BIOS disk password

[Caterpillar]

Can anyone explain what does the Thinkpads's BIOS disk password? Does it encrypt disks?

[RealBlackStuff]

No, it just blocks access to the hard disk.
You can not do anything with that hard disk without the password.
The password is stored on the HD itself, and is practically unbreakable, unless you have a forensic laboratory.
Without the password, you just have a door stopper.

[comps]

The "classic" BIOS disk password / fingerprint protection uses security features available on most HDDs. It locks the drive and unlocks it only after entering a valid password/valid fingerprint. I can imagine it using the TPM to generate a unique HDD "password" out of your password/fingerprint using the TPM's private key, making you unable to unlock the drive outside your thinkpad machine (well, it's theoretically possible, but who does that?).

Please note that this kind of protection is NOT full disk encryption (FDE). It merely uses HDD firmware to lock the drive. One can probably recover a locked drive by using the SECURITY ERASE ATA commands (which will erase all data on the drive).

Again, the data itself are NOT encrypted. A data recovery company (or somebody else with similar equipment) can still open the drive physically and read it block-by-block.

[ajkula66]

comps wrote:

I can imagine it using the TPM to generate a unique HDD "password" out of your password/fingerprint using the TPM's private key, making you unable to unlock the drive outside your thinkpad machine

True for the most part, but the ability to lock the hard drive on ThinkPads is older than the implementation of TPM. And it worked well back in the days...

[Caterpillar]

Thank you for all so good explainations.
And what about security chip options in BIOS settings?
Active
Inactive
Disabled
What does it do?

[RealBlackStuff]

It wouldn't be secure anymore if we told you, wouldn't it?
Anyway, I always disable them on my laptops, as they rarely leave the house.

[Caterpillar]

It wouldn't be secure anymore if we told you, wouldn't it?
Anyway, I always disable them on my laptops, as they rarely leave the house.

Ah, so it is like a "general power switch". Disabling it will disable all security on laptop

[comps]

Disabling it will disable all security on laptop

Depends on what you define as "security". It will simply disable the TPM, so you probably won't be able to do things that involve TPM, like setting a power-on password or using TPM-related software.
It won't affect any other "security" like TrueCrypt, linux dm-crypt, encryption acceleration on some CPUs, etc.