How to enable hardware based encryption on Samsung 850 Pro












10















I have a new Samsung 850 pro which touts hardware-based encryption. According to that page I should just go in my bios and set a hard-drive password (no problem right). The only relevant thread I found on the issue also says something along those same lines. I have no such option in my BIOS (I have a Gigabyte board with a Z87 chipset, model number escaping me at this time). If I were to buy a new motherboard to get this to work, what feature(s) does the board need to support?










share|improve this question





























    10















    I have a new Samsung 850 pro which touts hardware-based encryption. According to that page I should just go in my bios and set a hard-drive password (no problem right). The only relevant thread I found on the issue also says something along those same lines. I have no such option in my BIOS (I have a Gigabyte board with a Z87 chipset, model number escaping me at this time). If I were to buy a new motherboard to get this to work, what feature(s) does the board need to support?










    share|improve this question



























      10












      10








      10


      1






      I have a new Samsung 850 pro which touts hardware-based encryption. According to that page I should just go in my bios and set a hard-drive password (no problem right). The only relevant thread I found on the issue also says something along those same lines. I have no such option in my BIOS (I have a Gigabyte board with a Z87 chipset, model number escaping me at this time). If I were to buy a new motherboard to get this to work, what feature(s) does the board need to support?










      share|improve this question
















      I have a new Samsung 850 pro which touts hardware-based encryption. According to that page I should just go in my bios and set a hard-drive password (no problem right). The only relevant thread I found on the issue also says something along those same lines. I have no such option in my BIOS (I have a Gigabyte board with a Z87 chipset, model number escaping me at this time). If I were to buy a new motherboard to get this to work, what feature(s) does the board need to support?







      ssd bios opal self-encrypting-drive opal-ssc






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Jan 15 at 14:49









      ͏͏͏

      2,67211214




      2,67211214










      asked Oct 29 '14 at 19:35









      ErlVoltonErlVolton

      268138




      268138






















          5 Answers
          5






          active

          oldest

          votes


















          6














          Depends on what you mean by "get this to work". That drive support OPAL 2.0, which allows various software managed encryption schemes to use hardware accelerated encryption. It also allows for pre-boot authentication (PBA) for encryption, such as BIOS/EFI schemes. If you want to use PBA (ie a password/pin at the BIOS/EFI) then you'll have to switch to a motherboard that supports it (I couldn't say which as I don't use PBA, I use BitLocker, which I highly recommend in Windows environments).



          TL;DR If you're running Windows, use BitLocker, it will automatically use the hardware acceleration.



          Edit:

          As of April 2014, OPAL is not supported by Linux. There was someone working on "msed", but it wasn't finished or production worthy. I don't know the current status or future of OPAL support in Linux.



          Edit 2:

          There are also various UEFI products that can manage OPAL compatible drives allowing for a variety of PBAs if your BIOS/EFI doesn't support it directly. The only one I've vaguely familiar with allows companies to setup an authentication servers for PBA over the Internet. It might work with local credentials as well, I'm not sure. It's also very expensive. Food for thought if nothing else.






          share|improve this answer


























          • Excellent. I am not using Windows, it's ubuntu 14 with LVM encryption enabled via the installer option. Sooo maybe that's taking advantage of the hardware acceleration already and the answer is do nothing and profit?

            – ErlVolton
            Oct 29 '14 at 19:49











          • See edit, not good news for you.

            – Chris S
            Oct 29 '14 at 19:54



















          8














          As the "someone" working on "msed", it now has the ability enable the OPAL locking, write a PBA to an OPAL 2.0 drive and chain-load the real OS after unlocking the drive on bios based motherboards. No special motherboard support is needed. Yes, it is still early in it's development cycle and it currently does not support sleep to ram as that requires OS hooks.






          share|improve this answer































            2














            TexasDex is correct. Your motherboard BIOS must support an ATA Password option (this is distinct and in addition to the BIOS password). Now the interesting bit . . . no one mentions this feature. Not in mobo reviews, comparisons, and certainly not in the advertisements and listings of the mobo manufacturers. Why not? Millions upon millions of Samsung EVO and Intel SSDs are ready to have ultrafast and ultrasecure hardware encryption enabled, all they need is a BIOS with ATA Password support.



