HPA in laptops as an alternative to a recovery disc

Laptop vendors may or may not supply a recovery disc. Those who do not generally place the original Windows installation in a special partition, together with a tool that can deploy that installation back onto the drive.

Such a partition is placed at the end of the drive and hidden from Windows by means of an HPA (Host Protected Area, described nicely at www.disk-space-guide.com): the drive is told to report a smaller capacity than it really has, so the OS never sees the sectors beyond that limit.

The recovery process on a laptop with a Host Protected Area typically goes like this:

  • you press a certain key combination during the startup sequence
  • the BIOS lifts the HPA limit, so the full capacity of the drive becomes visible
  • Windows is loaded from the recovery partition that has just appeared
  • a special tool starts from that partition; it formats the drive and copies the factory Windows installation to the disk

When the recovery is complete, the HPA is set back. Software-wise, the laptop is then as good as new from the store. Keep in mind that the tool formats the drive, so any user data on it is gone; back it up before starting.
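Because the hidden area is simply the tail of the drive beyond the reported capacity, its presence and size can be checked from the visible and native sector counts. The following is an added example, not code from the original page: it parses the output of `hdparm -N` on Linux, which prints exactly those two numbers, and reports the LBA range the OS (and any imaging tool that trusts the reported capacity) will not see. The two sample outputs are constructed; on a real machine run `hdparm -N /dev/sda` as root and feed its output to `parse_hdparm_n()`. The 512-byte sector size is an assumption.

```python
"""Added example, not from the original page: detect a Host Protected Area
from the output of `hdparm -N` on Linux, which prints the visible and native
maximum sector counts.  The two sample outputs below are constructed."""
import re
from typing import NamedTuple

SECTOR_BYTES = 512  # assumed logical sector size; confirm with `hdparm -I`

_MAX_SECTORS = re.compile(
    r"max sectors\s*=\s*(?P<visible>\d+)/(?P<native>\d+)\S*,\s*HPA is (?P<state>enabled|disabled)"
)


class Hpa(NamedTuple):
    visible_sectors: int   # what the OS and any imaging tool will see
    native_sectors: int    # what the drive really has
    enabled: bool

    @property
    def hidden_sectors(self) -> int:
        return self.native_sectors - self.visible_sectors

    @property
    def hidden_range(self):
        """LBA range invisible to the OS: starts right after the last visible sector."""
        if not self.hidden_sectors:
            return None
        return (self.visible_sectors, self.native_sectors - 1)

    def describe(self) -> str:
        if not self.hidden_sectors:
            return "no HPA: full capacity visible"
        gib = self.hidden_sectors * SECTOR_BYTES / 2**30
        first, last = self.hidden_range
        return f"HPA hides {self.hidden_sectors} sectors ({gib:.2f} GiB), LBA {first}-{last}"


def parse_hdparm_n(output: str) -> Hpa:
    """Pick the 'max sectors = visible/native, HPA is ...' line out of hdparm -N output."""
    m = _MAX_SECTORS.search(output)
    if m is None:
        raise ValueError("no 'max sectors = visible/native, HPA is ...' line found")
    return Hpa(int(m["visible"]), int(m["native"]), m["state"] == "enabled")


# Constructed samples in the layout hdparm prints: device line, then the max sectors line.
SAMPLE_WITH_HPA = "/dev/sda:\n max sectors   = 956301312/976773168, HPA is enabled\n"
SAMPLE_NO_HPA = "/dev/sdb:\n max sectors   = 976773168/976773168, HPA is disabled\n"

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_HPA, SAMPLE_NO_HPA):
        print(parse_hdparm_n(sample).describe())
```

The forensic point of the check: a sector-by-sector image taken with the HPA in place stops at the visible count, so the recovery partition (or anything else someone parked there) is missing from the image unless the HPA is lifted first.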

Is it possible to boot off the software RAID 1?

Rumour has it that it is impossible to boot an operating system from a software RAID array.

This is not quite true. All the widespread boot loaders, namely the ones from Windows NT/2000 onwards, Linux LILO, and GRUB, can boot from a RAID 1 volume, because each member of a mirror holds a complete, directly readable copy of the data.

Further steps are needed for a bootable mirror, though. Mirroring covers the partitions, not the Master Boot Record, so you must put the boot code into the MBR of the second drive yourself: on Linux by running the boot loader installer against each member drive, or on any system by copying the boot code bytes of the first sector (but not the partition table and disk signature that follow them). Otherwise, when the boot drive crashes, you are left with an unbootable system.

There will certainly be no loss of data; all you need to do is mount the surviving drive in a known good system and read it. But you get no automatic recovery: if the boot drive dies, the machine may keep running until the next reboot, and then it will not come up until the boot sector on the survivor has been fixed.
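The copy has to be selective, because the first sector is not just boot code: bytes 0 to 439 hold the loader stage, 440 to 443 hold the Windows disk signature (which must stay unique per drive), 446 to 509 hold the partition table, and 510 to 511 hold the 55 AA marker the BIOS checks before booting. The following is an added example, not code from the original page: it copies only the loader bytes to the second drive's MBR and then verifies what changed and what was preserved. It works on files, so the demo uses two constructed 512-byte images; the names `boot.img` and `shadow.img` and their contents are made up. On real drives the equivalent copy is `dd if=/dev/sda of=/dev/sdb bs=440 count=1`.

```python
"""Added example, not code from the original page: copy only the boot code
of the first sector from the boot drive to the mirror's second drive, leaving
the target's disk signature and partition table alone, then check the result.
The two MBR images used by demo() are constructed."""
import os
import tempfile

SECTOR = 512
BOOT_CODE = slice(0, 440)     # loader stage (GRUB stage 1, NT boot code)
DISK_SIG = slice(440, 444)    # Windows disk signature: must stay unique per drive
PART_TABLE = slice(446, 510)  # four 16-byte partition entries
BOOT_SIG = slice(510, 512)    # must be 55 AA or the BIOS will not boot the disk


def is_bootable_sector(sector: bytes) -> bool:
    """The BIOS only checks the 55 AA marker before jumping to byte 0."""
    return len(sector) == SECTOR and sector[BOOT_SIG] == b"\x55\xaa"


def read_mbr(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read(SECTOR)


def copy_boot_code(src: str, dst: str) -> None:
    """Overwrite bytes 0..439 of dst with those of src and nothing else."""
    code = read_mbr(src)[BOOT_CODE]
    if len(code) != 440:
        raise ValueError(f"{src}: short read, not a full boot sector")
    with open(dst, "r+b") as f:  # r+b so the target is not truncated
        f.seek(0)
        f.write(code)


def make_sample_images(directory: str):
    """Two constructed MBRs with the same partition layout; only 'boot' has a loader."""
    def image(code: bytes, disk_sig: bytes, entry: bytes) -> bytes:
        sector = bytearray(SECTOR)
        sector[0:len(code)] = code
        sector[DISK_SIG] = disk_sig
        sector[446:446 + len(entry)] = entry
        sector[BOOT_SIG] = b"\x55\xaa"
        return bytes(sector)

    # entry: status 0x80, CHS start, type 0x83 (Linux), CHS end, LBA start, sector count
    entry = (bytes([0x80, 0, 1, 1, 0x83, 0xfe, 0xff, 0xff])
             + (2048).to_bytes(4, "little") + (4194304).to_bytes(4, "little"))
    boot = os.path.join(directory, "boot.img")
    shadow = os.path.join(directory, "shadow.img")
    with open(boot, "wb") as f:
        f.write(image(b"GRUB stage1" + b"\x90" * 400, b"\xde\xad\xbe\xef", entry))
    with open(shadow, "wb") as f:
        f.write(image(b"\x00" * 440, b"\x01\x02\x03\x04", entry))
    return boot, shadow


def demo() -> dict:
    """Copy the loader to the shadow drive and report what changed and what did not."""
    with tempfile.TemporaryDirectory() as d:
        boot, shadow = make_sample_images(d)
        before = read_mbr(shadow)
        copy_boot_code(boot, shadow)
        after = read_mbr(shadow)
        return {
            "boot_code_identical": read_mbr(boot)[BOOT_CODE] == after[BOOT_CODE],
            "disk_signature_kept": after[DISK_SIG] == before[DISK_SIG],
            "partition_table_kept": after[PART_TABLE] == before[PART_TABLE],
            "shadow_bootable": is_bootable_sector(after),
            "size_unchanged": len(after) == SECTOR,
        }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

Copying the full 512 bytes instead (the older `bs=512 count=1` advice) would also clone the disk signature, and Windows reacts to two drives with the same signature by taking one of them offline, which is the opposite of what a mirror is for.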

Data Recovery on Full Encryption Hard Drives

Newer Western Digital drives such as the WDBAAF0020HBK (My Book Essential 2TB, external USB) feature built-in hardware AES encryption. Such drives are sometimes called “Self-Encrypting Drives”, or SEDs.

Surprisingly, content written to the WD My Book is scrambled even when no password has been set. Once the USB-to-SATA bridge stops working, the cipher key is lost and the data cannot be recovered, even though the storage itself is working fine. Given that in practice a failure of the encryption chip looks more likely than the disk actually falling into the wrong hands, always-on protection does not look like such a good idea, at least not for a drive that is not backed up elsewhere.

Why did the designers choose to implement encryption this way?

The rationale is the speed of changing or resetting a password. With a policy of “no password, no encryption”, setting or changing the password would mean encrypting (or re-encrypting) the entire drive, which takes several hours, and that is before you start looking into awkward cases such as several overlapping power failures in the middle of the job. The same consideration applies to password removal.

So the designers chose the faster option. The master encryption key is generated once during production and flashed into the controller's EEPROM. All data on the disk is encrypted with this master key, all the time, regardless of whether a user password is set. When the user sets a password, the master key itself is encrypted (wrapped) with a key derived from that password; changing the password only re-wraps the master key and touches none of the data.

Since the data on the drive is already encrypted, you cannot read it without the master key, and the master key is not available unless you have the valid password.
In this setup, if the encryption module goes bad, the content of the disk is lost for good: the platters and the drive electronics may be perfectly healthy, but nobody holds the key any more.

As a side effect, this approach removes the need for a slow secure erase: discarding the master key and generating a new one makes the existing content unreadable instantly (provided the old key really is destroyed and not still recoverable from the EEPROM). The caveat is the one already mentioned: the single point of failure that makes the erase instant is the same one that makes a dead bridge fatal.
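The key hierarchy described above, as an added example that is not code from the original page or from Western Digital: a per-device master key generated once, data always encrypted under it, a password that only wraps the master key, and the two consequences the text draws from that design (a dead bridge means unreadable platters; an erase is just a key change). AES is stood in for by an HMAC-SHA256 keystream in counter mode so the file runs on the Python standard library alone, and PBKDF2 is an assumed password-to-key derivation; the real bridge's cipher mode and KDF are not documented on this page. Class and function names, the sample payload and the "platter" dictionary are all constructed for the demonstration.

```python
"""Added example, not code from the original page or from Western Digital: a
model of the always-on self-encrypting-drive key hierarchy the text describes
(factory master key, data always encrypted, password only wraps the key).
AES is stood in for by an HMAC-SHA256 keystream so it runs on the standard
library alone; the key management, not the cipher, is the point."""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC(key, nonce || block counter) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def derive_kek(password: str, salt: bytes) -> bytes:
    """Password -> key-encrypting key. PBKDF2 is an assumption; the real KDF is unknown."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000, dklen=32)


class Bridge:
    """The USB-to-SATA bridge: the only holder of the per-device master key (DEK)."""

    def __init__(self):
        self.dek = os.urandom(32)   # generated once at the factory, kept in EEPROM
        self.wrapped = None         # (salt, nonce, wrapped DEK, tag) once a password exists
        self.locked = False

    def encrypt_sector(self, lba: int, data: bytes) -> bytes:
        """Every write is encrypted with the DEK, whether or not a password is set."""
        if self.locked:
            raise PermissionError("drive locked: no DEK available")
        return keystream_xor(self.dek, lba.to_bytes(8, "big"), data)

    decrypt_sector = encrypt_sector  # stream cipher: same operation in both directions

    def set_password(self, password: str) -> None:
        """Wrap the DEK under a password-derived KEK: cost independent of disk size."""
        salt, nonce = os.urandom(16), os.urandom(16)
        kek = derive_kek(password, salt)
        wrapped = keystream_xor(kek, nonce, self.dek)
        tag = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
        self.wrapped = (salt, nonce, wrapped, tag)

    def power_cycle(self) -> None:
        """After power-up the plaintext DEK exists only if nothing wraps it."""
        if self.wrapped is not None:
            self.dek, self.locked = None, True

    def unlock(self, password: str) -> bool:
        if self.wrapped is None:
            return True
        salt, nonce, wrapped, tag = self.wrapped
        kek = derive_kek(password, salt)
        expected = hmac.new(kek, nonce + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False            # wrong password: the DEK stays unknown
        self.dek, self.locked = keystream_xor(kek, nonce, wrapped), False
        return True

    def crypto_erase(self) -> None:
        """'Secure erase' is just replacing the DEK; the old ciphertext becomes noise."""
        self.dek, self.wrapped, self.locked = os.urandom(32), None, False


PLATTER = {}  # lba -> ciphertext; the disk itself never sees plaintext
SECRET = b"constructed sample payroll.xlsx bytes"  # constructed test payload


def normal_use() -> bytes:
    """Set a password, power-cycle, unlock, read back; ciphertext on disk is untouched."""
    bridge = Bridge()
    PLATTER[7] = bridge.encrypt_sector(7, SECRET)
    bridge.set_password("hunter2")
    bridge.power_cycle()
    assert not bridge.unlock("wrong")
    bridge.unlock("hunter2")
    return bridge.decrypt_sector(7, PLATTER[7])


def password_change_leaves_ciphertext_alone() -> bool:
    bridge = Bridge()
    before = bridge.encrypt_sector(1, SECRET)
    bridge.set_password("old")
    bridge.power_cycle()
    bridge.unlock("old")
    bridge.set_password("new")  # re-wrap only; no sector is rewritten
    return bridge.decrypt_sector(1, before) == SECRET


def bridge_failure() -> bytes:
    """The failure mode the text warns about: platters intact, DEK gone with the bridge."""
    original = Bridge()
    PLATTER[9] = original.encrypt_sector(9, SECRET)   # no password was ever set
    del original                                       # the bridge chip dies
    replacement = Bridge()                             # new bridge, new factory DEK
    return replacement.decrypt_sector(9, PLATTER[9])   # unreadable noise


def erased_is_unreadable() -> bool:
    bridge = Bridge()
    ct = bridge.encrypt_sector(3, SECRET)
    bridge.crypto_erase()
    return bridge.decrypt_sector(3, ct) != SECRET


if __name__ == "__main__":
    print("normal read:", normal_use())
    print("after bridge failure:", bridge_failure()[:16].hex(), "...")
```

The model makes the trade-off concrete: `set_password` costs one key derivation whatever the drive size, which is the speed the designers wanted, while `bridge_failure` shows that the same property leaves a replacement bridge, or a data-recovery lab, with nothing to work on.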