# How do I lock a hard drive with hdparm?

## DingbatCA

I am kinda stumped on this one.  I can enable a drive password with hdparm:

```
hdparm --user-master u --security-set-pass foo /dev/sdc
security_password="foo"

/dev/sdc:
 Issuing SECURITY_SET_PASS command, password="foo", user=user, mode=high

hdparm -I /dev/sdc

/dev/sdc:

ATA device, with non-removable media
...
Security:
   Master password revision code = 65534
      supported
      enabled
   not   locked
   not   frozen
   not   expired: security count
      supported: enhanced erase
   Security level high
...
```

But I can't seem to figure out the lock command:

```
hdparm --security-help

ATA Security Commands:
 Most of these are VERY DANGEROUS and can destroy all of your data!
 Due to bugs in older Linux kernels, use of these commands may even
 trigger kernel segfaults or worse.  EXPERIMENT AT YOUR OWN RISK!

 --security-freeze           Freeze security settings until reset.

 --security-set-pass PASSWD  Lock drive, using password PASSWD:
                                  Use 'NULL' to set empty password.
                                  Drive gets locked if user-passwd is selected.
 --security-unlock   PASSWD  Unlock drive.
 --security-disable  PASSWD  Disable drive locking.
 --security-erase    PASSWD  Erase a (locked) drive.
 --security-erase-enhanced PASSWD   Enhanced-erase a (locked) drive.

 The above four commands may optionally be preceded by these options:

 --security-mode  LEVEL      Use LEVEL to select security level:
                                  h   high security (default).
                                  m   maximum security.
 --user-master    WHICH      Use WHICH to choose password type:
                                  u   user-password (default).
                                  m   master-password
```

The unlocking is easy:

```
hdparm --user-master u --security-unlock foo /dev/sdc
```

But where is the lock command?

```
hdparm --user-master u --security-lock foo /dev/sdc
```

Any ideas?

----------

## guitou

Hello.

*Quote:*

>   --security-set-pass PASSWD  Lock drive, using password PASSWD: ...


Is that what you were looking for? :p

++

Gi)

----------

## DingbatCA

Enable security:

```
root@fuzzy ~# hdparm -I /dev/sdd
...
Security:
   Master password revision code = 65534
      supported
   not   enabled
   not   locked
   not   frozen
...

root@fuzzy ~# hdparm --user-master u --security-set-pass password /dev/sdd
security_password="password"

/dev/sdd:
 Issuing SECURITY_SET_PASS command, password="password", user=user, mode=high

root@fuzzy ~# hdparm -I /dev/sdd
Security:
   Master password revision code = 65534
      supported
      enabled
   not   locked
   not   frozen
```

Attempt to lock drive:

```
root@fuzzy ~# hdparm --security-set-pass password /dev/sdd
security_password="password"

/dev/sdd:
 Issuing SECURITY_SET_PASS command, password="password", user=user, mode=high

root@fuzzy ~# hdparm -I /dev/sdd
...
Security:
   Master password revision code = 65534
      supported
      enabled
   not   locked
   not   frozen
...
```

Still "not	locked".  

Trying a soft reset:

```
root@fuzzy ~# echo 1 > /sys/block/sdd/device/delete
root@fuzzy ~# dmesg -T | tail
...
[Thu Jun 29 07:37:01 2017] sd 33:0:1:0: [sdd] Synchronizing SCSI cache
[Thu Jun 29 07:37:01 2017] scsi target33:0:1: mptsas: ioc0: delete device: fw_channel 0, fw_id 36, phy 1, sas_addr 0xdd5d3842bda58f83

root@fuzzy ~# echo "- - -" > /sys/class/scsi_host/host33/scan
root@fuzzy ~# dmesg -T | tail
...
[Thu Jun 29 07:38:03 2017] scsi 33:0:1:0: Direct-Access     ATA      WDC WD20EADS-11R 0A80 PQ: 0 ANSI: 5
[Thu Jun 29 07:38:03 2017] sd 33:0:1:0: Attached scsi generic sg4 type 0
[Thu Jun 29 07:38:03 2017] sd 33:0:1:0: [sdd] 3907029168 512-byte logical blocks: (2.00 TB/1.82 TiB)
[Thu Jun 29 07:38:03 2017] sd 33:0:1:0: [sdd] Write Protect is off
[Thu Jun 29 07:38:03 2017] sd 33:0:1:0: [sdd] Mode Sense: 73 00 00 08
[Thu Jun 29 07:38:03 2017] sd 33:0:1:0: [sdd] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[Thu Jun 29 07:38:03 2017] sd 33:0:1:0: [sdd] Attached SCSI disk

root@fuzzy ~# hdparm -I /dev/sdd
...
Security:
   Master password revision code = 65534
      supported
      enabled
   not   locked
   not   frozen
...
```

Can't seem to find the command(s) to issue a hard reset via command line.  `hdparm -w /dev/sdd` exits with "HDIO_DRIVE_RESET failed: Invalid argument".  Back to the googles....

----------

## DingbatCA

Reboot works.  There has to be a more graceful way?!

```
root@fuzzy ~# uptime
 08:58:07 up 2 min,  1 user,  load average: 0.05, 0.04, 0.01

root@fuzzy ~# hdparm -I /dev/sdd
...
Security:
   Master password revision code = 65534
      supported
      enabled
      locked
   not   frozen
...
```

----------
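Added example, not part of the thread: the outputs posted above show the drive reporting `enabled` but `not locked` right after `--security-set-pass`, and `locked` only after the reboot. This sketch classifies the Security section of `hdparm -I` output into those states; the function name `ata_security_state`, the state labels and the sample text are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): classify ATA security state from
# `hdparm -I` text on stdin. Function name and state labels are hypothetical.
ata_security_state() {
    awk '
        /^Security:/ { insec = 1; seen = 1; next }
        insec && /^[^ \t]/ { insec = 0 }      # next unindented heading ends the section
        !insec { next }
        {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            neg = sub(/^not[ \t]+/, "", line)  # 1 when the flag is negated
            # Exact match, so "supported: enhanced erase" is not read as "supported"
            if (line == "supported")    supported = !neg
            else if (line == "enabled") enabled = !neg
            else if (line == "locked")  locked = !neg
            else if (line == "frozen")  frozen = !neg
        }
        END {
            if (!seen || !supported) state = "unsupported"
            else if (!enabled)       state = "disabled"
            else if (locked)         state = "locked"
            else                     state = "enabled-unlocked"
            printf "state=%s frozen=%s\n", state, (frozen ? "yes" : "no")
        }'
}

# Constructed samples modelled on the outputs in the thread.
after_set_pass='Security:
   Master password revision code = 65534
      supported
      enabled
   not   locked
   not   frozen
   not   expired: security count
      supported: enhanced erase
   Security level high'
after_reboot='Security:
   Master password revision code = 65534
      supported
      enabled
      locked
   not   frozen'

printf '%s\n' "$after_set_pass" | ata_security_state
printf '%s\n' "$after_reboot"   | ata_security_state
```

On a live system the input would be `hdparm -I /dev/sdX | ata_security_state`; `enabled-unlocked` means a password is set but the data is still readable in the current power session.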