            The only answer I could find is that Mobo makers are afraid a few noobs will forget their passwords, and since this encryption is so reliable, no one AT ALL will be able to help.



            I had an ASRock Extreme6 mobo, and thinking it was the latest and greatest, of course it would have this feature. Not. However, I wrote to ASRock in Taiwan and in a week they emailed me the 1.70B version of their BIOS with an ATA Password option. However, it's still not available on their website, you have to ASK for it (?!). This may be the case with your mobo makers as well.






            share|improve this answer
























            • Does this BIOS support suspend to RAM sleep mode? Does it unlock the drive while resuming from sleep?

              – ZAB
              Jun 14 '15 at 18:25



















            1














            It's possible to use the hdparm command in Linux to enable ATA Security Extensions, which will set the AT password on the drive, thereby encrypting it.



            Unfortunately, if your BIOS doesn't support hard disk passwords then there's no way to boot after you do that, since you can't use the hdparm unlock command until after you're done booting, and you can't unlock and boot off the drive until after you unlock it. Kind of a chicken/egg problem. That's why they sometimes put disk password support in the BIOS, so it can run without needing an OS.



            If you have the /boot or / partition on a separate device you might be able to set up a script that uses the hdparm command somewhere in the init process. This isn't easy, and kind of defeats the purpose of having the SSD for fast booting and such.



            My only other idea would be to have a thumb drive with a super-minimal distro of Linux that does nothing but prompt for the password, run the hdparm ata unlock command, and reboot, allowing the OS to load from your unlocked drive (I believe soft reboots generally don't re-lock drives). This is not ideal, but it's the best available solution if your motherboard doesn't support ATA passwords.






            share|improve this answer































              0















              • Storage type must be ACHI.

              • The computer must always boot natively from UEFI.

              • The computer must have the Compatibility Support Module (CSM) disabled in UEFI.

              • The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).


              • TPM chip is optional.


              • Secure boot is optional.

              • GPT and MBR are both supported.

              • If there is RST software/drivers, it has to be at least version 13.2.4.1000.


              This can be done with 2 disks or one.



              From a Windows install that meets the above criteria:




              • Set state to ready to enable via Samsung Magician.

              • Make a secure erase USB (for DOS).

              • Reboot PC, change boot mode to BIOS boot (for the secure erase USB)

              • Boot into secure erase, erase

              • Reboot PC, change BIOS boot settings to EFI again. (Do not let the PC start booting from the drive or you might start the process from the beginning.)

              • Boot back to Windows disk and check via Samsung magician or install Windows to your secure erased disk.






              share|improve this answer

























                Your Answer








                StackExchange.ready(function() {
                var channelOptions = {
                tags: "".split(" "),
                id: "3"
                };
                initTagRenderer("".split(" "), "".split(" "), channelOptions);

                StackExchange.using("externalEditor", function() {
                // Have to fire editor after snippets, if snippets enabled
                if (StackExchange.settings.snippets.snippetsEnabled) {
                StackExchange.using("snippets", function() {
                createEditor();
                });
                }
                else {
                createEditor();
                }
                });

                function createEditor() {
                StackExchange.prepareEditor({
                heartbeatType: 'answer',
                autoActivateHeartbeat: false,
                convertImagesToLinks: true,
                noModals: true,
                showLowRepImageUploadWarning: true,
                reputationToPostImages: 10,
                bindNavPrevention: true,
                postfix: "",
                imageUploader: {
                brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
                contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
                allowUrls: true
                },
                onDemand: true,
                discardSelector: ".discard-answer"
                ,immediatelyShowMarkdownHelp:true
                });


