ATA security
The ATA security feature set was introduced in the ATA-3 spec (not SATA 3), and storage devices have slowly adopted it since. It effectively allows you to password protect a drive: the drive firmware refuses user data reads and writes until it has been unlocked. Drive security is also often used by OEMs to lock down system disks during the boot process.
Drive states
There are seven different states a drive can be in. The table below describes all of the possible states:
State | Power | Security Enabled | Locked | Frozen | Description |
---|---|---|---|---|---|
SEC0 | off | 0 | - | - | Powered down (security disabled) |
SEC1 | on | 0 | 0 | 0 | Security disabled (not frozen) |
SEC2 | on | 0 | 0 | 1 | Security disabled (frozen) |
SEC3 | off | 1 | - | - | Powered down (security enabled) |
SEC4 | on | 1 | 1 | 0 | Security enabled (drive locked) |
SEC5 | on | 1 | 0 | 0 | Security enabled (drive unlocked and not frozen) |
SEC6 | on | 1 | 0 | 1 | Security enabled (drive unlocked and frozen) |
If security is not enabled, a drive will almost always be in SEC0 or SEC1 (many BIOSes issue a freeze during boot, so on a running system SEC2 is also common).
Security is enabled on the drive by setting a password. Once this has been done, the drive powers down into SEC3 and comes back up in a locked state (SEC4). While locked, the drive rejects user data reads and writes, so it is not possible to access the file systems on it. To access the drive, it needs to be unlocked using the password.
In addition to locking a drive, a drive can also be frozen. A frozen drive aborts further security commands (set password, unlock, disable, erase), so its security state cannot be changed until it is power cycled. The diagram below gives a brief overview of how the different states relate to each other:
Managing drives with hdparm
On Linux based systems, hdparm can be used to manage security settings on ATA devices. The -I option displays information about a drive, including whether security features are supported and/or enabled:
$ hdparm -I /dev/sde
...
Security:
Master password revision code = 65534
supported
not enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
more than 508min for SECURITY ERASE UNIT. more than 508min for ENHANCED SECURITY ERASE UNIT.
Before going any further with hdparm, it's worth highlighting the warning given by the --security-help option:
ATA Security Commands: Most of these are VERY DANGEROUS and can destroy all of your data! Due to bugs in older Linux kernels, use of these commands may even trigger kernel segfaults or worse. EXPERIMENT AT YOUR OWN RISK!
If you want to try any of the commands below, make sure you have a backup of the data on the drive!
Enabling security
Security can be enabled with the --security-set-pass option:
$ hdparm --security-set-pass secret /dev/sde
security_password: "secret"
/dev/sde:
Issuing SECURITY_SET_PASS command, password="secret", user=user, mode=high
This will move a drive from an unlocked and unfrozen (SEC1) state to SEC5. When the drive is next powered up it will start in a locked state (SEC4).
Before accessing the drive, it needs to be unlocked using the password. This can be done using the --security-unlock option:
$ hdparm --security-unlock secret /dev/sde
security_password: "secret"
/dev/sde:
Issuing SECURITY_UNLOCK command, password="secret", user=user
Any attempt to access the drive before unlocking it will result in an I/O error:
$ fdisk -l /dev/sde
fdisk: cannot open /dev/sde: Input/output error
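Before issuing any of these commands it pays to check which of the SECn states in the table above the drive is actually in, since a frozen or already-enabled drive will simply reject SECURITY_SET_PASS. The script below is an added example (not code from the original post): it parses the Security section of `hdparm -I` output into a SECn state and only sends SECURITY_SET_PASS from SEC1. The HDPARM variable, the sample_identify helper and the sample output it produces are assumptions made so the logic can be exercised on captured text without touching a real drive.

```shell
#!/bin/sh
# Added example, not from the original post. HDPARM is an assumed override so
# the parser and guard can be run against a stand-in instead of a real drive.
HDPARM="${HDPARM:-hdparm}"

# Reads `hdparm -I` text on stdin and prints the SECn state from the table.
# Only lines between "Security:" and the next unindented line are considered.
# Whitespace is normalised because the real tool prints "<tab>not<tab>enabled".
# A section without a bare "supported" line is reported as "unsupported"
# (assumption: that is how a drive without the feature set shows up).
ata_sec_state() {
    awk '
        /^Security:/        { insec = 1; next }
        insec && /^[^ \t]/  { insec = 0 }
        insec {
            gsub(/[ \t]+/, " "); sub(/^ /, ""); sub(/ $/, "")
            if ($0 == "supported") seen = 1
            if ($0 == "enabled")   en = 1
            if ($0 == "locked")    lk = 1
            if ($0 == "frozen")    fr = 1
        }
        END {
            if (!seen)            print "unsupported"
            else if (!en && !fr)  print "SEC1"
            else if (!en && fr)   print "SEC2"
            else if (lk)          print "SEC4"   # a locked drive cannot be frozen
            else if (!fr)         print "SEC5"
            else                  print "SEC6"
        }'
}

# Constructed `hdparm -I` Security section for a drive in the given state
# (sec1, sec2, sec4 or sec5); real output uses tabs where this uses spaces.
sample_identify() {
    case "$1" in
        sec1) en='not enabled'; lk='not locked'; fr='not frozen' ;;
        sec2) en='not enabled'; lk='not locked'; fr='frozen' ;;
        sec4) en='enabled';     lk='locked';     fr='not frozen' ;;
        sec5) en='enabled';     lk='not locked'; fr='not frozen' ;;
    esac
    printf '%s\n' 'Security:' \
        '    Master password revision code = 65534' \
        '        supported' \
        "    $en" "    $lk" "    $fr" \
        '    not expired: security count' \
        '        supported: enhanced erase' \
        'Checksum: correct'
}

# Only issue SECURITY_SET_PASS from SEC1. Every other state is reported on
# stderr with a distinct exit code and the command is never sent (a frozen
# drive would answer with an I/O error anyway, as shown further down).
ata_guarded_set_pass() {
    dev="$1"; pass="$2"
    state=$("$HDPARM" -I "$dev" | ata_sec_state)
    case "$state" in
        SEC1)      "$HDPARM" --security-set-pass "$pass" "$dev" ;;
        SEC2|SEC6) echo "$dev: drive is frozen ($state); power cycle it first" >&2; return 2 ;;
        SEC4)      echo "$dev: drive is locked; --security-unlock it first" >&2; return 3 ;;
        SEC5)      echo "$dev: security is already enabled" >&2; return 4 ;;
        *)         echo "$dev: security unsupported or unknown state ($state)" >&2; return 5 ;;
    esac
}

# Demo on the constructed samples only; no real drive is touched.
for s in sec1 sec2 sec4 sec5; do
    printf '%s -> %s\n' "$s" "$(sample_identify "$s" | ata_sec_state)"
done
```

On a real system you would call `ata_guarded_set_pass /dev/sdX 'secret'` with HDPARM left at its default; the state check costs one IDENTIFY DEVICE, which a drive answers even while locked.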
Disabling security
To disable security on a drive, first make sure the drive is not locked (SEC5):
$ hdparm -I /dev/sde | grep locked
not locked
Security can then be disabled on the drive using the --security-disable option:
$ hdparm --security-disable secret /dev/sde
security_password: "secret"
/dev/sde:
Issuing SECURITY_DISABLE command, password="secret", user=user
Freezing a drive
Drives can be "frozen" using the --security-freeze option:
$ hdparm --security-freeze /dev/sde
/dev/sde:
issuing security freeze command
Once a drive has been frozen, it will no longer be possible to perform tasks like setting a security password:
$ hdparm --security-set-pass secret /dev/sde
security_password: "secret"
/dev/sde:
Issuing SECURITY_SET_PASS command, password="secret", user=user, mode=high
SECURITY_SET_PASS: Input/output error
There is no unfreeze/thaw command. Instead the drive needs to be power cycled to return to a mutable state. Many BIOSes freeze every attached drive during boot, which is why security commands against an internal disk often fail in exactly this way; on many machines suspending to RAM and resuming is enough, because the drive loses power during suspend.
The master user
All of the examples above have used the standard user password. There is also a master password. This normally has a manufacturer specific default, and the "Master password revision code = 65534" (0xFFFE) shown in the hdparm -I output above indicates that it has never been changed from that default. The master password can be used to disable security if you forget the user password.
In the case of my Western Digital drive, the master password is set to WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW, so security on the drive could be disabled with the following command:
$ hdparm --user-master m --security-disable "$(python3 -c 'print("WDC"*10+"W")')" /dev/sde
security_password: "WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW"
/dev/sde:
Issuing SECURITY_DISABLE command, password="WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW", user=master
Note: the command above will only work if the master password matches and the "maximum security" mode has not previously been set with the --security-mode m option. In maximum mode the master password can no longer unlock the drive or disable security; it can only be used for a SECURITY ERASE UNIT, which wipes the drive. Conversely, in the default high mode a drive still carrying the vendor default master password can be unlocked by anyone who knows that default, so either change the master password or use maximum mode if the lock is meant to keep others out.
Summary
It's worth knowing about the security features in the ATA spec, however for most use cases encryption is a better solution. If the warnings in the hdparm man page are not enough to scare you off, it's worth considering that the data is still stored in clear text on the media (unless the drive happens to be self-encrypting); the lock is enforced only by the drive firmware, which makes the data slightly harder to access but does not protect it.