Thinkpads Forum

Hello,

I need as many encryption as possible in my t4110 2518 4ju.

I have bought Agility 3 and in my opinion it is a slow disk - I dont know, may be this specific item was defective, but I want to buy new ssd which will cover my needs -

performance

encryption - it is most important.

Should I use software encryption? Iwould like to encrypt data to be unreadable when I will forgot key.

Did anyone uses 120GB Corsair Force Series 3, 2.5" SSD, SATA III - 6Gb/s ?

Please tell me what should I buy, I have limited time to choose now (

thank you

Crucial M4 supports encryption and its one of the faster/fastest drive available currently

Samsung 830 also supports aes 256 and also rated faster/fastest drive available currently
http://www.samsung.com/us/business/oem- ... erview.pdf

rychuu wrote:... encryption - it is most important. ... Should I use software encryption?

Probably not! You may be interested in the following short thread on encryption options:
http://forum.thinkpads.com/viewtopic.ph ... de#p655039

Thank you for your replies,

Crucial M4 supports encryption and its one of the faster/fastest drive available currently

Nice! What does it mean 'supports encryption' ? What should I have additionaly of the Crucial m4 ssd and Lenovo t410? Will I need any specific software?

rychuu wrote:... Crucial M4 ... What does it mean 'supports encryption' ?

I have no idea what that means! It is NOT a self-encrypting drive, so it is meaningless to say that it "supports encryption". Here is the spec sheet:
http://www.crucial.com/pdf/Tech_specs-l ... online.pdf

It supports encryption in the way all drives ever manufactured support encryption, i.e., you can encrypt the data before you send the data to the drive to be written. The drive does not care what it is writing, so in that sense, it supports writing of previously-encrypted data ... but the drive is not encrypting itself the plaintext data.

thank you for yourr fast reply

could you tell me which software shoudl I use wiuth Crucial M4?

Did you try any of the suggestions I gave you on the other thread about speeding up the Agility 3? Try doing a secure erase using Parted Magic. It works wonders for fixing speed issues. Disable the pagefile if you have enough RAM. Disable AirBag. Even with the drive benchmarking lower than drives that are similar, do you really notice it being slow? With the numbers you posted, the machine should still be lightening quick.

If I was getting a non-Sandforce drive, the only one I would consider would be the Samsung 830. It doesn't have the sustained write performance of the Sandforce drives, but that doesn't really matter to most people.

Crucial m4 has been nothing but problems from the beginning. First there was the 5000 hour bug that caused nightmares for a lot of people. Once that was fixed, they still can't seem to get the firmware right. The latest firmware causes BSOD for a lot of users and downgrading back to the old 0309 firmware seems to be the only fix.

When it comes to software encryption, I think TrueCrypt is one of the best available.

When deciding on encryption methods, ask yourself a couple questions. How much is my data worth if I had to pin a dollar figure on it? Who are you trying to protect your data from? People at rival corporations or just family/friends? State or Federal police agencies or foreign nations? Different situations require different levels of security. How likely is the person you are worried about to be successful with something like a cold boot attack? If you physically leave the area where your laptop is powered on, perhaps Bitlocker would be a better choice. All the info is already out there, you just need to search.

(sorry I just noticed that you are in Poland, change the words State/Federal/dollar to your relevant equivalents)

jayton4 wrote:... TrueCrypt is one of the best available. ...

+1. [Importantly, it is open-source, "safe" from backdoors.]

@rychuu: If you really need encryption, as you stated, then forget software solutions and get a self-encrypting drive. All software solutions for full drive encryption are far inferior, in multiple ways, to hardware-based full drive encryption.

Get the Intel 520 or 330.
I own one for T510 and they have built in AES-128...

The Intel 520 was supposed to have AES-256 but it doesn't... AES-128 is still decent.


Using Truecrypt or other software method supposedly ruins the performance of your SSD by a lot

jayton4 wrote:Did you try any of the suggestions I gave you on the other thread about speeding up the Agility 3?

Yes, now I'm llooking good encryption possibiities.

Try doing a secure erase using Parted Magic. It works wonders for fixing speed issues. Disable the pagefile if you have enough RAM. Disable AirBag. Even with the drive benchmarking lower than drives that are similar, do you really notice it being slow? With the numbers you posted, the machine should still be lightening quick.

Yes, I know, Currently I am using three yaer old, overloaded system (w7 pro x64). I have thought that after installation new sys on ssd speed increases a lot. But in my earlier case speed increase a bit only. Numbers wasnt nice also.

