T420 w/ Intel series 320 SSD: FDE encryption reality check
My boss is convinced that merely setting the bios supervisor password should be enough to ensure that if the Intel 320 SSD is removed it will be unreadable. So I am supposed to figure out why this is not the case in our small fleet of new T420s equipped with said SSDs.
As best I can discover it is necessary to set the bios hard disk password (user and/or user+master) in order to make use of the 320 encryption. I also understand that one can utilize various central management alternatives to link a hard disk password to a domain password and thus avoid having users typing their password twice (or swiping their fingerprint twice).
My boss is one of the smarter people I know and it is difficult to convince him that he is wrong about something -- his life experiences have tended, I believe, to reinforce the notion that he is almost always right, particularly when it comes to detailed, persnickety stuff. IOW, we're not talking about some monumental [censored] here.
I'm afraid that if I can't provide strong evidence that the hard disk password is necessary I will be forced to spend long hours trying to get "support" from Lenovo. Can anyone help me persuade my boss? I'm about to start sniveling . . . please help.
dmp
I.T. Dogsbody
Cambridge, MA
-
smugiri
- Senior Member

- Posts: 774
- Joined: Tue Nov 23, 2004 4:29 pm
- Location: Mississauga, ON
- Contact:
Re: T420 w/ Intel series 320 SSD: FDE encryption reality check
dmp wrote:
My boss is convinced that merely setting the bios supervisor password should be enough to ensure that if the Intel 320 SSD is removed it will be unreadable. So I am supposed to figure out why this is not the case in our small fleet of new T420s equipped with said SSDs.
As best I can discover it is necessary to set the bios hard disk password (user and/or user+master) in order to make use of the 320 encryption. I also understand that one can utilize various central management alternatives to link a hard disk password to a domain password and thus avoid having users typing their password twice (or swiping their fingerprint twice).
My boss is one of the smarter people I know and it is difficult to convince him that he is wrong about something -- his life experiences have tended, I believe, to reinforce the notion that he is almost always right, particularly when it comes to detailed, persnickety stuff. IOW, we're not talking about some monumental *****Expletives removed by Moderator***** here.
I'm afraid that if I can't provide strong evidence that the hard disk password is necessary I will be forced to spend long hours trying to get "support" from Lenovo. Can anyone help me persuade my boss? I'm about to start sniveling . . . please help.
dmp
I.T. Dogsbody
Cambridge, MA

The facts:
Hard drive password controls access to the drive but not the computer. Without a password, you can use the computer with another drive but the drive cannot be used.
BIOS password controls access to the computer but not the drive. Without a password, you can use the drive with another computer but the computer cannot be used.
Hard drive + BIOS password will be enough to protect both the machine (BIOS password) and the drive (HDD password): you do not need to encrypt, but legislation may require it in some domains (e.g. management of personal health information in Canada requires encryption for compliance even though this is not explicitly stated). The Intel SSD 320 drive supports full disk encryption, so the data would be encrypted no matter what; all the HDD password does is change how the key(s) to decrypt / encrypt data on the drive are accessed. Without the password, the keys are available as soon as the drive is powered on; with the password, the key(s) are not accessible until the password is entered.
Definitive evidence here.
Last edited by smugiri on Thu May 03, 2012 2:04 pm, edited 1 time in total.
Steve
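
One way to audit a fleet for the condition described in the post above, as an added example that is not part of the original thread: it parses the Security section of `hdparm -I` output (Linux, for instance from a live USB) and reports whether the hard disk (ATA) password is enabled. The sample outputs are constructed, and the function names and verdict strings are hypothetical.

```python
import re

# Constructed sample: "Security:" section of `hdparm -I /dev/sdX` output for a
# drive with no hard disk (ATA) password set. Not captured from a real T420.
SAMPLE_NO_PASSWORD = """\
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
Checksum: correct
"""

# Constructed sample: the same section once a user hard disk password is set
# and the drive has been powered on without being unlocked.
SAMPLE_PASSWORD_SET = SAMPLE_NO_PASSWORD.replace(
    "not\tenabled", "\tenabled").replace("not\tlocked", "\tlocked")

FLAGS = ("supported", "enabled", "locked", "frozen")

def parse_ata_security(hdparm_output):
    """Return {flag: bool} for the ATA Security feature-set flags."""
    state, in_section = {}, False
    for line in hdparm_output.splitlines():
        if line.strip() == "Security:":
            in_section = True
        elif in_section and line and not line[0].isspace():
            break  # reached the next top-level section
        elif in_section:
            m = re.match(r"\s*(not)?\s*(\w+)\s*$", line)
            if m and m.group(2) in FLAGS:
                state[m.group(2)] = m.group(1) is None
    return state

def removal_exposure(state):
    """Classify what happens if the drive is pulled and attached elsewhere."""
    if not state.get("supported"):
        return "ata-security-not-reported"
    if not state.get("enabled"):
        # No hard disk password: the drive makes its key available at power-on.
        return "readable-if-removed"
    return "password-required"

if __name__ == "__main__":
    for name, text in (("no password", SAMPLE_NO_PASSWORD),
                       ("password set", SAMPLE_PASSWORD_SET)):
        print(name, "->", removal_exposure(parse_ata_security(text)))
```

A `frozen` flag reported as set after a normal boot only means the firmware has blocked further security commands for that power cycle; it does not indicate that a password is set.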
-
twistero
- Senior Member

- Posts: 851
- Joined: Sun Feb 26, 2012 2:25 am
- Location: Princeton, New Jersey
- Contact:
Re: T420 w/ Intel series 320 SSD: FDE encryption reality check
Well, presumably you can take your boss's ThinkPad which doesn't have an HDD password, take out the SSD and put it in an enclosure, and demonstrate to him that you can read all his files.
X60 tablet 6363-P3U, 3GB ram, 128GB SanDisk Extreme SSD, SXGA+ screen, Intel 6300
T61 Frankenpad in 15 inch T60 body, UXGA LED-lit AFFS LCD, T9300, 6GB RAM, NVidia NVS140m, Intel 6205, 128GB Crucial M4 SSD, 1TB HGST HDD + eBay caddy in Ultrabay
701c butterfly, 75MHz 486DX4, 40MB ram, 1GB CF card
Re: T420 w/ Intel series 320 SSD: FDE encryption reality check
Thank you to twistero and smugiri for their replies.
I should clarify: I did have occasion to pull a drive and test it via USB thingamajig and, of course, the drive was quite readable. My boss saw this as evidence of a Lenovo or Intel failure to properly implement the hardware/firmware security stuff.
We do need the full disk encryption to protect our data and, in some instances, to comply with Massachusetts regulations for keeping some personnel data secure.
That FAQ may well do the trick . . .
Thanks again.
-
twistero
- Senior Member

- Posts: 851
- Joined: Sun Feb 26, 2012 2:25 am
- Location: Princeton, New Jersey
- Contact:
Re: T420 w/ Intel series 320 SSD: FDE encryption reality check
dmp wrote: I should clarify: I did have occasion to pull a drive and test it via USB thingamajig and, of course, the drive was quite readable. My boss saw this as evidence of a Lenovo or Intel failure to properly implement the hardware/firmware security stuff.

Ouch. I feel your pain, my friend.
Re: T420 w/ Intel series 320 SSD: FDE encryption reality check
Personally I'd just deploy TrueCrypt/BitLocker/GELI/LUKS/whatever-FDE-your-OS-supports and be done with it. Yeah, you'll lose a couple percentage points on benchmarks, but so what? At least this way there's no confusion about what's getting stored.
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.
Current laptop: X1 Carbon 3
Current workstation: none