Hi all,

I just tried to prepare an external harddisk by setting a password to
make it safe for travelling.

All other harddisks like (older) Samsung, Western Digital, Hitachi etc.
accept locking / unlocking via password through hdparm commands via USB
(kernel 5.10.46 / x64), but Samsung EVO 870 refuses to do so:

$ hdparm --user-master u --security-set-pass 'newpass' /dev/sdb
security_password: "newpass"

/dev/sdb:
Issuing SECURITY_SET_PASS command, password="newpass", user=user,
mode=high
The running kernel lacks CONFIG_IDE_TASK_IOCTL support for this device.
SECURITY_SET_PASS: Invalid argument

B.t.w., I cannot even remove or overwrite the manufacturer's secret
master password. So, this is a severe security risk since someone could
know it and unlock those drives.

Has anyone already managed to lock / unlock such a drive?

Any idea how to proceed?

Thanks a lot!

Best regards,

Markus

--
Please reply to group only.
For private email please use http://www.dipl-ing-kessler.de/email.htm

Am Samstag, 03. September 2022, um 18:45:20 Uhr schrieb Markus Robert
Kessler:

> I just tried to prepare an external harddisk by setting a password to
> make it safe for travelling.

I can't help you with your problem, but setting this password won't
protect people from accessing it if they know how to remove it. The
data is still unencrypted. I recommend setting up LUKS to encrypt the
data, so you don't need to care about such a password anymore.

On Sat, 03 Sep 2022 14:45:20 -0400, Markus Robert Kessler <no_reply@dipl-ing-kessler.de> wrote:

> Hi all,
>
> I just tried to prepare an external harddisk by setting a password to
> make it safe for travelling.
>
> All other harddisks like (older) Samsung, Western Digital, Hitachi etc.
> accept locking / unlocking via password through hdparm commands via USB
> (kernel 5.10.46 / x64), but Samsung EVO 870 refuses to do so:
>
> $ hdparm --user-master u --security-set-pass 'newpass' /dev/sdb
> security_password: "newpass"
>
> /dev/sdb:
> Issuing SECURITY_SET_PASS command, password="newpass", user=user,
> mode=high
> The running kernel lacks CONFIG_IDE_TASK_IOCTL support for this device.
> SECURITY_SET_PASS: Invalid argument
>
> B.t.w., I cannot even remove or overwrite the manufacturer's secret
> master password. So, this is a severe security risk since someone could
> know it and unlock those drives.
>
> Has anyone already managed to lock / unlock such a drive?
>
> Any idea how to proceed?

Are you using a usb connection?
https://sourceforge.net/p/hdparm/support-requests/7/

Regards, Dave Hodgins

On Sat, 03 Sep 2022 15:05:39 -0400 David W. Hodgins wrote:

> On Sat, 03 Sep 2022 14:45:20 -0400, Markus Robert Kessler
> <no_reply@dipl-ing-kessler.de> wrote:
>
>> Hi all,
>>
>> I just tried to prepare an external harddisk by setting a password to
>> make it safe for travelling.
>>
>> All other harddisks like (older) Samsung, Western Digital, Hitachi etc.
>> accept locking / unlocking via password through hdparm commands via USB
>> (kernel 5.10.46 / x64), but Samsung EVO 870 refuses to do so:
>>
>> $ hdparm --user-master u --security-set-pass 'newpass' /dev/sdb
>> security_password: "newpass"
>>
>> /dev/sdb:
>> Issuing SECURITY_SET_PASS command, password="newpass", user=user,
>> mode=high The running kernel lacks CONFIG_IDE_TASK_IOCTL support for
>> this device.
>> SECURITY_SET_PASS: Invalid argument
>>
>> B.t.w., I cannot even remove or overwrite the manufacturer's secret
>> master password. So, this is a severe security risk since someone could
>> know it and unlock those drives.
>>
>> Has anyone already managed to lock / unlock such a drive?
>>
>> Any idea how to proceed?
>
> Are you using a usb connection?
> https://sourceforge.net/p/hdparm/support-requests/7/

Yes and no. First, I tried to connect via USB, since this worked for
every other disk I have, but accessing EVO 870 failed.

