How to disable FDE (Full Disk Encryption)? #97

Open

Zibri opened this issue Jan 22, 2023 · 4 comments

Comments

@Zibri

Zibri commented Jan 22, 2023

Any idea?

@vonericsen
Contributor

Hi @Zibri,

There is no way to disable the encryption when data is written to the medium, as the part of the firmware or hardware performing the encryption is always active for self-encrypting drives (SED).
The different security features may offer ways to disable certain parts of the feature, but that doesn't stop the encryption when writing to the medium (platters/NAND).

If your drive supports TCG Opal, there is a feature where you can disable "SID", which is essentially disabling the ability to set a password on the drive. This disables using any other part of TCG Opal unless you perform a revertSP to restore all settings to factory defaults using the PSID from the label.

For TCG Enterprise, this feature doesn't really exist, but there is something similar that can prevent setting a password on the drive, but this may be a Seagate unique feature implemented by Seagate's firmware.

There are also "ISE" or "Instant Secure Erase" drives that have full disk encryption, but do not use passwords or the other security features offered by TCG Opal or TCG Enterprise. As these do not have a password, there is no additional configuration available.

For ATA security, there is the freeze lock command which blocks using any part of the feature until the drive power cycles. Some motherboards will issue this automatically on startup, and I believe Windows does this too (unless it's a modern version of Windows PE).
Be aware that drives with ATA security and TCG features have interactions between them. So if you enable ATA security (set a password), that same password can be used with certain TCG Opal features. I do not remember all of the interactions between the features, but ATA security is much more limited in capabilities than what is offered through TCG.
Not all devices with ATA security encrypt the medium though. openSeaChest_Security -d <handle> --ataSecurityInfo will read the ATA security info as well as a bit that the drive can set if it uses full disk encryption, and report it there.

At this time openSeaChest does not have the capabilities to make these changes to the TCG features, but they are present in the closed-source SeaChest tools available from https://www.seagate.com/support/software/seachest/
These options are limited to Seagate drives though.
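The ATA security status and full-disk-encryption bits that the comment above says the tool reads come from the drive's IDENTIFY DEVICE data. The following is an added example (not openSeaChest's own code) that decodes those bits from a 512-byte IDENTIFY buffer and flags the states an administrator would check, such as a drive whose security feature was never frozen at boot. It assumes the ACS word/bit layout noted in the comments and that the FDE bit referred to above is the word-69 "Encrypt All" bit; the sample buffer is constructed, not captured from a drive.

```python
import struct

# ATA/ACS IDENTIFY DEVICE layout: word 128 = security status, word 69 bit 4 =
# "Encrypt All" user data (assumed to be the FDE bit), word 59 bits 12-15 = SANITIZE.
def _word(ident, n):
    """Return 16-bit IDENTIFY word n (words are little-endian on the wire)."""
    return struct.unpack_from("<H", ident, n * 2)[0]

def decode_security(ident):
    """Decode security/encryption bits from a 512-byte IDENTIFY DEVICE buffer."""
    if len(ident) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    w59, w69, w128 = _word(ident, 59), _word(ident, 69), _word(ident, 128)
    return {
        "security_supported": bool(w128 & 0x0001),
        "security_enabled": bool(w128 & 0x0002),         # a user password is set
        "locked": bool(w128 & 0x0004),                   # user data inaccessible
        "frozen": bool(w128 & 0x0008),                   # SECURITY FREEZE LOCK issued
        "count_expired": bool(w128 & 0x0010),            # too many bad passwords
        "enhanced_erase_supported": bool(w128 & 0x0020),
        "master_password_maximum": bool(w128 & 0x0100),  # 0 = High, 1 = Maximum
        "encrypt_all_user_data": bool(w69 & 0x0010),     # medium is self-encrypting
        "sanitize_supported": bool(w59 & 0x1000),
        "crypto_scramble_ext": bool(w59 & 0x2000),       # key-regeneration erase
        "overwrite_ext": bool(w59 & 0x4000),
        "block_erase_ext": bool(w59 & 0x8000),
    }

def findings(info):
    """Report states worth attention; an empty list means nothing to flag."""
    out = []
    if info["security_supported"] and not info["frozen"]:
        out.append("ATA security not frozen: password/erase commands accepted until power cycle")
    if info["security_enabled"] and info["locked"]:
        out.append("drive is locked: user data unavailable until SECURITY UNLOCK")
    if not info["encrypt_all_user_data"]:
        out.append("Encrypt All bit clear: medium is not reported as self-encrypting")
    return out

def make_identify(words):
    """Build a zeroed 512-byte IDENTIFY buffer with the given words set (test data)."""
    buf = bytearray(512)
    for n, v in words.items():
        struct.pack_into("<H", buf, n * 2, v)
    return bytes(buf)

if __name__ == "__main__":
    # Constructed sample: FDE drive, security supported and frozen by the BIOS at boot.
    print(findings(decode_security(make_identify({59: 0xF000, 69: 0x0010, 128: 0x0029}))))
```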

@Zibri
Author

Zibri commented Jan 26, 2023

Question: is there a way to SET the KEY directly? AFAIK it's only possible to change it using erase/sanitize crypto ext.
As of now I am able (using direct sg_raw commands) to set the user or admin password, and lock and unlock the drive.
I wonder if it's possible to set the key to a known value, but I think it's not.
Also:
I noticed that in the "My Book" firmware it is possible to access (read/write) 15 arbitrary 512-byte blocks they call "handy store".
I didn't find it in the drive OEM manual, so I guess they are implemented on the USB bridge somehow...

@vonericsen
Contributor

@Zibri,
I had to ask one of our security engineers about this, but the short answer is you cannot specify a value for the key with anything from the standards. You can use something like the genkey, revert, or revertSP method to request the drive generate a new key, but that is all that you can do. Sanitize crypto erase does this as well.
This doc is about Seagate secure drives, but may be able to provide you more information: https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3252.pdf

As for the "handy store", this sounds a lot like the TCG Opal spec's "shadow MBR", which allows putting a piece of software in this location to allow launching and unlocking the drive with a password. It can be used by plugging in a drive and accessing it, or it also allows an OS to write a small bootloader to place here and perform the unlock. Microsoft BitLocker does this in hardware encryption mode.

@Zibri
Author

Zibri commented Jan 27, 2023

According to the drive manual
it also might be some HPA... I don't know.
