Will hardware Full Disk Encryption FDE work on my x61s?
Posted: Thu Nov 04, 2010 8:11 am
by CJR
After a colleague lost a laptop, I've decided that this is a warning to get serious about disk encryption on my machine. I was looking at two potential solutions - TrueCrypt and hardware-based FDE.
From looking on the Lenovo website, it seems like some Thinkpads support FDE, as long as the HDD password is set. But on the page where they list the BIOS extensions, they don't list the X series:
http://www-307.ibm.com/pc/support/site. ... MIGR-69621
and
http://www-307.ibm.com/pc/support/site. ... MIGR-68369
Does this mean that if I buy a FDE drive, that my X61s won't support it, or that it won't be encrypted if I set a HDD password in my BIOS?
Thanks in advance!
Re: Will hardware Full Disk Encryption FDE work on my x61s?
Posted: Thu Nov 04, 2010 1:34 pm
by EOMtp
CJR wrote:... or that it won't be encrypted if I set a HDD password in my BIOS?
Short answer: FDE will be active.
Longer answer: Data written to an FDE device is always encrypted -- there is no way to avoid it. The HDD password will control access to the drive, but the data on the drive will be encrypted regardless. What the X6x series will not support is the BIOS extensions which can be installed which let one change the FDE encryption key -- thus permitting the instant "erasure" of all the data on the FDE drive by changing one field in the BIOS.
Re: Will hardware Full Disk Encryption FDE work on my x61s?
Posted: Sun Nov 07, 2010 8:53 am
by CJR
Thanks, EOMtp. I think I understand it now. So it sounds like as long as I set a good enough HDD access password, my data's protected in case I lose my laptop, even if someone removes the drive from the machine. Sounds good and sounds like a "cleaner" solution than TrueCrypt, especially since I need a new, larger HDD anyway...
Re: Will hardware Full Disk Encryption FDE work on my x61s?
Posted: Mon Nov 08, 2010 9:26 am
by Woodenspoon
What's the performance hit?
Re: Will hardware Full Disk Encryption FDE work on my x61s?
Posted: Mon Nov 08, 2010 10:57 am
by EOMtp
Zero in today's drives (that may change in the future!), since the encryption/decryption process in FDE drives -- because it is performed using the drives' fast cache memories -- is not the bottleneck in the write/read bandwidth of either mechanical hard drives or solid state drives.
Re: Will hardware Full Disk Encryption FDE work on my x61s?
Posted: Mon Nov 08, 2010 11:50 am
by dr_st
EOMtp wrote:Longer answer: Data written to an FDE device is always encrypted -- there is no way to avoid it. The HDD password will control access to the drive, but the data on the drive will be encrypted regardless. What the X6x series will not support is the BIOS extensions which can be installed which let one change the FDE encryption key -- thus permitting the instant "erasure" of all the data on the FDE drive by changing one field in the BIOS.
So, if I have an FDE drive in my X61s, and don't set a hard drive password - the drive is always encrypted - but what is the encryption key? How do I set it? At what point am I required to enter it?
Re: Will hardware Full Disk Encryption FDE work on my x61s?
Posted: Mon Nov 08, 2010 2:17 pm
by EOMtp
dr_st wrote:So, if I have an FDE drive in my X61s, and don't set a hard drive password - the drive is always encrypted - but what is the encryption key? How do I set it? At what point am I required to enter it?
You cannot set the encryption key on an X6x; further, you never enter it directly -- it is "entered" only indirectly, by the drive's firmware, on your behalf, as follows:
(a) If there is no HDD password, then the drive's firmware automatically enters the encryption key whenever the drive is accessed (whether it is a factory default key or a key that has been set later, via BIOS extensions, by a user), and thus the data on the drive is always accessible. Note that if there is no HDD password, then there is no point in thinking that the drive is encrypted and consequently inaccessible, because decryption is automatic and always on.
(b) If there is an HDD password, then the drive's firmware permits access to the drive only if the HDD password has been entered correctly, and then the data encryption/decryption takes place using whatever encryption key was last set for the drive.
The only difference between, e.g., an X6x and an X200, with respect to FDE is that the X6x does not permit, but the X200 does permit, the installation of BIOS extensions which enable the user to set/change the encryption key ... and, consequently, cause the instantaneous "erasure" of all the data on the FDE drive.
The data security benefit of FDE drives, given that the HDD password is set, is the following:
"Brute force" reading of the bits from the "platters" of an FDE drive yields nothing useful since the platters of an FDE drive are always encrypted. On the other hand, the platters of non-FDE drives contain plaintext data, so these platters are open to "attack". Further, if one used a machine which permitted the setting of one's own encryption key for the FDE drive -- and one took care to set a cryptographically-strong key -- then only those capable of breaking 128-bit AES encryption would be able to "see" the plaintext data.
Re: Will hardware Full Disk Encryption FDE work on my x61s?
Posted: Tue Nov 09, 2010 12:33 am
by dr_st
OK, so I think I'm getting the process...
Setting the BIOS HDD password will make the drive inaccessible unless the correct key is entered.
Since the data is encrypted and only the firmware knows the key, attempts to bypass the firmware lock will fail, because brute force reading can only see the ciphertext, and attempting to transplant the platters into a similar FDE drive will not work, because the drives (hopefully) have different encryption keys in their firmware.
About the instantaneous "erasure" - I assume you mean that once the key is changed by the user, previous data is inaccessible, since the original key is only known to the firmware. Correct?
Re: Will hardware Full Disk Encryption FDE work on my x61s?
Posted: Tue Nov 09, 2010 9:15 am
by peter-h
I know there are countless commercial products which will encrypt a hard drive, etc, but what do the locals here consider the best option for encrypting a hard drive transparently i.e. using the password with which you log into windoze itself (XP)?
Re: Will hardware Full Disk Encryption FDE work on my x61s?
Posted: Tue Nov 09, 2010 11:48 am
by EOMtp
dr_st wrote:About the instantaneous "erasure" - I assume you mean that once the key is changed by the user, previous data is inaccessible ... Correct?
Yes, correct.
[Note: Even the firmware does not know the prior encryption key once the key has been changed!]
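An added example, not part of the thread or any poster's code: a toy Python model of the drive behaviour described above (platters always hold ciphertext, the HDD password only gates access, changing the key is an instant "erasure"). The names `ToyFdeDrive`, `_xor_stream` and `demo` are hypothetical, the sample data is constructed, and a SHA-256 keystream stands in for the drive's AES engine.

```python
import hashlib, hmac, os

def _xor_stream(key: bytes, lba: int, data: bytes) -> bytes:
    # Stand-in for the drive's AES engine (NOT real AES): SHA-256 keystream XOR.
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + lba.to_bytes(8, "big") + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class ToyFdeDrive:
    """Model of the behaviour described in the thread; real firmware is vendor-specific."""
    def __init__(self):
        self._key = os.urandom(16)   # encryption key, held only by the firmware
        self._pw = None              # HDD password digest; None = no password set
        self._locked = False
        self.platters = {}           # lba -> ciphertext, what a raw platter read sees
    def set_hdd_password(self, pw: str):
        self._pw = hashlib.sha256(pw.encode()).digest()
    def power_cycle(self):
        self._locked = self._pw is not None   # (a) no password: never locked
    def unlock(self, pw: str) -> bool:
        if self._pw and hmac.compare_digest(self._pw, hashlib.sha256(pw.encode()).digest()):
            self._locked = False
        return not self._locked
    def write(self, lba: int, data: bytes):
        if self._locked:
            raise PermissionError("drive locked")
        self.platters[lba] = _xor_stream(self._key, lba, data)
    def read(self, lba: int) -> bytes:
        if self._locked:
            raise PermissionError("drive locked")
        return _xor_stream(self._key, lba, self.platters[lba])
    def change_key(self):
        self._key = os.urandom(16)   # old key is discarded, not kept anywhere

def demo() -> dict:
    d, secret, r = ToyFdeDrive(), b"constructed sample data", {}
    d.write(0, secret)
    r["raw_is_ciphertext"] = d.platters[0] != secret
    d.power_cycle()
    r["no_password_readable"] = d.read(0) == secret      # case (a)
    d.set_hdd_password("constructed-passphrase"); d.power_cycle()
    r["wrong_pw_unlocks"] = d.unlock("guess")            # case (b)
    r["right_pw_unlocks"] = d.unlock("constructed-passphrase") and d.read(0) == secret
    d.change_key()
    r["readable_after_key_change"] = d.read(0) == secret  # instant "erasure"
    return r
```

Calling `demo()` returns a dict of booleans, one per claim in the thread; the ciphertext left on `platters` after `change_key()` is still there but no longer decrypts.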
Re: Will hardware Full Disk Encryption FDE work on my x61s?
Posted: Mon Nov 29, 2010 7:34 am
by CJR
An update:
I installed TrueCrypt 7.0a on my x61s, and it worked perfectly. I enter my password at boot, and at resume from hibernate, but everything seems to be working just fine.
I can't sense any performance impact, although the reviews I've read say that since it uses additional CPU cycles to encrypt and decrypt, there's a slight battery life penalty, but I don't see it yet.
I'm sure that when I upgrade I'll probably just buy a hardware FDE drive, but for now, this is a good solution, and puts my mind at ease if my laptop ever gets lost or stolen.