08-18-2013 07:01 AM
I recently purchased an EliteBook 8570w with Windows 7 Pro and a MTFDDAK256MAM-1K12 self-encrypting SSD drive (SED).
However, I cannot find an option to enable the self-encrypting feature. I've tried checking in the pre-boot options without luck (hitting Esc at boot). For instance, I see menu options for DriveLock and Auto DriveLock but these are disabled in the BIOS menu.
And I have tried looking in the HP Protect Tools software but this appears to have only activated software encryption on the drive.
Any advice on how I can enable the hardware encryption (SED) feature?
08-31-2013 10:36 PM
Thanks for the link. The document you linked to reads:
That the drive must be provisioned and "Provisioning an SED requires SED management software."
and refers to ATA Drive Lock (HP BIOS).
However, when I enter BIOS via F10, the Drive Lock menu option is disabled. Do you know how I can enable this menu option in BIOS?
09-01-2013 01:14 AM
>"Provisioning an SED requires SED management software."
>when I enter BIOS via F10, the Drive Lock menu option is disabled. Do you know how I can enable this menu option in BIOS?
I think you need extra software to enable it. I.e. the SED is already encrypting/decrypting. You need to have software to prompt you for the authentication key and this must be done in some boot code.
The above document says "HP ProtectTools is included with all HP workstations that ship with an SED".
Which may imply that it would only work if you bought that SED with a HP workstation but you have a laptop.
09-02-2013 07:15 AM
>Which may imply that it would only work if you bought that SED with a HP workstation but you have a laptop.
The HP 8570w is an Elitebook Mobile Workstation.
09-02-2013 09:22 AM - edited 09-02-2013 09:24 AM
>The HP 8570w is an Elitebook Mobile Workstation.
Unfortunately the whitepaper is not specific enough to mention which workstations and what software is needed.
In any case, did your laptop come with the SED?
09-10-2013 09:30 AM
Self Encrypting Drives manage (and hide) all data encryption in the drive controller. You can enable protection of the SED by setting a password in the drive. Once that is done, the drive will only acknowledge any I/O when it is "unlocked" by providing that password.
Now, there are 2 ways to set and manage that password (as the white paper suggested). You can have an Enterprise Management software with an agent that manages SED access corporate-wide (or workgroup-wide), OR, you can have the BIOS manage the SED password via DriveLock. What you may be missing is the fact that, as a security precaution, you are required to set up a BIOS admin password to enable DriveLock. That way, someone else with access to the laptop could not go back into the BIOS, reset the DriveLock and access your drive (whose data you are trying to protect) with impunity.
Hope this helps, and sorry for the long response
07-31-2014 09:08 PM - edited 07-31-2014 09:16 PM
soccer_dan, thanks for that helpful info.
I have some additional questions that I hope you can help to answer...
- From what you stated, to use/enable the self-encrypting drive (SED) feature of the 256GB SSD such that the data stored on the drive is (hardware) encrypted and secured by a password, in the BIOS, I just need to set DriveLock Password (which will automatically prompt me to set a BIOS admin password), correct?
- Can there be more than 1 DriveLock password to unlock the drive?
- We have a bunch of HP EliteBook 9470m notebooks that have 256GB SED SSDs in them. Are the SSDs in the 9470m notebooks "Micron C400" drives? I ask because some of the "Enterprise Encryption Management" software such as Sophos SafeGuard mentions compatibility with specific OEM SSD models (Reference: http://www.sophos.com/en-us/support/knowledgebase/)
- Is WinMagic one of the Enterprise Encryption Management software providers that has compatibility with all of the SED SSDs used by HP computers? (Reference: http://www.winmagic.com/products/enterprise-server)
- What is SecureBoot Configuration? Is that for Two-Factor Authentication to unlock the SSD?
- When running Windows 7 Pro, does the Boot Mode need to change from Legacy to UEFI Hybrid or UEFI Native or is that completely unrelated to the SSD/encryption?
Thanks in advance for any feedback.
08-01-2014 04:57 AM
1. Correct. BIOS will manage access to the SED once you enable DriveLock. A BIOS Setup password is required before this can be done, to avoid potential changes by unauthorized users.
3. Possibly, but no guarantees all the same.
4. WinMagic is one of HP's preferred drive encryption partners, as they can not only manage SEDs of OPAL 1 and 2 versions but the same console can provide s/w encryption for non-SED drives and manage all as common profiles.
5. SecureBoot is a UEFI component developed by Microsoft for Windows 8 (and 8.1) to prevent unauthorized code from being loaded (run) by the BIOS. It helps prevent rootkits and such things.
6. Although Windows 7 has some UEFI capability and GPT partitioning support, it is best to have the BIOS in Legacy mode.
08-03-2014 08:29 PM
- When I first tried to set the DriveLock password, I got an alert that stated, "Drivelock is temporarily not available for this drive. Please power the system off and enter Computer Setup again to access the Drivelock features," which was a bit worrying (*see photo link below for reference).
- After I got the above note, I powered the machine off, entered (BIOS) Setup, and instead of going into DriveLock, I first clicked on "Setup BIOS Administrator Password" to set up that password. I was then able to proceed with the DriveLock setup but I don't know if that step was what actually fixed the "DriveLock temporarily not available" issue.
- The DriveLock setup involves setting up USER and MASTER passwords. The MASTER password is able to reset the USER password.
Photos of screens in the links below for reference.
Hope this is helpful for others.
11-17-2014 08:04 AM
Thanks for the response,
Can you, please, clarify the following quote from HP's whitepaper?
"DriveLock is a part of the ATA standard, and restricts access to the SED unless the correct password is entered during POST
11-19-2014 02:11 PM
On non-self encrypting (SED) drives, DriveLock is the ability to put a password on the controller of the drive. This password is not encrypted. The BIOS can ask for the password from the user/admin during setup, or (at least) in our products, can generate its own password and place it on the drive. Then, every time the drive powers on by command from the motherboard, it will first ask for this DriveLock password. If the BIOS does not offer it, the drive will not power up.
On SEDs, the drive encrypts the data in and out by using keys generated in the drive controller that never, ever, are seen outside the drive. By default, Windows will write to the drive, which encrypts and stores the data. On a read, the drive does the opposite, decrypting the needed data and returning that to Windows. When DriveLock is enabled on an SED, it provides a password to the drive to secure access to the data. If the BIOS provides this password at power on, the drive powers on and data is encrypted and decrypted normally. If the BIOS does not (e.g. the drive was moved to another computer), the drive powers on but all data is inaccessible and only a reformat will get the drive back to operating condition.
At a high level...
11-20-2014 11:41 AM
>only a reformat will get back the drive to operating condition
Are you sure about that? Once a drive is locked, you can't do any I/O operations on it.
You would need to do a Revert, which also crypto erases the drive.
3 weeks ago
You are correct about a revert being necessary and it will crypto erase the drive. Some SED vendors make a utility to perform this operation and others do not. For instance, Samsung makes a utility, but they keep it secret and you have to dig a lot to find it. Crucial does not make one, but will replace the drive under warranty, although they technically say they don't need to do it (speaking from experience). However, they also will direct you to a program in beta testing that should perform a revert on any OPAL 2 SED. The program is called MSED and can be found at:
Again, this is in beta testing. I ran it successfully once to revert an SED and it failed to revert a second drive. It had to be replaced under warranty.
Soccer_Dan, I'd appreciate it if you could answer a few questions regarding the DriveLock.
Does it work on all SEDs, both Opal 1 and Opal 2 compliant? From some things I've been reading, it seems like at least some DriveLock versions will only operate on Opal 1 compliant drives. If so, is there a document telling which PCs/Laptops support which Opal version?
You said DriveLock can also lock down standard drives by placing the unencrypted password in the controller of the drive. Will this drive be accessible if the drive is moved to another PC, since it will just be accessed as a data drive and it is unencrypted? It seems as long as the drive is in the original PC, DriveLock will keep it secure.
Does DriveLock work with all standard (non-SED) drives? Thanks for your help.
3 weeks ago
DriveLock will work with whatever version of SED type drive is supported by HP with that platform. If a platform supported OPAL 1 only (say, a model from a couple of years back), then no OPAL 2 drives would be supported on that platform BIOS' DriveLock. Hope this makes sense. Basically, whatever drive type is supported by HP on a notebook, it is supported by that model's DriveLock.
The original DriveLock technology developed by Compaq and other vendors (I think Intel, maybe) was designed to lock down a drive and provide some at-rest security. The BIOS adds a pwd to the controller of the drive (if the drive supported DriveLock in the f/w), and then the drive would ask for the password every time it powered on. If you move the drive to another system, the BIOS in that system would not know the DriveLock password and the drive will then not power on. It becomes a brick (at least for most folks).
HP started using DriveLock as a means to also create the encrypted protection path for SEDs, so that after an SED turns on, the contents are protected until the BIOS provides the encryption 'stuff' which allows the drive to continue working as a normal drive. Of course, all data is encrypted and decrypted automatically on access.
Hope this helps
3 weeks ago
Thanks for the information. So we can fairly safely say that since the OPAL 2 standard was released in February of 2012, all computers released prior to that and most likely also in 2012 only have DriveLock that supports OPAL 1 drives. Other than that, it is really hard to find information on what OPAL standard is supported.
So, DriveLock works only on drives that support it. Would that have anything to do with the DriveTrust standard that Seagate came out with?
I agree with you about Wave's SED management software solutions being the best. As long as you are working with a lot of computers (you have to purchase a minimum of 20 licenses), it is great. They also offer cloud management for a yearly fee that is outstanding.
If someone wants to manage an OPAL 1 laptop/PC that they have installed a more recent OPAL 2 drive on, they can also use other software. I have installed Softex SecureDrive for a lot of my customers for a one-time cost and they offer free lifetime support.
If anyone is interested, the MSED program I mentioned earlier will now manage the drive passwords and locking and will install a PreBoot Environment. It is free, but it is in Beta testing and does *NOT* have a nice installer or user interface. This is certainly for the DIY crowd of computer geeks.
I also list other management software at my website, selfencryptingdrives.info.
3 weeks ago
I also have problems using SEDs on our HP 4540s notebooks. We have several 4540s and just updated the BIOS to the latest version this week. Then we changed from the normal HDD to Crucial M500 SSDs. On most of the 4540s this worked like a charm; we were able to set the DriveLock password and on boot we are prompted to enter it. But on some devices we can't set a password, as after a click on "DriveLock password" it is telling us "HDD is HW encrypted". And that's it, no further actions possible and no password on boot.
We are using Windows 7 Pro x64, no BitLocker.
3 weeks ago
How quickly things change. Crucial has a utility to work with their SSDs, now. You can download it from them here:
This will allow anyone to perform a revert on encrypted Crucial drives.
As to the issue with masl_wm, I hope that HP can shed some light on this one. Are the laptops covered under warranty and you can call for warranty support?
You might try going to http://www.r0m30.com/msed/files and downloading MSED. Then follow the directions here to query the drives to find out the state of the drives. You must first perform an "msed --scan". This will reveal the physical drive number. You will get a response from MSED looking something like this:
Scanning for Opal compliant disks
\\.\PhysicalDrive0 2 Crucial_CT120M500SSD3 MU05
No more disks present ending scan
You must then perform an "msed --query \\.\PhysicalDrive0" based on our example above. You should replace PhysicalDrive0 with the drive you are seeing in the scan result for your Crucial M500 drive. It will probably be PhysicalDrive0.
If I had to guess, I would say that the drive somehow has flags set showing it is already locked (managed by another program, even though it isn't). You can test to see the difference between a drive that is good and bad by turning OFF DriveLock on one of the laptops where it is working. Then perform the MSED commands to scan and query on the good drive and compare to one on a laptop giving the issue. Let us know the results of that as well.
The results may be enough to help you understand what is going on. If you post the results of the Query here, I will try to help and perhaps Soccer_Dan can help as well.
3 weeks ago
OK, so I said follow the examples of how to Query using MSED at a site, but never said where. Here is the link to the site:
3 weeks ago
>Some SED vendors make a utility to perform this operation and others do not.
I have since learned everything you need to know about Opal 2. :-)
>and it failed to revert a second drive.
2 weeks ago
I attached the msed query results. I also installed the Crucial Storage Executive but I couldn't find anything about locking state in there. Only the option for a PSID revert, but that would erase all data instead of just enabling me to set a DriveLock password through BIOS :(
2 weeks ago
The attachment shows the following:
Locking function (0x0002)
Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
I believe this is telling us the drive has somehow been set to have LockingEnabled, which is causing your problems. It seems to be in a PARTIALLY OPAL managed state, which is why you are being told "HDD is HW encrypted". Unfortunately, there is no password set or you don't know the password, so MSED cannot be used to change LockingEnabled to No.
Therefore, I can suggest two fixes. The one I would try first is to use the Crucial PSID Revert utility. Since nothing is on the drive yet, this should not be an issue, as it will certainly destroy all data on the drive. This may turn off the LockingEnabled flag and you will successfully be on your way.
If not, the second fix is to return the drives for warranty replacement. Crucial has been VERY good to me with this in the past. Please let us know how things turn out.
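A small parser for the msed --scan and --query output quoted in this thread, mapping the Locking function flags to the drive states discussed above (unprovisioned, locked, or the LockingEnabled = Y / Locked = N case behind the "HDD is HW encrypted" message). This is an added example, not code from the thread or the msed project; the state labels, the suggested actions and the reading of the scan's second column as msed's Opal version tag are assumptions.

```python
"""Parse msed (sedutil) --scan and --query text and classify an Opal SED's
provisioning state. Added example for this thread, not code from the msed
project; the state labels and suggested actions are this example's own."""
import re

# Constructed sample input, shaped like the scan and query output quoted in the thread.
SCAN_OUTPUT = r"""
Scanning for Opal compliant disks
\\.\PhysicalDrive0 2 Crucial_CT120M500SSD3 MU05
No more disks present ending scan
""".strip()
QUERY_OUTPUT = """\
Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
"""

# device, Opal column, model, firmware (Windows \\.\PhysicalDriveN or Linux /dev/sdX)
SCAN_LINE = re.compile(r"^(\\\\\.\\\S+|/dev/\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_scan(text: str) -> list:
    """Return [(device, opal_column, model, firmware)] for each drive line.
    Assumption: the second column is msed's Opal version tag ("2" in the thread's sample)."""
    return [m.groups() for m in (SCAN_LINE.match(ln.strip()) for ln in text.splitlines()) if m]

def parse_locking_flags(text: str) -> dict:
    """Return {'Locked': False, 'LockingEnabled': True, ...} from the Locking function block."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Locking function") and i + 1 < len(lines):
            pairs = re.findall(r"(\w+)\s*=\s*([YN])", lines[i + 1])
            if pairs:
                return {name: val == "Y" for name, val in pairs}
    raise ValueError("no Locking function block found in query output")

def classify(flags: dict) -> tuple:
    """Map the flags to a state and the action discussed in the thread."""
    if not flags.get("LockingSupported", False):
        return ("not-opal", "no Opal locking; BIOS DriveLock can only use plain ATA security")
    if not flags.get("LockingEnabled", False):
        return ("unprovisioned", "BIOS DriveLock can take ownership and set user/master passwords")
    if flags.get("Locked", False):
        return ("locked", "supply the owning software's or BIOS's password at power-on")
    # LockingEnabled=Y but Locked=N: something owns the drive, yet nothing is enforcing it.
    return ("partially-managed", "owner password unknown: PSID revert (erases data) or warranty swap")

def report(scan_text: str, query_text: str) -> list:
    """One (device, model, state, action) row per scanned drive, using the given query flags."""
    state, action = classify(parse_locking_flags(query_text))
    return [(dev, model, state, action) for dev, _opal, model, _fw in parse_scan(scan_text)]

if __name__ == "__main__":
    for row in report(SCAN_OUTPUT, QUERY_OUTPUT):
        print(*row, sep=" | ")
```

Run msed --scan and msed --query on the real drive and feed their text to report() to compare a working laptop against one showing the error, as the thread suggests.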