                }
                });














                draft saved

                draft discarded


















                StackExchange.ready(
                function () {
                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f833457%2fhow-to-enable-hardware-based-encryption-on-samsung-850-pro%23new-answer', 'question_page');
                }
                );

                Post as a guest















                Required, but never shown

























                5 Answers
                5






                active

                oldest

                votes








                5 Answers
                5






                active

                oldest

                votes









                active

                oldest

                votes






                active

                oldest

                votes









                6














                Depends on what you mean by "get this to work". That drive support OPAL 2.0, which allows various software managed encryption schemes to use hardware accelerated encryption. It also allows for pre-boot authentication (PBA) for encryption, such as BIOS/EFI schemes. If you want to use PBA (ie a password/pin at the BIOS/EFI) then you'll have to switch to a motherboard that supports it (I couldn't say which as I don't use PBA, I use BitLocker, which I highly recommend in Windows environments).



                TL;DR If you're running Windows, use BitLocker, it will automatically use the hardware acceleration.



                Edit:

                As of April 2014, OPAL is not supported by Linux. There was someone working on "msed", but it wasn't finished or production worthy. I don't know the current status or future of OPAL support in Linux.



                Edit 2:

                There are also various UEFI products that can manage OPAL compatible drives allowing for a variety of PBAs if your BIOS/EFI doesn't support it directly. The only one I've vaguely familiar with allows companies to setup an authentication servers for PBA over the Internet. It might work with local credentials as well, I'm not sure. It's also very expensive. Food for thought if nothing else.






                share|improve this answer


























                • Excellent. I am not using Windows, it's ubuntu 14 with LVM encryption enabled via the installer option. Sooo maybe that's taking advantage of the hardware acceleration already and the answer is do nothing and profit?

                  – ErlVolton
                  Oct 29 '14 at 19:49











                • See edit, not good news for you.

                  – Chris S
                  Oct 29 '14 at 19:54
















                6














                Depends on what you mean by "get this to work". That drive support OPAL 2.0, which allows various software managed encryption schemes to use hardware accelerated encryption. It also allows for pre-boot authentication (PBA) for encryption, such as BIOS/EFI schemes. If you want to use PBA (ie a password/pin at the BIOS/EFI) then you'll have to switch to a motherboard that supports it (I couldn't say which as I don't use PBA, I use BitLocker, which I highly recommend in Windows environments).



                TL;DR If you're running Windows, use BitLocker, it will automatically use the hardware acceleration.



                Edit:

                As of April 2014, OPAL is not supported by Linux. There was someone working on "msed", but it wasn't finished or production worthy. I don't know the current status or future of OPAL support in Linux.



                Edit 2:

                There are also various UEFI products that can manage OPAL compatible drives allowing for a variety of PBAs if your BIOS/EFI doesn't support it directly. The only one I've vaguely familiar with allows companies to setup an authentication servers for PBA over the Internet. It might work with local credentials as well, I'm not sure. It's also very expensive. Food for thought if nothing else.






                share|improve this answer


























                • Excellent. I am not using Windows, it's ubuntu 14 with LVM encryption enabled via the installer option. Sooo maybe that's taking advantage of the hardware acceleration already and the answer is do nothing and profit?

                  – ErlVolton
                  Oct 29 '14 at 19:49











                • See edit, not good news for you.

                  – Chris S
                  Oct 29 '14 at 19:54














                6












                6








                6







                Depends on what you mean by "get this to work". That drive support OPAL 2.0, which allows various software managed encryption schemes to use hardware accelerated encryption. It also allows for pre-boot authentication (PBA) for encryption, such as BIOS/EFI schemes. If you want to use PBA (ie a password/pin at the BIOS/EFI) then you'll have to switch to a motherboard that supports it (I couldn't say which as I don't use PBA, I use BitLocker, which I highly recommend in Windows environments).



                TL;DR If you're running Windows, use BitLocker, it will automatically use the hardware acceleration.



