Enable SED on MX300

Kilobyte Kid

Enable SED on MX300

I got the 1TB SATA3 MX300 installed as a data drive (non-OS) and I'm looking to enable this feature to get my whole drive encrypted. Heard you need Crucial Storage Executive. Some points I need to make:

 

-I need this to be on hardware level

-Crucial Storage Executive requires installation; I only run portable executables to avoid cluttering and conflicts

-Will this be done on the fly while the OS is running, or do I need to format the drive?

13 Replies
JEDEC Jedi

Re: Enable SED on MX300

Storage Exec isn't for encryption. You can use Windows Bitlocker for that. See here: http://forum.crucial.com/t5/Crucial-SSDs/An-Overview-of-Hardware-Encryption/ta-p/181035

 

 

Storage Exec supports diagnostics, ram caching, firmware updates, over provisioning but not encryption.

_______________________________________
How do I know what memory to buy?
Shop for your region: US | UK | EU | France | Global
I think my memory is bad. What do I do now?
FAQs and Top Forum Solutions
We want your feedback! Post in the Suggestion Box
Did a user help you? Say thanks by giving Kudos!
Still need help? Contact Customer Service
Want to be a Super User?
Kilobyte Kid

Re: Enable SED on MX300

Bitlocker does this on a software level as far as I'm concerned. I need this to be on a hardware BIOS level and also take advantage of the SED capabilities.

JEDEC Jedi

Re: Enable SED on MX300

As the article says, the drives are always hardware encrypted.  You just need something to manage the encryption key - which Bitlocker can do.

 

As for your BIOS, you normally can't apply an ATA password to a drive that has been put into eDrive mode.  Microsoft will put a drive into eDrive mode during Windows install.  You would have to factory reset the drive (via PSID Revert from Storage Exec) to switch back to ATA.

JEDEC Jedi

Re: Enable SED on MX300

 

If you are using Win10 Pro you should be able to use Bitlocker to take advantage of the MX300's hardware encryption like targetbsp suggested.   I don't believe it is possible to use hardware encryption with Bitlocker when using Win10 Home Edition, but I may be mistaken on this point.   You can verify if Bitlocker is using hardware encryption by using the following command in a terminal:

 

manage-bde -status

The "encryption method" should say "hardware", otherwise Bitlocker is using software encryption.

 

If you don't want to upgrade to Win10 Pro, there are other ways to take advantage of the MX300's hardware encryption.   I believe there are some third party applications which can manage the encryption key, but I personally know nothing about them.   If you don't use software to manage the Authentication Key, then it might be possible to manually configure the computer's TPM to secure your SSD's encryption keys.   Some systems don't allow manual configuration of TPM settings.   

 

FYI, an SED such as the MX300 is technically always encrypting the data on the SSD as targetbsp mentions, however, the drive's data encryption keys are not secured by default. To secure the SSD you need to encrypt the SSD's data encryption key or enable a security lock on the SSD.

 

The most common way to encrypt the SSD's internal data encryption key with Windows is by using software such as Bitlocker to manage the process. On newer laptops the UEFI TPM setting will encrypt the Authentication Key which is used to encrypt the SED's hardware encryption key making it secure. Be sure to make a copy of the Authentication Key (Recovery Key) and keep it safe so you can possibly access the encrypted data if the SSD is moved to another system in case your computer's hardware becomes unusable.

 

Another method is to use a BIOS or ATA Security lock which forces a password to be entered before the SSD can be accessed at any level.   Be careful using a BIOS password to lock the SSD as this method has a history of issues due to improperly implemented support in the BIOS itself.   The BIOS hard drive password method is really just using ATA Security on the SSD so it is better to first set the ATA Security Password directly on the SSD.   It may be possible to unlock it with the BIOS hard drive password depending on its implementation at least for a boot drive (not sure about a secondary drive, otherwise software would be needed to unlock the ATA Security in order to access the drive).  This also ensures the SSD can be unlocked when connected to another system, but it only requires your ATA Security password to unlock.   I believe this method is less secure than the TPM method.   As targetbsp mentions, if eDrive mode is already activated this method is not usable until eDrive is disabled.   

 

Here is a more in-depth look at encryption which I found while checking the link in targetbsp's earlier post.   While the whole document is educational, the most relevant sections for you are pages 7-8, and 10-12.

Kilobyte Kid

Re: Enable SED on MX300

This is a new topic I'm touching on, so with me not being familiar with the concept and terminology, I'm taking my time in going through your responses and the articles.

 

So the drives are always encrypting but they need their passwords to be encrypted as well so as to arm them, and have a drive that none can access.

ATA protection seems to be legacy, and I wouldn't want to mess with that. So it leaves the Bitlocker or TPM options.

 

-First off let me say that putting in a password each time I log in looks to be nagging and troublesome. My laptop is equipped with a fingerprint scanner. Can I use that instead, which feels much easier?

 

-How can I make sure if my laptop (HP 430 G3) is equipped with a TPM module? I'd much rather have the encryption stored there than on any Bitlocker or other third-party software solution.

 

-In case I lose the encryption key that I store, does that mean the drive gets indefinitely unusable, until I revert the PSID and default it, but lose all data in the process?

JEDEC Jedi

Re: Enable SED on MX300

I'm afraid I've never played with encryption so I don't know much about setting it up but the last statement is true, yes.  The only way you can access the drive again if you lose the authentication to it is to PSID revert it which will wipe the drive.

Kilobyte Kid

Re: Enable SED on MX300


@HWTech wrote:

 

If you are using Win10 Pro you should be able to use Bitlocker to take advantage of the MX300's hardware encryption like targetbsp suggested.   I don't believe it is possible to use hardware encryption with Bitlocker when using Win10 Home Edition, but I may be mistaken on this point.   You can verify if Bitlocker is using hardware encryption by using the following command in a terminal:

 

manage-bde -status

The "encryption method" should say "hardware", otherwise Bitlocker is using software encryption.


It says AES-128, not hardware, and it feels so slow.

 

Moreover, since I only encrypted the D: drive I cannot turn auto-unlock on, and when I boot into Windows I have an error that it cannot find the desktop location (since I have moved the library onto D). Taskbar icons disappear as well, even though the appdata folder is on and is unencrypted during boot.

 

Lots of weird issues now that I've encrypted.

Kilobyte Kid

Re: Enable SED on MX300

Guys, I'd really need some help. So unless I got a TPM module to store the key, I can't get hardware level encryption? My encryption as stated previously seems to be only software deep and this really bothers me.

 

My model seemingly included TPM as shown here:

 

https://www.cnet.com/products/hp-probook-430-g3-13-3-core-i7-6500u-8-gb-ram-256-gb-ssd-us/specs/

 

Embedded Security: Trusted Platform Module (TPM) Security Chip

So do I need to perform any extra steps?

JEDEC Jedi

Re: Enable SED on MX300

If you can't get the help you need here, try contacting Crucial support via the customer services link in my signature.
