Take a look at our
ThinkPads.com HOME PAGE
For those who might want to contribute to the blog, start here: Editors Alley Topic
Then contact Bill with a Private Message
ThinkPads.com HOME PAGE
For those who might want to contribute to the blog, start here: Editors Alley Topic
Then contact Bill with a Private Message
T420 w/ Intel series 320 SSD: FDE encryption reality check
T420 w/ Intel series 320 SSD: FDE encryption reality check
My boss is convinced that merely setting the bios supervisor password should be enough to ensure that if the Intel 320 SSD is removed it will be unreadable. So I am suppose to figure out why this is not the case in our small fleet of new T420s equipped with said SSDs.
As best I can discover it is necessary to set the bios hard disk password (user and/or user+master) in order to make use of the 320 encryption. I also understand that one can utilize various central management alternatives to link a hard disk password to a domain password and thus avoid having users typing their password twice (or swiping their fingerprint twice).
My boss is one of the smarter people I know and it is difficult to convince him that he is wrong about something -- his life experiences have tended, I believe, to reinforce the notion that he is almost always right, particularly when it comes to detailed, persnickety stuff. IOW, we're not talking about some monumental [censored] here.
I'm afraid that if I can't provide strong evidence that the hard disk password is necessary I will be forced to spend long hours trying to get "support" from Lenovo. Can anyone help me persuade my boss? I'm about to start sniveling . . . please help.
dmp
I.T. Dogsbody
Cambridge, MA
As best I can discover it is necessary to set the bios hard disk password (user and/or user+master) in order to make use of the 320 encryption. I also understand that one can utilize various central management alternatives to link a hard disk password to a domain password and thus avoid having users typing their password twice (or swiping their fingerprint twice).
My boss is one of the smarter people I know and it is difficult to convince him that he is wrong about something -- his life experiences have tended, I believe, to reinforce the notion that he is almost always right, particularly when it comes to detailed, persnickety stuff. IOW, we're not talking about some monumental [censored] here.
I'm afraid that if I can't provide strong evidence that the hard disk password is necessary I will be forced to spend long hours trying to get "support" from Lenovo. Can anyone help me persuade my boss? I'm about to start sniveling . . . please help.
dmp
I.T. Dogsbody
Cambridge, MA
-
- Senior Member
- Posts: 774
- Joined: Tue Nov 23, 2004 4:29 pm
- Location: Mississauga, ON
- Contact:
Re: T420 w/ Intel series 320 SSD: FDE encryption reality check
The facts:dmp wrote:My boss is convinced that merely setting the bios supervisor password should be enough to ensure that if the Intel 320 SSD is removed it will be unreadable. So I am suppose to figure out why this is not the case in our small fleet of new T420s equipped with said SSDs.
As best I can discover it is necessary to set the bios hard disk password (user and/or user+master) in order to make use of the 320 encryption. I also understand that one can utilize various central management alternatives to link a hard disk password to a domain password and thus avoid having users typing their password twice (or swiping their fingerprint twice).
My boss is one of the smarter people I know and it is difficult to convince him that he is wrong about something -- his life experiences have tended, I believe, to reinforce the notion that he is almost always right, particularly when it comes to detailed, persnickety stuff. IOW, we're not talking about some monumental *****Expletives removed by Moderator***** here.
I'm afraid that if I can't provide strong evidence that the hard disk password is necessary I will be forced to spend long hours trying to get "support" from Lenovo. Can anyone help me persuade my boss? I'm about to start sniveling . . . please help.
dmp
I.T. Dogsbody
Cambridge, MA
Hard drive password controls access to the drive but not the computer. Without a password, you can use the computer with another drive but the drive cannot be used.
BIOS password controls access to the computer but not the drive. Without a password, you can use the drive with another computer but the computer cannot be used.
Hard drive + BIOS password will be enough to protect both the machine (BIOS password) and the drive (HDD password): you do not need to encrypt but legislation may require it in some domains (e.g. management of personal health information in Canada requires encryption for compliance even though this is not explicitly stated). The Intel SSD 320 drive supports full disk encryption so the data would be encrypted no matter what, all the HDD password does is change how the key(s) to decrypt / encrypt data on the drive are accessed. Without the password, the keys are available as soon as the drive is powered on, with the password, key(s) are not accessible until the password is entered.
Definitive evidence here.
Last edited by smugiri on Thu May 03, 2012 2:04 pm, edited 1 time in total.
