Hard Drive with Disk Encryption

[midiman]

Am considering ordering an X61s with the 160GB hard drive (5400rpm) with disk encryption. Am curious as to others' experience with this drive -- does the disk encryption work well? Any problems or bugs? Is it noisier than the same drive without encryption? Can the encryption be turned on and off easily if desired? Thanks.

[ryengineer]

FDE is transparent to the user and independent of the operating system; users don’t need to turn the encryption feature on and cannot turn it off.

Seagate - Introduction to Full Disk Encryption.

Q: How do I enable Bulk Data Encryption on the hard drive?
A: Bulk Data Encryption is always enabled. It cannot be turned on or off. To protect the data and prevent unauthorized access the end-user would need to enable the "user" hard drive password in the system's BIOS. With no HDD password set, bulk encryption will still be enabled but there will be no access barrier. Anyone who obtains the hard drive will be able to access the prior user's data.

Hitachi - Bulk Data Encryption.

[SteveDC]

From the Seagate link . . .

"FDE is always encrypting and the data is always protected."

But, only if one supplies an HDD password in BIOS.

Even then, what is the advantage of Hard Drive Encryption if all the underworld has to do is guess a simple BIOS password to get at the "encrypted" data?

[dfumento]

Just to be helpful, do you really need the encryption? I think the encrypted drives are more expensive, and if so, consider getting a 7200 RPM 160 GB hard drive instead w/o encryption. Standard random read on a 5400 RPM drive is 18 ms vs. about 14 for a modern 7200 RPM drive (www.tomshardware.com) which is something of a speedup and useful for Vista...

Otherwise, consider getting a larger 5400 RPM drive. www.newegg.com has a 320 GB Western Digital drive that is getting rave reviews for performance at about $200.

[mgo]

Am considering ordering an X61s with the 160GB hard drive (5400rpm) with disk encryption. Am curious as to others' experience with this drive -- does the disk encryption work well? Any problems or bugs? Is it noisier than the same drive without encryption? Can the encryption be turned on and off easily if desired? Thanks.

You could also just create a hard drive password in the ThinkPad bios settings. I hear it it pretty much solid and safe.

[SteveDC]

It would seem to me that mgo is correct. Overall, the Hard Drive Encryption scheme seems no more secure than a plain hard drive password in BIOS, as a hard drive password in BIOS is all that is needed to access the encrypted data.

[pmeinl]

Alternatively you might use Vista Bitlocker which is part of Ultimate and Enterprise edition (not Business) with any disk.
http://en.wikipedia.org/wiki/Bitlocker

I have read that normal HD password can be cracked or bypassed (at least by some data recovery companies).

[mfbernstein]

You could also just create a hard drive password in the ThinkPad bios settings. I hear it it pretty much solid and safe.

Is this effective if the drive is removed?

[SteveDC]

Likewise, is the HD encryption password still effective if the drive is removed?

[ryengineer]

It is effective when you remove a HDD from one machine and plug into another.

[mfbernstein]

It is effective when you remove a HDD from one machine and plug into another.

So the data is in fact encrypted then? Or is the password just something that well-behaved BIOSes check for and refuse access to if you don't enter it? Thanks.

[mgo]

It is effective when you remove a HDD from one machine and plug into another.

So the data is in fact encrypted then? Or is the password just something that well-behaved BIOSes check for and refuse access to if you don't enter it? Thanks.

No, the data itself is not encrypted. The password is a function of the firmware (some sort of security chip I suppose) within the hard drive's circuit board.

This implies that a lab could possibly remove the drive's platters and extract the data. I might be wrong here, but that does seem logical since there is no actual encryption of the data, which would take a long time to implement at first running. Because the password is set pretty much instantly, that says the data is not affected, only the ability to run the drive till the password is entered.

Now, I wonder, if a user moves the drive to a different make of computer, would that computer's BIOS ask for and recognize the hard drive password? I have never tried that, so I cannot answer the question.

I do know that if I move a password protected drive from ThinkPad to ThinkPad, the password process works well, whether the drive is in the main slot, or in a Ultra Bay.

[mfbernstein]

So the data is in fact encrypted then? Or is the password just something that well-behaved BIOSes check for and refuse access to if you don't enter it? Thanks.

No, the data itself is not encrypted. The password is a function of the firmware (some sort of security chip I suppose) within the hard drive's circuit board.

Well, it supposedly works on all hard drives (not just the IBM-installed ones, so either that circuitry is on all hard drives (seems unlikely) or it's on none of them.

At any rate, you don't need to stick it in another computer to check - a 2.5" USB enclosure would do the trick - and I don't see how the BIOS would figure any of this out (since it'd just be another USB device at that point).

Guess I'm still wondering how secure this actually is. I've used PGP Whole Disk in the past, but it's something of a headache, not to mention rather slow.

Thanks.

