Setting a password on a hard disk under Linux

This article walks through an experiment that uses the hdparm command to lock and unlock a hard disk: setting a password to lock the disk, verifying that the disk is in the locked state, and unlocking the disk with the correct password.
Instead of finding someone or something to shoot at I tried to test the locking mechanism.

I have experimented with 3 hard disks, locked them and then unlocked them about a dozen times.

Haven't found a solution yet but can report its behaviour.

(1) To show both hard disks available

First as an example I started with two disks, sda for working and sdb is to be locked. I first became the root user (as Windows Admin) and showed the existence of the two disks by the Linux command "fdisk -l". I have colored the Linux commands in blue inside the boxes. The uncolored text is the response from the Linux kernel, to assist reading.
Code:
saikee@linux:~> su
Password:
linux:/home/saikee # fdisk -l

Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0xbe153241

Device Boot Start End Blocks Id System
/dev/sda1 1 12158 97659103+ 17 Hidden HPFS/NTFS
/dev/sda2 * 12159 24316 97659135 7 HPFS/NTFS
/dev/sda3 24317 36598 98655165 5 Extended
/dev/sda4 36599 60801 194410597+ 83 Linux
/dev/sda5 24317 24438 979933+ 82 Linux swap / Solaris
/dev/sda6 24439 25654 9767488+ 83 Linux
/dev/sda7 25655 26870 9767488+ 83 Linux
/dev/sda8 26871 28086 9767488+ 83 Linux
/dev/sda9 28087 29302 9767488+ 83 Linux
/dev/sda10 29303 30518 9767488+ 83 Linux
/dev/sda11 30519 31734 9767488+ 83 Linux
/dev/sda12 31735 32950 9767488+ 83 Linux
/dev/sda13 32951 34166 9767488+ 83 Linux
/dev/sda14 34167 35382 9767488+ 83 Linux
/dev/sda15 35383 36598 9767488+ 83 Linux

Disk /dev/sdb: 61.4 GB, 61492838400 bytes
255 heads, 63 sectors/track, 7476 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0xba91ba91

Device Boot Start End Blocks Id System
/dev/sdb1 * 1 7476 60050938+ c W95 FAT32 (LBA)
Secondly I confirmed the sdb status by the command hdparm with the -I option. hdparm is the only command to lock and unlock the disk.
Code:
linux:/home/saikee # hdparm -I /dev/sdb
Security:
Master password revision code = 65297
supported
not enabled
not locked

not frozen
not expired: security count
not supported: enhanced erase
36min for SECURITY ERASE UNIT.

Checksum: correct
(note: the display of "hdparm -I" has been truncated except showing the last relevant section)
At this stage the disk is not locked.

(2) To show how one disk is locked


I then locked the disk device sdb twice, first as the master (m) using a password "somebody" and then as the user (u) by password "anybody".
Code:
linux:/home/saikee # hdparm --user-master m --security-mode h --security-set-pass somebody /dev/sdb
security_password="somebody"

/dev/sdb:
Issuing SECURITY_SET_PASS command, password="somebody", user=master, mode=high
linux:/home/saikee # hdparm --user-master u --security-mode h --security-set-pass anybody /dev/sdb
security_password="anybody"


/dev/sdb:
Issuing SECURITY_SET_PASS command, password="anybody", user=user, mode=high
linux:/home/saikee # reboot
The above commands were accepted by Linux and so the disk has a record of both master and user passwords. The locking by the master does not lock the disk at all. The disk can only be locked if a password is set when the "user" switch is used. I then rebooted the PC.

(3) To show the results after a disk has been locked

After reboot the PC took longer to boot because an operating system found it hard to understand what is going on with a hard disk that cannot be read. I found one Linux kernel, Ubuntu 8.04, hung, but others just spent time displaying the error while trying to read the disk.

The following 3 items of information confirmed the disk is indeed locked:

(1) If an attempt is made to boot the locked disk the BIOS would report
Code:
DISK BOOT FAILURE, INSERT SYSTEM DISK AND PRESS RETURN
(2) If the disk is booted by Grub, which is a Linux boot loader capable of booting any installed PC system, it reported
Code:
Error 22 Disk read error
If the disk does not exist the normal error in Grub is "Error 21 : Selected disk does not exist". Here the disk was not displayed, but I knew it was there and could ask Grub to show its geometry by the command "geometry (hd0)", hence the error reported.

(3) In an operational operating system the disk is simply not reported.

I now booted a Linux (Open Suse) in sda disk (which has XP, Vista and 10 Linux distros) and the response of command "fdisk -l" confirmed the disk sdb wasn't there.
Code:
linux:/home/saikee # fdisk -l

Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0xbe153241

Device Boot Start End Blocks Id System
/dev/sda1 1 12158 97659103+ 17 Hidden HPFS/NTFS
/dev/sda2 * 12159 24316 97659135 7 HPFS/NTFS
/dev/sda3 24317 36598 98655165 5 Extended
/dev/sda4 36599 60801 194410597+ 83 Linux
/dev/sda5 24317 24438 979933+ 82 Linux swap / Solaris
/dev/sda6 24439 25654 9767488+ 83 Linux
/dev/sda7 25655 26870 9767488+ 83 Linux
/dev/sda8 26871 28086 9767488+ 83 Linux
/dev/sda9 28087 29302 9767488+ 83 Linux
/dev/sda10 29303 30518 9767488+ 83 Linux
/dev/sda11 30519 31734 9767488+ 83 Linux
/dev/sda12 31735 32950 9767488+ 83 Linux
/dev/sda13 32951 34166 9767488+ 83 Linux
/dev/sda14 34167 35382 9767488+ 83 Linux
/dev/sda15 35383 36598 9767488+ 83 Linux
linux:/home/saikee # hdparm -I /dev/sdb
Security:
Master password revision code = 65297
supported
enabled
locked

not frozen
not expired: security count
not supported: enhanced erase
Security level high
36min for SECURITY ERASE UNIT.

Checksum: correct
It is noteworthy that although the device sdb was not reported, the Linux kernel still knew it was there, and the command hdparm could find the relevant disk information and reported that it was indeed locked, as shown by the last section of the display above.

The locked disk is not available at the software level but there seems to be a limited access from the hardware level. It did not respond to the dd command with which I could possibly copy its MBR or any sector out to have a look. To the operating system itself the disk simply does not exist.

Since a raw disk, directly off a new purchase, would still respond to the command "fdisk -l", the evidence would suggest the locking mechanism could possibly be part of the controller physically attached to the hard disk, with a function inhibiting the disk from being read sensibly, judging from the amount of errors a Linux kernel reports when detecting the locked disk.

(4) To show how a hard disk is unlocked (requiring the knowledge of the password)

To unlock it I just use the hdparm command again with the "--security-disable" switch and the master password "somebody".
Code:
linux:/home/saikee # hdparm --user-master m --security-disable somebody /dev/sdb
security_password="somebody"

/dev/sdb:
Issuing SECURITY_DISABLE command, password="somebody", user=master
Linux then immediately reported that the disk was no longer locked when "hdparm -I /dev/sdb" was issued
Code:
linux:/home/saikee # hdparm -I /dev/sdb
Security:
Master password revision code = 65297
supported
not enabled
not locked

not frozen
not expired: security count
not supported: enhanced erase
36min for SECURITY ERASE UNIT.

Checksum: correct
Naturally it showed up in "fdisk -l". (output not shown due to the limitation of the post length)

The disk at this stage is not yet available from the Bios but will be operational after a reboot.

I have tried all the security switches of the hdparm command but did not find a way to overcome a locked hard disk unless I have a prior knowledge of either the user or master password.

However, as I could unlock the disk with an operating system, this means I could possibly ask the same operating system to display the reserved password location of the hard disk and obtain the knowledge of the previous password, say just for the purpose of unlocking it. Unfortunately I am not experienced enough to do this yet and as a security measure there is almost nothing written on the subject.

For completeness I also post the help section relating to the --security switches of the hdparm command. All the locking and unlocking activities involve the use of just one command, hdparm, and nothing else.

Code:
linux:/home/saikee # hdparm --security-help

ATA Security Commands:
Most of these are VERY DANGEROUS and can KILL your drive!
Due to bugs in most Linux kernels, use of these commands may even
trigger kernel segfaults or worse. EXPERIMENT AT YOUR OWN RISK!

--security-freeze Freeze security settings until reset.

--security-set-pass PASSWD Lock drive, using password PASSWD:
Use 'NULL' to set empty password.
Drive gets locked if user-passwd is selected.
--security-unlock PASSWD Unlock drive.
--security-disable PASSWD Disable drive locking.
--security-erase PASSWD Erase a (locked) drive.
--security-erase-enhanced PASSWD Enhanced-erase a (locked) drive.

The above four commands may optionally be preceeded by these options:
--security-mode LEVEL Use LEVEL to select security level:
h high security (default).
m maximum security.
--user-master WHICH Use WHICH to choose password type:
u user-password.
m master-password (default).
linux:/home/saikee #
Explanation of the commands

The locking command

linux:/home/saikee # hdparm --user-master u --security-mode h --security-set-pass anybody /dev/sdb

The --user-master switch is to select u for user and m for master. The disk can only be locked if "u" is selected for this switch. Type "m" doesn't lock the disk at all; it only sets up a password inside the hard disk.
The --security-mode switch is to select h for high and m for maximum. If m is selected the disk can only be re-used after being completely erased.
The --security-set-pass switch, followed by the password, is to lock the disk, making it unavailable for use.
The password used is of type "u", "anybody", while the device to be locked is /dev/sdb.

The unlocking command


linux:/home/saikee # hdparm --user-master m --security-disable somebody /dev/sdb

Only the --security-disable switch with the appropriate password can unlock the disk. I purposely used a different password, previously established as the master password, to unlock the disk. The --security-unlock switch seems only to inhibit the disk from being locked in the first place. The feature disappears if the PC is booted.
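The post reads the lock state off the Security section of "hdparm -I" by eye. As an added example (not code from the post or from the hdparm project), here is a POSIX shell check that parses that section from stdin into a one-line state summary, so an inventory or boot-time script can flag a disk that is enabled, locked or frozen. The two sample outputs are constructed with hdparm's real tab indentation to match the locked and unlocked states shown above.

```shell
#!/bin/sh
# Parse the "Security:" section of `hdparm -I` output read from stdin and print
#   supported=<yes|no> enabled=<yes|no> locked=<yes|no> frozen=<yes|no> level=<high|maximum|none>
# hdparm prints "not" and the keyword as separate tab-separated words, so whitespace
# is trimmed and collapsed before each line is compared.
ata_security_state() {
    awk '
        BEGIN { insec = 0; sup = "no"; en = "no"; lk = "no"; fr = "no"; lvl = "none" }
        /^Security:/ { insec = 1; next }
        # The section ends at the next unindented heading, e.g. "Checksum:"
        insec && /^[^ \t]/ { insec = 0 }
        !insec { next }
        {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)   # trim
            gsub(/[ \t]+/, " ", line)           # collapse tabs/spaces
        }
        line == "supported"              { sup = "yes" }
        line == "not supported"          { sup = "no" }
        line == "enabled"                { en = "yes" }
        line == "not enabled"            { en = "no" }
        line == "locked"                 { lk = "yes" }
        line == "not locked"             { lk = "no" }
        line == "frozen"                 { fr = "yes" }
        line == "not frozen"             { fr = "no" }
        line == "Security level high"    { lvl = "high" }
        line == "Security level maximum" { lvl = "maximum" }
        END { printf "supported=%s enabled=%s locked=%s frozen=%s level=%s\n", sup, en, lk, fr, lvl }
    '
}

# Exit 0 when the drive reports itself locked, 1 otherwise (usable in `if`).
ata_is_locked() {
    case " $(ata_security_state) " in
        *" locked=yes "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples (not captured from a real drive) mirroring the post's two states.
SAMPLE_LOCKED=$(printf 'Security: \n\tMaster password revision code = 65297\n\t\tsupported\n\t\tenabled\n\t\tlocked\n\tnot\tfrozen\n\tnot\texpired: security count\n\tnot\tsupported: enhanced erase\n\tSecurity level high\n\t36min for SECURITY ERASE UNIT.\nChecksum: correct\n')
SAMPLE_UNLOCKED=$(printf 'Security: \n\tMaster password revision code = 65297\n\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n\tnot\tfrozen\n\tnot\texpired: security count\n\tnot\tsupported: enhanced erase\n\t36min for SECURITY ERASE UNIT.\nChecksum: correct\n')

# Usage against the samples; on a live system pipe `hdparm -I /dev/sdX` instead.
printf '%s\n' "$SAMPLE_LOCKED" | ata_security_state
printf '%s\n' "$SAMPLE_UNLOCKED" | ata_security_state
```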
Setting a password on a hard disk from within the operating system is a common data-protection measure that effectively prevents unauthorised access. Different operating systems and disk types (internal disks, portable disks) use different methods. The methods for the different scenarios are given below:

### Setting a disk password in Windows 7

In Windows 7 a disk can be encrypted with the BitLocker feature. The steps are as follows:

1. Open "My Computer", find the disk to encrypt, right-click it and choose "Turn on BitLocker".
2. The system prompts for the way the drive is to be unlocked; you can choose a password or a smart card.
3. Set a strong password and choose where to save the recovery key (saving it to a Microsoft account or another safe place is recommended).
4. Choose the encryption mode; the "new encryption mode (for devices that support it)" is recommended for better performance.
5. Start the encryption; once it finishes, the disk requires the password before it can be accessed[^3].

### Setting a password on a portable hard disk

For a portable hard disk, BitLocker can likewise be used for password protection. The steps are similar to the above:

1. Connect the portable disk to the computer and open File Explorer.
2. Right-click the portable disk icon and choose "Turn on BitLocker".
3. Follow the wizard to set a password and choose how the recovery key is saved.
4. Choose a suitable encryption mode and start the encryption[^2].

### Removing the GRUB password on a Linux system

If you are using Linux and want to remove the password protection on the GRUB boot loader, it can be done with the following steps:

1. Boot the system from a Live CD into the trial environment.
2. Check the disk information to identify the partition holding the system.
3. Mount the system disk and enter a chroot environment.
4. Edit the `/etc/grub.d/40_custom` file and comment out the lines containing `password`.
5. Update the GRUB configuration, exit the chroot and reboot the system[^4].

### Example code: removing the GRUB password on Linux

```bash
# Mount the root partition (this example assumes the system lives on /dev/sda1)
sudo mount /dev/sda1 /mnt
# Bind-mount the other file systems the chroot needs
sudo mount --bind /dev /mnt/dev
sudo mount --bind /proc /mnt/proc
sudo mount --bind /sys /mnt/sys
# Enter the chroot environment
sudo chroot /mnt
# Edit the grub configuration file and comment out the password line
nano /etc/grub.d/40_custom
# Regenerate the grub configuration
update-grub
# Leave the chroot environment
exit
# Unmount the mount points
sudo umount /mnt/dev /mnt/proc /mnt/sys
sudo umount /mnt
# Reboot the system
reboot
```

With the methods above, a disk password can be set, or an existing password setting adjusted, on the various operating systems according to need. Keeping data secure is something every user should take seriously.