Unlock hard drive vs full-disk encryption

There are (typically) three types of on-boot authentication:

  • BIOS boot password
  • Drive locking mechanisms (e.g. HP DriveLock)
  • Full disk encryption (e.g. TrueCrypt / OpenPGP)

The BIOS boot password is simply a logical check inside the BIOS chip, which can be bypassed by flashing the BIOS manually or replacing the chip. It's a soft protection mechanism.

Full disk encryption is a proper security mechanism that involves actively encrypting the entire disk, and using a password or other authentication materials to decrypt the disk data on boot. This is typically performed via 3rd party software, but may also be integrated into the disk hardware.

Drive locking mechanisms are (usually) a proprietary feature of certain laptops, e.g. HP DriveLock. These involve encrypting the low sectors of the hard disk, i.e. the sectors that contain things like telemetry and bad sector mapping. When these are scrambled, a traditional drive controller cannot access the disk. This doesn't encrypt the data of the disk. It is possible to do a full hardware-level image of the sectors from a known set of telemetry and manually carve the file systems out, but it's a significant barrier against all but the best equipped attackers.


In the past, it was a logical control on the physical drive. Even swapping out the drive electronics couldn't circumvent the password, so it took advanced tools, or hacked hardware to bypass the password.

Some 5 years ago or so, they began to do AES encryption on the disk itself, shipping the disk encrypted and encrypting the key with your password when you set it using the ATA Security Extensions.

Hitachi has a good FAQ about this:

Bulk Data Encryption – FAQ

Other manufacturers also provide similar features, on HDDs and SSDs.

http://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption

That said, a couple things to be aware of:

  • Not all disks do this.
  • This is black-box encryption

It's black-box because although they claim to use AES128, there's no reasonable way to verify it. And although they claim to do it properly, there's no way to inspect their implementation.

A few years ago I sent them a simple question... if all the drives ship from the factory with encryption turned on, then how do they seed their random key?

I never got an answer and I never heard anyone provide a reasonable explanation. For all we know, all the keys on all the drives are identical. Unless you have a method to bypass the drive electronics to read the raw, encrypted platters, you will never know. Even if you execute an ATA SE "secure erase" function to delete the key, you don't know how the new key is being generated.

Because of this, I don't rely on this technology to secure systems.


The password to unlock the hard drive may be full disk encryption at work. The password you enter to unlock the hard drive is the password used to encrypt the key, which is in turn used to encrypt the contents of the drive. So, if you were to pull your drive out of the machine it's in and hook it up to another computer, you would likely find only an encrypted volume.
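An added model (not from any answer above, and not a real drive's firmware) of the scheme the two answers describe: a drive ships with a factory-seeded data encryption key (DEK), the ATA security password only wraps that DEK, a password change re-wraps without touching the platter, and secure erase just replaces the DEK. The `SelfEncryptingDrive` class, the HMAC-SHA256 keystream standing in for the drive's AES engine, and the `dek_source` hook that models how well the factory seeded the key are all constructed here; the last function shows why identical factory keys would only be noticeable by reading raw platters.

```python
import hashlib, hmac, os

def _ks(key: bytes, n: int) -> bytes:
    # Stand-in for the drive's AES engine: HMAC-SHA256 in counter mode (constructed for this model)
    return b"".join(hmac.new(key, i.to_bytes(8, "big"), "sha256").digest() for i in range(n // 32 + 1))[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _kek(password: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the ATA security password; it never touches the data directly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=32)

class SelfEncryptingDrive:
    """Model of a drive that leaves the factory already encrypting under a DEK the vendor seeded."""
    def __init__(self, dek_source=os.urandom):
        self.dek = dek_source(32)        # factory-generated; its quality is whatever dek_source provides
        self.salt = os.urandom(16)
        self.wrapped = None              # no user password yet: the controller unlocks for anyone
        self.platter = b""               # what a forensic bypass of the controller would read
        self.check = hmac.new(self.dek, b"dek-check", "sha256").digest()

    def write(self, plaintext: bytes) -> None:
        self.platter = _xor(plaintext, _ks(self.dek, len(plaintext)))  # encrypted from day one

    def set_password(self, password: str) -> None:
        self.wrapped = _xor(self.dek, _kek(password, self.salt))       # only the DEK is (re)wrapped

    def unlock(self, password: str):
        dek = self.dek if self.wrapped is None else _xor(self.wrapped, _kek(password, self.salt))
        if not hmac.compare_digest(hmac.new(dek, b"dek-check", "sha256").digest(), self.check):
            return None                  # wrong password: controller refuses, platter stays opaque
        return _xor(self.platter, _ks(dek, len(self.platter)))

    def secure_erase(self, dek_source=os.urandom) -> None:
        # ATA secure erase on such a drive: replace the DEK, so existing ciphertext becomes noise
        self.dek, self.wrapped = dek_source(32), None
        self.check = hmac.new(self.dek, b"dek-check", "sha256").digest()

def password_change_rewrites_platter() -> bool:
    d = SelfEncryptingDrive(); d.write(b"secret payroll"); d.set_password("first")
    before = d.platter; d.set_password("second")
    return d.platter != before           # False: the data was never re-encrypted

def identical_factory_keys_visible_on_raw_platters() -> bool:
    # If the factory seeded every drive with the same DEK, two drives holding the same data carry
    # identical raw ciphertext, which only a read that bypasses the controller could reveal
    fixed = lambda n: b"\x42" * n        # constructed worst-case seeding
    a, b = SelfEncryptingDrive(fixed), SelfEncryptingDrive(fixed)
    a.write(b"same file"); b.write(b"same file")
    return a.platter == b.platter
```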