Windows – How to encrypt a Samsung Evo 840 SSD

Tags: disk-encryption, opal, ssd, truecrypt, windows 8.1

I've purchased a HP Envy 15-j005ea laptop which I have upgraded to Windows 8.1 Pro. I have also removed the HDD and replaced it with a 1TB Samsung Evo 840 SSD. I now wish to encrypt the drive to protect my company's source code and my personal documents but I can't work out how to do it or if it's even possible.

I gather that it is not recommended to use TrueCrypt on an SSD but please correct me if I'm wrong. I also understand that the 840 Evo has built-in 256-bit AES encryption so it is recommended to use that.

The Evo has been updated to the latest EXT0BB6Q firmware and I have the latest Samsung Magician. I don't know what UEFI level I have but I do know that the machine was built in December 2013 and has the F.35 BIOS made by Insyde.

This is what I have tried:

  • BitLocker. The latest Samsung firmware is supposedly Windows 8.1 eDrive compatible, so I followed the instructions I found in an Anandtech article. First of all, it would seem the laptop has no TPM chip, so I had to allow BitLocker to work without TPM. Once I'd done that I tried to turn BitLocker on. Anandtech say that "If everything is eDrive compliant you won’t be asked whether or not you want to encrypt all or part of the drive, after you go through the initial setup BitLocker will just be enabled. There’s no extra encryption stage (since the data is already encrypted on your SSD). If you’ve done something wrong, or some part of your system isn’t eDrive compliant, you’ll get a progress indicator and a somewhat lengthy software encryption process." Unfortunately I was asked if I want to encrypt all or part of the drive so I cancelled that.

  • Setting the ATA Password in the BIOS. I don't appear to have such an option in the BIOS, only an admin password and boot-up password.

  • Using Magician. It has a "Data Security" tab, but I don't fully understand the options and suspect that none are applicable.


The info in this question and answer helped but didn't answer my question.

Clearly then, what I would like to know is how do I encrypt my solid state drive in the HP Envy 15 or am I in fact out of luck? Are there any alternative options or do I have to either live without encryption or return the laptop?

There is a similar question on Anandtech but it remains unanswered.

Best Answer

The password has to be set in the BIOS under the ATA-security extension. Usually there's a tab in the BIOS menu titled "Security". Authentication will occur at the BIOS level, so nothing this software "wizard" does has any bearing on setting up the authentication. It's unlikely that a BIOS update will enable HDD password if it wasn't previously supported.

To say that you're setting up the encryption is misleading. The thing is that the drive is ALWAYS encrypting every bit it writes to the chips. The disk controller does this automatically. Setting an HDD password (or passwords) on the drive is what takes your security level from zero to pretty much unbreakable. Only a maliciously-planted hardware keylogger or an NSA-sprung remote BIOS exploit could retrieve the password to authenticate ;-) <-- I guess. I'm not sure what they can do to BIOS yet. The point is it's not totally insurmountable, but depending on how the key is stored on the drive, it's the most secure method of hard drive encryption currently available. That said, it's total overkill. BitLocker is probably sufficient for most consumer security needs.

When it comes to security, I guess the question is: How much do you want?

Hardware-based full disk encryption is several orders of magnitude more secure than software-level full disk encryption like TrueCrypt. It also has the added advantage of not impeding your SSD's performance. The way SSDs stow their bits can sometimes lead to problems with software solutions. Hardware-based FDE is just a less messy, more elegant and more secure option, but it hasn't "caught on" even among those who care enough to encrypt their valuable data. It's not tricky to do at all but unfortunately many BIOSes simply don't support the "HDD password" function (NOT to be confused with a simple BIOS password, which can be circumvented by amateurs). I can pretty much guarantee you without even looking in your BIOS that if you haven't found the option yet, your BIOS doesn't support it and you're out of luck. It's a firmware problem and there's nothing you can do to add the feature short of flashing your BIOS with something like hdparm, which is something so irresponsible that even I wouldn't attempt it. It's nothing to do with the drive or the included software. This is a motherboard-specific problem.

ATA is nothing more than a set of instructions for the BIOS. What you're trying to set is an HDD User and Master password, which will be used to authenticate to the unique key stored securely on the drive. "User" password will allow the drive to be unlocked and boot to proceed as normal. Same thing with "Master". Difference is that a "Master" password is needed to change passwords in the BIOS or erase the encryption key in the drive, which renders all its data inaccessible and irrecoverable instantly. This is called the "Secure Erase" feature. Under the protocol, a 32-bit string of characters is supported, meaning a 32-character password. Of the few laptop manufacturers that support setting an HDD password in the BIOS, most limit characters to 7 or 8. Why every BIOS company doesn't support it is beyond me. Maybe Stallman was right about proprietary BIOS.

The only laptop (pretty much no desktop BIOS supports HDD password) I know will allow you to set a full-length 32-bit HDD User and Master password is a Lenovo ThinkPad T- or W- series. Last I heard some ASUS notebooks have such an option in their BIOS. Dell limits HDD password to a weak 8 characters.

I am much more familiar with the key storage in Intel SSDs than Samsung. Intel was I believe the first to offer on-chip FDE in their drives, the 320 series and on, although that was AES 128-bit. I haven't looked extensively into how this Samsung series implements key storage, and nobody really knows at this point. Obviously customer service was of no help to you. I get the impression only five or six people in any tech company actually know anything about the hardware they sell. Intel seemed reluctant to cough up the specifics but eventually a company rep answered somewhere in a forum. Keep in mind that for the drive manufacturers this feature is a total afterthought. They don't know or care anything about it and neither do 99.9 percent of their customers. It's just another advertisement bullet point on the back of the box.

Hope this helps!
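The answer above turns on the drive's ATA security state (whether the feature set is supported, whether a password is enabled, and whether the drive is locked or frozen), and that state can be read from the drive itself before deciding anything. The script below is an added example, not code from the question, the answer, or Samsung/HP: a POSIX shell script that parses the "Security:" block of `hdparm -I` output (as it appears on a Linux live USB) and reports whether an ATA user password could be set from the OS at all. It assumes hdparm's usual layout for that block, in which each flag appears on its own indented line either as the bare word ("frozen") or prefixed with "not" ("not frozen"); the two sample outputs embedded in it are constructed, with hdparm's tabs normalized to spaces.

```shell
#!/bin/sh
# Added example: classify a drive's ATA security state from `hdparm -I` output.
# Assumes the hdparm "Security:" block format; the samples below are constructed.

# Constructed sample: feature set supported but FROZEN by the firmware at boot,
# the common situation on a laptop whose BIOS offers no HDD password option.
SAMPLE_FROZEN='ATA device, with non-removable media
    Model Number:       Samsung SSD 840 EVO 1TB
Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
        supported: enhanced erase
    2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct'

# Constructed sample: supported, not frozen, no password set yet.
SAMPLE_READY='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
Checksum: correct'

# parse_security TEXT -> "supported=yes enabled=no locked=no frozen=yes"
# Flags missing from the output (no Security block at all) report "unknown".
parse_security() {
    printf '%s\n' "$1" | awk '
        BEGIN { n = split("supported enabled locked frozen", names, " ") }
        /^Security:/ { in_sec = 1; next }
        in_sec && /^[^ \t]/ { in_sec = 0 }      # next un-indented heading ends the block
        in_sec {
            for (i = 1; i <= n; i++) {
                f = names[i]
                if ($0 ~ ("^[ \t]*not[ \t]+" f "$"))  state[f] = "no"
                else if ($0 ~ ("^[ \t]+" f "$"))      state[f] = "yes"
            }
        }
        END {
            for (i = 1; i <= n; i++) {
                f = names[i]
                if (!(f in state)) state[f] = "unknown"
                printf "%s%s=%s", (i > 1 ? " " : ""), f, state[f]
            }
            printf "\n"
        }'
}

# advise TEXT -> one-line verdict; the first word is a tag a caller can test.
advise() {
    s=$(parse_security "$1")
    case "$s" in
        *supported=yes*enabled=yes*)
            echo "ENABLED: a user password is already set; the drive locks at every power cycle and must be unlocked by the BIOS prompt or 'hdparm --user-master u --security-unlock <pass> /dev/sdX'." ;;
        *supported=yes*frozen=yes*)
            echo "FROZEN: the firmware froze ATA security at boot, so hdparm cannot set or change a password; a BIOS with no HDD password prompt could not unlock the drive at power-on anyway." ;;
        *supported=yes*)
            echo "READY: 'hdparm --user-master u --security-set-pass <pass> /dev/sdX' would enable locking; only do this on a machine whose BIOS prompts for the HDD password, otherwise the drive will not boot." ;;
        *supported=no*)
            echo "UNSUPPORTED: the drive does not implement the ATA security feature set." ;;
        *)
            echo "UNKNOWN: no Security block found in the hdparm output." ;;
    esac
}

# Usage: sh ata_security_check.sh [/dev/sdX]
# With a device argument (run as root) it reads the live drive; with none it
# demonstrates on the constructed samples.
if [ -n "${1:-}" ] && command -v hdparm >/dev/null 2>&1; then
    advise "$(hdparm -I "$1" 2>/dev/null)"
else
    for sample in "$SAMPLE_FROZEN" "$SAMPLE_READY"; do
        parse_security "$sample"
        advise "$sample"
    done
fi
```

The "frozen" flag is the one that matters here: most laptop firmware issues SECURITY FREEZE LOCK during POST, after which the drive refuses password changes until the next power cycle, and a BIOS without an HDD password option has no way to send the unlock command at boot, so setting the password from an OS on such a machine would leave the drive locked and unbootable rather than protected.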