                Edit:

                As of April 2014, OPAL is not supported by Linux. There was someone working on "msed", but it wasn't finished or production worthy. I don't know the current status or future of OPAL support in Linux.



                Edit 2:

                There are also various UEFI products that can manage OPAL compatible drives allowing for a variety of PBAs if your BIOS/EFI doesn't support it directly. The only one I've vaguely familiar with allows companies to setup an authentication servers for PBA over the Internet. It might work with local credentials as well, I'm not sure. It's also very expensive. Food for thought if nothing else.






                share|improve this answer















                Depends on what you mean by "get this to work". That drive support OPAL 2.0, which allows various software managed encryption schemes to use hardware accelerated encryption. It also allows for pre-boot authentication (PBA) for encryption, such as BIOS/EFI schemes. If you want to use PBA (ie a password/pin at the BIOS/EFI) then you'll have to switch to a motherboard that supports it (I couldn't say which as I don't use PBA, I use BitLocker, which I highly recommend in Windows environments).



                TL;DR If you're running Windows, use BitLocker, it will automatically use the hardware acceleration.



                Edit:

                As of April 2014, OPAL is not supported by Linux. There was someone working on "msed", but it wasn't finished or production worthy. I don't know the current status or future of OPAL support in Linux.



                Edit 2:

                There are also various UEFI products that can manage OPAL compatible drives allowing for a variety of PBAs if your BIOS/EFI doesn't support it directly. The only one I've vaguely familiar with allows companies to setup an authentication servers for PBA over the Internet. It might work with local credentials as well, I'm not sure. It's also very expensive. Food for thought if nothing else.







                share|improve this answer














                share|improve this answer



                share|improve this answer








                edited Oct 29 '14 at 20:10

























                answered Oct 29 '14 at 19:47









                Chris SChris S

                5,8891521




                5,8891521













                • Excellent. I am not using Windows, it's ubuntu 14 with LVM encryption enabled via the installer option. Sooo maybe that's taking advantage of the hardware acceleration already and the answer is do nothing and profit?

                  – ErlVolton
                  Oct 29 '14 at 19:49











                • See edit, not good news for you.

                  – Chris S
                  Oct 29 '14 at 19:54



















                • Excellent. I am not using Windows, it's ubuntu 14 with LVM encryption enabled via the installer option. Sooo maybe that's taking advantage of the hardware acceleration already and the answer is do nothing and profit?

                  – ErlVolton
                  Oct 29 '14 at 19:49











                • See edit, not good news for you.

                  – Chris S
                  Oct 29 '14 at 19:54

















                Excellent. I am not using Windows, it's ubuntu 14 with LVM encryption enabled via the installer option. Sooo maybe that's taking advantage of the hardware acceleration already and the answer is do nothing and profit?

                – ErlVolton
                Oct 29 '14 at 19:49





                Excellent. I am not using Windows, it's ubuntu 14 with LVM encryption enabled via the installer option. Sooo maybe that's taking advantage of the hardware acceleration already and the answer is do nothing and profit?

                – ErlVolton
                Oct 29 '14 at 19:49













                See edit, not good news for you.

                – Chris S
                Oct 29 '14 at 19:54





                See edit, not good news for you.

                – Chris S
                Oct 29 '14 at 19:54













                8














                As the "someone" working on "msed", it now has the ability enable the OPAL locking, write a PBA to an OPAL 2.0 drive and chain-load the real OS after unlocking the drive on bios based motherboards. No special motherboard support is needed. Yes, it is still early in it's development cycle and it currently does not support sleep to ram as that requires OS hooks.






                share|improve this answer




























                  8














                  As the "someone" working on "msed", it now has the ability enable the OPAL locking, write a PBA to an OPAL 2.0 drive and chain-load the real OS after unlocking the drive on bios based motherboards. No special motherboard support is needed. Yes, it is still early in it's development cycle and it currently does not support sleep to ram as that requires OS hooks.






