Laptop Security and Full Disk Encryption

T400/410/420 and T500/510/520 series specific matters only
jasonjason
Posts: 18
Joined: Mon Jun 07, 2010 12:40 pm
Location: Singapore

Laptop Security and Full Disk Encryption

#1 Post by jasonjason » Mon Jun 27, 2011 2:17 am

Hi guys, I've been wondering about this for a while, hope someone can point me in the right links or direction, as I didn't get too much searching on the forum.

Background
My last Thinkpad (T60) got stolen. I lost some critical and irreplaceable data that I had loaded on after the last backup. I was also worried about the data that I had on the HDD. Most important stuff was encrypted, but you never know what someone can dig out.

As a remedy, I signed up for a web backup service, and also opted for the FDE option in my T510.

My questions are as follows:
1. How do I check whether my HDD really is FDE?
2. If it is FDE, does it mean that if the laptop gets stolen, the thief will not be able to open up the HDD and manually read off the contents?
3. If my laptop gets stolen and the thief wants to crack the logon password, are there other forms of security I should be concerned about beyond setting a logon password and having FDE? Install Computrace etc?

As mentioned, although most of my important data on the laptop is encrypted (e.g. credit card, passport etc.), I'm still concerned about residual stuff that thieves could use, such as my email passwords in Outlook, bills, contact details etc.

Thanks for any help guys.

ThinkRob
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: Laptop Security and Full Disk Encryption

#2 Post by ThinkRob » Mon Jun 27, 2011 5:49 pm

If I were you I'd forget about FDE drives and just use software FDE like TrueCrypt or BitLocker. The former works on any machine, plus has a bunch of neat features that FDE drives don't.

Oh, and it's free. :)
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.

Current laptop: X1 Carbon 3
Current workstation: none

blackomegax
Junior Member
Posts: 405
Joined: Thu Jul 29, 2004 7:36 pm

Re: Laptop Security and Full Disk Encryption

#3 Post by blackomegax » Mon Jun 27, 2011 5:53 pm

But unlike BitLocker, which uses the security chip present in ThinkPads for hardware accel, or drive FDE which has its own chip in the drive, TrueCrypt is entirely unaccelerated and has zero tie-in to fingerprint readers.

ssd_thinkpad
Senior Member
Posts: 872
Joined: Mon Sep 22, 2008 4:45 am
Location: France Paris

Re: Laptop Security and Full Disk Encryption

#4 Post by ssd_thinkpad » Mon Jun 27, 2011 6:23 pm

If you care about speed:

1. There are drives with integrated data encryption like the Intel SSD 320. Data encryption does not change the speed of the drive.

2. All modern Intel chips starting from i2520 have special hardware acceleration for AES encryption. You have to use this encryption in your third-party program like TrueCrypt to benefit from the acceleration.

FragrantHead
Junior Member
Posts: 264
Joined: Mon Feb 28, 2005 4:13 pm

Re: Laptop Security and Full Disk Encryption

#5 Post by FragrantHead » Mon Jun 27, 2011 10:33 pm

I use Truecrypt for full disk encryption. You have to be clear about who you are trying to thwart and who you think stole your previous laptop. Were they organized crime, interested in your data, or were they merely thieves interested in the hardware value of your laptop? How much effort will they spend on retrieving data? If you want to be 100% sure that can't be done, here are a couple of points:

(1) Even though your most important data was encrypted, Windows temporarily writes out data that it has in memory to the so-called swap file on the disk. In general that file will only be encrypted, if you have full disk encryption. It could contain your credit card number unencrypted (how likely this is and how difficult to retrieve, I don't know). In my opinion partial encryption of a hard disk is never good enough for this reason.

(2) Disk encryption will only protect you if your password is good enough. Every encryption system these days touts having at least "military-grade" 128-bit or 256-bit AES encryption. That's good. As a rule of thumb, you need about 100 bits worth of encryption strength for something to be uncrackable now and in the immediate future, so you're covered with AES. However you will only get that strength, if your password contains at least 100 bits of entropy. For that to happen, you need a password that is at least 18 characters long. You'll get about 5.5 bits (read it in a study somewhere) of entropy per character. However you'll only get that much entropy if the password is completely random, containing uppercase and lowercase letters, digits and punctuation, with no discernable words embedded. These days everyone uses passwords, such as "Le0p4rd", that substitute digits for letters. Cracking programs can easily account for that. It makes things only a little more difficult. Also, at 7 characters, it's way too short.

The way to get a good password is by memorising a sentence and using the initial letters of each word as the password. For example "My son and daughter have black hair" could become "M5&dhb|". Note how 5 was substituted for the "s" of "son", "&" was substituted for "and" and the vertical bar for "hair", because it looks like a hair. Of course this example is too short. TrueCrypt, for example, will warn you if your password is not at least 20 characters long.

(3) If you have an SSD, you must encrypt it from the very beginning or you must secure erase it and start fresh. SSDs contain at least 7% spare area that is cycled in and out of use. As an end-user you have no way to erase that, other than a complete secure erase of the SSD. This is a command you send to the SSD with a program such as the Intel SSD Toolbox. If an SSD contains sensitive data before it is encrypted by a program such as Truecrypt, the spare area will not be encrypted and could contain sensitive, if old, information. Presumably this won't be a problem if the SSD itself has FDE.

(4) BIOS passwords or conventional hard disk passwords won't foil an attacker who disassembles the disk and reads the platters, unless of course the disk has built-in full disk encryption and the passwords hook in to that. Unfortunately I don't know enough about how that works. The TPM is not rated highly by the guys at the Truecrypt web-site; they don't support it because of technical inadequacies, as far as I remember. They are open source. Commercial software probably couldn't get away with that. They just need to tick all the boxes, e.g. the TPM, if the competition has it.
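
Added example, not part of FragrantHead's post: a small Python estimator for the password-strength argument in point (2), comparing a uniformly random password with a dictionary word dressed up with case and digit/symbol substitutions such as "Le0p4rd". The substitution table, the 100,000-word list size and all function names are assumptions made for this illustration.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: upper case, lower case, digits, punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed substitution table (an assumption; real rule sets are larger).
LEET = {"a": "4@", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "5$", "t": "7"}


def random_password_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy in bits of a password drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def leet_variants(word):
    """Number of spellings of a known word when every letter may be lower
    case, upper case, or one of its substitutes from LEET."""
    count = 1
    for ch in word.lower():
        if ch.isalpha():
            count *= 2 + len(LEET.get(ch, ""))
    return count


def leet_password_bits(word, wordlist_size=100_000):
    """Bits for 'pick a word from a list, then disguise it'.
    wordlist_size is an assumed dictionary size, not a measured one."""
    return math.log2(wordlist_size) + math.log2(leet_variants(word))


def generate(length=20):
    """Uniformly random password from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    print(f"18 random chars: {random_password_bits(18):.0f} bits")
    print(f"20 random chars: {random_password_bits(20):.0f} bits")
    print(f"'leopard' variants: {leet_variants('leopard')}")
    print(f"word + substitutions: {leet_password_bits('leopard'):.1f} bits")
    print("sample 20-char password:", generate())
```

Under these assumptions the disguised dictionary word lands near 26 bits, while a 20-character random password exceeds 130 bits, which is why the substitutions make things "only a little more difficult".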

FragrantHead
Junior Member
Posts: 264
Joined: Mon Feb 28, 2005 4:13 pm

Re: Laptop Security and Full Disk Encryption

#6 Post by FragrantHead » Mon Jun 27, 2011 10:52 pm

blackomegax wrote: But unlike bitlocker, which uses the security chip present in thinkpads for hardware accel, or drive FDE which has its own chip in the drive, truecrypt is entirely unaccelerated and has zero tie in to fingerprint readers.

The latest Truecrypt (version 7) supports Intel's AES new instructions, present in the latest high-end CPUs, for acceleration. That said I use an old T30 and while I'm sure Truecrypt and the virus scanner slow it down, I don't feel it. I just had a brand-new Thinkpad X220, a high-end (Core i7) model, except for a conventional disk. No Truecrypt, no virus scanner, it took 1 minute to reach the Windows 7 desktop and another 30 seconds for disk activity to die down. By contrast my old Thinkpad T30 boots Windows XP in about 45 seconds from a conventional disk with Truecrypt and a virus scanner. There are other things that slow you down far more than Truecrypt.

As for a tie-in to fingerprint readers, I wouldn't even consider it. Again this is probably something Lenovo need to sell in order to tick all the boxes, however fingerprint readers will give false positives from time to time. I work for a company that sells them. They can be useful in conjunction with other measures, but in this application I would be wary as to whether they make things more secure or less so. At least compared to a proper, 20 character random password.

ThinkRob
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: Laptop Security and Full Disk Encryption

#7 Post by ThinkRob » Tue Jun 28, 2011 5:51 pm

There is a performance hit with a pure software insurance... but unless you're doing something like, oh, benchmarking, you won't notice it. (At least not on any near-modern CPU.)

Regarding TPM: ignore it. It's a pretty weak tool, and is a hassle to use properly. Yes, it can stop some attacks, but setting it up and maintaining a complete trusted boot chain is not for the novice.

Fingerprint readers are good for impressing people. They are not a meaningful security measure. Unless you're trying to show off or shooting a movie or an episode of CSI, don't bother using them.

FragrantHead is completely right about picking a strong password. If you don't, none of the security measures here will amount to a hill of beans.

FragrantHead wrote: It could contain your credit card number unencrypted (how likely this is and how difficult to retrieve, I don't know).

Likely? Depends on memory usage patterns.

Easy to retrieve? Absolutely. Trivial, in fact.

Oh, and ignore BIOS passwords unless you know for a fact that you're using a vendor-supplied FDE solution that uses them. Otherwise, it's easy for someone with basic soldering skills and/or a couple of cheap cables to simply remove the password (or the chip containing the password.)

blackomegax
Junior Member
Posts: 405
Joined: Thu Jul 29, 2004 7:36 pm

Re: Laptop Security and Full Disk Encryption

#8 Post by blackomegax » Wed Jun 29, 2011 6:28 am

Disclaimer: For my uses, my level of security is enough for me to feel safe about data storage.
I have an Intel SSD 320-series, which AES encrypts all of its chips by default from the factory. Only the controller can pass decrypted data to the drive's SATA port. Once you enable a HDD password in BIOS, drive-level FDE is on.
And with ThinkPads at least, you can swipe your finger at boot to bypass typing in your HDD password.
I keep a few TrueCrypt files around inside the FDE disk for plausible deniability though. (i.e., if the TSA ever requires you to swipe your finger to inspect data, they probably won't do a deeper search to find a properly hidden TrueCrypt volume/file.)

jasonjason
Posts: 18
Joined: Mon Jun 07, 2010 12:40 pm
Location: Singapore

Re: Laptop Security and Full Disk Encryption

#9 Post by jasonjason » Sun Jul 03, 2011 10:38 am

Hi guys, thanks so much for the replies.

Still slowly digesting and reading up on what they mean and the implications for personal security.

My main concern is with petty theft and basic efforts at reading and pulling off data for identity theft by reading the hard-disk.

Back to my original question though:
1. How do I check that my HDD is FDE (even though I did select that when configuring)?

2. If my HDD is FDE would software FDE then be required?

3. Would any of the tracing programs be worthwhile, or would they be the first thing circumvented when the HDD is reformatted for resale?

Thanks again guys.

Brad
**SENIOR** Member
Posts: 1847
Joined: Tue Mar 29, 2005 12:41 am
Location: Long Island New York

Re: Laptop Security and Full Disk Encryption

#10 Post by Brad » Sun Jul 03, 2011 11:48 am

1. On the Lenovo FDE drives that I have used, FDE is noted on the drive label.

2. If your drive supports FDE then the encryption is hardware based so no software is required. Simply enabling the hard drive password turns on FDE.

3. I have not subscribed to any of the tracing programs so I can't comment on their usefulness. I have purchased second-hand ThinkPads with the service installed. In my conversations with the providers, their service is installed in the system's BIOS so replacing the hard drive would have no impact.

Brad
Long Island New York
T43p 2669-Q1U, A22p's UTU A21p HXU
Transnote, 770's 8AU, 600, 701CS, 755CD

ThinkRob
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: Laptop Security and Full Disk Encryption

#11 Post by ThinkRob » Sun Jul 03, 2011 11:13 pm

Brad wrote: 3. I have not subscribed to any of the tracing programs so I can't comment on their usefulness. I have purchased second-hand ThinkPads with the service installed. In my conversations with the providers, their service is installed in the system's BIOS so replacing the hard drive would have no impact.

This is not quite true.

Computrace re-installs itself automatically when the drive has been swapped or the software has been removed, that's true, but it only does so for Windows.

I tend to think that all the tracing stuff is worthless. Anyone competent already knows how to avoid getting caught by it, and anyone incompetent is likely just going to sell the laptop ASAP. I'm sure it's caught some people -- but given that it's basically voluntarily turning over remote access to and tracking of your machine to a third party... well... I'll take my chances with the thief, thank you very much.

TTY
Senior Member
Posts: 527
Joined: Tue Aug 28, 2007 7:39 pm
Location: graz, austria

Re: Laptop Security and Full Disk Encryption

#12 Post by TTY » Mon Jul 04, 2011 11:37 pm

jasonjason wrote: 3. If my laptop gets stolen and the thief wants to crack the logon password, are there other forms of security I should be concerned about beyond setting a logon password and having FDE?

If by logon password you mean the password for logging on to the operating system, you should also set
- a power-on-password,
- a supervisor password, and
- a hard disk password.
These three can be set in BIOS.

XCoalMiner
Sophomore Member
Posts: 245
Joined: Sun May 30, 2004 11:01 am
Location: SE PA (USA)

Re: Laptop Security and Full Disk Encryption

#13 Post by XCoalMiner » Fri Oct 14, 2011 12:15 am

Brad wrote: 1. On the Lenovo FDE drives that I have used, FDE is noted on the drive label.

2. If your drive supports FDE then the encryption is hardware based so no software is required. Simply enabling the hard drive password turns on FDE.

...

Brad

Two questions on point #2:
1) Is there some documentation somewhere on this? I'm assuming this is referring to the supervisor and user HD passwords that I've read about somewhere, sometime in the past. I'm hesitant to enable these PWs until I'm sure what's going on.

2) Does this idea apply to notebook HDs that are obtained outside the Lenovo support/accessory channels? I'm in particular thinking of Hitachi GST drives. Hitachi GST's web site lists some 7500 rpm, 750 GB drives with optional encryption (they interchangeably use the terms BDE -- bulk drive encryption -- and "self-encryption"). However the highest level drive listed on Lenovo's website is a slower and lower capacity 5400 rpm/500 GB model (this is for a T61).

Brad
**SENIOR** Member
Posts: 1847
Joined: Tue Mar 29, 2005 12:41 am
Location: Long Island New York

Re: Laptop Security and Full Disk Encryption

#14 Post by Brad » Fri Oct 14, 2011 4:46 am

There probably is documentation though I have not seen any.

I have only used Lenovo drives and do not have any experience with non-Lenovo-branded drives.

Brad

XCoalMiner
Sophomore Member
Posts: 245
Joined: Sun May 30, 2004 11:01 am
Location: SE PA (USA)

Re: Laptop Security and Full Disk Encryption

#15 Post by XCoalMiner » Fri Oct 14, 2011 2:38 pm

Follow up. Here's an interesting FDE FAQ from Lenovo: http://support.lenovo.com/en_US/detail. ... MIGR-69621

ThinkRob
Senior ThinkPadder
Posts: 2364
Joined: Wed May 20, 2009 9:54 am
Location: near RTP, NC

Re: Laptop Security and Full Disk Encryption

#16 Post by ThinkRob » Fri Oct 14, 2011 3:17 pm

It would be nice to know what cipher mode the bundled drives were operating in. I'm assuming CBC, but who knows...
