Which to use: Client Security or Vista BitLocker?

Posted: Sun Jun 01, 2008 9:38 pm
by jgrobertson
On a T60P with Vista 64.

Anyone have experience or inside knowledge about which is better for HD encryption, the Lenovo/IBM Client Security or the Vista BitLocker?

What about the fingerprint reader. Can that be used with BitLocker or does it need Client Security?

Posted: Sun Jun 01, 2008 10:28 pm
by SHoTTa35
I don't think CSS does disk encryption unless I just missed that. The usual comparison is between BDE (Bulk Disk Encryption) drives or BitLocker. If you have the support then people say BitLocker works as it should. The TPM does its job and it's always in the machine, so it's almost foolproof.

It would be sweet if you could use your fingerprint as the key instead of a cryptographic key that you gotta backup. Maybe they are working on that.

Posted: Mon Jun 02, 2008 12:14 pm
by hellosailor
jg-
If you ordered your Thinkpad with the TPM chip and the fingerprint reader, my understanding is that this blocks drive access at the hardware level and even if someone physically has access to your hard drive, they cannot access it by a brute force (dictionary) attack.
But Bitlocker apparently CAN be defeated if someone actually has your drive, they can attack the password store and crack the password.

There was a bit of a fuss last month when it was disclosed that MS has been distributing a forensic package (from a third party vendor, formerly free now sold) to law enforcement agencies which is capable of cracking many encryptions, including Bitlocker.

"Using an external USB drive, the authors were able to identify and extract the key and mount a BitLocker-encrypted volume in about 25 minutes."
http://arstechnica.com/news.ars/post/20 ... -hack.html

From what I can see, if you have both--use both. They work in different ways and the combination should add security.

Posted: Mon Jun 02, 2008 6:59 pm
by jgrobertson
I am a bit confused now. I thought CSS did a full HD encryption. If so, is the key stored in the TPM chip? I am at the Techno Security conference and I asked a vendor who claimed to be able to crack ALL passwords if they could get into the TPM and they said no.

Posted: Mon Jun 02, 2008 8:36 pm
by hellosailor
I'm not sure, jg. I'm first digging into what the chip will or won't do, but so far I'm hearing that it is more secure than Bitlocker.

http://www.scmagazineus.com/Hard-encryp ... le/107192/

The answer seems to be both yes and no, depending on who you ask and how they qualify using the tpm chip.

Posted: Mon Jun 02, 2008 9:56 pm
by SHoTTa35
I thought BitLocker used the TPM to do its job. Not just some software encryption? Unless it has both in some form, where if you are using Ultimate and your machine doesn't have a TPM it just does it using software, but with the TPM it just interfaces with it to get the job done?

Posted: Mon Jun 02, 2008 10:45 pm
by hellosailor
AFAIK Bitlocker does not use the TPM but uses software encryption and keeps the keys on the new partition it creates, making them susceptible to brute force attacks.

I've been trying to get a few hours to sit down and come up to speed on all this, but SOMEthing always gets in the way.

Posted: Tue Jun 03, 2008 12:37 pm
by SHoTTa35
Here's how it works. Bitlocker is a hardware-backed encryption feature that protects an entire hard drive from being hacked. It integrates with a TPM 1.2 chip and leverages a 128-bit or 256-bit AES encryption algorithm. (You can optionally use Bitlocker on non-TPM systems as well, but in such a case you must supply a USB memory key or an alphanumeric password in order to access the system.) Bitlocker interacts with TPM-enabled systems and is thus secure even during the boot-up process when used in conjunction with TPM. (On non-TPM systems, Bitlocker cannot guarantee boot file integrity.)
http://www.winsupersite.com/showcase/wi ... locker.asp

So that's weird you say it stores it on the same partition. As far as I remember the above is correct. If you don't have a TPM you store your key on a USB drive or something. Did that get changed recently or did I miss something?
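To make the disagreement in this thread concrete (whether BitLocker "keeps the keys on the partition" or relies on the TPM), here is an added toy model of BitLocker's key hierarchy. It is illustration code written for this page, not Microsoft's implementation: AES is replaced by an HMAC-SHA256 keystream and the 48-digit recovery-password stretch by PBKDF2 so it runs with the standard library only. What it shows is that the on-disk metadata holds the volume master key (VMK) only in wrapped form, once per protector, so the TPM-wrapped copy is useless without the same TPM and the same boot measurements, while the recovery-password copy is the one an offline attacker can guess against.

```python
import hashlib
import hmac
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for AES: XOR with an HMAC-SHA256 keystream (model only).
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)
def wrap(kek: bytes, secret: bytes) -> tuple:
    # Encrypt a key under a key-encrypting key and tag it so a wrong key is detected.
    nonce = os.urandom(16)
    ct = _xor_stream(kek, nonce, secret)
    return nonce, ct, hmac.new(kek, nonce + ct, hashlib.sha256).digest()
def unwrap(kek: bytes, blob: tuple):
    nonce, ct, tag = blob
    if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong protector key, or tampered blob
    return _xor_stream(kek, nonce, ct)

class ToyTPM:
    # Models a TPM that releases a sealed key only if boot measurements (PCRs) match.
    def __init__(self):
        self._root = os.urandom(32)  # never leaves the chip
    def _kek(self, pcrs):
        return hmac.new(self._root, "|".join(pcrs).encode(), hashlib.sha256).digest()
    def seal(self, key, pcrs):
        return wrap(self._kek(pcrs), key)
    def unseal(self, blob, pcrs):
        return unwrap(self._kek(pcrs), blob)
def recovery_kek(password48: str, salt: bytes) -> bytes:
    # Stand-in stretch of the 48-digit recovery password (BitLocker uses its own SHA-256 loop).
    return hashlib.pbkdf2_hmac("sha256", password48.replace("-", "").encode(), salt, 50_000)
def create_volume(tpm, pcrs, recovery_password):
    # On-disk metadata: FVEK wrapped by the VMK, and the VMK wrapped once per protector.
    fvek, vmk, salt = os.urandom(32), os.urandom(32), os.urandom(16)
    meta = {"fvek": wrap(vmk, fvek), "tpm": tpm.seal(vmk, pcrs),
            "recovery": (salt, wrap(recovery_kek(recovery_password, salt), vmk))}
    return meta, fvek
def open_volume(meta, tpm=None, pcrs=None, recovery_password=None):
    # Try the TPM protector first, then the recovery password; return the FVEK or None.
    vmk = tpm.unseal(meta["tpm"], pcrs) if tpm is not None else None
    if vmk is None and recovery_password is not None:
        salt, blob = meta["recovery"]
        vmk = unwrap(recovery_kek(recovery_password, salt), blob)
    return unwrap(vmk, meta["fvek"]) if vmk is not None else None
```

A tampered boot chain (different PCR values) or a different TPM chip cannot release the VMK, which is the property the thread attributes to "using the TPM"; the recovery password path is the one that has to be protected by its length.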

Posted: Tue Jun 03, 2008 7:00 pm
by crashnburn
I know someone who disabled TP disk encryption and it takes them LOADS of time just to boot up.

Posted: Wed Jun 04, 2008 7:11 am
by jgrobertson
A lot of inconsistent information here. The quote in the second message above is from a 2006 article. So I am still not clear. Again the original question was about the comparison between CSS and BitLocker. Does CSS also encrypt the HD with the key in the TPM?

Posted: Wed Jun 04, 2008 7:16 am
by jgrobertson
Another question comes up about the reported situation where the US Government found that Lenovo had designed a back door into Thinkpads such that when the blue Thinkpad (ThinkVantage) button is pushed, communication is established with a server in China and data is uploaded. This was treated as espionage and the Government reportedly no longer used Lenovo.

If all of this is true, then I presume that the encryption from Lenovo, CSS, would also be unsafe and that the encrypted data would be available to the Chinese Government.

Any information on this?

Posted: Wed Jun 04, 2008 10:47 am
by Dead1nside
Wow, that's paranoid, jgrobertson. I didn't think they actually found any evidence of espionage such as this. If you want to keep your information secure, just use TrueCrypt or an encrypted file system on Linux.

Posted: Wed Jun 04, 2008 2:02 pm
by hellosailor
I'm learning more every time I get a chance to wade through more hits on Bitlocker. Apparently, IF your system has a TPM v.1.2 then Bitlocker will work with it--if you set it up to do so. And if you do, then Bitlocker is supposedly invulnerable. (If you don't, you need an external USB stick or something else to use as a "key" to access the machine.)

On the other hand, Windows system updates CANNOT be installed routinely; you must disable/decrypt the system before installing them. That sounds like a great way to "oopsie" and trash the system for most users. I'd want to stick a post-it note on my screen reminding me to disable updates and disable MS's clever way of continually RE-enabling them with each new SP.<G>


jg, you can't be too paranoid in this day and age, but rumours and 'reports' that don't cite a primary source and don't cite anything you can look at and confirm or refute are just internet fearmongering. Terrorism under another name.


Lenovo's Client Security Solution? More research to do! But after seeing how easily mainstream drivers, AV software, updates and the like can hose a Vista system, I'm frankly AFRAID of anything that might make recovery harder. [censored] if you do, [censored] if you don't. SNAFU.

Posted: Sun Dec 14, 2008 6:42 pm
by khaverblad
jgrobertson wrote: I am a bit confused now. I thought CSS did a full HD encryption. If so, is the key stored in the TPM chip? I am at the Techno Security conference and I asked a vendor who claimed to be able to crack ALL passwords if they could get into the TPM and they said no.

No, CSS does NOT by itself do full disk encryption; it's an optional feature that you can provide by using SafeGuard Easy (among others). But using SafeGuard Easy you will get support to use the fingerprint scanner to log in.

The TPM chip has a generator that generates random numbers. SafeGuard Easy uses this mechanism to generate session keys and random keys. The TPM chip is also used to bind a hard disk to one specific TPM. If the hard disk is stolen, it can no longer be used in any other computer, even if the password is known.