
I'm building up a new machine with a Supermicro MB equipped with a TPM and a Seagate Constellation ES.3 SED drive (ST200NM0053). The MB has the AMI BIOS which does see the TPM.

I've installed Windows Server 2012 R2 Essentials. I'm now struggling to enable hard drive encryption using the SED feature of the hard drive.

My understanding (which is pretty weak) is the Windows BitLocker software can work with the TPM to support hard drive encryption but that Windows requires the hard drive to support OPAL 2, which the Seagate drive does not support.

I don't think I need to be concerned about this, because I'm under the impression that with this Seagate drive and a MB that supports TPM, I can enable the encryption regardless of what OS is running and manage the encryption, its related keys, backup, migration, etc. all through the BIOS. Furthermore, the OS won't even see that the drive is encrypted and needs no encryption capabilities or support at all.

But how do I enable encryption through the BIOS? I've gotten as far as enabling the TPM but I don't see anywhere where I can encrypt the drive or change the default password that the manufacturer installed on the drive.

What are my next steps and where might they be documented?

mbmast
  • I am not aware of ANY requirements of the HDD to support Bitlocker, only of the TPM requirement, are you 100% sure there is a hardware requirement of the HDD in order to use Bitlocker? Bitlocker and the SED feature of the HDD are two entirely separate things. – Ramhound Apr 24 '15 at 16:32
  • This article: https://social.technet.microsoft.com/Forums/windows/en-US/a7e95fb2-d408-4e80-a791-1f775b0d164b/bitlocker-windows-8-and-self-encrypting-drives?forum=w8itprosecurity states that the hard drive will not perform encryption with BitLocker because the drive is not OPAL 2 compliant. I suppose that means the BitLocker will still encrypt the drive, but the encryption/decryption is being done by Windows (BitLocker) and not by the drive itself. My preference is to have the drives perform their own encryption. – mbmast Apr 24 '15 at 17:04
  • So you want to use the drive's own encryption and Bitlocker, so encryption handled by the TPM and the encryption handled by the HDD? – Ramhound Apr 24 '15 at 17:05
  • I will be honest, I think I understand what you're asking but I cannot figure out what you're trying to accomplish. You don't have a HDD that supports NOT using Bitlocker if you want to use the TPM module. – Ramhound Apr 24 '15 at 17:09
  • @Ramhound I want to use the encryption built into the SED drives without using BitLocker. I don't want any dependencies on the OS to perform encryption. I know that in order to use the drive's encryption capabilities, the MB must have a TPM installed (and it does). I assume there must be some BIOS code that can enable encryption on the drive and manage the encryption keys (very similar to the ROM BIOS extensions used to create/destroy/maintain RAID volumes). – mbmast Apr 24 '15 at 17:16
  • Alright; you confused matters because you mentioned Bitlocker. What you want has very little to do with Bitlocker. You just want to enable the self-encrypting capabilities of your HDD. Is that correct? – Ramhound Apr 24 '15 at 17:20
  • This might help you understand the SED [functionality](http://superuser.com/questions/732494/how-to-enable-samsung-evo-840-msata-ssd-self-encrypting-drive-with-intel-rst-rai?rq=1) – Ramhound Apr 24 '15 at 17:23
  • @Ramhound Yes, I just want to enable the self-encrypting capabilities of my HDD. The article you provided is interesting. I will try that and then yank the drive and attempt to access it from another system. – mbmast Apr 24 '15 at 17:47
  • The article is not correct. It states: 'Also, assuming that there is no clear "HD PASSWORD" type of setting in the UEFI BIOS, and BIOS level HD-passwording is not documented, you may want to try placing a general start-up password and extracting the disk and testing it on another computer or using an external USB-enclosure. It should not boot up nor register in windows if it has a password lock, ie. it appears to be dead.' I tried this and the disk was completely readable from the other computer. – mbmast Apr 24 '15 at 18:58

2 Answers


These drives do work with BitLocker; I know, as I do use them. BitLocker is a 2nd layer of defence on these drives when the drives are connected to a PC with a TPM. The drives set aside a 100 MB partition, and no, you can't find it or remove it; no software can find it. The partition is used to store the encryption keys for the drive. Warning: Microsoft uploads all BitLocker keys and they do use them. The way around this is to change the key.

In all, if Microsoft wants to steal anything off the drives, it's not readable; even if they get around BitLocker they can't get around Seagate encryption.

With Microsoft making 10 back doors to get into every system, these drives become a must-have. I test Microsoft software and find problems with it and then tell Microsoft how to fix it.

I stopped doing this once I found Microsoft was hacking my network. Once SED was added to my workstation a lot changed, as data became useless to them. Note these drives look at files; database files are treated very differently on these drives, very heavily protected from theft.

Your PC must have a TPM on it; these drives will not work without a TPM, the encryption will not work.

The TPM does not have to be turned on in BitLocker, it just has to be turned on in the BIOS, as the hard drive's TPM is part of the key-making process.

Now, different models may be different; I advise talking to Seagate on what the drives need. Most of these drives are SAS drives, few are SATA, though Seagate does make them. SAS drives are much better drives.

jay

Things may have improved since this was originally posted. It seems that Windows 8 and above will recognize an Opal drive (with some restrictions, one of which seems to be a UEFI BIOS; see: https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653989(v=vs.85) ). According to Microsoft (https://docs.microsoft.com/en-us/windows/security/information-protection/encrypted-hard-drive) the system will recognize a compatible drive automatically and set it up to be managed by BitLocker. It does not do software encryption in that case but allows the device to do its own encryption. The article says that the Disk Management MMC plugin can be used to manage partitions and file systems on the device, but it does not say anything about how the disk authorization keys are managed.

This is my question. How are the authorization keys managed by Windows? I want to bind an authorization key to a specific service account so that only that service account can access the encrypted partition. I have some leads, there may be 3rd party apps that add that functionality. My suspicion is that Bitlocker management means that the entire disk is treated as a single band with a single authentication key. This band can then be partitioned into volumes and managed by NTFS. That would mean that the only mandatory access control would be through NTFS. The hardware access control would be moot.

hkc
  • If you have a new question, please ask it by clicking the [Ask Question](https://superuser.com/questions/ask) button. Include a link to this question if it helps provide context. - [From Review](/review/late-answers/1079898) – Aulis Ronkainen Sep 16 '21 at 07:54
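The answer above says Windows recognizes a compatible Opal drive only under certain conditions (UEFI boot among them) and then lets the drive do its own encryption under BitLocker management; when the drive is not recognized (as with the non-Opal-2 Seagate in the question), BitLocker silently falls back to software encryption. The script below is an added example, not code from the original post or from Microsoft: it reports the prerequisites and, per BitLocker volume, whether the reported encryption method is the drive's hardware encryption or a software cipher. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later with the BitLocker and TrustedPlatformModule modules available.

```powershell
# Added example (not from the original post): check whether this machine can use
# BitLocker-managed hardware (Opal / "Encrypted Hard Drive") encryption and
# whether each BitLocker volume is actually using it. Run elevated.
function Get-SedReadinessReport {
    # Windows only takes the hardware-encryption path when booted via UEFI.
    # $env:firmware_type is "UEFI" or "Legacy" on Windows 8 / Server 2012 and later.
    $firmware = $env:firmware_type
    $tpm = Get-Tpm    # TrustedPlatformModule module; TpmPresent / TpmReady

    $volumes = Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            Protection       = $_.ProtectionStatus          # On / Off
            EncryptionMethod = $_.EncryptionMethod          # e.g. Aes128, XtsAes256, Hardware
            # "Hardware" means the drive itself encrypts; anything else is software crypto.
            HardwareCrypto   = ($_.EncryptionMethod -eq 'Hardware')
            KeyProtectors    = (($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ',')
        }
    }

    [pscustomobject]@{
        FirmwareType = $firmware
        UefiBoot     = ($firmware -eq 'UEFI')
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        Volumes      = $volumes
    }
}

$report = Get-SedReadinessReport
"Firmware: $($report.FirmwareType)  TPM present: $($report.TpmPresent)  TPM ready: $($report.TpmReady)"
$report.Volumes | Format-Table MountPoint, Protection, EncryptionMethod, HardwareCrypto, KeyProtectors -AutoSize

# Interpretation: a volume on a self-encrypting drive that still shows a software
# method (Aes128/Aes256/XtsAes*) was not accepted as an Encrypted Hard Drive, so
# the drive's own crypto is not what protects the data at rest. Common causes that
# the answer above names: legacy BIOS boot, or a drive that is not Opal 2 compliant.
foreach ($v in $report.Volumes) {
    if ($v.Protection -eq 'On' -and -not $v.HardwareCrypto) {
        "$($v.MountPoint): BitLocker is doing software encryption, not the drive"
    }
}
```

The same information is visible in `manage-bde -status`, where a hardware-managed volume reports "Hardware Encryption" as its encryption method.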