                  share|improve this answer


























                    8












                    8








                    8







                    As the "someone" working on "msed", it now has the ability enable the OPAL locking, write a PBA to an OPAL 2.0 drive and chain-load the real OS after unlocking the drive on bios based motherboards. No special motherboard support is needed. Yes, it is still early in it's development cycle and it currently does not support sleep to ram as that requires OS hooks.






                    share|improve this answer













                    As the "someone" working on "msed", it now has the ability enable the OPAL locking, write a PBA to an OPAL 2.0 drive and chain-load the real OS after unlocking the drive on bios based motherboards. No special motherboard support is needed. Yes, it is still early in it's development cycle and it currently does not support sleep to ram as that requires OS hooks.







                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered Jan 29 '15 at 6:01









                    Michael RomeoMichael Romeo

                    8111




                    8111























                        2














                        TexasDex is correct. Your motherboard BIOS must support an ATA Password option (this is distinct and in addition to the BIOS password). Now the interesting bit . . . no one mentions this feature. Not in mobo reviews, comparisons, and certainly not in the advertisements and listings of the mobo manufacturers. Why not? Millions upon millions of Samsung EVO and Intel SSDs are ready to have ultrafast and ultrasecure hardware encryption enabled, all they need is a BIOS with ATA Password support.



                        The only answer I could find is that Mobo makers are afraid a few noobs will forget their passwords, and since this encryption is so reliable, no one AT ALL will be able to help.



                        I had an ASRock Extreme6 mobo, and thinking it was the latest and greatest, of course it would have this feature. Not. However, I wrote to ASRock in Taiwan and in a week they emailed me the 1.70B version of their BIOS with an ATA Password option. However, it's still not available on their website, you have to ASK for it (?!). This may be the case with your mobo makers as well.






                        share|improve this answer
























                        • Does this BIOS support suspend to RAM sleep mode? Does it unlock the drive while resuming from sleep?

                          – ZAB
                          Jun 14 '15 at 18:25
















                        2














                        TexasDex is correct. Your motherboard BIOS must support an ATA Password option (this is distinct and in addition to the BIOS password). Now the interesting bit . . . no one mentions this feature. Not in mobo reviews, comparisons, and certainly not in the advertisements and listings of the mobo manufacturers. Why not? Millions upon millions of Samsung EVO and Intel SSDs are ready to have ultrafast and ultrasecure hardware encryption enabled, all they need is a BIOS with ATA Password support.



                        The only answer I could find is that Mobo makers are afraid a few noobs will forget their passwords, and since this encryption is so reliable, no one AT ALL will be able to help.



                        I had an ASRock Extreme6 mobo, and thinking it was the latest and greatest, of course it would have this feature. Not. However, I wrote to ASRock in Taiwan and in a week they emailed me the 1.70B version of their BIOS with an ATA Password option. However, it's still not available on their website, you have to ASK for it (?!). This may be the case with your mobo makers as well.






                        share|improve this answer
























                        • Does this BIOS support suspend to RAM sleep mode? Does it unlock the drive while resuming from sleep?

                          – ZAB
                          Jun 14 '15 at 18:25














                        2












                        2








                        2







                        TexasDex is correct. Your motherboard BIOS must support an ATA Password option (this is distinct and in addition to the BIOS password). Now the interesting bit . . . no one mentions this feature. Not in mobo reviews, comparisons, and certainly not in the advertisements and listings of the mobo manufacturers. Why not? Millions upon millions of Samsung EVO and Intel SSDs are ready to have ultrafast and ultrasecure hardware encryption enabled, all they need is a BIOS with ATA Password support.



                        The only answer I could find is that Mobo makers are afraid a few noobs will forget their passwords, and since this encryption is so reliable, no one AT ALL will be able to help.



