Want to use BitLocker and/or my hard drive's FDE...

Crunch
Senior Member
Posts: 713
Joined: Sun Oct 07, 2007 7:41 pm
Location: Southern California

Want to use BitLocker and/or my hard drive's FDE...

#1 Post by Crunch » Sun Mar 16, 2008 6:53 pm

...so I have a couple of quick q's: I have Vista Ultimate, and my Thinkpad has a TPM, version 1.2. Four of my hard drives have FDE, which stands for Full Disk Encryption.

First of all, is one "better" than the other, and if so, in what way? Except that BitLocker will be able to encrypt NON-FDE drives.

Outside of losing/forgetting the key, how "dangerous" is this operation as far as losing data, or anything else happening, which I'm not thinking about?

Will my system slow down at all?

How important is choosing the key, i.e. manual vs. the "recommended" setting of manually entering a phrase? I know I can always back up the key. Is it "the more the merrier" as far as the length of the password?

Should I use BOTH encryption methods, or should I specifically *NOT* use both simultaneously?? If possible, would the drives be any more secure, or might the two encryption methods interfere with one another?

How strong will the encryption of the drives be? How would anyone break into a stolen or lost drive, for example?

Alright, and finally, are there any other important questions that I'm leaving out, and/or is there any add'l information I should know?

Thanks all!! ;)
15-inch Core 2 Duo ThinkPad T60p | Ivy-Bridge (Late-2012) Mac mini w/ quad Core i7-3615QM 2.3GHz, 16GB DDR3-1600MHz RAM, 240GB+180GB Intel 520 Series SATA III SSD's, 5x3TB Drobo 5D

msb0b
Sophomore Member
Posts: 168
Joined: Tue Jan 15, 2008 2:20 pm
Location: Chicago, IL

#2 Post by msb0b » Sun Mar 16, 2008 8:57 pm

IMO, full disk encryption is the best option. It works transparently with all OS's and file systems. Hard disk manufacturers claim there is little to negligible performance decrease with FDE.

According to reports, BitLocker has been less than stellar. It was the source of several BSOD bugs. I would skip it.

Of the third-party disk encryption software, I highly recommend TrueCrypt. I have personally used TrueCrypt both in volume and partition mode, and it works without a hitch. The best part is TrueCrypt is free and open source software. TrueCrypt's performance varies between 60 MB/s and 15 MB/s depending on the algorithm on my computer.

If the encryption algorithm is AES-256 or better, I would not worry about the data being brute-force cracked. Instead, it is faster and easier for the assailant to get the password out of the user.

Using two different encryption programs on top of each other does not really get you anything.

I am getting a sense of deja vu... ;)

tylerwylie
Junior Member
Posts: 475
Joined: Wed Dec 19, 2007 5:40 pm
Location: Champaign, IL

#3 Post by tylerwylie » Sun Mar 16, 2008 11:20 pm

msb0b wrote: The best part is TrueCrypt is free and open source software. TrueCrypt's performance varies between 60 MB/s and 15 MB/s depending on the algorithm on my computer.
Bingo.
Samuel Adams wrote:The natural liberty of man is to be free from any superior power on Earth, and not to be under the will or legislative authority of man, but only to have the law of nature for his rule.

Crunch
Senior Member
Posts: 713
Joined: Sun Oct 07, 2007 7:41 pm
Location: Southern California

#4 Post by Crunch » Mon Mar 17, 2008 12:21 am

Thanks guys...TrueCrypt, huh? Umm...BitLocker was half the reason I opted for Ultimate, as I knew I'd need it eventually... :evil: :evil: :( There have been "BitLocker and EFS enhancements" available for download recently. It's probably not a good idea to use it with the RTM version of SP1, and instead wait for the final version of SP1, which I had planned on...Oh well...

So ok fine, whatever works best I guess. So *whatever* I use, there WILL be a lag in performance? What does "60MB/sec. to 15MB/sec." mean? And how will I "experience", or "feel" whatever the "lag" will be?

THANKS again!!!!!!!!!! 8)

tylerwylie
Junior Member
Posts: 475
Joined: Wed Dec 19, 2007 5:40 pm
Location: Champaign, IL

#5 Post by tylerwylie » Mon Mar 17, 2008 1:01 am

Crunch wrote:Umm...BitLocker was half the reason I opted for Ultimate, as I knew I'd need it eventually... :evil: :evil: :(
Ouch man... Hopefully MS fixes their crap then hehe.

msb0b
Sophomore Member
Posts: 168
Joined: Tue Jan 15, 2008 2:20 pm
Location: Chicago, IL

#6 Post by msb0b » Mon Mar 17, 2008 1:38 am

It all depends on which algorithm you choose. TrueCrypt has 3 algorithms (AES, Twofish and Serpent), and can use any combination of 1 to 3 of these algorithms. Naturally, the more algorithms it uses, the slower things get, but the data are more secure. In the event that one of the algorithms is found to have a vulnerability, the other algorithms can still keep the data from prying eyes.

Consider the MB/s number part of the disk I/O bottleneck. Usually your disk will perform better than this. TrueCrypt limits how fast the disk can be written to.

I like TrueCrypt not because it is FOSS, but because it is the most capable tool for the job. The fact that it is FOSS makes it even better.

sreins
Posts: 5
Joined: Mon Nov 29, 2004 2:33 am

#7 Post by sreins » Mon Mar 17, 2008 1:03 pm

Hi,

For 4 weeks now I have had a new ThinkPad T61 and no problems with BitLocker. What problems do you have? It's very fast and out of the box.

regards Sven
IBM T61 - 7665-B68 - 2GB RAM - 250GB HD - 1,8 GHz T7100 - 14,1" Display -1440x900 Intel 4965 a/g WLAN - DVD Rom - Bluetooth 2.0 - Fingerprint

tinue
Freshman Member
Posts: 99
Joined: Thu May 03, 2007 4:24 am
Location: Zurich, Switzerland

#8 Post by tinue » Mon Mar 17, 2008 2:49 pm

I have been using BitLocker for more than a year, first on an X60s, now on an X61s with Vista 64. I never had any problem with it.
BitLocker essentially wants to detect if a hard disk is moved to another system, so it is sensitive to hardware / BIOS changes. Whenever you do a BIOS update, for example, BitLocker kicks in and prevents unlocking the drive.
If you forgot to disable it before the BIOS update you need to have the USB stick with the password ready to boot.

Having said this, there recently was news about an attack against full disk encryption which essentially works by removing the RAM from the machine and reading out its content to find the key. This works especially well if the RAM can be frozen (with a spray can) before removal, which is easy on a ThinkPad.

BitLocker is more vulnerable than other systems because it actually unlocks the disk during boot, even if you cannot log on to Vista later on. But the key is in the RAM by this time.

Since you cannot remove the RAM from the hard disk electronics itself, I guess full disk encryption is for the time being safe against this type of attack.

Regards, Martin
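
An added illustration, not part of the thread and not BitLocker's own code: a toy model of the TPM 1.2 behaviour behind the BIOS-update lockout described in post #8. The `ToyTpm` class, the `boot` function and every sample value are hypothetical and constructed; only the extend formula follows the TPM 1.2 design.

```python
import hashlib
import hmac

PCR_SIZE = 20  # a TPM 1.2 PCR holds one SHA-1 digest

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA1(PCR_old || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(chain) -> bytes:
    """Fold an ordered boot chain into one PCR, starting from all zeros."""
    pcr = bytes(PCR_SIZE)
    for component in chain:
        pcr = extend(pcr, component)
    return pcr

class ToyTpm:
    """Hypothetical stand-in for a TPM: unseals only when the PCR matches."""
    def seal(self, key: bytes, chain) -> None:
        self._key, self._expected = key, measure_boot(chain)

    def unseal(self, chain):
        if hmac.compare_digest(measure_boot(chain), self._expected):
            return self._key
        return None  # measurements changed: the key stays sealed

# Constructed sample data, not real firmware images or keys.
BIOS_OLD, BIOS_NEW, BOOTMGR = b"bios 1.0", b"bios 1.1", b"bootmgr"
VOLUME_KEY, USB_KEY = b"k" * 32, b"recovery key kept on the USB stick"
RECOVERY_HASH = hashlib.sha256(USB_KEY).digest()  # simplified recovery protector

def boot(tpm: ToyTpm, chain, usb_key=None) -> str:
    """Try the TPM first, then the recovery key; report which path unlocked."""
    if tpm.unseal(chain) is not None:
        return "tpm"
    if usb_key and hmac.compare_digest(hashlib.sha256(usb_key).digest(), RECOVERY_HASH):
        return "recovery"
    return "locked"

if __name__ == "__main__":
    tpm = ToyTpm()
    tpm.seal(VOLUME_KEY, [BIOS_OLD, BOOTMGR])
    print(boot(tpm, [BIOS_OLD, BOOTMGR]))           # normal boot
    print(boot(tpm, [BIOS_NEW, BOOTMGR]))           # BIOS updated, no stick
    print(boot(tpm, [BIOS_NEW, BOOTMGR], USB_KEY))  # BIOS updated, stick present
    tpm.seal(VOLUME_KEY, [BIOS_NEW, BOOTMGR])       # protector re-created
    print(boot(tpm, [BIOS_NEW, BOOTMGR]))           # TPM path works again
```

Real BitLocker seals to several PCRs rather than one, but the consequence is the same: any change to a measured component changes the final value, so the drive stays locked until the recovery key is supplied or the key is sealed again.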

Crunch
Senior Member
Posts: 713
Joined: Sun Oct 07, 2007 7:41 pm
Location: Southern California

#9 Post by Crunch » Mon Mar 17, 2008 5:46 pm

tinue wrote: I have been using BitLocker for more than a year, first on an X60s, now on an X61s with Vista 64. I never had any problem with it.
BitLocker essentially wants to detect if a hard disk is moved to another system, so it is sensitive to hardware / BIOS changes. Whenever you do a BIOS update, for example, BitLocker kicks in and prevents unlocking the drive.
If you forgot to disable it before the BIOS update you need to have the USB stick with the password ready to boot.
Hmm...Interesting...So when the next BIOS comes out, and it asks for the key, would I be able to just enter it, if it's a manually entered key? Or does it take the key and apply some kind of algorithm to it that I obviously won't know?? I swap HD's ALL the time, except for my main one...What I'd like to know is whether I can BitLock ALL of my hard drives, and if I'm able to hot-swap them, as I am used to? ;)

As for the FDE of the high-end Hitachi's, are you saying to stay away from them because of the RAM issue?

Thanks!!!!!!!!!

tinue
Freshman Member
Posts: 99
Joined: Thu May 03, 2007 4:24 am
Location: Zurich, Switzerland

#10 Post by tinue » Tue Mar 18, 2008 1:59 am

Crunch wrote: As for the FDE of the high-end Hitachi's, are you saying to stay away from them because of the RAM issue?
Thanks!!!!!!!!!
Sorry, quite the contrary: It looks like FDE is safe for now, while all software-based disk encryption schemes are not. BitLocker is especially bad, because you can even steal a switched-off machine and unlock it, while the other tested software needs the machine to be on or at least in sleep.
Read about it here: http://citp.princeton.edu/memory/
Crunch wrote:Hmm...Interesting...So when the next BIOS comes out, and it asks for the key, would I be able to just enter it, if it's a manually entered key?
You could, but it is a long key. It's easier to have the key on a USB stick (BitLocker will offer to save it on a stick during installation) and load it from there. Of course you would keep the stick separate from the ThinkPad...
Crunch wrote: I swap HD's ALL the time, except for my main one...What I'd like to know is whether I can BitLock ALL of my hard drives, and if I'm able to hot-swap them, as I am used to? ;)
Apparently with Vista SP1 you can also encrypt drives other than the boot drive using BitLocker. But I haven't tried what happens if one swaps encrypted drives. It probably works fine (of course any one encrypted hard disk only works with one system, because the decryption keys are in the machine's trusted store).