If I was getting a non-Sandforce drive, the only one I would consider would be the Samsung 830. It doesn't have the sustained write performance of the Sandforce drives, but that doesn't really matter to most people.

But Agility 3 is Sandforce drive? I have hear that yes.
As I understand from your message here Sandforce technology should ensure more stability and keeps data longer?

When it comes to software encryption, I think TrueCrypt is one of the best available.

Thank you. Should I install it before Windows? How? Maybe immediately after fresh windows installation? Did this SW encrypt /windows and /users catalogs?

How much is my data worth if I had to pin a dollar figure on it?

a lot of

Who are you trying to protect your data from? [/quote[
People at rival corporations or just family/friends? State or Federal police agencies or foreign nations?

Before everyone.
I am obsessed man and I 'm affraid of everything - from competition /rivals to the police.

Different situations require different levels of security.

yes, so I need to have drive:
-not readable /accessible without my authorization
-not readable in other device/case/similar computer

How likely is the person you are worried about to be successful with something like a cold boot attack?

Are you asking for accessing my computer in authorized location? E.g. when I will go outside? Sorry for misunderstanding

Did you talking abouyt If you physically leave the area where your laptop is powered on, perhaps Bitlocker would be a better choice. All the info is already out there, you just need to search.

Not all important informations exactly for my specific case. So, I am asking you, good people, for help. Thank you

(sorry I just noticed that you are in Poland, change the words State/Federal/dollar to your relevant equivalents)

absolutely no problem, I know US reals.

EOMtp wrote:+1. [Importantly, it is open-source, "safe" from backdoors.]

Did this mean that encryption from TrueCrypt could be totally unreadable? ( without authorization )

waterloo wrote: Using Truecrypt or other software method supposedly ruins the performance of your SSD by a lot

Thank you for this information ! It is important info ! What will be performance on hardware encrypted drives? Did HW encryption can be usable in my situation?

Thank you for helping,
Sorry for my English
Sorry, I know, that I'm difficult
No problem, I know US standards

Why are software solutions far inferior than hardware ones?

Cheers.

loyukfai wrote:Why are software solutions far inferior than hardware ones?

I think the "inferiority" is mainly focused on performance. Proper software encryption will protect your data very well.

Hardware encryption is seen as superior because there is a purpose built, dedicated chip (on your hard disk, SSD, add-on card or motherboard) that encrypts and decrypts your bits on the fly.

Usually, software encryption simply uses your CPU to encrypt. This places a performance strain on the system whenever you are reading or writing data, because your CPU needs to decrypt/encrypt ever single bit you are dealing with, as well as running the normal functions of your software. I believe that some of the newer Intel Core series CPUs have some special acceleration instructions, but software based encryption is usually slower than hardware encryption.

loyukfai wrote:Why are software solutions far inferior than hardware ones?

Primarily because the integrity of the data/drive (depending on what is being encrypted: file, partition, or drive), depends on flawless software operation. Software failures, not limited to the encryption software, will occur which can render the entire file/drive unreadable and inaccessible, but no such "additional" risk exists with hardware-based encryption, i.e., for the purposes of this discussion, the failure rate of a self-encrypting drives is no higher than the failure rate of non-self-encrypting drives.

Ideally, one wants to eliminate software as a point of failure. The preference for hardware-based encryption is not so much for performance, as it is for encryption which is "bulletproof"/softwareproof/idiotproof/failureproof.

Consider the following: If one is intent on using software encryption, then the best approach would be to use TrueCrypt on top of a self-encrypting drive, i.e., regardless of the need for encryption, there is no technical reason to have anything other than a self-encrypting drive!

Wait, isn't those firmware inside those "hardware" self-encrypting drives is in effect "software" as well?

Logic error can exist in hardware (ever heard of errata/erratum?), software and for that matter, firmware.

So are you saying open source software like TrueCrypt, is inherent less reliable than closed source software developed in-house?

Cheers.

loyukfai wrote:Wait, isn't those firmware inside those "hardware" self-encrypting drives is in effect "software" as well?
Logic error can exist in hardware ...

The concern is not logic errors, but rather failures in spite of correctly implemented correct logic.

Yes, firmware is "software", but it is also categorically different. Firmware/microcode has been part of hardware since the mid-1970s -- CPUs are microcoded, "coded" DSP (Digital Signal Processing) algorithms are ubiquitous in every cell phone, camera, modem, everything! ... but no one thinks of that as "software". Famously, many years ago, Intel had an error in the microcode of the 386 chips in a table-driven algorithm for computing floating point operations, and millions of chips were recalled. Once in 30+ years!

