T420 w/ Intel series 320 SSD: FDE encryption reality check

#1 Post by dmp » Thu May 03, 2012 11:56 am

My boss is convinced that merely setting the bios supervisor password should be enough to ensure that if the Intel 320 SSD is removed it will be unreadable. So I am supposed to figure out why this is not the case in our small fleet of new T420s equipped with said SSDs.

As best I can discover it is necessary to set the bios hard disk password (user and/or user+master) in order to make use of the 320 encryption. I also understand that one can utilize various central management alternatives to link a hard disk password to a domain password and thus avoid having users typing their password twice (or swiping their fingerprint twice).

My boss is one of the smarter people I know and it is difficult to convince him that he is wrong about something -- his life experiences have tended, I believe, to reinforce the notion that he is almost always right, particularly when it comes to detailed, persnickety stuff. IOW, we're not talking about some monumental [censored] here.

I'm afraid that if I can't provide strong evidence that the hard disk password is necessary I will be forced to spend long hours trying to get "support" from Lenovo. Can anyone help me persuade my boss? I'm about to start sniveling . . . please help.

dmp
I.T. Dogsbody
Cambridge, MA

#2 Post by smugiri » Thu May 03, 2012 12:12 pm

The facts:

Hard drive password controls access to the drive but not the computer. Without a password, you can use the computer with another drive but the drive cannot be used.
BIOS password controls access to the computer but not the drive. Without a password, you can use the drive with another computer but the computer cannot be used.

Hard drive + BIOS password will be enough to protect both the machine (BIOS password) and the drive (HDD password): you do not need to encrypt, but legislation may require it in some domains (e.g. management of personal health information in Canada requires encryption for compliance even though this is not explicitly stated). The Intel SSD 320 drive supports full disk encryption, so the data would be encrypted no matter what; all the HDD password does is change how the key(s) to decrypt / encrypt data on the drive are accessed. Without the password, the keys are available as soon as the drive is powered on; with the password, the key(s) are not accessible until the password is entered.

Definitive evidence here.
Last edited by smugiri on Thu May 03, 2012 2:04 pm, edited 1 time in total.
Steve

#3 Post by twistero » Thu May 03, 2012 1:06 pm

Well, presumably you can take your boss's ThinkPad which doesn't have HDD password, take out the SSD and put it in an enclosure, and demonstrate to him that you can read all his files. :roll:
#4 Post by dmp » Thu May 03, 2012 1:23 pm

Thank you to twistero and smugiri for their replies.

I should clarify: I did have occasion to pull a drive and test it via USB thingamajig and, of course, the drive was quite readable. My boss saw this as evidence of a Lenovo or Intel failure to properly implement the hardware/firmware security stuff.

We do need the full disk encryption to protect our data and, in some instances, to comply with Massachusetts regulations for keeping some personnel data secure.

That FAQ may well do the trick . . .

Thanks again.

#5 Post by twistero » Thu May 03, 2012 4:27 pm

dmp wrote: I should clarify: I did have occasion to pull a drive and test it via USB thingamajig and, of course, the drive was quite readable. My boss saw this as evidence of a Lenovo or Intel failure to properly implement the hardware/firmware security stuff.
Ouch. I feel your pain, my friend. :roll:
#6 Post by ThinkRob » Thu May 03, 2012 8:35 pm

Personally I'd just deploy TrueCrypt/BitLocker/GELI/LUKS/whatever-FDE-your-OS-supports and be done with it. Yeah, you'll lose a couple percentage points on benchmarks, but so what? At least this way there's no confusion about what's getting stored.