Manage password protection of Western Digital external drives supported by the proprietary WD Security software. All operations are compatible with the proprietary WD Security software, allowing interoperability between Windows, Mac and Linux.
Western Digital sells a range of external drives that support 256-bit AES hardware encryption. The proprietary WD Security software can be used to manage the password protection of these drives on Windows or MacOS. The following drives are listed as supported:
Direct Attached Storage (DAS) Drives: My Book, My Book for Mac, My Book Duo, WD Drive Plus, My Passport works with USB-C, My Passport, My Passport for Mac, My Passport Ultra, My Passport Ultra for Mac, My Passport Ultra (USB-C), My Passport Ultra for Mac (USB-C), My Passport Ultra Metal, WD Backup Drive Desktop
If a password is configured on any of these drives, then the drive cannot be accessed. Once unlocked, the drives will function normally.
Supports unlocking, changing or setting a password, erasing, and other functions on supported drives.
Additionally, automatic unlocking by udev can be configured.
Show the encryption status of a device (i.e. whether it is locked, unlocked, or unprotected).
sudo wd-security status /dev/sdX
where sdX should be replaced by the name of the device file for your device.
Unlock a password protected device and re-read the partition table:
sudo wd-security unlock --rescan /dev/sdX
where sdX should be replaced by the name of the device file for your device.
If the device is not currently protected by a password, then one may be set. In this case, a random 8-byte password salt will be generated, the number of hash iterations to perform will be set based on timing of the hash function, and a new Security Block will be written to the device.
If the device is currently protected with a password, then it may be changed, or removed.
sudo wd-security change-pw [--disable] /dev/sdX
where sdX should be replaced by the name of the device file for your device.
Securely erase a device by causing it to install a new Device Encryption Key (DEK).
Every device should be erased at least once, to replace the possibly insecure factory DEK.1
Caution
All information on device will become lost and completely unrecoverable.
sudo wd-security erase /dev/sdX
where sdX should be replaced by the name of the device file for your device.
See the manual for more detailed information about sub-commands and supported switches.
udev rules are provided in 00-wd-security.rules to support automatic unlocking on device attach. A Key File corresponding to each device that will be automatically unlocked must be prepared and placed into the /etc/keys directory.
See the manual for information about how to create a Key File to enable automatic unlocking.
The wd-security-devices.sh script can be used to list all attached
Western Digital drives along with the name of the Key File that should
be created to enable automatic unlocking.
The core plumbing is exposed as a library, making it possible to build a separate application and link against the library, and/or create a wrapper for an alternative programming language.
@DanLukes' excellent documentation2 of the protocol has been infinitely valuable. Without his painstaking reverse engineering work, this project would not have been possible.