Software that runs in the RAM of the machine, like TrueCrypt, is a whole other species, dependent for stability on an entirely different "ecosystem" ... and, for that reason, hardware -- with all its embedded microcode/firmware -- is categorically different than software that a users runs in RAM.

loyukfai wrote:So are you saying open source software like TrueCrypt, is inherent less reliable than closed source software developed in-house?

TrueCrypt may or not be bulletproof -- it does not matter to this discussion. What matters is that the environment in which it "lives" makes its operation less reliable. The reliability concern comes from its operating environment, not from who developed it.

There are many more errata than that, just that most of them aren't bad enough to warrant a recall.

Whether you think firmware is or is not a kind of software is irrelevant, because it consists, after all, circuits and program codes, which are designed and coded by humans, and humans make errors.

The question at stake, is the quality of the designs/codes, and judging by the past records of many commercial companies, I find your confidence in them making reliably secure hardware... Amusing.

If you ask me, commercial companies, in general, have shown a worse history of implementing proper security than dedicated open source hackers. But that's my opinion and you don't have to agree with me.

It's true that a closed system has less variables to deal with and possibly less vulnerable points. However, it does not automatically make a closed system inherently more secure.

Again, given various shortfalls/oversights reported, like the TPM in ThinkPads, DVD/Bluray DRM... I just perhaps don't have as much confidence in the companies as you.

At the same time, I don't think most, if any, of us here need to be that paranoid and concerned about this, at all.

In fact, I'm inclined to recommend a hardware solution (i.e. FDE drives), but for other reasons than being "just more secure", and it really depends on the situations.

Cheers.

loyukfai wrote:In fact, I'm inclined to recommend a hardware solution (i.e. FDE drives), but for other reasons than being "just more secure"

It is not that it is "more secure" -- let's stipulate that "hardware" and "software" implementations are equally secure. It is that "hardware" encryption is demonstrably more RELIABLE.

Simply put, one can easily contrive an operating scenario, unrelated to hardware failures, in which TrueCrypt (or similar software) fails, through no fault of its own, with catastrophic effects on the encrypted data file or partition. No such scenario has any effect on data integrity on a self-encrypting drive.

Note that nobody ever asks if hardware encryption is less reliable than software encryption -- the question is always the other way around, and for good reason.

EOMtp wrote:Simply put, one can easily contrive an operating scenario, unrelated to hardware failures, in which TrueCrypt (or similar software) fails, through no fault of its own, with catastrophic effects on the encrypted data file or partition. No such scenario has any effect on data integrity on a self-encrypting drive.

I cannot at the moment, please enlighten me.

Cheers.

loyukfai wrote:... please enlighten me.

Self-encrypting drives require no user interaction, whereas software encryption requires explicit user action -- that alone decreases reliability. "Software" implementations are necessarily more complex code-wise than "hardware" implementations of the same algorithm, and higher complexity means lower reliability. Software implementations are higher up the computational food chain than hardware implementations, i.e., software is dependent on a whole lot more "going right" ... you get the idea!

However, this debate on the relative reliabilities of algorithms implemented in "hardware" vs. "software" has run its course, and is not relevant to this thread. Let's take this discussion off-line if you want further clarification. Otherwise, just ask yourself how many times in a year do you need to reboot your machine due to a transient hardware glitch vs. a transient software glitch ... the answer leads to enlightenment.

EOMtp wrote:Self-encrypting drives require no user interaction, whereas software encryption requires explicit user action -- that alone decreases reliability.

It's my understanding that many software encryption products are set-and-forget, including but not limited to TrueCrypt and BitLocker. In that sense, there's really no difference, you also have to do the initial setup with FDE drives.

EOMtp wrote:"Software" implementations are necessarily more complex code-wise than "hardware" implementations of the same algorithm, and higher complexity means lower reliability.

Again, all this software and hardware are coded and designed by humans who make mistakes from time to time. I can also make a counter argument that, software problems are easier to correct than hardware ones. Let's say, the chance of A) BitLocker is found to be defective in design or implementation, and Microsoft pushing out an update to fix the problem, is probably higher than B) an FDE drive is found to be the same, and the maker replacing the drives that are already on the market.

EOMtp wrote:Software implementations are higher up the computational food chain than hardware implementations, i.e., software is dependent on a whole lot more "going right" ... you get the idea!

No, I do not. What I'm saying is that, be it software or hardware, such system is complex enough that simply saying one is better than the other is simply... Naive. There are reasons that I'd prefer FDE drives than software solutions, but it's not that they're more "reliable". Convenient? Perhaps, but convenient often goes against security.

