Samsung SSD 840/850 Pro with Encryption: how does portability work

The password has to be set in the BIOS under the ATA-security extension. Usually there's a tab in the BIOS menu titled "Security". Authentication will occur at the BIOS level, so nothing this software "wizard" does has any bearing on setting up the authentication. It's unlikely that a BIOS update will enable HDD password if it wasn't previously supported.

To say that you're setting up the encryption is misleading. The thing is that the drive is ALWAYS encrypting every bit it writes to the chips. The disk controller does this automatically. Setting a HDD password(s) to the drive is what takes your security level from zero to pretty much unbreakable. Only a maliciously-planted hardware keylogger or an NSA-sprung remote BIOS exploit could retrieve the password to authenticate ;-) <-- I guess. I'm not sure what they can do to BIOS yet. The point is it's not totally insurmountable, but depending on how the key is stored on the drive, it's the most secure method of hard drive encryption currently available. That said, it's total overkill. BitLocker is probably sufficient for most consumer security needs.

When it comes to security, I guess the question is: How much do you want?

Hardware-based full disk encryption is several orders of magnitude more secure than software-level full disk encryption like TrueCrypt. It also has the added advantage of not impeding your SSD's performance. The way SSD's stow their bits can sometimes lead to problems with software solutions. Hardware-based FDE is just less messy and more elegant and secure of an option but it hasn't "caught on" even among those who care enough to encrypt their valuable data. It's not tricky to do at all but unfortunately many BIOS's simply don't support the "HDD password" function (NOT to be confused with a simple BIOS password, which can be circumvented by amateurs). I can pretty much guarantee you without even looking in your BIOS that if you haven't found the option yet, your BIOS doesn't support it and you're out of luck. It's a firmware problem and there's nothing you can do to add the feature short of flashing your BIOS with something like hdparm which is something so irresponsible that even I wouldn't attempt it. It's nothing to do with the drive or the included software. This is a motherboard specific problem.

ATA is nothing more than a set of instructions for the BIOS. What you're trying to set is an HDD User and Master password, which will be used to authenticate to the unique key stored securely on the drive. "User" password will allow the drive to be unlocked and boot to proceed as normal. Same thing with "Master". Difference is that a "Master" password is needed to change passwords in the BIOS or erase the encryption key in the drive, which renders all its data inaccessible and irrecoverable instantly. This is called the "Secure Erase" feature. Under the protocol, a 32-bit string of characters is supported, meaning a 32-character password. Of the few laptop manufacturers that support setting an HDD password in the BIOS, most limit characters to 7 or 8. Why every BIOS company doesn't support it is beyond me. Maybe Stallman was right about proprietary BIOS.

The only laptop (pretty much no desktop BIOS supports HDD password) I know will allow you to set a full-length 32-bit HDD User and Master password is a Lenovo ThinkPad T- or W- series. Last I heard some ASUS notebooks have such an option in their BIOS. Dell limits HDD password to a weak 8 characters.

I am much more familiar with the key storage in Intel SSD's than Samsung. Intel was I believe the first to offer on-chip FDE in their drives, the 320 series and on. Although that was AES 128-bit. I haven't looked extensively into how this Samsung series implements key storage, and nobody really knows at this point. Obviously customer service was of no help to you. I get the impression only five or six people in any tech company actually know anything about the hardware they sell. Intel seemed reluctant to cough up the specifics but eventually a company rep answered somewhere in a forum. Keep in mind that for the drive-manufacturers this feature is a total afterthought. They don't know or care anything about it and neither do 99.9% percent of their customers. It's just another advertisement bullet point on the back of the box.

Hope this helps!

I figured out my problem: it turns out that my Windows installation was not in UEFI mode. You have to make sure your installation medium is UEFI and turn off compatibility mode in the BIOS to ensure that you install Windows mode UEFI.

I did a re-install of Windows 8.1 and then tried encryption again. This time, no progress or questions; it just enabled encryption in a matter of seconds! Hardware encryption is now activated!

How To: Install Windows 8 in UEFI boot mode

Below is the link that guided me through installing Windows 8 in UEFI mode. The page also contains links to creating a UEFI-compatible installation medium; in my case, I used a USB boot drive formatted using RUFUS. Note that the format of the installation medium is important; if you don't do this part right then it can screw up the whole Windows 8 installation and you won't know it until it is too late!

How to Check if Windows is booted in UEFI mode:

You can check by pressing (Windows)+R and typing msinfo32.  Under "System Summary", look for an item that says "Bios Mode".  If it says "UEFI", then you have a UEFI Windows install.

– Member lahma, post found on Cricial Support Forum.

Step by step guide for Installing Windows 8.1 in UEFI boot mode

How to Install Windows 8 or Windows 8.1 using the "Unified Extensible Firmware Interface" (UEFI)

Step by Step Guide for Encrypting Samsung SSD

Here are the complete steps I followed to get my Samsung EVO 840 to work with hardware encryption. This should also work with the Samsung EVO 850, the Samsung Pro 840, and the Samsung Pro 850. You will need to download the latest version of Samsung Magician from the Samsung website.

1. Update your drive firmware using the Samsung Magician software if your firmware is not up to date. I have heard rumours that, if you update the firmware after you encrypt the drive, the data might be lost. Better safe then sorry and do it before you encrypt your data.
2. Create a Windows installation USB thumbdrive. How to Create a Bootable UEFI USB Flash Drive for Installing Windows 7, Windows 8, or Windows 8.1. This is important!! The medium must support UEFI and there are ways to create a standard boot device which does not support this and then encryption will fail!!
3. Set Encrypted Drive to Ready to Enable in the Data Security tab of Samsung Magician.
4. Create a bootable CD or USB drive with Secure Erase.
5. Make sure all your data is backed up; we will now proceed to wipe your drive clean!!
6. Boot to Secure Erase and follow the steps to wipe your drive. If you get an error stating you need to unplug your drive, that's OK; follow the instructions. I had that happen as well and after unplugging the power cord to the drive and plugging it back in it worked.
7. Change the BIOS settings to disable Compatibility Mode boot devices. This is optional but it does prevent you from accidentally deploying Windows 8 in non-UEFI.
8. Boot to your medium and follow these steps. How to Install Windows 8 or Windows 8.1 using the "Unified Extensible Firmware Interface" (UEFI).
9. Install Samsung Magician. Your drive should now read Encrypted Drive = Enabled.
10. Verify that your Windows installation is booting in UEFI mode by checking the setting in Windows using the mechanism I described earlier.
11. Turn on Encryption
    • Windows BitLocker – Once you have installed Windows, you should now be able to re-enable using USB instead of a TPM chip and then enable BitLocker according to Hardware Accelerated BitLocker Encryption: Microsoft Windows 8 eDrive Investigated with Crucial M500 at Anandtech. If you followed the steps correctly, the encrypt process of the drive should take a matter of seconds once you click the confirm button in the wizard.
    • Alternatively you can use an ATA password in your BIOS if your BIOS supports this. This password will be required on bootup and the password will be used for encrypting/decrypting the encryption key found on the hard disk. Check your BIOS or manual to see if this is supported.