ATA security

Since the introduction of the SATA 3 spec, storage devices have slowly adopted an additional security feature set. This effectively allows you to password-protect drives. Drive security is also often used by OEMs to lock down system disks during the boot process.

Drive states

There are seven different states a drive can be in. The table below describes all of the possible states:

State  Power  Security enabled  Locked  Frozen  Description
SEC0   off    0                 -       -       Powered down (security disabled)
SEC1   on     0                 0       0       Security disabled (not frozen)
SEC2   on     0                 0       1       Security disabled (frozen)
SEC3   off    1                 -       -       Powered down (security enabled)
SEC4   on     1                 1       0       Security enabled (drive locked)
SEC5   on     1                 0       0       Security enabled (drive unlocked and not frozen)
SEC6   on     1                 0       1       Security enabled (drive unlocked and frozen)

If security is not enabled, drives will almost always be in SEC0 or SEC1. Security can be enabled on the drive by setting a password. Once this has been done, the drive powers down into SEC3 and comes up in a locked state (SEC4) at the next power-on. While in a locked state it is not possible to access file systems on the drive. To access the drive, it needs to be unlocked using a password.

In addition to locking a drive, a drive can also be frozen. This prevents the drive from changing state until the system is restarted. The diagram below gives a brief overview of how the different states relate to each other:

ATA states diagram

Managing drives with hdparm

On Linux-based systems, hdparm can be used to manage security settings on ATA devices. The -I option displays information about a drive, including whether security features are supported and/or enabled:

$ hdparm -I /dev/sde
...
Security:
  Master password revision code = 65534
        supported
  not   enabled
  not   locked
  not   frozen
  not   expired: security count
        supported: enhanced erase
  more than 508min for SECURITY ERASE UNIT. more than 508min for ENHANCED SECURITY ERASE UNIT.
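The Security block above is the only place a running system can read a drive's state from, and the flags map directly onto the state table. The following is an added example, not part of the original post or of hdparm: a small POSIX shell function that reads an hdparm -I report on stdin and prints the SEC state (SEC0 and SEC3 are powered-down states and can never be observed this way). The sample_report function is a constructed stand-in for hdparm output so the script runs offline; on a real machine you would pipe hdparm -I /dev/sdX into ata_sec_state instead.

```shell
#!/bin/sh
# Classify a drive's ATA security state from the "Security:" block of `hdparm -I`.
# Added example; reads the report on stdin and prints SEC1..SEC6 or "unsupported".
#   usage: hdparm -I /dev/sdX | ata_sec_state
ata_sec_state() {
    awk '
        # Only lines between "Security:" and the next unindented heading count.
        /^Security:/          { insec = 1; seen = 1; next }
        insec && /^[^ \t]/    { insec = 0 }
        insec {
            neg = ($1 == "not") ? 1 : 0      # "not   enabled" negates the flag
            key = neg ? $2 : $1
            sub(/:$/, "", key)               # "expired:" / "supported:" carry a colon
            # bare "supported" is the feature set; "supported: enhanced erase" is not
            if (key == "supported" && NF - neg == 1) supported = !neg
            else if (key == "enabled") enabled = !neg
            else if (key == "locked")  locked  = !neg
            else if (key == "frozen")  frozen  = !neg
        }
        END {
            if (!seen)      { print "no Security section in input"; exit 2 }
            if (!supported) { print "unsupported"; exit 0 }
            if (!enabled)     print (frozen ? "SEC2" : "SEC1")
            else if (locked)  print "SEC4"          # freeze is aborted while locked
            else              print (frozen ? "SEC6" : "SEC5")
        }'
}

# Constructed stand-in for `hdparm -I` output; only the Security: block matters.
# Arguments: enabled locked frozen (each 0 or 1).
sample_report() {
    flag() { [ "$1" -eq 1 ] && printf '        %s\n' "$2" || printf '  not   %s\n' "$2"; }
    printf '/dev/sdX:\n\nATA device, with non-removable media\n'   # earlier sections, abbreviated
    printf 'Security:\n  Master password revision code = 65534\n        supported\n'
    flag "$1" enabled
    flag "$2" locked
    flag "$3" frozen
    printf '  not   expired: security count\n        supported: enhanced erase\n'
    printf 'Checksum: correct\n'                                     # next top-level heading
}

# Demonstration on the constructed sample (security supported, nothing set).
sample_report 0 0 0 | ata_sec_state   # SEC1
```

Because the function only looks at the Security block, it is safe to run against the output of a saved report as well as a live drive, which makes it usable in an inventory script that flags drives with security enabled or not frozen after boot.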

Before going any further with hdparm, it's worth highlighting the warning given by the --security-help option:

ATA Security Commands: Most of these are VERY DANGEROUS and can destroy all of your data! Due to bugs in older Linux kernels, use of these commands may even trigger kernel segfaults or worse. EXPERIMENT AT YOUR OWN RISK!

If you want to try any of the commands below, make sure you have a backup of the data on the drive!

Enabling security

Security can be enabled with the --security-set-pass option:

$ hdparm --security-set-pass secret /dev/sde
security_password: "secret"

/dev/sde:
 Issuing SECURITY_SET_PASS command, password="secret", user=user, mode=high

This will move a drive from an unlocked and unfrozen state (SEC1) to SEC5. When the drive is next started up it will start in a locked state (SEC4). Before accessing the drive, it needs to be unlocked using the password. This can be done using the --security-unlock option:

$ hdparm --security-unlock secret /dev/sde
security_password: "secret"

/dev/sde:
 Issuing SECURITY_UNLOCK command, password="secret", user=user

Any attempt to access the drive before unlocking it will result in an I/O error:

$ fdisk -l /dev/sde
fdisk: cannot open /dev/sde: Input/output error

Disabling security

To disable security on a drive, first make sure the drive is not locked (SEC5):

$ hdparm -I /dev/sde | grep locked
  not   locked

Security can then be disabled on the drive using the --security-disable option:

$ hdparm --security-disable secret /dev/sde
security_password: "secret"

/dev/sde:
 Issuing SECURITY_DISABLE command, password="secret", user=user

Freezing a drive

Drives can be "frozen" using the --security-freeze option:

$ hdparm --security-freeze /dev/sde

/dev/sde:
 issuing security freeze command

Once a drive has been frozen, it will no longer be possible to perform tasks like setting a security password:

$ hdparm --security-set-pass secret /dev/sde
security_password: "secret"

/dev/sde:
 Issuing SECURITY_SET_PASS command, password="secret", user=user, mode=high
SECURITY_SET_PASS: Input/output error

There is no unfreeze/thaw command. Instead, the drive needs to be power cycled to return to a mutable state.

The master user

All of the examples above have used the standard account, user. There is also a master user account. This account normally has a manufacturer-specific password preset. It can be used to disable security if you forget the user password.

In the case of my Western Digital drive, the master password is set to WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW, so security on the drive could be disabled with the following command:

$ hdparm --user-master m --security-disable "$(python -c 'print("WDC"*10+"W")')" /dev/sde
security_password: "WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW"

/dev/sde:
 Issuing SECURITY_DISABLE command, password="WDCWDCWDCWDCWDCWDCWDCWDCWDCWDCW", user=master

Note: the command above will only work if the master password matches and the "maximum security" mode has not previously been set with the --security-mode m option.
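The sections on enabling, disabling and freezing, together with the note on the master user, describe a small state machine. The following is an added example that is not part of the original post and is not hdparm: a POSIX shell model of that machine in which the "drive" is a set of shell variables, each function mirrors one hdparm option, and a command returns 1 with a message wherever the text says the real drive would abort it (set-pass while frozen, anything while locked, the master password once maximum mode is set). The master password value is a placeholder, not a vendor preset. The walkthrough function replays the exact sequence of the post and returns the state after each step.

```shell
#!/bin/sh
# Model of the ATA security state machine (SEC1..SEC6; SEC0/SEC3 are the
# powered-down states). Added example, not hdparm: state lives in variables and
# each command returns 1 where the real drive would abort it.
SEC=1                                   # powered on, security disabled, not frozen
SEC_MODE=high                           # high | maximum, chosen when the password is set
SEC_USER_PW=''
SEC_MASTER_PW='MASTER-PW-PLACEHOLDER'   # vendor preset on a real drive; placeholder here

ata_state() { printf 'SEC%s\n' "$SEC"; }

# Check $1 against the account named in $2 (user|master). In maximum mode the
# master password can no longer unlock or disable, only erase.
ata_pw_ok() {
    case ${2:-user} in
        user)   [ "$1" = "$SEC_USER_PW" ] ;;
        master) [ "$SEC_MODE" = high ] && [ "$1" = "$SEC_MASTER_PW" ] ;;
        *)      return 1 ;;
    esac
}

ata_power_cycle() {
    # SEC1/SEC2 -> SEC0 -> SEC1; SEC4/SEC5/SEC6 -> SEC3 -> SEC4 (comes up locked).
    # This is also the only way out of a frozen state.
    case $SEC in 1|2) SEC=1 ;; *) SEC=4 ;; esac
}

ata_set_pass() {   # $1 user password, $2 mode (high|maximum); --security-set-pass
    case $SEC in
        2|6) echo 'SECURITY_SET_PASS: Input/output error'; return 1 ;;   # frozen
        4)   echo 'SECURITY_SET_PASS: drive is locked'; return 1 ;;
    esac
    SEC_USER_PW=$1; SEC_MODE=${2:-high}; SEC=5
}

ata_unlock() {     # $1 password, $2 user|master; --security-unlock
    [ "$SEC" -eq 4 ] || { echo 'SECURITY_UNLOCK: drive is not locked'; return 1; }
    ata_pw_ok "$1" "$2" || { echo 'SECURITY_UNLOCK: Input/output error'; return 1; }
    SEC=5
}

ata_disable() {    # $1 password, $2 user|master; --security-disable, needs SEC5
    case $SEC in
        1|2) echo 'SECURITY_DISABLE: security not enabled'; return 1 ;;
        4)   echo 'SECURITY_DISABLE: drive is locked'; return 1 ;;
        6)   echo 'SECURITY_DISABLE: Input/output error'; return 1 ;;    # frozen
    esac
    ata_pw_ok "$1" "$2" || { echo 'SECURITY_DISABLE: Input/output error'; return 1; }
    SEC_USER_PW=''; SEC_MODE=high; SEC=1
}

ata_freeze() {     # --security-freeze; a no-op when already frozen, aborted while locked
    case $SEC in 1) SEC=2 ;; 5) SEC=6 ;; 4) echo 'SECURITY_FREEZE: drive is locked'; return 1 ;; esac
}

# Replay the post's sequence and return the state after each step.
ata_walkthrough() {
    SEC=1; SEC_USER_PW=''; SEC_MODE=high
    ata_set_pass secret >/dev/null;          s=$(ata_state)        # SEC5
    ata_power_cycle;                         s="$s $(ata_state)"   # SEC4: comes up locked
    ata_unlock secret user >/dev/null;       s="$s $(ata_state)"   # SEC5
    ata_disable secret user >/dev/null;      s="$s $(ata_state)"   # SEC1
    ata_freeze;                              s="$s $(ata_state)"   # SEC2
    ata_set_pass secret >/dev/null || true;  s="$s $(ata_state)"   # still SEC2: frozen
    ata_power_cycle;                         s="$s $(ata_state)"   # SEC1: thawed
    printf '%s\n' "$s"
}

ata_walkthrough   # SEC5 SEC4 SEC5 SEC1 SEC2 SEC2 SEC1
```

The model makes two properties easy to check that the prose only implies: a freeze issued early (for example by firmware at boot) blocks every later attempt to set a password until the next power cycle, and once a password has been set in maximum mode the vendor master password no longer gets a drive back, so the user password is the only way in.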

Summary

It's worth knowing about the security features in the SATA spec; however, for most use cases encryption is a better solution. If the warnings in the man page of hdparm are not enough to scare you off, it's worth considering that the data is still stored in clear text, even if the drive firmware makes it slightly harder to access.