In the BIOS I could set the user password, but not the factory-set master-
password. So, everyone knowing the master-pw can gain access to the data.
This is inacceptable.

So, I then put it into one of my notebooks and booted from a live dvd
(Mageia 8 / x64).

I could see the drive, but, unfortunately, when the live-dvd is up, there
is no way to set/unset user/master password with hdparm, since prior to
booting, the BIOS has "frozen" the settings of the disk.
There is no "do not freeze the disk" checkbox in my BIOS.

So, currently, I am stuck here. But, anyway, Samsung did not integrate
such an evil backdoor in the former models like EVO 840..860.
Just now, into EVO 870. -- Anyone can tell me why?

Best regards,

Markus

--
Please reply to group only.
For private email please use http://www.dipl-ing-kessler.de/email.htm

On 04.09.22 0:20, Markus Robert Kessler wrote:
> On Sat, 03 Sep 2022 15:05:39 -0400 David W. Hodgins wrote:
>
>> On Sat, 03 Sep 2022 14:45:20 -0400, Markus Robert Kessler
>> <no_reply@dipl-ing-kessler.de> wrote:
>>
>>> Hi all,
>>>
>>> I just tried to prepare an external harddisk by setting a password to
>>> make it safe for travelling.
>>>
>>> All other harddisks like (older) Samsung, Western Digital, Hitachi etc.
>>> accept locking / unlocking via password through hdparm commands via USB
>>> (kernel 5.10.46 / x64), but Samsung EVO 870 refuses to do so:
>>>
>>> $ hdparm --user-master u --security-set-pass 'newpass' /dev/sdb
>>> security_password: "newpass"
>>>
>>> /dev/sdb:
>>> Issuing SECURITY_SET_PASS command, password="newpass", user=user,
>>> mode=high The running kernel lacks CONFIG_IDE_TASK_IOCTL support for
>>> this device.
>>> SECURITY_SET_PASS: Invalid argument
>>>
>>> B.t.w., I cannot even remove or overwrite the manufacturer's secret
>>> master password. So, this is a severe security risk since someone could
>>> know it and unlock those drives.
>>>
>>> Has anyone already managed to lock / unlock such a drive?
>>>
>>> Any idea how to proceed?
>>
>> Are you using a usb connection?
>> https://sourceforge.net/p/hdparm/support-requests/7/
>
> Yes and no. First, I tried to connect via USB, since this worked for
> every other disk I have, but accessing EVO 870 failed.
>
> In the BIOS I could set the user password, but not the factory-set master-
> password. So, everyone knowing the master-pw can gain access to the data.
> This is inacceptable.
>
> So, I then put it into one of my notebooks and booted from a live dvd
> (Mageia 8 / x64).
>
> I could see the drive, but, unfortunately, when the live-dvd is up, there
> is no way to set/unset user/master password with hdparm, since prior to
> booting, the BIOS has "frozen" the settings of the disk.
> There is no "do not freeze the disk" checkbox in my BIOS.
>
> So, currently, I am stuck here. But, anyway, Samsung did not integrate
> such an evil backdoor in the former models like EVO 840..860.
> Just now, into EVO 870. -- Anyone can tell me why?
>
> Best regards,
>
> Markus
>
>
Why not put your data in a password protected
zipfile on the HD?
That way you dont need to block the drive.

