How to disable FDE (Full Disk Encryption)? #97
Comments
Hi @Zibri, There is no way to disable the encryption when data is written to the medium as that part of the firmware or hardware performing the encryption is always active for self-encrypting drives (SED). If your drive supports TCG Opal, there is a feature where you can disable "SID" which is essentially disabling the ability to set a password on the drive. This disables using any other part of TCG Opal unless you perform a revertSP to restore all settings to factory defaults using the PSID from the label. For TCG Enterprise, this feature doesn't really exist, but there is something similar that can prevent setting a password on the drive, but this may be a Seagate-unique feature implemented by Seagate's firmware. There are also "ISE" or "Instant Secure Erase" drives that have full disk encryption, but do not use passwords or the other security features offered by TCG Opal or TCG Enterprise. As these do not have a password, there is no additional configuration available. For ATA security, there is the freezelock command which blocks using any part of the feature until the drive power cycles. Some motherboards will issue this automatically on startup, and I believe Windows does this too (unless it's a modern version of Windows PE). At this time openSeaChest does not have the capabilities to make these changes to the TCG features, but it is present in the closed source SeaChest tools available from https://www.seagate.com/support/software/seachest/
Question: is there a way to SET the KEY directly ... AFAIK it's only possible to change it using erase/sanitize crypto ext.
@Zibri, As for the "handy store" this sounds a lot like the TCG Opal spec's "shadow MBR" which allows putting a piece of software in this location to allow launching and unlocking the drive with a password. It can be used by plugging in a drive and accessing it, or it also allows an OS to write a small bootloader to place here and perform the unlock. Microsoft BitLocker does this in hardware encryption mode.
According to the drive manual
Any idea?