Setting up SED (Self-Encrypting Drive) on Dual-Boot system: Windows 10 and Ubuntu 15

[pkiff]

So I've just acquired a W520, and managed to get a dual-boot system set up with Windows 10 and Ubuntu 15 installed on a 250GB Crucial MX200 SED (Self-Encrypting Drive) SSD. But I haven't enabled the SED hard drive encryption yet.

I started reading through various instructions, and I've gotten a bit confused. How do I enable the self-encrypting part of this drive without screwing everything up?

A couple points of note:
- UEFI bios is enabled - and ONLY UEFI (no legacy, no "both")
- I will be setting the SSD as the first boot item in BIOS startup order
- my W520 apparently does not have SecureBoot (this came as a surprise to me)?
- no system passwords are yet set (no power-on, no HDD) - but I do have Windows/Ubuntu passwords
- FastBoot is turned off
- the OSes were installed on a clean HDD with no pre-existing partitions
- the drive has never had encryption enabled or activated before
- I haven't yet enabled the TPM features in my W520

So, can I just enable the Thinkpad's BIOS security features, activate the power-on and HDD passwords, and then turn on the SED encryption? Or do I need to do something with Bitlocker? Or purchase a license for Lenovo's SecureDoc? Or some other software?

[hhhd1]

From what i read, when you set up in bios, the power-on for hdd password, this will be used for encryption on the drive.

For some SSDs, when you set that password, the SSD effectively becomes empty, because the password is not used for simple authentication, so you may need to make an image backup first just to be safe.

I am not 100% sure of that info, .. but I've seen people's complain that some SSD with hardware encryption became empty just after changing or setting that password.

[pkiff]

This week, I was trying to finish locking properly locking down my W520. But there is no option in the BIOS to set the HDD password. Under Security, I can set Master password and Power On Password, but the Hard Disk 1 Password option is simply not there

According to some reports, this may be because the drive has been initialized already using Microsoft's "eDrive" technology:
hard disk1 password option unvisible on several X240 an cannot be set [forums.lenovo.com]
and
Bitlocker eDrive on new X1 Carbon [forums.lenovo.com]

But it's all still a bit confusing to me. I'm not using Bitlocker, nor did I intentionally do anything during my Win10 install to enable it, and the disk was a clean disk when I started. Now, though, it is a dual boot Win10/Ubuntu 15 disk, using GPT and UEFI Only for boot, and I'm worried that too much fiddling with my BIOS might somehow leave me in an unrecoverable state.

I have a feeling that the HDD Password in BIOS (aka an ATA Password?) may require a Legacy Boot system. Or maybe it is true that I somehow got some Microsoft eDrive stuff onto the disk by accident. One issue might also be that W520 does not support SecureBoot, which is what would have been required to use Bitlocker in Win 10, I think, and maybe that has some affect. Or maybe it is that my SED SSD (a 256MB Crucial MX200) is actually a crappy implementation of SED which doesn't properly support ATA Passwords.

Does anyone here have an SED working on a W520 system? And if so, can you tell me what your BIOS settings are for UEFI, and whether you are using MBR or UEFI?

Rather than going back to MBR, I'm tempted to bite the bullet and purchase a license for Lenovo/WinMagic SecureDoc and then set up the HDD password that way, but again, I'm worried about how it might mess up my dual boot. Does anyone here use SecureDoc on a W520?

Phil.

[RealBlackStuff]

According to the W520 BIOS simulator, the Hard Disk 1 Password sits (in Security) immediately under the Power On Password.

[pkiff]

According to the W520 BIOS simulator, the Hard Disk 1 Password sits (in Security) immediately under the Power On Password.

Yeah, I checked that simulator as well, and I see where it should be, but it's simply not there. That's why I was wondering about eDrive stuff in the links above: apparently when a drive has been "initialized"? with eDrive then it won't show as available for HDD password in some Thinkpad bioses.

[pkiff]

It seems my problem was indeed caused by eDrive. I have an identical Crucial MX200 SSD with SED that I'm now installing with Win 10 and Ubuntu, and this time, I enabled the BIOS-level "Hard Disk1" password before starting the Windows 10 install. Obviously, that also means that this option appeared in the BIOS right where it should when the drive was blank, before doing any partitioning.

I am not sure where or how to check if an SED has been "initialized" for eDrive, aside from looking to see if the HDD password option is available in the BIOS, but for anyone reading this thread in the future, I'd recommend simply making sure you decide what method of HDD password you are going to use before you start installing Win 10. If you want to use the BIOS-level ATA Password, then you should Enable it and set it before you do anything else with your drive. If you want to use Bitlocker or SecureDoc/Winmagic or something similar, then you can probably leave it in its default state when you start installation.

Using an ATA Password does not require any other special settings in BIOS (i.e. you can use UEFI/Legacy Boot or AHCI/Compatibility SATA or any combination of those) and still use the ATA password option.

[crashnburn]

Always something interesting to learn on TP forums