Since the introduction of the SATA 3 spec, storage devices have slowly adopted an additional security feature set. This effectively allows you to password protect drives. Drive security is also often used by OEMs to lock down system disks during the boot process.
There are seven different states a drive can be in. The table below describes all of the possible states (the "Enabled", "Locked" and "Frozen" columns are the three flags reported by the drive; "-" means the flag is not meaningful while the drive is powered down):

| State | Powered | Enabled | Locked | Frozen | Description |
|-------|---------|---------|--------|--------|-------------|
| SEC0 | off | 0 | - | - | Powered down (security disabled) |
| SEC1 | on | 0 | 0 | 0 | Security disabled (not frozen) |
| SEC2 | on | 0 | 0 | 1 | Security disabled (frozen) |
| SEC3 | off | 1 | - | - | Powered down (security enabled) |
| SEC4 | on | 1 | 1 | 0 | Security enabled (drive locked) |
| SEC5 | on | 1 | 0 | 0 | Security enabled (drive unlocked and not frozen) |
| SEC6 | on | 1 | 0 | 1 | Security enabled (drive unlocked and frozen) |
If security is not enabled, drives will almost always be in
Security can be enabled on the drive by setting a password. Once this has been done, the drive will start in a locked state (SEC3). While in a locked state it is not possible to access file systems on the drive. To access the drive, it needs to be unlocked using a password.
In addition to locking a drive, a drive can also be frozen. This prevents the drive from changing state until the system is restarted. The diagram below gives a brief overview of how the different states relate to each other:
Managing drives with hdparm
On Linux-based systems, hdparm can be used to manage security settings on ATA devices. The -I option can be used to display information about a drive, including whether security features are supported and/or enabled:

```
$ hdparm -I /dev/sde
...
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        more than 508min for SECURITY ERASE UNIT. more than 508min for ENHANCED SECURITY ERASE UNIT.
```
Before going any further with hdparm, it's worth highlighting the warning given by the man page:

ATA Security Commands: Most of these are VERY DANGEROUS and can destroy all of your data! Due to bugs in older Linux kernels, use of these commands may even trigger kernel segfaults or worse. EXPERIMENT AT YOUR OWN RISK!
If you want to try any of the commands below, make sure you have a backup of the data on the drive!
Security can be enabled with the --security-set-pass option:

```
$ hdparm --security-set-pass secret /dev/sde
security_password: "secret"

/dev/sde:
 Issuing SECURITY_SET_PASS command, password="secret", user=user, mode=high
```
This will move a drive from an unlocked and unfrozen (SEC1) state to
When the drive is next started up it will start in a locked state (
Before accessing the drive, it needs to be unlocked using the password. This can be done using the --security-unlock option:

```
$ hdparm --security-unlock secret /dev/sde
security_password: "secret"

/dev/sde:
 Issuing SECURITY_UNLOCK command, password="secret", user=user
```
Any attempt to access the drive before unlocking it will result in an I/O error:

```
$ fdisk -l /dev/sde
fdisk: cannot open /dev/sde: Input/output error
```
To disable security on a drive, first make sure the drive is not locked:

```
$ hdparm -I /dev/sde | grep locked
        not     locked
```
Security can then be disabled on the drive using the --security-disable option:

```
$ hdparm --security-disable secret /dev/sde
security_password: "secret"

/dev/sde:
 Issuing SECURITY_DISABLE command, password="secret", user=user
```
Freezing a drive
Drives can be "frozen" using the --security-freeze option:

```
$ hdparm --security-freeze /dev/sde

/dev/sde:
 issuing security freeze command
```
Once a drive has been frozen, it will no longer be possible to perform tasks like setting a security password:

```
$ hdparm --security-set-pass secret /dev/sde
security_password: "secret"

/dev/sde:
 Issuing SECURITY_SET_PASS command, password="secret", user=user, mode=high
SECURITY_SET_PASS: Input/output error
```
There is no unfreeze/thaw command. Instead, the drive needs to be power-cycled to return to a mutable state.
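The state table and the three flags in the hdparm -I output map onto each other directly, and the freezing section above is the reason system firmware freezes drives at boot: an unfrozen drive lets any process with device access set or clear a password. The script below is an added example, not code from the original post or from hdparm. It parses the Security section of hdparm -I output into the SECn names from the table and reports, per drive, whether an operator should freeze it. It assumes only the line layout shown above (tab-separated "not" flags; the samples use spaces, which the patterns also accept); the SAMPLE_* strings and the functions sec_state, freeze_advice and audit_devices are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not part of the original post): classify a drive's ATA
# security state from the Security section of `hdparm -I` output and say
# whether it should be frozen. Only the line layout hdparm prints is assumed;
# the SAMPLE_* texts are constructed (spaces instead of hdparm's tabs).

# Flags -> SECn name from the state table. A powered-on drive can only be in
# SEC1, SEC2, SEC4, SEC5 or SEC6; anything else means the text was not understood.
sec_state() {
    sec=$(printf '%s\n' "$1" | sed -n '/^Security:/,$p')
    # A drive without the feature set prints "not supported" on the first flag line.
    # (The "$" anchor keeps "supported: enhanced erase" from matching.)
    if ! printf '%s\n' "$sec" | grep -qE '^[[:space:]]*supported[[:space:]]*$'; then
        echo UNSUPPORTED
        return 0
    fi
    enabled=1 locked=1 frozen=1
    printf '%s\n' "$sec" | grep -qE '^[[:space:]]*not[[:space:]]+enabled' && enabled=0
    printf '%s\n' "$sec" | grep -qE '^[[:space:]]*not[[:space:]]+locked'  && locked=0
    printf '%s\n' "$sec" | grep -qE '^[[:space:]]*not[[:space:]]+frozen'  && frozen=0
    case "$enabled$locked$frozen" in
        000) echo SEC1 ;;
        001) echo SEC2 ;;
        110) echo SEC4 ;;
        100) echo SEC5 ;;
        101) echo SEC6 ;;
        *)   echo "UNKNOWN($enabled$locked$frozen)" ;;
    esac
}

# What a boot-time hardening step would do with each state. This only reports;
# issuing `hdparm --security-freeze` is left to the operator.
freeze_advice() {
    case "$(sec_state "$1")" in
        SEC1|SEC5) echo freeze ;;          # set-pass / disable would succeed: freeze it
        SEC2|SEC6) echo already-frozen ;;  # nothing can change until the next power cycle
        SEC4)      echo unlock-first ;;    # locked: unlock before anything else
        *)         echo skip ;;            # feature set absent or output not understood
    esac
}

# Report every device named on the command line (needs root and hdparm).
audit_devices() {
    for dev in "$@"; do
        if out=$(hdparm -I "$dev" 2>/dev/null); then
            printf '%s: %s -> %s\n' "$dev" "$(sec_state "$out")" "$(freeze_advice "$out")"
        else
            printf '%s: hdparm -I failed\n' "$dev"
        fi
    done
}

# Constructed samples, abridged to the Security section of `hdparm -I`.
SAMPLE_SEC1='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
Checksum: correct'

SAMPLE_SEC2='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
        frozen
    not expired: security count
        supported: enhanced erase'

SAMPLE_SEC4='Security:
    Master password revision code = 65534
        supported
        enabled
        locked
    not frozen
    not expired: security count
        supported: enhanced erase'

SAMPLE_NONE='Security:
    not supported
    not enabled
    not locked
    not frozen
    not expired: security count
    not supported: enhanced erase'

# Usage: sh audit.sh /dev/sda /dev/sdb ...  (no arguments: define functions only)
if [ $# -gt 0 ]; then audit_devices "$@"; fi
```

Running it on real devices prints one line per drive, e.g. a line ending in "SEC1 -> freeze" for a drive that accepted the commands shown earlier in this post. The parser is deliberately strict: a drive that reports flags in an unexpected combination comes out as UNKNOWN rather than being silently treated as safe.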
The master user
All of the examples above have used the standard user, user. There is also a master user account. This account normally has a manufacturer-specific password preset. This can be used to disable security if you forget the user password.
In the case of my Western Digital drive, the master password is set to WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW, so security on the drive could be disabled with:

```
$ hdparm --user-master m --security-disable "$(python -c 'print("WDC"*10+"W")')" /dev/sde
security_password: "WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW"

/dev/sde:
 Issuing SECURITY_DISABLE command, password="WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW", user=master
```
Note: the command above will only work if the master password matches and the "maximum security" mode has not previously been set with the --security-mode m option.
It's worth knowing about the security features in the SATA spec; however, for most use cases encryption is a better solution. If the warnings in the hdparm man page are not enough to scare you off, it's worth considering that data is still stored in clear text, even if the drive firmware makes it slightly harder to access.