                        I had an ASRock Extreme6 mobo, and thinking it was the latest and greatest, of course it would have this feature. Not. However, I wrote to ASRock in Taiwan and in a week they emailed me the 1.70B version of their BIOS with an ATA Password option. However, it's still not available on their website, you have to ASK for it (?!). This may be the case with your mobo makers as well.






                        share|improve this answer













                        TexasDex is correct. Your motherboard BIOS must support an ATA Password option (this is distinct and in addition to the BIOS password). Now the interesting bit . . . no one mentions this feature. Not in mobo reviews, comparisons, and certainly not in the advertisements and listings of the mobo manufacturers. Why not? Millions upon millions of Samsung EVO and Intel SSDs are ready to have ultrafast and ultrasecure hardware encryption enabled, all they need is a BIOS with ATA Password support.



                        The only answer I could find is that Mobo makers are afraid a few noobs will forget their passwords, and since this encryption is so reliable, no one AT ALL will be able to help.



                        I had an ASRock Extreme6 mobo, and thinking it was the latest and greatest, of course it would have this feature. Not. However, I wrote to ASRock in Taiwan and in a week they emailed me the 1.70B version of their BIOS with an ATA Password option. However, it's still not available on their website, you have to ASK for it (?!). This may be the case with your mobo makers as well.







                        share|improve this answer












                        share|improve this answer



                        share|improve this answer










                        answered Jan 8 '15 at 6:50









                        Al WinstonAl Winston

                        314




                        314













                        • Does this BIOS support suspend to RAM sleep mode? Does it unlock the drive while resuming from sleep?

                          – ZAB
                          Jun 14 '15 at 18:25



















                        • Does this BIOS support suspend to RAM sleep mode? Does it unlock the drive while resuming from sleep?

                          – ZAB
                          Jun 14 '15 at 18:25

















                        Does this BIOS support suspend to RAM sleep mode? Does it unlock the drive while resuming from sleep?

                        – ZAB
                        Jun 14 '15 at 18:25





                        Does this BIOS support suspend to RAM sleep mode? Does it unlock the drive while resuming from sleep?

                        – ZAB
                        Jun 14 '15 at 18:25











                        1














                        It's possible to use the hdparm command in Linux to enable ATA Security Extensions, which will set the AT password on the drive, thereby encrypting it.



                        Unfortunately, if your BIOS doesn't support hard disk passwords then there's no way to boot after you do that, since you can't use the hdparm unlock command until after you're done booting, and you can't unlock and boot off the drive until after you unlock it. Kind of a chicken/egg problem. That's why they sometimes put disk password support in the BIOS, so it can run without needing an OS.



                        If you have the /boot or / partition on a separate device you might be able to set up a script that uses the hdparm command somewhere in the init process. This isn't easy, and kind of defeats the purpose of having the SSD for fast booting and such.



                        My only other idea would be to have a thumb drive with a super-minimal distro of Linux that does nothing but prompt for the password, run the hdparm ata unlock command, and reboot, allowing the OS to load from your unlocked drive (I believe soft reboots generally don't re-lock drives). This is not ideal, but it's the best available solution if your motherboard doesn't support ATA passwords.






                        share|improve this answer




























                          1














                          It's possible to use the hdparm command in Linux to enable ATA Security Extensions, which will set the AT password on the drive, thereby encrypting it.



                          Unfortunately, if your BIOS doesn't support hard disk passwords then there's no way to boot after you do that, since you can't use the hdparm unlock command until after you're done booting, and you can't unlock and boot off the drive until after you unlock it. Kind of a chicken/egg problem. That's why they sometimes put disk password support in the BIOS, so it can run without needing an OS.



                          If you have the /boot or / partition on a separate device you might be able to set up a script that uses the hdparm command somewhere in the init process. This isn't easy, and kind of defeats the purpose of having the SSD for fast booting and such.



