
safeguard easy

Posted: Sun Aug 20, 2006 8:25 pm
by quickie
Hi,

I am planning to get some kind of full disk encryption for my T60 and Windows XP. Has anyone tried Safeguard Easy, or any other software? What are your experiences with full disk encryption in general?

SafeBoot experience

Posted: Mon Aug 21, 2006 3:51 am
by Tony's X60s
For years I used Thinkpads with SafeBoot and it's still a good product. However, all full-disk encryption products have tended to become designed to suit corporates rather than individual users. Twice I have had the heart-stopping experience of the "layer key error" but my data survived both times and access was restored after some hours.

More recently, since I purchased my X60s, I have adopted a more convenient (but I think no less effective) approach to data security.

I use CSS7 (with its occasional irritating bugs), store all my work in a 10GB securedrive with swap files set to be wiped each logoff, keep my power-up and hard disk passwords applied. While the power-up password can be relatively easily overcome if the supervisor password is not set - I've removed mine myself after a BIOS upgrade adverse event - the hard disk password is not bypassable by anyone below serious security player (e.g. NSA) level.

In summary, I no longer feel that full-disk encryption products are worth it.

Posted: Mon Aug 21, 2006 5:25 am
by Wiz
I tried Safeguard Easy and it seems to work just fine, since I had no problems at all. Safeguard Easy can also use the security chip (if you have one), but since I use full disk encryption software I couldn't really see why I should use the security chip anymore.

Currently I use Securstar Drivecrypt Pluspack, which is another full disk encryption software. I did some research on different full disk encryption software and also read about other people's recommendations. I found that a lot of people recommended Drivecrypt Pluspack, so the company I work for ended up with DCPP. It also supports single sign-on. I have been using DCPP for a long time now and had no problems, so I could also recommend DCPP.
I also think that full disk encryption is the way to go if you want to make sure everything is encrypted and don't want more logins. It does the encryption/decryption in the background and you won't notice any difference except the performance. I don't really see a difference regarding the performance, but since everything has to be encrypted/decrypted I guess it's a bit faster without.

I agree that the hard disk password is pretty good and seems very safe, but still the data is stored without encryption on the disk without some sort of disk encryption software. So for those with advanced equipment you can recover the data without even having to bother about the hard disk password by removing the plates from the disk. Also there is some info to be found on the internet on how to bypass the hard disk password. Since I have not tried to do that I cannot tell if it's working or not, but to make sure the data is protected I believe encryption is the way to go. If working for a company, they might require disk encryption as well, like the company I work for, and then the hard disk password is not an option anyway.

Posted: Mon Aug 21, 2006 8:34 pm
by quickie
hi everyone,

I am not quite sure which kind of software I'll end up using, but thanks for the recommendations. Securstar Drivecrypt Pluspack sounds interesting, I'll have to check that out.

As for HD passwords, these are easily bypassed: a potential thief could just get the same drive and swap the logic board (some data recovery companies offer this service, for reasonable prices < 2000€).

Even with a secure container drive, a lot of information is still kept on the Windows partition (e.g. temporary files, registry files, password files), which can contain a lot of sensitive data. I definitely need full disk encryption, so that a potential theft does not cause a major headache for me ;)

The only thing that bugs me is that - AFAIK - most companies don't distribute the source code for their full disk encryption software. Without the possibility to validate the source code or to compile it myself, no mutual trust can be established between the customer and the company, which I think is intrinsic for any kind of software that aims to protect files from a third party.

flo

Posted: Mon Aug 21, 2006 9:28 pm
by Wiz
quickie wrote: The only thing that bugs me is that - AFAIK - most companies don't distribute the source code for their full disk encryption software. Without the possibility to validate the source code or to compile it myself, no mutual trust can be established between the customer and the company, which I think is intrinsic for any kind of software that aims to protect files from a third party.
I don't see that as a problem at all. A company like Securstar delivers software for protection and I don't think they would risk their reputation by doing something stupid like creating a backdoor or something like that. That would not gain anybody and they claim there is no backdoor and if you forget the password they cannot help. Of course I just have to trust them, but I feel more comfortable when the people that might try to get around the security are not able to see the source code. That is another reason why the company I work for uses DCPP, since they have a good reputation and it seems like most people trust them.
Are you afraid of some sort of hidden backdoor around the encryption?

