In a previous post I have looked at what hard disk password protection would do for me and what its limitations are. One issue is that it’s no longer straight forward to just use a password protected drive in a USB to SATA converter as a lower level ATA command is required to unlock the drive. On Linux, the drive can be unlocked with ‘hdparm‘ but there are a couple of pitfalls that took me quite some time to figure out.
The Right USB to SATA Converter
The first pitfall is that the USB to SATA converter must support the relatively new UAS protocol. If you want to buy an adapter, have a look if the protocol is supported. In a follow up post I will describe how to check for support of an adapter you already have and how I fixed some trouble I had with unlocking a drive when the adapter was connected via USB3.
Lenovo BIOS Password Hashing
The next pitfall is that the BIOS of many notebook/PC manufacturers doesn’t send the password ‘as-is’ to the drive but modifies it in some way. As a result, hdparm will fail if used with the password as it was typed in.
For background info what Dell is doing, have a look here. Not sure if this will help you. For Lenovo, Jethro Beekman figured things out a couple of years ago and wrote a short script to generate the byte sequence Lenovo sends to the drive. George Georgovassilis picked this up and put together a simple procedure in a post on his blog. So I gave this a try but unfortunately, bash has changed somewhat over time and gave me a bit of trouble with a NULL-byte that is contained in the byte sequence for my plain text password. So I modified the procedure slightly so that Jethro’s script output is piped into a binary to hex converter to create a text string that is also accepted by hdparm. This way, the password hash can contain NULL bytes without bash tripping over them. So without further ado, here is my updated procedure that basically does the following:
- It uses hdparm to ask the drive for it’s identity information. Together with the user’s password this information is used to generate a different hash string for each drive, even if the same password is used every time.
- It then calls Jethro’s Lenovo password utility (pw.rb) and gives it the drive information. The password utility will then ask the user for the password and outputs the resulting binary hash stream.
- As my Bash configuration interpretsĀ NULL bytes as string delimiters and not as valid characters, my adaptation of the script pipes the result straight into xxd which generates a plain text hex string (0-9, A-F chars). This gets around the Bash NULL byte problem.
- And finally, hdparm is called again with the generated hex string to unlock the drive.
# One time tool installation sudo apt install ruby git clone https://github.com/jethrogb/lenovo-password.git cd lenovo-password # Use of the tool # Note: replace 'sdb' with your disk drive device name # in BOTH hdparm calls! sudo hdparm --Istdout /dev/sdb > drive-info.bin PP="$(ruby pw.rb drive-info.bin | xxd -p -c 10000)" echo $PP sudo hdparm --security-unlock hex:$PP /dev/sdb sudo partprobe
And here is how the ‘Security’ part of hdparam looks like before and after the drive is unlocked.
######## LOCKED OUTPUT hdparm -I /dev/sdb
Security:
Master password revision code = 16385
supported
enabled
locked
not frozen
not expired: security count
supported: enhanced erase
######### UN-LOCKED OUTPUT hdparm -I /dev/sdb
Security:
Master password revision code = 16385
supported
enabled
not locked
not frozen
not expired: security count
supported: enhanced erase
How To Force The OS To Reload Partition Information
And the last piece of the puzzle: After unlocking, my system didn’t detect the partitions on the drive at first. Even the disks utility came up empty. The solution for this is to run partprobe, so the kernel updates its partition table. Alternatively, runningĀ gparted does the job as well. After that, the partitions can be mounted with gparted, the disks utility or, in Ubuntu 20.04, the Nautilus file explorer picks up the change automatically as well.
Doing Things Quickly The Second Time Around
It’s a bit of a long story here but if you need to unlock a limited number of drives every now and then you can note the output of echo $PP for each drive and then just run the hdparam –security-unlock command and then update the partition table with partprobe instead of going through the whole process each time.