                          My only other idea would be to have a thumb drive with a super-minimal distro of Linux that does nothing but prompt for the password, run the hdparm ata unlock command, and reboot, allowing the OS to load from your unlocked drive (I believe soft reboots generally don't re-lock drives). This is not ideal, but it's the best available solution if your motherboard doesn't support ATA passwords.






                          share|improve this answer


























                            1












                            1








                            1







                            It's possible to use the hdparm command in Linux to enable ATA Security Extensions, which will set the AT password on the drive, thereby encrypting it.



                            Unfortunately, if your BIOS doesn't support hard disk passwords then there's no way to boot after you do that, since you can't use the hdparm unlock command until after you're done booting, and you can't unlock and boot off the drive until after you unlock it. Kind of a chicken/egg problem. That's why they sometimes put disk password support in the BIOS, so it can run without needing an OS.



                            If you have the /boot or / partition on a separate device you might be able to set up a script that uses the hdparm command somewhere in the init process. This isn't easy, and kind of defeats the purpose of having the SSD for fast booting and such.



                            My only other idea would be to have a thumb drive with a super-minimal distro of Linux that does nothing but prompt for the password, run the hdparm ata unlock command, and reboot, allowing the OS to load from your unlocked drive (I believe soft reboots generally don't re-lock drives). This is not ideal, but it's the best available solution if your motherboard doesn't support ATA passwords.






                            share|improve this answer













                            It's possible to use the hdparm command in Linux to enable ATA Security Extensions, which will set the AT password on the drive, thereby encrypting it.



                            Unfortunately, if your BIOS doesn't support hard disk passwords then there's no way to boot after you do that, since you can't use the hdparm unlock command until after you're done booting, and you can't unlock and boot off the drive until after you unlock it. Kind of a chicken/egg problem. That's why they sometimes put disk password support in the BIOS, so it can run without needing an OS.



                            If you have the /boot or / partition on a separate device you might be able to set up a script that uses the hdparm command somewhere in the init process. This isn't easy, and kind of defeats the purpose of having the SSD for fast booting and such.



                            My only other idea would be to have a thumb drive with a super-minimal distro of Linux that does nothing but prompt for the password, run the hdparm ata unlock command, and reboot, allowing the OS to load from your unlocked drive (I believe soft reboots generally don't re-lock drives). This is not ideal, but it's the best available solution if your motherboard doesn't support ATA passwords.







                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered Dec 17 '14 at 5:30









                            TexasDexTexasDex

                            961




                            961























                                0















                                • Storage type must be ACHI.

                                • The computer must always boot natively from UEFI.

                                • The computer must have the Compatibility Support Module (CSM) disabled in UEFI.

                                • The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).


                                • TPM chip is optional.


                                • Secure boot is optional.

                                • GPT and MBR are both supported.

                                • If there is RST software/drivers, it has to be at least version 13.2.4.1000.


                                This can be done with 2 disks or one.



                                From a Windows install that meets the above criteria:




                                • Set state to ready to enable via Samsung Magician.

                                • Make a secure erase USB (for DOS).

                                • Reboot PC, change boot mode to BIOS boot (for the secure erase USB)

                                • Boot into secure erase, erase

                                • Reboot PC, change BIOS boot settings to EFI again. (Do not let the PC start booting from the drive or you might start the process from the beginning.)

                                • Boot back to Windows disk and check via Samsung magician or install Windows to your secure erased disk.






                                share|improve this answer






























                                  0















                                  • Storage type must be ACHI.

                                  • The computer must always boot natively from UEFI.

                                  • The computer must have the Compatibility Support Module (CSM) disabled in UEFI.

                                  • The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).


                                  • TPM chip is optional.


                                  • Secure boot is optional.

                                  • GPT and MBR are both supported.

                                  • If there is RST software/drivers, it has to be at least version 13.2.4.1000.


                                  This can be done with 2 disks or one.



                                  From a Windows install that meets the above criteria:




                                  • Set state to ready to enable via Samsung Magician.

                                  • Make a secure erase USB (for DOS).