Also, what kind of "reliability" are we actually talking about? It seems that we're talking about different aspects of "reliability"... Is it reliability in the sense of avoiding human errors? Is it reliability from something goes wrong in the algorithm or implementations in itself?

EOMtp wrote:However, this debate on the relative reliabilities of algorithms implemented in "hardware" vs. "software" has run its course, and is not relevant to this thread. Let's take this discussion off-line if you want further clarification. Otherwise, just ask yourself how many times in a year do you need to reboot your machine due to a transient hardware glitch vs. a transient software glitch ... the answer leads to enlightenment.

I think we're talking about choosing a solution, and if a hardware solution is not (necessarily) better than a software solution, why pay for the extra (if any) and go to the length to specifically find an FDE drive?

But I understand the futility of such discussions, you know, it would be of epic scale of fun when one goes the length to research, choose and adopt a solution, and then he/she backs up his/her data unencrypted to an external drive and then it's stolen...

Obligatory xkcd: http://xkcd.com/538/

I rest my case.

Cheers.

loyukfai wrote:... choose and adopt a solution, and then he/she backs up his/her data unencrypted to an external drive and then it's stolen...

Totally agree! Exactly my point: One should own ONLY self-encrypting drives. And if every drive that a person owns is a self-encrypting drive, then there is no such worry ... all backups automatically become self-encrypting!

loyukfai wrote:Obligatory xkcd:


I rest my case.

Yes, that's funny! ... HOWEVER ... a self-encrypting drive can be easily, instantly, permanently, and irreversably "erased" by changing its encryption key ... and once the owner does that, Oops! There is no wrench large enough to overcome that situation! Not true for software encryption. Now I rest MY case. (... but somehow, I suspect this is not the end! )

EOMtp wrote:Yes, that's funny! ... HOWEVER ... a self-encrypting drive can be easily, instantly, permanently, and irreversably "erased" by changing its encryption key ... and once the owner does that, Oops! There is no wrench large enough to overcome that situation! Not true for software encryption. Now I rest MY case. (... but somehow, I suspect this is not the end! )

wow, thank you for nice discussion, your advices, etc

so, that better solution for me will be buying self encrypting SSD drive ? Will be faster than normal unencrypted hdd?

Could anyone confirm how Intel 330 or 520 works in t410 25184ju? I would like to know how I will be authorised that I am owner.

rychuu wrote:... self encrypting SSD drive ? Will be faster than normal unencrypted hdd? ... I would like to know how I will be authorised that I am owner.

Hardware encryption does not affect drive speed in present drives, because the bottleneck is the speed of the data storage chips, not the encryption engine. You are the "owner" if you know the HDD Password, which can be set via the BIOS.

the bottleneck is the speed of the data storage chips,

What you can tell about Intel QM57 chipset in Lenovo t410 ? What speed should I expect?

You are the "owner" if you know the HDD Password, which can be set via the BIOS.

Ok, what in situation when I resume computer after hibernation? There is only windows logon which can be broken in simple way...

rychuu wrote:1) What you can tell about Intel QM57 chipset in Lenovo t410 ?
2)... when I resume computer after hibernation? There is only windows logon ...

1) Nothing outside the drive has anything to do with the drive's self-encryption function.
2) Incorrect -- resuming from Hibernate is a "power-on" operation, which requires the HDD Password if it was set.

Perhaps something like the Kingston SKC100S3B may be what you are looking for. There are no reviews or benchmarks out there for such drives, so figuring out the performance numbers would have to be trial and error. Since your data is worth so much, money should not be any object in finding the best solution, and you may want to try out several different SED SSDs.

It sounds like you need an enterprise class solution. I once had a business partner who's company used an enterprise level encryption system company wide. He had a little device on his key ring that would display rolling keys. After a certain number of minutes, he had to enter in whatever key that was displayed on the keyring device. That way, if the encryption key ever was broken, that key would no longer be valid a short time later.

It sounds like you need an enterprise class solution. I once had a business partner who's company used an enterprise level encryption system company wide. He had a little device on his key ring that would display rolling keys. After a certain number of minutes, he had to enter in whatever key that was displayed on the keyring device. That way, if the encryption key ever was broken, that key would no longer be valid a short time later.

You are writing about solution with usage token device - something like in bank authorization.

i would like to got the encryption which will make my ssd unreadable when any other situation happen than normal, my usage.

I have started to think seriously about intel 330 ssd. Is it worst than Intel 520 in encryption technologies? Someone on this forum wrotes that 520 not work good with 256bit encryption.

What determines how many bit is encryption ?

I ve got Intel 520 - what should I do with it?