06-19-2009 12:16 PM
3.6.1 Security Erase procedure
Using the Security Erase commands, the drive may be cryptographically erased according to the following procedure:
1. Consumer boots up the computer normally according to the Consumer Usage section above.
2. Consumer invokes software or BIOS option for Erase.
3. The software or BIOS queries the user for either the User or Master password.
4. The software or BIOS issues the Security Erase Prepare (F3) command.
5. The software or BIOS issues the Security Erase Unit (F4) command.
Select the Enhanced erase for cryptographic erase that completes in less than one second.
3.6.2 Drive State after security erase
Upon completion of the erase sequence, all data is cryptographically erased and the drive has been returned to the manufactured state as follows:
• The old encryption key is deleted.
• A new random encryption key has been created on the drive.
• Encryption function is active and functioning. The new key is used to encrypt all user data on write and decrypt on read.
• The user interface to the drive is active and all read and write commands are allowed.
• The ATA User password is reset to null (no value).
• The ATA Master password is not modified. The ATA Master password is the same value as it was before the erase.
• The ATA Security is set to the Unlocked state. No password is required to access the drive.
The drive may now be disposed of safely, or the drive may be returned to service for another consumer following the initialization procedure defined above.
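As an added illustration of the quoted 3.6.1/3.6.2 sequence (not code from Seagate or from the post): it builds the 512-byte data block that accompanies the ATA SECURITY ERASE UNIT command and models how a self-encrypting drive answers the F3/F4 pair, so the post-erase state listed in 3.6.2 can be checked. The `FdeDrive` class and its fields are a constructed model, not a real drive interface.

```python
import os
import struct

# Word 0 of the SECURITY ERASE UNIT data block (ATA8-ACS): bit 0 selects which password
# is compared (0 = User, 1 = Master), bit 1 selects the erase mode (0 = Normal, 1 = Enhanced).
# Words 1-16 carry the password (up to 32 bytes); the remaining words are reserved (zero).
IDENT_MASTER = 0x0001
MODE_ENHANCED = 0x0002

def erase_unit_payload(password: bytes, master: bool = False, enhanced: bool = True) -> bytes:
    """Build the 512-byte data block sent with SECURITY ERASE UNIT (F4h)."""
    if len(password) > 32:
        raise ValueError("ATA security passwords are at most 32 bytes")
    word0 = (IDENT_MASTER if master else 0) | (MODE_ENHANCED if enhanced else 0)
    return struct.pack("<H", word0) + password.ljust(32, b"\x00") + bytes(512 - 34)

class FdeDrive:
    """Constructed model of the drive-side security state machine described in 3.6.1/3.6.2."""
    def __init__(self, user_pw: bytes, master_pw: bytes):
        self.user_pw, self.master_pw = user_pw, master_pw
        self.key = os.urandom(32)      # media encryption key; never leaves the drive
        self.locked = True             # security enabled: media access refused until unlocked
        self.prepared = False          # set by F3, consumed by the next F4

    def security_erase_prepare(self) -> None:              # F3h
        self.prepared = True

    def security_erase_unit(self, payload: bytes) -> bool:  # F4h, True on success
        if not self.prepared:          # F4 without an immediately preceding F3 is aborted
            return False
        self.prepared = False
        (word0,) = struct.unpack_from("<H", payload, 0)
        offered = payload[2:34].rstrip(b"\x00")
        expected = self.master_pw if word0 & IDENT_MASTER else self.user_pw
        if offered != expected:        # wrong password: the drive aborts, nothing changes
            return False
        self.key = os.urandom(32)      # old key discarded, fresh random key: old ciphertext is mush
        self.user_pw = b""             # User password reset to null; Master password untouched
        self.locked = False            # security returns to the Unlocked state
        return True
```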
06-19-2009 07:06 PM
Yup - that'd be great IF the system is set with a drive password in BIOS. None of these are.
This will not clear an FDE drive with encryption enabled/active.
The 'real' answer for non-FDE drives where software encryption had been applied appears to be one or more passes with a utility like Active Killdisk to wipe each partition and then the entire drive.
The only apparent answer for encryption-active FDE drives appears to be money - physically destroy the old drive and start out brand new and don't dare lose control of the drive, passwords, keys, etc....
06-20-2009 08:16 AM
It appears to me that you and AlanM are talking past each other.
You seem to think that you need the BIOS to handle the password (accepting it from the user, passing it on to the hard drive). You also observe that your notebook's BIOS doesn't seem to be doing that.
The text that AlanM quoted in message 21 seems to always say "the software or BIOS" so it looks as if security software, not just the BIOS, can do that job. Of course that means you cannot boot from that encrypted drive, but it could be a second drive, or you could boot from an optical drive or a USB flash memory stick, or an external drive.
Have I misunderstood you or AlanM?
06-21-2009 08:32 AM
Is there a utility program (or heck, even a set of jumper pads on the drive?) that will send a 'reset' to an FDE drive - removing its password, key, etc., disabling the encryption (NOT unencrypting what is/was there), thus leaving an essentially blank, default drive of 'mush' that can be reformatted, or re-encrypted for new data, etc.?
Note: There IS such a utility for the Maxtor Black Armor drives, I've used it, for that product. It does not recognize a Seagate FDE.
The apparently complex version:
Desired User Experience: I want to re-use (or wipe and dispose of) an encrypted FDE drive. I want to wipe out anything/everything on an encrypted FDE drive, regardless of content, etc. - it's useless/meaningless.
The following conditions exist:
- No access to the data within or its password (no password was set in BIOS, it may have been set with TPM, Wave or any other combination of FDE/Opal-supporting software tools)
- No access to or use of the software that set FDE on the drive (another condition that can exist, an FDE drive in one system often cannot be read, no matter what, in another - as Primary, Secondary, USB...)
- Or, I don't know or care about any of that... I just want to make sure the drive has NO password (and of course no access to the data) so I can do-over or do a secure wipe.
06-22-2009 07:05 AM
I just talked to one of our experts and he told me that there are two different versions of FDE notebook drives, and the later/newer/younger version can be erased via the BIOS, but the older version cannot.
Fortunately, the newest version of SeaTools for DOS can perform a secure-encryption erase, that will erase the encryption key that is stored on the FDE drive, thus restoring it to the state you're asking for.
So download SeaTools for DOS and give that a try. Hope it works!