[ryengineer]

Data encryption through HDD hardware:

The growth in use of notebook computers as business machines has lead to an increase in the number of professionals carrying private customer data during their travels. It comes as no surprise that this trend leads naturally to an increase in laptop theft. Pound for pound, a laptop computer is one of the best targets for thieves — easy to carry, easy to sell. And, if the thief is lucky, access to private data that can be used for identify theft.

Notebook computers currently have four levels of security that can be utilized to protect content. These are listed below in order of what many consider “easiest to crack” to “hardest to crack”.

1) Operating system-based system password
2) BIOS password
3) Hard disk drive (HDD) ATA password
4) Data encryption through either HDD hardware or system software

The OS-based password works when the system is up and running to prevent people from using the computer. It is effective for an office environment where a user would like to prevent others from using — and potentially changing — his computer without permission, or gaining access to confidential and personal data. However, in the case where a computer has been stolen, it is easy for someone to gain access to all the content on the system by simply removing the HDD from the system and inserting it into another machine or booting from a Linux CD.

The BIOS password is set in the system BIOS, resident on the notebook computer motherboard. It is more effective than the OS-based password because a user has to enter the password to even start up the system. However, there appear to be utilities on the Internet that claim to permit a user to overcome a BIOS password. Furthermore, as in the previous case, if a thief removes the hard drive and plugs it into another system without a BIOS password, the thief can easily gain access to the sensitive contents of the drive.

The HDD itself may also have a password, whose behavior is defined by the ATA security feature set. If enabled, the drive cannot be used without this password. In most notebook computers, this represents the strongest security method available. A search of the Internet, including some forums where people routinely discuss how to defeat security schemes, reveals information that HDD passwords are very tough to crack. However, there are two potential weaknesses. First, a skilled technician could develop a custom tool to swap the electronics cards on the fly from two HDDs — one password protected, the other not — after startup in order to potentially defeat the password. Second, a person determined to read the contents of the hard drive could pay a data recovery service to physically dismantle the hard drive and then attempt to directly read all of the data from the disks using commercially available tools.

These examples of circumventing security are a bit extreme. It is reasonable to assume that most laptop thefts occur with resale of the system as the primary motivation. However, systems providers who support major financial institutions, for example, cannot afford to take this level of risk. If a thief knew that there was a strong likelihood of gaining access to thousands of credit card numbers and social security numbers by paying someone to recover data from a stolen HDD, then the return in selling that information could be enough motivation for the thief to take that step. Furthermore, security and identity theft issues have been the subject of legislation, thus showing a recognition of the importance of protecting sensitive and important data. In the US for example, California enacted The Information Practices Act that relates to the security and confidentiality of personal information, see California Civil Code § 1798 et seq. With specific laws addressing data security, companies are likely to evaluate their security measures for protecting data.

Safeguarding Your Data with Hitachi Bulk Data Encryption

A useful and strong solution for providing data security is encryption of the data on the disk , either by use of software or hardware. In other words, if the data on the disk drive is scrambled in a way that cannot be understood without the decoding key, then even if a thief were to pay a data recovery service to recover the actual data on the disk drive, the data would be nothing but meaningless characters.

Data encryption is already possible through use of specialized software on the system. The software uses the power of the CPU to encrypt the data that is sent to the HDD, and then decode it when it is read back. This provides the added security, but with three key drawbacks. First is the cost of the software. Second, it requires CPU time to actually perform the encryption and decryption, forcing the user to accept a decrease in system performance for the added security. Finally, software security is more susceptible to attack than encryption implemented on a hard disk drive.

Hard Drive “Bulk Data Encryption”

It would be more advantageous to have the security of encryption without paying for extra software and/or losing system performance. A hard disk drive, with encryption as part of the HDD hardware itself, is such a solution. Bulk Data Encryption by Hitachi enables a powerful encryption engine, Advanced Encryption Standard (AES 128), as part of the drive electronics System on Chip (SoC). When this option is enabled, the hard drive will encrypt all data that comes from the system and write it to the media. When read back, the drive decrypts the data so that it can be understood by the system. Since the hard drive is doing all the encryption work using hardware, there is no impact on system performance and no need for additional software.

A Hitachi hard drive with the Bulk Data Encryption option enabled is always automatically encrypting data, so the system user never has to worry about whether or not the data is being protected. Once the HDD password is set, the resulting security system on the disk drive is highly effective and difficult to penetrate. Furthermore, the drive encryption engine uses a 128-bit key. This means that the generated code would be very difficult to decrypt, even with the assistance of powerful computers and tools. For an idea of just how powerful this engine is please refer to: http://www.nist.gov/public_affairs/releases/aesq&a.htm

The implications for end users are huge. Once the HDD password is set, the user’s data is continuously protected. One can easily imagine that HDD-based encryption would be highly attractive for any company routinely carrying sensitive information on laptops. Even if a system were lost or stolen, the company — and its customers — could rest assured that the data would have protection.

