Hello there. This time, I’ll be demonstrating how to unlock an encrypted drive with Parted Magic’s PSID Unlocker, a tool I wrote back in 2019.
The Video
PSID Unlocker GUI – The Writeup
What is a PSID key?
PSID stands for Physical Security Identifier. The idea is that, as the key is printed on the case of the drive, you need to have physical access to the drive to unlock it, improving security.
Why unlock a disk?
Generally, you would want to unlock a disk using the PSID when you are unable to secure erase it. PSID-locked drives cannot be secure erased with the ATA/NVME Secure Erase command.
How do I know if my drive is locked?
The most telltale sign is when you open the Secure Erase GUI, and the disk doesn’t show up as a device available for wiping. It doesn’t show up at all, not even as a “frozen” drive.
How do I unlock my drive?
Simply open the “Erase Disk” menu, and select “PSID Unlocker”. It may take a minute to open and gather device information depending on the speed of your system. Your drive should show up in the list here. Note: The key is case-sensitive – make sure your caps lock is off. The PSID is physically located on the drive, so you may need to copy it down before entering.
Once you’ve got the PSID key, enter it in the field next to your drive and hit Unlock. If successful, it should turn green. If you entered the wrong PSID, or try to unlock a drive that isn’t locked, the field will turn red.
IMPORTANT NOTE: Running this command on certain older drives with buggy firmware may erase ALL DATA on the drive. This is fine if you’re wiping the drive anyway, but you have been warned.
How do I verify that my drive is now unlocked?
If you open the Secure Erase GUI again, it should now show up in the list, and can be erased successfully.
PSID Unlocker GUI – Summary
The PSID GUI turns a unlocking drives, a complicated task involving the command line, into something that can be done easily in a few minutes. After that, you can get on with what you were doing and secure erase the drive without further delay. You can purchase Parted Magic to access this tool on their website (affiliate link - I earn commission for purchases made through this link).
I hope this has been a useful tutorial, and stay tuned for more posts coming soon.
Thanks for your great explanation, but could you also tell us how long the unlock lasts? Is it only meant to last as long as the ssd is powered and then auto resettet to locked state? And if not, how to lock the device again?
This permanently unlocks the drive.
Relocking it again can be done as per the instructions at: https://github.com/Drive-Trust-Alliance/sedutil/wiki
Hope this helps,
Hamish
Thank you too for all the work you’ve put into this. I have been refurbishing many laptops to donate to schoolchildren, and a Lenovo T480 I am working on at the moment is the first example of a machine with a disk that has required unlocking. The unlocker worked, but unfortunately the subsequent NVMe Secure Erase failed, so I had to use the dd option instead.
You’re welcome, its always nice to get some feedback. Could I possibly have a quote from that for a testimonial please?
I wonder why the secure erase failed. What error did you get? I’ve had a few isolated reports of this and haven’t been able to find any cause, apart from possibly damaged drives.
I have encountered the same issue on a T470, see log from wipe attempt after sucessfully unlocking the PSID. Even tried a cold boot before launching the NVMe wipe again, same results.
