thinkpads.com Support Community Forum Index Bill Morrow's thinkpads.com Open Forum - The Original Thinkpad Support Forum
All times are UTC - 5 hours

Posted: Thu May 03, 2012 11:56 am
Joined: Thu May 03, 2012 11:26 am
Posts: 2
Location: Cambridge, MA
My boss is convinced that merely setting the bios supervisor password should be enough to ensure that if the Intel 320 SSD is removed it will be unreadable. So I am supposed to figure out why this is not the case in our small fleet of new T420s equipped with said SSDs.

As best I can discover it is necessary to set the bios hard disk password (user and/or user+master) in order to make use of the 320 encryption. I also understand that one can utilize various central management alternatives to link a hard disk password to a domain password and thus avoid having users typing their password twice (or swiping their fingerprint twice).

My boss is one of the smarter people I know and it is difficult to convince him that he is wrong about something -- his life experiences have tended, I believe, to reinforce the notion that he is almost always right, particularly when it comes to detailed, persnickety stuff. IOW, we're not talking about some monumental *****Expletives removed by Moderator***** here.

I'm afraid that if I can't provide strong evidence that the hard disk password is necessary I will be forced to spend long hours trying to get "support" from Lenovo. Can anyone help me persuade my boss? I'm about to start sniveling . . . please help.

dmp
I.T. Dogsbody
Cambridge, MA


Posted: Thu May 03, 2012 12:12 pm
Senior Member

Joined: Tue Nov 23, 2004 4:29 pm
Posts: 771
Location: Mississauga, ON
dmp wrote:
My boss is convinced that merely setting the bios supervisor password should be enough to ensure that if the Intel 320 SSD is removed it will be unreadable. So I am supposed to figure out why this is not the case in our small fleet of new T420s equipped with said SSDs.

As best I can discover it is necessary to set the bios hard disk password (user and/or user+master) in order to make use of the 320 encryption. I also understand that one can utilize various central management alternatives to link a hard disk password to a domain password and thus avoid having users typing their password twice (or swiping their fingerprint twice).

My boss is one of the smarter people I know and it is difficult to convince him that he is wrong about something -- his life experiences have tended, I believe, to reinforce the notion that he is almost always right, particularly when it comes to detailed, persnickety stuff. IOW, we're not talking about some monumental *****Expletives removed by Moderator***** here.

I'm afraid that if I can't provide strong evidence that the hard disk password is necessary I will be forced to spend long hours trying to get "support" from Lenovo. Can anyone help me persuade my boss? I'm about to start sniveling . . . please help.

dmp
I.T. Dogsbody
Cambridge, MA


The facts:

Hard drive password controls access to the drive but not the computer. Without a password, you can use the computer with another drive but the drive cannot be used.
BIOS password controls access to the computer but not the drive. Without a password, you can use the drive with another computer but the computer cannot be used.

Hard drive + BIOS password will be enough to protect both the machine (BIOS password) and the drive (HDD password): you do not need to encrypt, but legislation may require it in some domains (e.g. management of personal health information in Canada requires encryption for compliance even though this is not explicitly stated). The Intel SSD 320 drive supports full disk encryption, so the data would be encrypted no matter what; all the HDD password does is change how the key(s) to decrypt / encrypt data on the drive are accessed. Without the password, the keys are available as soon as the drive is powered on; with the password, key(s) are not accessible until the password is entered.

Definitive evidence here.

_________________
Steve


Last edited by smugiri on Thu May 03, 2012 2:04 pm, edited 1 time in total.
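
The drive-side state described in the post above can be checked from software. As an added example (not part of the original posts), this Python code parses the Security section that hdparm -I prints on Linux and reports whether a hard disk password is set on a drive. The sample outputs are constructed, and the names ata_security_flags and assess are hypothetical.

```python
import re

# Constructed sample of the "Security:" section of `hdparm -I /dev/sdX` output
# for a drive with no hard disk password set.
NO_PASSWORD = """Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
Checksum: correct
"""
# Constructed: same drive once a hard disk password is set and the BIOS has
# unlocked it at boot (and frozen the security state).
PASSWORD_SET = (NO_PASSWORD.replace("\tnot\tenabled", "\t\tenabled")
                .replace("\tnot\tfrozen", "\t\tfrozen")
                .replace("Checksum", "\tSecurity level high\nChecksum"))

FLAG = re.compile(r"(not\s+)?(supported|enabled|locked|frozen)")

def ata_security_flags(hdparm_output):
    """Return e.g. {'supported': True, 'enabled': False, ...}; {} if no section."""
    flags, in_section = {}, False
    for line in hdparm_output.splitlines():
        if line.strip() == "Security:":
            in_section = True
        elif in_section and not line[:1].isspace():
            break  # the next unindented heading (or a blank line) ends the section
        elif in_section:
            m = FLAG.fullmatch(line.strip())  # skips "supported: enhanced erase"
            if m:
                flags[m.group(2)] = m.group(1) is None
    return flags

def assess(hdparm_output):
    """One-line verdict for a fleet audit report."""
    f = ata_security_flags(hdparm_output)
    if not f.get("supported"):
        return "ATA security not reported"
    if not f.get("enabled"):
        return "NO HDD PASSWORD: drive is readable in any other machine or enclosure"
    if f.get("locked"):
        return "HDD password set, drive currently locked"
    return "HDD password set, drive unlocked for this session"

if __name__ == "__main__":
    print(assess(NO_PASSWORD))
    print(assess(PASSWORD_SET))
```

The "enabled" flag only shows that a user password is set on the drive; it says nothing about the BIOS supervisor password, which the drive never sees.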

Posted: Thu May 03, 2012 1:06 pm
Senior Member

Joined: Sun Feb 26, 2012 2:25 am
Posts: 792
Location: Princeton, New Jersey
Well, presumably you can take your boss's ThinkPad which doesn't have HDD password, take out the SSD and put it in an enclosure, and demonstrate to him that you can read all his files. :roll:

_________________
X60 tablet 6363-P3U, 3GB ram, 128GB SanDisk Extreme SSD, SXGA+ screen, Intel 6300
T61 Frankenpad in 15 inch T60 body, UXGA LED-lit AFFS LCD, T9300, 6GB RAM, NVidia NVS140m, Intel 6205, 128GB Crucial M4 SSD, 1TB HGST HDD + eBay caddy in Ultrabay
701c butterfly, 75MHz 486DX4, 40MB ram, 1GB CF card


Posted: Thu May 03, 2012 1:23 pm
Joined: Thu May 03, 2012 11:26 am
Posts: 2
Location: Cambridge, MA
Thank you to twistero and smugiri for their replies.

I should clarify: I did have occasion to pull a drive and test it via USB thingamajig and, of course, the drive was quite readable. My boss saw this as evidence of a Lenovo or Intel failure to properly implement the hardware/firmware security stuff.

We do need the full disk encryption to protect our data and, in some instances, to comply with Massachusetts regulations for keeping some personnel data secure.

That FAQ may well do the trick . . .

Thanks again.


Posted: Thu May 03, 2012 4:27 pm
Senior Member

Joined: Sun Feb 26, 2012 2:25 am
Posts: 792
Location: Princeton, New Jersey
dmp wrote:
I should clarify: I did have occasion to pull a drive and test it via USB thingamajig and, of course, the drive was quite readable. My boss saw this as evidence of a Lenovo or Intel failure to properly implement the hardware/firmware security stuff.


Ouch. I feel your pain, my friend. :roll:

_________________
X60 tablet 6363-P3U, 3GB ram, 128GB SanDisk Extreme SSD, SXGA+ screen, Intel 6300
T61 Frankenpad in 15 inch T60 body, UXGA LED-lit AFFS LCD, T9300, 6GB RAM, NVidia NVS140m, Intel 6205, 128GB Crucial M4 SSD, 1TB HGST HDD + eBay caddy in Ultrabay
701c butterfly, 75MHz 486DX4, 40MB ram, 1GB CF card


Posted: Thu May 03, 2012 8:35 pm
Senior ThinkPadder

Joined: Wed May 20, 2009 9:54 am
Posts: 2342
Location: near RTP, NC
Personally I'd just deploy TrueCrypt/BitLocker/GELI/LUKS/whatever-FDE-your-OS-supports and be done with it. Yeah, you'll lose a couple percentage points on benchmarks, but so what? At least this way there's no confusion about what's getting stored.

_________________
Need help with Linux or FreeBSD? Catch me on IRC: I'm ThinkRob on FreeNode and EFnet.
Code:
Current laptop: X200s/X201 hybrid
Current workstation: none