Can hard disk passwords be bypassed?

Posted: Tue Aug 22, 2006 5:00 am
by Tony's X60s
Quickie wrote:
As for HD passwords, these are easily bypassed: a potential thief could just get the same drive and swap the logic board (some data recovery companies offer this service, for reasonable prices < 2000€).
This doesn't match my understanding of IBM's technology. Many years ago when HD passwords were new and exclusive to IBM Thinkpads, in my role as a major corporate CIO I sought assurance from IBM about the robustness of the arrangement. I found out that it was actually supported from their lab in Japan, that it involved a degree of scrambling of the data recorded on the platters and that the key was not easily extracted from the drive electronics.

I have seen lots of casual claims that the IBM HD password can be bypassed, but most of them sound to me like wannabe hacker statements. I have not heard of a publicly proven case - despite the news story this would make. Of course, some here may immediately prove me wrong on this :?

Interestingly, IBM are quite candid about their hardware - their CSS design is protection against theft of private keys by external parties, not protection against someone who has unlimited physical possession of the hardware. The main avenues of attack would probably involve time and energy analysis of the embedded security chip containing the keys - something only serious government money can reliably ensure. Hence my comment about NSA. It is always interesting to read the fine print that manufacturers of full-disk encryption software publish in this regard as well.

Personally, I remain confident that IBM's HD password is one of the most convenient and cost-effective security protections available to us ordinary business consumers.

Posted: Tue Aug 22, 2006 11:48 am
by christopher_wolf
Remove the logic board of the HDD? That is pretty difficult considering that you have an extremely small chance of getting the HDD to work again once you put it back together since the logic board is inside the case of the HDD. In either case, a HDD password is one of the lesser-known (hence not-as open and vulnerable) data protections out there. As far as I know, the ATA protocol does support it currently yet I have yet to hear of a successful extraction of data from a password-protected HDD. Although I am pretty sure that the NSA, CIA, and FBI forensics teams could crack it...eventually. ;) :)

Posted: Tue Aug 22, 2006 12:16 pm
by JHEM
quickie wrote: As for HD passwords, these are easily bypassed: a potential thief could just get the same drive and swap the logic board (some data recovery companies offer this service, for reasonable prices < 2000€).
Nonsense.

While changing a HD's logic board may help in cases of a drive failure, it will have no effect on a PW locked HD; the logic board and platters are "mated".

However, there are companies that can "sniff" a HD's PW and unlock it.

Regards,

James

Posted: Tue Aug 22, 2006 9:14 pm
by quickie
JHEM wrote: ... the logic board and platters are "mated".
You are right. Modern hard drives store the password (even the firmware) on the hard disk and not in the controller's ROM or some other chip. Changing the logic board would not change a thing. You would end up with the same locked drive (albeit a new logic board ;) ) Some years ago I read an article that on some ATA3 hard drives (which store the password on the logic board) it has been done by swapping the logic board.

Tony's X60s wrote: I have seen lots of casual claims that the IBM HD password can be bypassed, but most of them sound to me like wannabe hacker statements. I have not heard of a publicly proven case - despite the news story this would make. Of course, some here may immediately prove me wrong on this
This is old news. Just call a data recovery company like Ontrack and ask them ;) Standard ATA HDD passwords do not apply any encryption on the data itself.

To quote the German computer magazine c't:
"Thus the sobering upshot to the topic of ATA Security is: As data retrieval companies have found a way around it, the mechanism must be considered too unsafe for truly sensitive data. As only data retrieval companies have found a way around it the mechanism can be (ab)used to wreak considerable havoc."
http://www.heise.de/ct/english/05/08/172/ (English text)

So, back to the original topic: Which full disk encryption software would you recommend?

flo.

Posted: Mon Sep 18, 2006 9:23 pm
by JohnDrake
Lenovo has teamed up with Utimaco. Rescue and Recovery supports Utimaco. Lenovo resells Safeguard Easy...

Recommend you use Safeguard Easy