Parted Magic 2021_11_17 (nvme version 1.9) NVMe Secure Erase Log
Started: Wed Jan 11 11:13:04 CST 2023
Finished: Wed Jan 11 11:13:07 CST 2023
System Information (dmidecode 3.3)
Manufacturer: LENOVO
Product Name: 20JNS1G50A
Version: ThinkPad T470 W10DG
Serial Number: XXXXXXXXXXXXX
SAMSUNG MZVLB256HAHQ-000L7 (/dev/nvme0n1) SERIAL NUMBER: XXXXXXXXX SIZE: 238.5G RESULTS: Erase Failed
Verification Level N/A
==================================================
SAMSUNG MZVLB256HAHQ-000L7 (/dev/nvme0n1)
==================================================
nvme version 1.9
NVME Identify Controller:
vid : 0x144d
ssvid : 0x144d
sn : XXXXXXXXXX
mn : SAMSUNG MZVLB256HAHQ-000L7
fr : 0L2QEXD7
rab : 2
ieee : 002538
cmic : 0
mdts : 9
cntlid : 0x4
ver : 0x10200
rtd3r : 0x186a0
rtd3e : 0x7a1200
oaes : 0
ctratt : 0
rrls : 0
crdt1 : 0
crdt2 : 0
crdt3 : 0
oacs : 0x17
acl : 7
aerl : 3
frmw : 0x16
lpa : 0x3
elpe : 63
npss : 4
avscc : 0x1
apsta : 0x1
wctemp : 354
cctemp : 355
mtfa : 0
hmpre : 0
hmmin : 0
tnvmcap : 256060514304
unvmcap : 0
rpmbs : 0
edstt : 35
dsto : 0
fwug : 0
kas : 0
hctma : 0
mntmt : 0
mxtmt : 0
sanicap : 0
hmminds : 0
hmmaxd : 0
nsetidmax : 0
anatt : 0
anacap : 0
anagrpmax : 0
nanagrpid : 0
sqes : 0x66
cqes : 0x44
maxcmd : 0
nn : 1
oncs : 0x1f
fuses : 0
fna : 0x4
vwc : 0x1
awun : 1023
awupf : 0
nvscc : 1
nwpc : 0
acwu : 0
sgls : 0
mnan : 0
subnqn :
ioccsz : 0
iorcsz : 0
icdoff : 0
ctrattr : 0
msdbd : 0
ps 0 : mp:7.02W operational enlat:0 exlat:0 rrt:0 rrl:0
rwt:0 rwl:0 idle_power:- active_power:-
ps 1 : mp:6.30W operational enlat:0 exlat:0 rrt:1 rrl:1
rwt:1 rwl:1 idle_power:- active_power:-
ps 2 : mp:3.50W operational enlat:0 exlat:0 rrt:2 rrl:2
rwt:2 rwl:2 idle_power:- active_power:-
ps 3 : mp:0.0760W non-operational enlat:210 exlat:1200 rrt:3 rrl:3
rwt:3 rwl:3 idle_power:- active_power:-
ps 4 : mp:0.0050W non-operational enlat:2000 exlat:8000 rrt:4 rrl:4
rwt:4 rwl:4 idle_power:- active_power:-
Smart Log for NVME device:nvme0n1 namespace-id:ffffffff
critical_warning : 0
temperature : 26 C
available_spare : 100%
available_spare_threshold : 10%
percentage_used : 5%
data_units_read : 54,347,853
data_units_written : 32,584,787
host_read_commands : 1,428,981,206
host_write_commands : 944,961,383
controller_busy_time : 3,151
power_cycles : 1,343
power_on_hours : 8,246
unsafe_shutdowns : 157
media_errors : 0
num_err_log_entries : 2,069
Warning Temperature Time : 0
Critical Composite Temperature Time : 0
Temperature Sensor 1 : 26 C
Temperature Sensor 2 : 26 C
Thermal Management T1 Trans Count : 0
Thermal Management T2 Trans Count : 0
Thermal Management T1 Total Time : 0
Thermal Management T2 Total Time : 0
Unfortunately, I’m not able to help much with this issue, but perhaps you could ask on the Pared Magic forums?
Hope this helps,
Hamish
Certainly. The laptop now has CloudReady on it in preparation to pass on, so the drive appears to be OK. I looked at the erase log and couldn’t find any clues.
SAMSUNG MZVLB256HAHQ-000L7 (/dev/nvme0n1) SERIAL NUMBER: xxx SIZE: 238.5G RESULTS: Erase Failed
Well, glad it seems okay.
Thanks, I’ll look it up and see if that model is known to have issues – some just don’t secure erase properly due to firmware issues I think.
Do you enter any dashes listed for the SSD’s PSID?
Hi Trevor,
Please don’t insert the dashes – they are not needed and may cause the unlock to fail.
Hamish
how can I PSID unlock a drive if every time I boot, the BIOS asks for password. not entering the password 3 times lets the PC boot, but the nvme or msata drive ends up being disabled, and PSID unlock doesn’t work.
please assist.
Hi there,
I can’t help much with this unfortunately, but perhaps the Parted Magic forums might help?
Hamish