Password” may also be used to unlock and/or erase the drive (depending on the settings), effectively destroying, and thus protecting, the data but allowing the drive to be reused. The setup procedure may differ slightly depending on the BIOS version installed on a particular machine. It is best to consult the user manual if there is any confusion.





        • Probably not helpful, but Lenovo ThinkPads are supposed to automatically show the hard drive encryption options in their BIOS when a qualifying drive is present, and there's a utility to force the options to appear.
















        answered Dec 3 '15 at 9:59









        Xen2050
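
        One way to check from Linux whether the ATA password described in the whitepaper quote above is actually set, as an added example that is not part of the original answer: it parses the "Security:" section printed by `hdparm -I /dev/sdX`. The sample text is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of the "Security:" section of `hdparm -I /dev/sdX` output
# (not captured from a real drive).
SAMPLE = """\
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 8min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 0000000000000000
"""

FLAGS = ("supported", "enabled", "locked", "frozen")

def parse_security(text):
    """Return {flag: bool} from the Security section; {} if the section is absent."""
    state, in_section = {}, False
    for line in text.splitlines():
        if line.strip() == "Security:":
            in_section = True
            continue
        if in_section:
            if line and not line[0].isspace():  # next unindented header ends the section
                break
            # A flag line is the bare flag name, optionally preceded by "not".
            m = re.fullmatch(r"(not\s+)?(\w+)", line.strip())
            if m and m.group(2) in FLAGS:
                state[m.group(2)] = m.group(1) is None
    return state

def assess(state):
    """Summarise what the flags mean for the drive's built-in encryption."""
    if not state.get("supported"):
        return "ATA security feature set not reported"
    if not state.get("enabled"):
        msg = "no ATA password set: nothing gates access to the data"
    elif state.get("locked"):
        msg = "ATA password set, drive locked"
    else:
        msg = "ATA password set, drive unlocked for this session"
    if state.get("frozen"):
        msg += "; frozen (security commands rejected until power cycle)"
    return msg

if __name__ == "__main__":
    print(assess(parse_security(SAMPLE)))
```

        On a real machine, feed the functions the text of `hdparm -I` run as root against the SSD instead of `SAMPLE`.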