On 9/3/2022 6:20 PM, Markus Robert Kessler wrote:
> On Sat, 03 Sep 2022 15:05:39 -0400 David W. Hodgins wrote:
>
>> On Sat, 03 Sep 2022 14:45:20 -0400, Markus Robert Kessler
>> <no_reply@dipl-ing-kessler.de> wrote:
>>
>>> Hi all,
>>>
>>> I just tried to prepare an external harddisk by setting a password to
>>> make it safe for travelling.
>>>
>>> All other harddisks like (older) Samsung, Western Digital, Hitachi etc.
>>> accept locking / unlocking via password through hdparm commands via USB
>>> (kernel 5.10.46 / x64), but Samsung EVO 870 refuses to do so:
>>>
>>> $ hdparm --user-master u --security-set-pass 'newpass' /dev/sdb
>>> security_password: "newpass"
>>>
>>> /dev/sdb:
>>> Issuing SECURITY_SET_PASS command, password="newpass", user=user,
>>> mode=high The running kernel lacks CONFIG_IDE_TASK_IOCTL support for
>>> this device.
>>> SECURITY_SET_PASS: Invalid argument
>>>
>>> B.t.w., I cannot even remove or overwrite the manufacturer's secret
>>> master password. So, this is a severe security risk since someone could
>>> know it and unlock those drives.
>>>
>>> Has anyone already managed to lock / unlock such a drive?
>>>
>>> Any idea how to proceed?
>>
>> Are you using a usb connection?
>> https://sourceforge.net/p/hdparm/support-requests/7/
>
> Yes and no. First, I tried to connect via USB, since this worked for
> every other disk I have, but accessing EVO 870 failed.
>
> In the BIOS I could set the user password, but not the factory-set master-
> password. So, everyone knowing the master-pw can gain access to the data.
> This is inacceptable.
>
> So, I then put it into one of my notebooks and booted from a live dvd
> (Mageia 8 / x64).
>
> I could see the drive, but, unfortunately, when the live-dvd is up, there
> is no way to set/unset user/master password with hdparm, since prior to
> booting, the BIOS has "frozen" the settings of the disk.
> There is no "do not freeze the disk" checkbox in my BIOS.

Sometimes an add-on card is "unfrozen".

https://commons.wikimedia.org/wiki/File:Noname_JMB363-based_P-_%26_SATA_controller_card.png

I could set an HPA (Host Protected Area) using the
JMB363 on my previous motherboard, whereas
the motherboard BIOS module for the ICH10
SATA ports was "frozen". I've never tried
any password procedures, so cannot even tell
you whether setting a password makes sense.

The Flash memory on that card can be re-flashed.
It can be flashed with RAID or non-RAID code.

What happens when UEFI boots up, is unknown.

The various manufacturers, have either good or bad
BIOS module designers. Perhaps JMicron or ITE might
make unfrozen stuff. I don't know what VIA products
are like (you'd want an 8237-S for it to work anyway).
Asmedia is probably frozen (they tend to be technically
proficient so BIOS code won't leave with holes in it).
Intel is definitely frozen. No reason for AMD
to be any different.

The ability to set an HPA or use one of those
passwords, will not appear in any product documentation.
Intel will not tell you that their SATA ports
are frozen. You have to test it yourself to find out.
On my motherboard (the motherboard that is dead now),
the ICH10 was frozen and useless, whereas the JMB363 allowed
some experiments.

It is a murky topic, poorly documented, and for
people with lots of time and money (for controller cards)
to waste.

The manual page for HDParm, in many cases, is the only
educational material :-)

Paul

On Sun, 04 Sep 2022 00:34:52 +0200 Sjouke Burry wrote:

> On 04.09.22 0:20, Markus Robert Kessler wrote:
>> On Sat, 03 Sep 2022 15:05:39 -0400 David W. Hodgins wrote:
>>
>>> On Sat, 03 Sep 2022 14:45:20 -0400, Markus Robert Kessler
>>> <no_reply@dipl-ing-kessler.de> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I just tried to prepare an external harddisk by setting a password to
>>>> make it safe for travelling.
>>>>
>>>> All other harddisks like (older) Samsung, Western Digital, Hitachi
>>>> etc.
>>>> accept locking / unlocking via password through hdparm commands via
>>>> USB (kernel 5.10.46 / x64), but Samsung EVO 870 refuses to do so:
>>>>
>>>> $ hdparm --user-master u --security-set-pass 'newpass' /dev/sdb
>>>> security_password: "newpass"
>>>>
>>>> /dev/sdb:
>>>> Issuing SECURITY_SET_PASS command, password="newpass", user=user,
>>>> mode=high The running kernel lacks CONFIG_IDE_TASK_IOCTL support for
>>>> this device.
>>>> SECURITY_SET_PASS: Invalid argument
>>>>
>>>> B.t.w., I cannot even remove or overwrite the manufacturer's secret
>>>> master password. So, this is a severe security risk since someone
>>>> could know it and unlock those drives.
>>>>
>>>> Has anyone already managed to lock / unlock such a drive?
>>>>
>>>> Any idea how to proceed?
>>>
>>> Are you using a usb connection?
>>> https://sourceforge.net/p/hdparm/support-requests/7/
>>
>> Yes and no. First, I tried to connect via USB, since this worked for
>> every other disk I have, but accessing EVO 870 failed.
>>
>> In the BIOS I could set the user password, but not the factory-set
>> master-
>> password. So, everyone knowing the master-pw can gain access to the
>> data. This is inacceptable.
>>
>> So, I then put it into one of my notebooks and booted from a live dvd
>> (Mageia 8 / x64).
>>
>> I could see the drive, but, unfortunately, when the live-dvd is up,
>> there is no way to set/unset user/master password with hdparm, since
>> prior to booting, the BIOS has "frozen" the settings of the disk.
>> There is no "do not freeze the disk" checkbox in my BIOS.
>>
>> So, currently, I am stuck here. But, anyway, Samsung did not integrate
>> such an evil backdoor in the former models like EVO 840..860.
>> Just now, into EVO 870. -- Anyone can tell me why?
>>
>> Best regards,
>>
>> Markus
>>
>>
> Why not put your data in a password protected zipfile on the HD?
> That way you dont need to block the drive.

Hi,

this was one my favorite options in the beginning, yes.
But in this case, someone can install trojans, keyloggers etc. to, sooner
or later, get access.

Besides this, the archive can be stolen and be decrypted via cloud
services, no matter, how long it takes. He will get access.

Best regards,

Markus

--
Please reply to group only.
For private email please use http://www.dipl-ing-kessler.de/email.htm

On Sat, 03 Sep 2022 21:04:45 +0200 Marco Moock wrote:

> Am Samstag, 03. September 2022, um 18:45:20 Uhr schrieb Markus Robert
> Kessler:
>
>> I just tried to prepare an external harddisk by setting a password to
>> make it safe for travelling.
>
> I can't help you with your problem, but setting this password won't
> protect people from accessing it if they know how to remove it. The data
> is still unencrypted. I recommend setting up LUKS to encrypt the data,
> so you don't need to care about such a password anymore.

Some years ago, I had to prepare for a business trip and therefore I
tried to do a harddisk encryption.

Well, yes, this did work. But, whenever something went wrong and I had to
simply switch the notebook off, instead of shutting down, the whole thing
crashed and I had to reinstall all.

This happened 2 or 3 times and finally I gave up. I switched to SATA
password and everything was fine :-)

Best regards,

Markus

--
Please reply to group only.
For private email please use http://www.dipl-ing-kessler.de/email.htm

On Sat, 03 Sep 2022 18:45:20 +0000 Markus Robert Kessler wrote:

> Hi all,
>
> I just tried to prepare an external harddisk by setting a password to
> make it safe for travelling.
>
> All other harddisks like (older) Samsung, Western Digital, Hitachi etc.
> accept locking / unlocking via password through hdparm commands via USB
> (kernel 5.10.46 / x64), but Samsung EVO 870 refuses to do so:
>
> $ hdparm --user-master u --security-set-pass 'newpass' /dev/sdb
> security_password: "newpass"
>
> /dev/sdb:
> Issuing SECURITY_SET_PASS command, password="newpass", user=user,
> mode=high The running kernel lacks CONFIG_IDE_TASK_IOCTL support for
> this device.
> SECURITY_SET_PASS: Invalid argument
>
> B.t.w., I cannot even remove or overwrite the manufacturer's secret
> master password. So, this is a severe security risk since someone could
> know it and unlock those drives.
>
> Has anyone already managed to lock / unlock such a drive?
>
> Any idea how to proceed?
>
> Thanks a lot!
>
> Best regards,
>
> Markus

Hi all,
many thanks for all your hints!

In the meantime I found more adapters here and accomplished some more
tests.

Just to summarize -- I found the following:

- both, Samsung EVO 840 and 870 can be fully accessed by hdparm through
USB

- both, Samsung EVO 840 and 870 do have a built-in master password (which
should be overwritten prior to use)

- USB-to-SATA adapters from "Logilink" do or do not work. At least, this
one does not support HPA and other hdparm features: SN 39993001701

- Renkforce "SATA Docking Station Cloner" is fully supporting hdparm
command set. So, whenever a machine has to be equipped with a new SSD
that has a master password, and the machine does not allow to disable it
in the BIOS, the password can be set this way.

So, once again, thanks for all your ideas!

Best regards,

Markus

--
Please reply to group only.
For private email please use http://www.dipl-ing-kessler.de/email.htm

> Hi,
>
> this was one my favorite options in the beginning, yes.
> But in this case, someone can install trojans, keyloggers etc. to, sooner
> or later, get access.
>
> Besides this, the archive can be stolen and be decrypted via cloud
> services, no matter, how long it takes. He will get access.

Nuts. With modern encryption this is just wrong. He will not get access.
The earth will get fried in a supernova or red giant before it is
decrypted, assuming you do not use idiotically weak passwords.

And why would anyone spend that kind of time and effort and money on
your data?

>
> Best regards,
>
> Markus
>
>

On Sun, 04 Sep 2022 06:55:18 -0400, Markus Robert Kessler <no_reply@dipl-ing-kessler.de> wrote:
> So, once again, thanks for all your ideas!

Glad you got it working. One thing I'd like to clarify. Using "hardware" based
encryption does not provide any extra security over using software based
encryption.

The "hardware" based encryption is just using software that is stored in the
firmware of the device, which you may or may not be able to update when
problems are found. The only benefit of using it is that an attacker has to
have a similar drive, and the tools/skill needed to switch parts from one
drive to another to access the encrypted data.

Once they have access to the encrypted data, the software used in the firmware
is more likely to have un-patched flaws that can be exploited, then up-to-date
file system encryption software such as luks.

A major drawback of hardware based encryption is that it can make it much more
difficult to move storage from one computer to new one if the old computer fails.

Regards, Dave Hodgins

William Unruh wrote on 5/9/22 12:28 am:
>> Hi,
>>
>> this was one my favorite options in the beginning, yes.
>> But in this case, someone can install trojans, keyloggers etc. to, sooner
>> or later, get access.
>>
>> Besides this, the archive can be stolen and be decrypted via cloud
>> services, no matter, how long it takes. He will get access.
>
> Nuts. With modern encryption this is just wrong. He will not get access.
> The earth will get fried in a supernova or red giant before it is
> decrypted, assuming you do not use idiotically weak passwords.
>
> And why would anyone spend that kind of time and effort and money on
> your data?

EXACTLY!! Back in the 80's/90's, I was in Australian Army, dealing with
Radio and Crypto equipment.

At one stage, I was told that the daily crypto-keys (64 or 128 bit, I
think) they were using then were rated as good for 25-28 hours because
it would take the bad guys that long to break the code!!

Sure, the code-breaker equipment has gotten better/faster, but so too
then has the Crypto-Equipment.

And all just to find out that someone was being posted somewhere else!! ;-P
--
Daniel