[FDE] ATA Lock vs Pre-boot authentication
ATA Lock (or drive lock) is a BIOS-based security solution for implementing FDE security with FDE hard drives. Once set, it prompts the user to enter a password every time the computer is powered on to “unlock” the drive. If the correct password is not entered, the drive stays disabled (“locked”) and the computer does not boot up. Some manufacturers, like HP, provide the capability of setting up two passwords for drive lock, a Master and a Slave, which is convenient for administrative purposes: the owner of the Slave password can only use it to unlock the drive, whereas the Master password also allows changing both itself and the Slave password. Other manufacturers, like Dell, allow only one password.
In terms of strength of security, it is as strong as the security provided by AES 128-bit encryption. In the past, drive lock has been vulnerable to a backdoor password reset (i.e. the password is blanked out) via a hacking utility, or to “forensic” access to the drive via raw data extraction. This is true only for regular drives. With an FDE drive, however, these security holes are plugged. Because the data residing on the FDE drive is encrypted with a unique key, raw data extraction is useless. If the hacker is somehow able to reset the drive lock password, the attack is thwarted by the fact that the encryption key is encapsulated with the original drive lock password: if the drive lock password is changed by such an attack, the encryption key in effect becomes inaccessible.
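To make the key-encapsulation argument concrete, here is an added model of the scheme (example code written for this post, not any drive vendor's firmware): a key-encryption key is derived from the drive lock password and only the wrapped data-encryption key (DEK) is stored, so a legitimate password change re-wraps the DEK, while a "blank the password" reset that never saw the old password leaves the stored wrapped DEK unrecoverable. It assumes a simplified wrap built from PBKDF2 and HMAC-SHA256 in place of the AES used by real drives; the password and DEK values are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Simplified wrap (assumption: real FDE drives use AES; this HMAC-based
# construction is used only so the model runs on the Python stdlib).
def derive_kek(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)

def wrap_dek(dek: bytes, password: str) -> dict:
    """Store only salt, wrapped DEK and an integrity tag, never the DEK itself."""
    salt = os.urandom(16)
    kek = derive_kek(password, salt)
    stream = hmac.new(kek, salt + b"wrap", hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(dek, stream))
    tag = hmac.new(kek, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap_dek(blob: dict, password: str) -> Optional[bytes]:
    """Returns the DEK for the right password, None otherwise (key stays locked)."""
    kek = derive_kek(password, blob["salt"])
    expected = hmac.new(kek, blob["salt"] + blob["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    stream = hmac.new(kek, blob["salt"] + b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["wrapped"], stream))

def change_password(blob: dict, old: str, new: str) -> Optional[dict]:
    """Legitimate change: the old password must first recover the DEK."""
    dek = unwrap_dek(blob, old)
    return None if dek is None else wrap_dek(dek, new)

def model_password_reset(blob: dict, new: str) -> dict:
    """Models the backdoor reset from the post: the firmware's password check
    now accepts `new`, but the stored wrapped DEK is untouched."""
    return {**blob, "accepted_password": new}

def demo() -> tuple:
    dek = os.urandom(32)  # constructed sample DEK
    blob = wrap_dek(dek, "correct horse")
    unlocks = unwrap_dek(blob, "correct horse") == dek
    rotated = change_password(blob, "correct horse", "new pass")
    rotated_unlocks = rotated is not None and unwrap_dek(rotated, "new pass") == dek
    reset = model_password_reset(blob, "blank")
    still_inaccessible = unwrap_dek(reset, reset["accepted_password"]) is None
    return unlocks, rotated_unlocks, still_inaccessible
```

Running `demo()` returns `(True, True, True)`: the original and legitimately rotated passwords both unlock the DEK, while the reset password is accepted by the model firmware but cannot recover it.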
Software-based pre-boot authentication is another option for implementing FDE security with FDE hard drives. There are two components to this solution, the pre-boot authentication part and the OS client. The pre-boot authentication is the part that comes up when the computer is first powered on and asks for the access password (just like the ATA lock). The OS client, on the other hand, is the part that installs on the OS and provides other key features to end-users, in addition to basic password protection. Some of these features include configuration of the pre-boot authentication itself, password synchronization with a directory service (AD, NDS, LDAP, etc.), centralized administration of accounts, remote management of passwords, multiple authorized accounts per computer, audit trail, backup services, etc.
In terms of strength of security, software-based pre-boot authentication is as strong as the security provided by AES 128-bit encryption. In this respect, there is no difference between this and the ATA lock on an FDE hard drive.
Does the key used to unlock the hard drive also decrypt the data in the FDE drive?
S21sec labs
October 18, 2007 at 11:29 am