                                  • Reboot PC, change boot mode to BIOS boot (for the secure erase USB)

                                  • Boot into secure erase, erase

                                  • Reboot PC, change BIOS boot settings to EFI again. (Do not let the PC start booting from the drive or you might start the process from the beginning.)

                                  • Boot back to Windows disk and check via Samsung magician or install Windows to your secure erased disk.






                                  share|improve this answer




























                                    0












                                    0








                                    0








                                    • Storage type must be ACHI.

                                    • The computer must always boot natively from UEFI.

                                    • The computer must have the Compatibility Support Module (CSM) disabled in UEFI.

                                    • The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).


                                    • TPM chip is optional.


                                    • Secure boot is optional.

                                    • GPT and MBR are both supported.

                                    • If there is RST software/drivers, it has to be at least version 13.2.4.1000.


                                    This can be done with 2 disks or one.



                                    From a Windows install that meets the above criteria:




                                    • Set state to ready to enable via Samsung Magician.

                                    • Make a secure erase USB (for DOS).

                                    • Reboot PC, change boot mode to BIOS boot (for the secure erase USB)

                                    • Boot into secure erase, erase

                                    • Reboot PC, change BIOS boot settings to EFI again. (Do not let the PC start booting from the drive or you might start the process from the beginning.)

                                    • Boot back to Windows disk and check via Samsung magician or install Windows to your secure erased disk.






                                    share|improve this answer
















                                    • Storage type must be ACHI.

                                    • The computer must always boot natively from UEFI.

                                    • The computer must have the Compatibility Support Module (CSM) disabled in UEFI.

                                    • The computer must be UEFI 2.3.1 based and have the EFI_STORAGE_SECURITY_COMMAND_PROTOCOL defined. (This protocol is used to allow programs running in the EFI boot services environment to send security protocol commands to the drive).


                                    • TPM chip is optional.


                                    • Secure boot is optional.

                                    • GPT and MBR are both supported.

                                    • If there is RST software/drivers, it has to be at least version 13.2.4.1000.


                                    This can be done with 2 disks or one.



                                    From a Windows install that meets the above criteria:




                                    • Set state to ready to enable via Samsung Magician.

                                    • Make a secure erase USB (for DOS).

                                    • Reboot PC, change boot mode to BIOS boot (for the secure erase USB)

                                    • Boot into secure erase, erase

                                    • Reboot PC, change BIOS boot settings to EFI again. (Do not let the PC start booting from the drive or you might start the process from the beginning.)

                                    • Boot back to Windows disk and check via Samsung magician or install Windows to your secure erased disk.







                                    share|improve this answer














                                    share|improve this answer



                                    share|improve this answer








                                    edited Nov 3 '16 at 11:02









                                    karel

                                    9,26293139




                                    9,26293139










                                    answered Nov 3 '16 at 10:52









                                    Shadowws ShadowwShadowws Shadoww

                                    1




                                    1






























                                        draft saved

                                        draft discarded




















































                                        Thanks for contributing an answer to Super User!


                                        • Please be sure to answer the question. Provide details and share your research!

                                        But avoid



                                        • Asking for help, clarification, or responding to other answers.

                                        • Making statements based on opinion; back them up with references or personal experience.


                                        To learn more, see our tips on writing great answers.




                                        draft saved


                                        draft discarded














                                        StackExchange.ready(
                                        function () {
                                        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f833457%2fhow-to-enable-hardware-based-encryption-on-samsung-850-pro%23new-answer', 'question_page');
                                        }
                                        );

                                        Post as a guest















                                        Required, but never shown





















































                                        Required, but never shown














                                        Required, but never shown












                                        Required, but never shown







                                        Required, but never shown

































                                        Required, but never shown














                                        Required, but never shown












                                        Required, but never shown







                                        Required, but never shown







                                        Popular posts from this blog

                                        Сан-Квентин

                                        8-я гвардейская общевойсковая армия

                                        Алькесар