Advantage of Bitlocker over Thinkpad's password protections?

Posted: Sun Jun 26, 2016 11:20 am
by book193
Is there an advantage to using Bitlocker over just using the Thinkpad's built-in 3 levels of password protection (logon, bios, hard drive)? Thanks to all.

Re: Advantage of Bitlocker over Thinkpad's password protections?

Posted: Sun Jun 26, 2016 12:13 pm
by BillMorrow
hello and welcome to the forum..

i've heard of bitlocker but never used it..
BUT, the built in protections on a thinkpad have, in the past, been pretty hard to break..
AFAIK impossible..
there are a LOT of locked hard drives and system boards in the garbage world wide for lack of the correct password..

in my mind it all depends on what you are protecting and from whom..

if it is that confidential then both might allow you to sleep at night..

Re: Advantage of Bitlocker over Thinkpad's password protections?

Posted: Sun Jun 26, 2016 12:22 pm
by book193
Many thanks.

Re: Advantage of Bitlocker over Thinkpad's password protections?

Posted: Sun Jun 26, 2016 12:32 pm
by Puppy
Good and complex question. BIOS password protection is weak and does not protect data on the drive, just access to BIOS settings, no more. The hard drive password (known as the HDD ATA password) is more secure but does not encrypt data on the drive unless a special hard disk with hardware encryption is used (known as FDE drives). This is what BitLocker solves: full data encryption on every hard disk. The con is that BitLocker usage is more complex for users because in some scenarios it has to be temporarily turned off (a BIOS update, for instance). In case of drive failure, data recovery is also complicated or rather impossible on such an encrypted drive; regular backups are mandatory. I'd recommend it for corporate or advanced users. It provides the best level of security.

There is also another option with modern SSDs. The good old hard drive password can be used with modern SSDs as well. There is a bonus of encryption because all modern SSDs encrypt data by default even without using a password. The hard drive password provides better security there because it protects access to the drive and the data are also encrypted. More information here: http://forum.thinkpads.com/viewtopic.php?f=18&t=120972 This option is still not as secure as BitLocker but is enough for non-corporate customers.

Re: Advantage of Bitlocker over Thinkpad's password protections?

Posted: Sun Jun 26, 2016 12:58 pm
by RealBlackStuff
The other day I got a used SSD with Bitlocker, that wouldn't let me access the drive.
I was not interested in its contents anyway, but ~2 minutes with Parted-Magic cleared the drive completely for normal use.

Re: Advantage of Bitlocker over Thinkpad's password protections?

Posted: Sun Jun 26, 2016 1:32 pm
by Puppy
RealBlackStuff wrote: I was not interested in its contents anyway, but ~2 minutes with Parted-Magic cleared the drive completely for normal use.
Of course, it is software encryption. But the data were lost and inaccessible.

Re: Advantage of Bitlocker over Thinkpad's password protections?

Posted: Tue Aug 02, 2016 1:27 pm
by fencepost
If you're just a single user, the built-in options are likely just fine with an appropriate drive that supports encryption. If you're in an enterprise environment (Windows Domain, etc.) then Bitlocker can integrate with that to provide things like auditing (are all of the drives encrypted? great!), etc. The built-in stuff is also available if you're on Windows 7, where Bitlocker isn't unless you're on Windows 7 Ultimate or Enterprise. On Windows 8.1 or 10, Bitlocker is there on Pro as well.

If you're on Linux, you can use either the built-in stuff with an encrypting drive in which case the system won't boot without a password, or you can use an encrypting filesystem as appropriate, in which case how it works will vary by how you configure it.

Many but not all SSDs support AES-256 encryption, and you can use that with the ThinkPad hard drive password. Also consider using the SSD manufacturer's software. Note that it's mostly the higher-end SSDs (e.g. Samsung EVO and EVO Pro product line, etc.) that support encryption - if the specs for the drive don't mention AES, there's no encryption. Traditional hard drives with encryption support are also available, but I believe not all that common.

Last time I looked in 2015, my notes for encrypting drives were:
Samsung 840 & 850 drives (EVO and PRO)
Crucial MX100 and MX200, but NOT BX100
Sandisk X300s
Kingston KC300
OCZ ARC 100
OCZ Radeon R7
OCZ Vector 180
PNY CL4111
Intel 520 series (128-bit only? Old model)
Intel 530 series (old)
Intel 535 series
Intel 730 series

NOTE: The BIOS also has to support drive encryption! Or be Win8 and higher.
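
An added example, not code from any poster in this thread: the audit question raised above ("are all of the drives encrypted?"), together with the suspended state BitLocker is left in when it is temporarily turned off, written as a PowerShell check. Property names follow the objects returned by Get-BitLockerVolume; the function name Get-EncryptionFinding and the sample volumes are constructed for illustration.

```powershell
# Added example. Property names match Get-BitLockerVolume output;
# Get-EncryptionFinding and the sample volumes are constructed for illustration.
function Get-EncryptionFinding {
    param([Parameter(ValueFromPipeline = $true)] $Volume)
    process {
        $issues = @()
        if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
            $issues += "volume status is $($Volume.VolumeStatus)"
        }
        # Protection reads Off while BitLocker is suspended (e.g. for a BIOS update).
        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            $issues += 'protection is off or suspended'
        }
        # Without a recovery password there is no fallback if normal unlock fails.
        $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        if ($types -notcontains 'RecoveryPassword') {
            $issues += 'no recovery password protector'
        }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Method     = "$($Volume.EncryptionMethod)"
            Compliant  = ($issues.Count -eq 0)
            Issues     = $issues -join '; '
        }
    }
}

# Constructed sample volumes, shaped like Get-BitLockerVolume objects.
$sample = @(
    [pscustomobject]@{
        MountPoint = 'C:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'On'
        EncryptionMethod = 'XtsAes256'
        KeyProtector = @(@{ KeyProtectorType = 'Tpm' }, @{ KeyProtectorType = 'RecoveryPassword' })
    },
    [pscustomobject]@{
        MountPoint = 'D:'; VolumeStatus = 'FullyEncrypted'; ProtectionStatus = 'Off'
        EncryptionMethod = 'Aes128'
        KeyProtector = @(@{ KeyProtectorType = 'Tpm' })
    },
    [pscustomobject]@{
        MountPoint = 'E:'; VolumeStatus = 'FullyDecrypted'; ProtectionStatus = 'Off'
        EncryptionMethod = 'None'; KeyProtector = @()
    }
)
$sample | Get-EncryptionFinding | Format-Table -AutoSize

# On a live system (elevated prompt): Get-BitLockerVolume | Get-EncryptionFinding
```

Only the constructed C: volume comes back compliant; D: is flagged as suspended with no recovery password, and E: as unencrypted.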