There is another note-worthy benefit that Bulk Data Encryption provides. Currently, data on hard drives is relatively difficult to erase. To re-use a computer system, the hard drive must be overwritten many times to be sure that the previous data is erased. This is a time-consuming process. If a Hitachi drive with encryption is used, then simply erasing the password, thereby destroying the key that serves as the basis for the encryption can instantly render all the data on the disk unrecognizable. If the hard drive is used again, then a new key is generated, and new data will be written over the old, unreadable data. “Secure Erase,” as it is called, saves a great deal of time and protects old and sensitive information from being inadvertently accessed. These two factors are likely to be of tremendous interest to companies who previously had to take extreme care and effort to erase old data on hard drives.

Data encryption through system software:

Question: I've seen some questions online about full-disk encryption. Some people feel that encryption is only as good as the key management system. How do you handle keys?
Loiselle: There is no key management with the full hard disk. It's based on user IDs and login, so there are no keys to manage. PKI I see again as internal. When it comes to internal security, that's where PKI just thrives. You want to know which users have what right to do what in your company. SafeGuard LAN Crypt uses a PKI and that can identify user-to-user using Active Directory, group policy — what they're able to do or not do. For hard disk encryption, with SafeGuard Easy, everything's fully encrypted, and once you authenticate then it starts a decryption filter driver running and the data is decrypted but not on the drive itself. With various methods of authentication, it could be as simple as password-only. It's symmetric key-based, meaning it's very fast. The password's broken into four pieces and three of the four are hashed and encrypted on part of the drive — the fourth piece is derived by your login. When you log in, it pulls those three pieces of the keys and it takes your ID and password and makes that the fourth piece of the key. Even if someone took the hard drive out of the machine and found the three pieces of the key and were able to reverse the hashing and the encryption, they still wouldn't be able to decrypt the drive because the fourth piece is in your head. Now you take that and you marry it with biometric, two-factor with a token or a smart card, basically password plus, and you have security as easy as it can be to use and yet as secure as it can possibly be in the industry. Now you have to physically have something as well as the PIN and password. We have a release coming out in October that's going to be our FIPS release and that's SafeGuard Easy 4.20; then in the beginning of next year, SafeGuard Easy 4.30 will be integrated with IBM's built-in biometrics. You can simply swipe your finger and you're on the machine.

Loiselle, vice president of operations and technology for the Americas at Utimaco. Full transcript can be found here.

Thinkpads BIOS use "Passphrase" which stores password in a secure format that doesn't let one swap and use HDD with another PCs which do not support the secure passphrase feature.

Also according to Hitachi the encryption only works with drives in the main bay:

Q: Does the Bulk Data Encryption technology work with hard drives installed in an external USB or Firewire enclosure?
A: No, although the hard drive is capable of Bulk Data Encryption, the security command feature cannot be transferred via USB or Firewire links.

[pmeinl]

I favor the disk encryption solution.

An attacker can easily bypass Windows NTFS security when having physical access to the disk. Options to protect your notebook data against this scenario are:

[] Windows EFS, TrueCrypt, U3(secure USB sticks), etc.
Allow you to encrypt confidential files and folders.

[] HDD Password
ATA disk feature locking a disk using a BIOS HDD password. Does not(!) encrypt the data. Works with all modern drives. No performance impact. Can be bypassed (at least by some data recovery companies). I no longer consider this safe enough.
http://www.heise.de/ct/english/05/08/172/#kasten3

[] HDD Encryption: Hitachi Bulk Data Encryption, Seagate Full Disk Encryption
Disk feature encrypting the whole drive and using a BIOS HDD password to encrypt the encryption key. No performance impact.
My favorite.
Not all versions of the Hitachi 7K200 support BDE!
http://forum.thinkpads.com/viewtopic.php?t=47004

[] Vista Bitlocker, SafeGuard Easy, etc.
Software solutions allowing to encrypt the whole drive.
Some (neglectible?) performance impact.
SafeGuard seems to be favored by Lenovo, offering tight integration with other features (Ex: fingerprint reader):
http://www.pc.ibm.com/us/security/securecomm.html
Bitlocker seems to be well integrated with Vista.
Why MS does not offer Bitlocker for Vista Business edition is beyond me.

All solutions requiring passwords are only safe when using strong passwords!

[mfbernstein]

Data encryption through HDD hardware:

The HDD itself may also have a password, whose behavior is defined by the ATA security feature set. If enabled, the drive cannot be used without this password. In most notebook computers, this represents the strongest security method available. A search of the Internet, including some forums where people routinely discuss how to defeat security schemes, reveals information that HDD passwords are very tough to crack. However, there are two potential weaknesses. First, a skilled technician could develop a custom tool to swap the electronics cards on the fly from two HDDs — one password protected, the other not — after startup in order to potentially defeat the password. Second, a person determined to read the contents of the hard drive could pay a data recovery service to physically dismantle the hard drive and then attempt to directly read all of the data from the disks using commercially available tools.

Thanks, that's what I was looking for. So it's part of the ATA spec, meaning that without dismantling the drive, it's secure (assuming the good folks at the NSA haven't backdoored the whole thing).

On the other hand, it looks like it makes it impossible to use the drive in an external enclosure (even with the password).