Disk Encryption

Mike02906
Posts: 28
Joined: Sat Feb 20, 2010 5:07 pm
Location: Portland, OR

Disk Encryption

#1 Post by Mike02906 » Mon Mar 01, 2010 9:42 pm

My T510 should arrive Wednesday, for use in my new consulting business.

I would like to have a reasonable level of data security. The Thinkpad will have business information on it, not national security secrets -- and not even trade secrets. Still, I don't want the disk readable if the machine is stolen. Previous Thinkpads I've used had disk encryption available, but I never used it, because my employer had their own encryption scheme. Assuming the T510 still has that, I am looking for tips on using it.
  • Will it slow the machine down appreciably?
  • Is it still controlled through BIOS settings?
  • There was a client security program I never installed -- should I look at that?
  • What else should I know to make the machine reasonably secure?
Thanks!

mgo
thinkpads.com customer
Posts: 877
Joined: Wed Jun 13, 2007 10:59 pm
Location: Tucson, Az

Re: Disk Encryption

#2 Post by mgo » Mon Mar 01, 2010 9:53 pm

Mike02906 wrote: My T510 should arrive Wednesday, for use in my new consulting business.

I would like to have a reasonable level of data security. The Thinkpad will have business information on it, not national security secrets -- and not even trade secrets. Still, I don't want the disk readable if the machine is stolen. Previous Thinkpads I've used had disk encryption available, but I never used it, because my employer had their own encryption scheme. Assuming the T510 still has that, I am looking for tips on using it.
  • Will it slow the machine down appreciably?
  • Is it still controlled through BIOS settings?
  • There was a client security program I never installed -- should I look at that?
  • What else should I know to make the machine reasonably secure?
Thanks!
I like to keep things simple, so the hard drive password set in BIOS works very well. (It is not necessary to use any other passwords there, such as supervisor, etc.; just the hard drive password will do.) If you need to encrypt a USB drive used for backups, etc. for the machine, then a 3rd-party program or Windows 7's native BitLocker is good, but that only comes on higher-end versions of the operating system.

One can also use the hard drive password on the drive in UltraBay if you use that second drive also.

dr_st
Senior ThinkPadder
Posts: 6653
Joined: Sat Oct 29, 2005 6:20 am

Re: Disk Encryption

#3 Post by dr_st » Tue Mar 02, 2010 2:46 am

Do note that the BIOS hard disk password does not encrypt the drive. It merely locks access to it. The data itself is not encrypted (which is also why there is no slowdown at all). A determined cracker with access to physical disk failure recovery tools can probably get the data (say, by removing the platters from the original casing and installing them in a different one, or by messing with the embedded controller somehow).

With that said, it is still enough to deter 99.99% of the laptop thieves, because the typical thief does not care about your data, and just wants to make some money on selling the machine.

If you do want additional security, there are solutions available both in software (e.g. PGP Whole Disk Encryption) and hardware (laptop drives with encryption support in the firmware).
Current: X220 4291-4BG, T410 2537-R46, T60 1952-F76, T60 2007-QPG, T42 2373-F7G
Collectibles: T430s (IPS FHD + Classic Keyboard), X32 (IPS Screen)
Retired: X61 7673-V2V, A31p w/ Ultrabay Numpad
Past: Z61t 9440-A23, T60 2623-D3U, X32 2884-M5U

Wiz
Junior Member
Posts: 474
Joined: Sat May 13, 2006 6:07 am
Location: Norway

Re: Disk Encryption

#4 Post by Wiz » Tue Mar 02, 2010 5:45 am

I would suggest setting the hard disk password from BIOS. As already explained in this thread it will not encrypt the data, but it is still some sort of protection. If you need the data to be encrypted, I would suggest getting an FDE HDD since it's pretty cheap. Using an FDE the data will always be encrypted and everything is done in hardware, so no encryption software is required. Even if it's always encrypted, the data is not really protected until you set the hard disk password in BIOS though. It won't slow down the HDD.
Another option is to use software to encrypt the data, but it will slow down the HDD a bit, even if it shouldn't be that much and most likely you won't notice much difference. I would recommend full disk encryption and not just an encrypted container where the rest of the HDD is unprotected if you need to protect your data.

Superego
Sophomore Member
Posts: 239
Joined: Tue Feb 20, 2007 4:05 pm
Location: Minneapolis, MN

Re: Disk Encryption

#5 Post by Superego » Tue Mar 02, 2010 5:57 pm

You will see a performance hit with full disk encryption. Not sure about the stats but I've heard claims of it almost doubling I/O times (better hardware & encryption algorithms will lessen that). Personally I think full disk encryption is overkill unless you're working in an environment where it's necessary (DoD, FBI, etc.).

I'll second everyone's suggestion about setting the hard drive password. It doesn't offer encryption but it deters 99% of people. The other password to consider is the supervisor pw. It's a little off-topic since it really doesn't have to do with disk encryption, but if you want to lock down your BIOS that's the one to use. Note that once it's set, it's set... do some research if you're unfamiliar with it.

Regarding encryption, my vote is for TrueCrypt. It's free, fast, and secure. Performance and security-wise it's about the same as BitLocker. The big appeal (at least to me) is the fact that it's open-source and has been vetted in the public forum as opposed to some proprietary app like BitLocker. I use it to make a 3 GB encrypted container I just mount when I need it, but you can encrypt an entire partition, drive, or USB stick.
W510: i7-820QM / 8GB 1066 RAM/ 1 GB NVIDIA Quadro FX 880M / 500GB 7200rpm / 15.6" HD 1080 / Arch Linux

Wiz
Junior Member
Posts: 474
Joined: Sat May 13, 2006 6:07 am
Location: Norway

Re: Disk Encryption

#6 Post by Wiz » Tue Mar 02, 2010 8:12 pm

Superego wrote: You will see a performance hit with full disk encryption. Not sure about the stats but I've heard claims of it almost doubling I/O times (better hardware & encryption algorithms will lessen that). Personally I think full disk encryption is overkill unless you're working in an environment where it's necessary (DoD, FBI, etc.).
That's why I would suggest an FDE HD in case of full disk encryption, since then you don't need any encryption software, the performance hit will not be a problem and everything is encrypted in hardware.

With regards to using a container or using full disk encryption, the bad thing about a container is that you need to know that you leave no stuff in any temp folder, deleted files can be retrieved very easily unless the sectors are overwritten, and you have to make sure you store what you want to encrypt in the container. Also make sure you don't use your Windows password to open the container, so two logins would be required. Full disk encryption is transparent and you won't notice a difference except a minor performance hit, but it's not as bad as some might think. Let's say you open a Word document from the container and then save the file again: a temp file might have been created in your temp folder. It can be retrieved again and some programs might leave the temp file there for good... until you manually clean up the temp folder.

Of course you might say that it's a bit too paranoid, but then again I assume that people who need/want encryption want to secure the data pretty well too. If it's encrypted, but it's easy to get around the encryption, then the encryption is kind of useless anyway. I believe the hard disk password should be good enough for most people, but if not I would think they need to be 100% sure that the data is encrypted and protected well, or they could just use the HD password. Then I think full disk encryption is the way to go, but of course that's my opinion and some might find a container to be good enough.

Mike02906
Posts: 28
Joined: Sat Feb 20, 2010 5:07 pm
Location: Portland, OR

Re: Disk Encryption

#7 Post by Mike02906 » Wed Mar 03, 2010 10:00 pm

Thanks to everyone for the informative posts! I'll set a hard disk password, and consider that enough for what I'm doing.

eecon
Senior Member
Posts: 706
Joined: Sat Jul 14, 2007 6:58 pm
Location: West Coast, USA

Re: Disk Encryption

#8 Post by eecon » Fri Mar 05, 2010 11:09 pm

Mike02906 .... there is a lot of confusion in this thread about Seagate's Full Disk Encryption and Hitachi's equivalent Bulk Disk Encryption drives.

Bottom line: FDE and BDE drives automatically and seamlessly use hardware-based encryption without any additional software or action on the part of the user. I have 4 of each brand and they benchmark the same as their twin non-FDE/BDE versions that only cost $15 to $20 less. You install an FDE/BDE drive identically to a non-FDE/BDE drive. An FDE or BDE drive will take a governmental agency about a year to partially decipher your AES 256 encrypted data on the disassembled device. Also, be sure to set a strong HDD password in BIOS .... otherwise the front door to your data is wide open (in both FDE/BDE and non-FDE/BDE drives).

And that's all I have to say about that.
Two - T61p 15.4" WS T9300 2.5Ghz units, August 2008 08/08 Builds + Nvidia FX570M GPUs, One - T42 15" Flexview 1.8GHz + ATI GPU for travel, Two - T500 15.4" T9600 & T9400 CPUs with ATI HD3650 GPUs, One - Stupidly Fast W520 15.6" i7-2860QM + Nvidia 2000M GPU + Series 3 Dock w/USB 3.0
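
Several replies above stress that the BIOS hard disk password has to actually be set, on FDE/BDE and ordinary drives alike. As an added example (not posted by anyone in this thread), the Python below parses the `Security:` section that `hdparm -I` prints on Linux and reports whether the ATA password is enabled; the sample text is constructed and the function names are illustrative.

```python
# Added example: read ATA Security flags from `hdparm -I` text (Linux).
# The sample below is constructed for illustration, not captured from a drive.
SAMPLE_PASSWORD_SET = (
    "Security:\n"
    "\tMaster password revision code = 65534\n"
    "\t\tsupported\n"
    "\t\tenabled\n"
    "\tnot\tlocked\n"
    "\t\tfrozen\n"
    "\tnot\texpired: security count\n"
    "\t\tsupported: enhanced erase\n"
)
SAMPLE_NO_PASSWORD = SAMPLE_PASSWORD_SET.replace("\t\tenabled", "\tnot\tenabled")

FLAGS = ("supported", "enabled", "locked", "frozen")


def parse_ata_security(text):
    """Return {flag: bool} for the flags listed under 'Security:'."""
    state, in_section = {}, False
    for line in text.splitlines():
        if line.strip() == "Security:":
            in_section = True
            continue
        if not in_section:
            continue
        if line and not line[0].isspace():
            break  # an unindented line starts the next section
        words = line.split()
        if not words:
            continue
        negated = words[0] == "not"
        flag = words[1] if negated and len(words) > 1 else words[0]
        # "supported: enhanced erase" carries a trailing colon, so it is skipped
        if flag in FLAGS and flag not in state:
            state[flag] = not negated
    return state


def assess(text):
    """Classify the drive: 'unsupported', 'no-password' or 'password-set'."""
    state = parse_ata_security(text)
    if not state.get("supported"):
        return "unsupported"
    # 'password-set' means the access lock is on; it does not by itself show
    # that the data is encrypted (that needs an FDE/BDE model).
    return "password-set" if state.get("enabled") else "no-password"


if __name__ == "__main__":
    import sys
    print(assess(sys.stdin.read()))
```

To check a real drive, pipe the output of `hdparm -I /dev/sdX` (run as root; `/dev/sdX` is a placeholder) into the script.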

Wiz
Junior Member
Posts: 474
Joined: Sat May 13, 2006 6:07 am
Location: Norway

Re: Disk Encryption

#9 Post by Wiz » Sat Mar 06, 2010 5:46 am

eecon wrote: Mike02906 .... there is a lot of confusion in this thread about Seagate's Full Disk Encryption and Hitachi's equivalent Bulk Disk Encryption drives.

Bottom line: FDE and BDE drives automatically and seamlessly use hardware-based encryption without any additional software or action on the part of the user. I have 4 of each brand and they benchmark the same as their twin non-FDE/BDE versions that only cost $15 to $20 less. You install an FDE/BDE drive identically to a non-FDE/BDE drive. An FDE or BDE drive will take a governmental agency about a year to partially decipher your AES 256 encrypted data on the disassembled device. Also, be sure to set a strong HDD password in BIOS .... otherwise the front door to your data is wide open (in both FDE/BDE and non-FDE/BDE drives).
Isn't this basically the same as already said about FDE in this thread? I didn't really see that confusing part.

eecon
Senior Member
Posts: 706
Joined: Sat Jul 14, 2007 6:58 pm
Location: West Coast, USA

Re: Disk Encryption

#10 Post by eecon » Sat Mar 06, 2010 8:40 pm

Wiz wrote: Isn't this basically the same as already said about FDE in this thread? I didn't really see that confusing part.
I was referring to Superego's inaccurate post ..... specifically, the first sentence.

I should have better clarified my statement .... sorry.
Two - T61p 15.4" WS T9300 2.5Ghz units, August 2008 08/08 Builds + Nvidia FX570M GPUs, One - T42 15" Flexview 1.8GHz + ATI GPU for travel, Two - T500 15.4" T9600 & T9400 CPUs with ATI HD3650 GPUs, One - Stupidly Fast W520 15.6" i7-2860QM + Nvidia 2000M GPU + Series 3 Dock w/USB 3.0

Wiz
Junior Member
Posts: 474
Joined: Sat May 13, 2006 6:07 am
Location: Norway

Re: Disk Encryption

#11 Post by Wiz » Sun Mar 07, 2010 9:57 am

eecon wrote: I should have better clarified my statement .... sorry.
No problem, I was just wondering if I said something wrong with regard to the FDE :)

loyukfai
ThinkPadder
Posts: 1085
Joined: Tue Aug 08, 2006 2:08 pm
Location: Hong Kong

Re: Disk Encryption

#12 Post by loyukfai » Sat Apr 17, 2010 12:30 pm

I did a quick search on 7K500 but didn't seem to find any BDE-enabled models available online, anyone...?

Cheers.

ThinkRob
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: Disk Encryption

#13 Post by ThinkRob » Sat Apr 24, 2010 6:36 pm

Eh.

Personally I'm fine with software FDE. LUKS has a pretty light performance impact, and I trust an open, well-reviewed implementation a lot more than a closed "hardware" implementation -- especially considering that there have been a number of "encrypted" drives that shipped with laughably-bad implementations.
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.

Current laptop: X1 Carbon 3
Current workstation: none

hts
Posts: 7
Joined: Mon Jun 19, 2006 1:22 pm
Location: Northern California

Re: Disk Encryption

#14 Post by hts » Thu Apr 29, 2010 9:57 pm

Are there any BDE/FDE solid state drives at this time? Has anyone had any experience using BitLocker on solid state drives? If so, were there any problems?

ThinkRob
Senior ThinkPadder
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: Disk Encryption

#15 Post by ThinkRob » Fri Apr 30, 2010 4:28 am

hts wrote: Are there any BDE/FDE solid state drives at this time? Has anyone had any experience using BitLocker on solid state drives? If so, were there any problems?
Can't say about BitLocker, but I've used LUKS on all my laptops, several of which have SSDs, with no problems whatsoever. The underlying storage tech. really doesn't make much of a difference.
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.

Current laptop: X1 Carbon 3
Current workstation: none

Wiz
Junior Member
Posts: 474
Joined: Sat May 13, 2006 6:07 am
Location: Norway

Re: Disk Encryption

#16 Post by Wiz » Fri Apr 30, 2010 9:30 am

hts wrote: Are there any BDE/FDE solid state drives at this time?
Lenovo has a 256GB SSD with FDE. Part no: 43N3417
Never tried it and don't know anything about this SSD either.

hts
Posts: 7
Joined: Mon Jun 19, 2006 1:22 pm
Location: Northern California

Re: Disk Encryption

#17 Post by hts » Sat May 01, 2010 3:23 pm

On April 28, Tom's Hardware put together an article comparing the performance of BitLocker and TrueCrypt using an Intel i5 CPU.

http://www.tomshardware.com/reviews/bit ... ,2587.html

In the comments several note that use of software encryption on SSDs is problematic due to the stated inability of the encryption software to pass through TRIM commands. As a result, performance is stated to rapidly decline on SSDs using software encryption.

After reading the article, a hardware encrypted drive seems a lot simpler.
