Drive-Trust-Alliance / sedutil

DTA sedutil Self encrypting drive software

[Clarification] PSID revert on encrypted drive #277

Open pwn0r opened 5 years ago

pwn0r commented 5 years ago

Sorry if this issue is covered elsewhere, I was unable to find specifics in either the FAQ or closed issues.

Drive: Samsung 850 EVO Firmware: Latest

This drive used to be a system drive for windows with bitlocker hardware encryption, but now I'm using another ssd for the current install.

In short I want to repurpose the drive and use it elsewhere. In my opinion using diskpart clean is not enough (correct me if I'm wrong). Samsung secure erase tool famously does not work if encrypted drive was enabled. I was looking for a way to reset the ssd to factory defaults.

I tried sedutil first on Windows, where it is currently unusable due to bug #242. Then I booted live Mint 19.1 and tried from there. However, I was somehow still unable to revert PSID. Eventually I had to use a leaked tool from Samsung (from 2009 lol!) which is named TCG_Revert_Release.exe. That tool works. After that I was able to reboot and run the secure erase tool.

Now the actual questions are as follows:

  1. Does sedutil support PSID revert if SSD is in "encrypted drive mode" rather than TCG OPAL?
  2. Maybe there is another way to run secure erase in this state? Recommended way using hdparm btw does NOT work.
aj-git commented 5 years ago

You reference Bug 242 : Do you have a Ryzen Machine?

regarding 1): I believe a PSID Revert is only possible if Opal has been activated/fully initialized. (It is not available if the drive is unencrypted or the ATA-Security/Class-0 feature is in use.) What is this "encrypted drive mode"? If it is Samsung-specific it might be a preparation state, which unlocks the Opal capability of the drive (= it is needed to be able to proceed with the Opal initialization, e.g. sedutil-cli --initialsetup). If that's the case, then the drive is still not encrypted and can't be PSID-reverted. (Sorry, never used encryption on a Samsung drive.)

pwn0r commented 5 years ago

You reference Bug 242 : Do you have a Ryzen Machine?

Yes. Was unusable on windows, freezes the system almost entirely, and I have a few HDDs as well.

regarding 1): I believe a PSID Revert is only possible if Opal has been activated/fully initialized. (It is not available if the drive is unencrypted or the ATA-Security/Class-0 feature is in use.)

This is yet another encryption mode for Samsung EVO and I believe PRO series. One can only choose one mode (in Samsung Magician): Class 0, TCG Opal or eDrive. After that a user is supposed to do a security erase (with the Samsung tool). That is currently done with a Linux image (USB bootable). They used FreeDOS before.

What is this "encrypted drive mode"? If it is Samsung-specific it might be a preparation state, which unlocks the Opal capability of the drive (= it is needed to be able to proceed with the Opal initialization, e.g. sedutil-cli --initialsetup). If that's the case, then the drive is still not encrypted and can't be PSID-reverted. (Sorry, never used encryption on a Samsung drive.)

According to various (but not in-depth) docs online, eDrive is TCG Opal + IEEE 1667 compliance. This is required to use BitLocker in hardware encryption mode.

aj-git commented 5 years ago

Ah, sorry! You meant "encrypted drive mode" = eDrive!? (in your question 1) Then: Yes, sedutil is able to PSID Revert a drive which is in eDrive mode... did that multiple times with Crucial SEDs (MX100/MX300/MX500/...) which had been eDrive-activated by the Windows setup. (Not sure why you should ask that because, as you said it yourself, eDrive = TCG Opal 2 + IEEE 1667, which means an eDrive is basically Opal encrypted and that is what sedutil has been created for... I have no clue why you had to use this mysterious TCG_Revert_Release.exe - do you remember sedutil's error message?)

...and regarding 2): if your drive was in eDrive mode, an ATA Secure Erase (with hdparm) can't succeed. (ATA-Security/Class 0 can only be used if Opal/eDrive is not active and vice versa.)
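The rule stated in this comment (PSID revert needs an activated Opal/eDrive Locking SP; ATA Secure Erase only works when Opal is not active) can be turned into a quick triage step. The script below is an added example, not code from the sedutil project or from anyone in this thread: it reads a saved `sedutil-cli --query <device>` transcript and reports which sanitization path applies. The `LockingEnabled = Y/N` line format is assumed to match sedutil's query output, and the sample transcript is constructed, not captured from a real drive.

```shell
#!/bin/sh
# Added example (not sedutil project code): decide the erase path from a
# `sedutil-cli --query <device>` transcript.
# Assumption: the Locking-feature line reads "... LockingEnabled = Y ..." when
# the Opal Locking SP (Opal / eDrive) has been activated.

# Constructed sample transcript; real output carries more feature blocks.
SAMPLE_QUERY='/dev/sdX ATA Samsung SSD 850 EVO 500GB (constructed sample)
TPer function (0x0001)
    ACKNAK = N, ASYNC = N. BufferManagement = N, comIDManagement  = N, Streaming = Y, SYNC = Y
Locking function (0x0002)
    Locked = N, LockingEnabled = Y, LockingSupported = Y, MBRDone = N, MBREnabled = N, MediaEncrypt = Y
'

# erase_path: reads query text on stdin and prints which mechanism can
# sanitize the drive.
#   opal-psid-revert : Locking SP active (Opal/eDrive) -> PSID revert applies,
#                      ATA Secure Erase via hdparm will be rejected.
#   ata-secure-erase : Locking SP not enabled -> PSID revert is not available,
#                      ATA-Security / Class 0 erase is the applicable path.
erase_path() {
    if grep -q 'LockingEnabled = Y'; then
        echo opal-psid-revert
    else
        echo ata-secure-erase
    fi
}

# Usage: sedutil-cli --query /dev/sdX | sh thisscript.sh
# Stand-alone demo on the constructed sample:
printf '%s' "$SAMPLE_QUERY" | erase_path
```

Run it against a real transcript by piping `sedutil-cli --query` output into `erase_path`; a drive reporting `LockingEnabled = N` (never Opal-activated, or already reverted) is the case where `hdparm` secure erase is the right tool and a PSID revert attempt is expected to fail.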

pwn0r commented 5 years ago

OK thanks. The point was first of all to find out if such a mode is supported at all. Unfortunately it's been a while and that was booted from a LiveUSB, so I don't really have that error message anymore.

There could be a potential difference between e.g. Crucial SSDs and Samsung EVOs. Can you confirm if Crucial has a separate eDrive (== encrypted drive) mode at all? Because IIRC it does not. However Samsung Magician does:

[screenshot: magician-data-security]

Regarding the name -- that I guess is MS/vendors' fault. They refer to it both as eDrive (older docs) and now as Encrypted drive.

aj-git commented 5 years ago

On Crucial SSDs I've only seen a "TCG status" using their msecli/Storage Executive software. That can have at least the following values: Deactivated (not configured as eDrive), Activated (eDrive + drive unlocked, you can access the data), Locked (eDrive + drive locked, you can't access your data). I don't believe they differentiate between "TCG Opal" and "eDrive" (like Magician does); can't find any sign of that.

Regarding the name -- that I guess is MS/vendors' fault. They refer to it both as eDrive (older docs) and now as Encrypted drive.

The naming is not very lucky, I guess. For me your "encrypted drive" sounded too generic, which is why I didn't connect it to BitLocker/eDrive...