Steve
-
- Senior Member
- Posts: 852
- Joined: Sun Feb 26, 2012 2:25 am
- Location: Princeton, New Jersey
- Contact:
Re: T420 w/ Intel series 320 SSD: FDE encryption reality check
Well, presumably you can take your boss's ThinkPad which doesn't have HDD password, take out the SSD and put it in an enclosure, and demonstrate to him that you can read all his files.
X60 tablet 6363-P3U, 3GB ram, 128GB SanDisk Extreme SSD, SXGA+ screen, Intel 6300
T61 Frankenpad in 15 inch T60 body, UXGA LED-lit AFFS LCD, T9300, 6GB RAM, NVidia NVS140m, Intel 6205, 128GB Crucial M4 SSD, 1TB HGST HDD + eBay caddy in Ultrabay
701c butterfly, 75MHz 486DX4, 40MB ram, 1GB CF card
T61 Frankenpad in 15 inch T60 body, UXGA LED-lit AFFS LCD, T9300, 6GB RAM, NVidia NVS140m, Intel 6205, 128GB Crucial M4 SSD, 1TB HGST HDD + eBay caddy in Ultrabay
701c butterfly, 75MHz 486DX4, 40MB ram, 1GB CF card
Re: T420 w/ Intel series 320 SSD: FDE encryption reality check
Thank you to twistero and smugiri for their replies.
I should clarify: I did have occasion to pull a drive and test it via USB thingamajig and, of course, the drive was quite readable. My boss saw this as evidence of a Lenovo or Intel failure to properly implement the hardware/firmware security stuff.
We do need the full disk encryption to protect our data and, in some instances, to comply with Massachusetts regulations for keeping some personnel data secure.
That FAQ may well do the trick . . .
Thanks again.
I should clarify: I did have occasion to pull a drive and test it via USB thingamajig and, of course, the drive was quite readable. My boss saw this as evidence of a Lenovo or Intel failure to properly implement the hardware/firmware security stuff.
We do need the full disk encryption to protect our data and, in some instances, to comply with Massachusetts regulations for keeping some personnel data secure.
That FAQ may well do the trick . . .
Thanks again.
-
- Senior Member
- Posts: 852
- Joined: Sun Feb 26, 2012 2:25 am
- Location: Princeton, New Jersey
- Contact:
Re: T420 w/ Intel series 320 SSD: FDE encryption reality check
Ouch. I feel your pain, my friend.dmp wrote: I should clarify: I did have occasion to pull a drive and test it via USB thingamajig and, of course, the drive was quite readable. My boss saw this as evidence of a Lenovo or Intel failure to properly implement the hardware/firmware security stuff.
X60 tablet 6363-P3U, 3GB ram, 128GB SanDisk Extreme SSD, SXGA+ screen, Intel 6300
T61 Frankenpad in 15 inch T60 body, UXGA LED-lit AFFS LCD, T9300, 6GB RAM, NVidia NVS140m, Intel 6205, 128GB Crucial M4 SSD, 1TB HGST HDD + eBay caddy in Ultrabay
701c butterfly, 75MHz 486DX4, 40MB ram, 1GB CF card
T61 Frankenpad in 15 inch T60 body, UXGA LED-lit AFFS LCD, T9300, 6GB RAM, NVidia NVS140m, Intel 6205, 128GB Crucial M4 SSD, 1TB HGST HDD + eBay caddy in Ultrabay
701c butterfly, 75MHz 486DX4, 40MB ram, 1GB CF card
Re: T420 w/ Intel series 320 SSD: FDE encryption reality check
Personally I'd just deploy TrueCrypt/BitLocker/GELI/LUKS/whatever-FDE-your-OS-supports and be done with it. Yeah, you'll lose a couple percentage points on benchmarks, but so what? At least this way there's no confusion about what's getting stored.
Need help with Linux or FreeBSD? PM or catch me on IRC: I'm ThinkRob on FreeNode and EFnet.
Laptop: X270, running Fedora
Desktop: Intellistation 285 (currently dead)
Workstation: owned by my employer
Toy: Miata!
Laptop: X270, running Fedora
Desktop: Intellistation 285 (currently dead)
Workstation: owned by my employer
Toy: Miata!
-
- Similar Topics
- Replies
- Views
- Last post
-
-
Keyboard stickers for ThinkPad T400/T410/T420 and T500/T510/T520 Series
by PowerPC » Fri Feb 09, 2024 2:52 pm » in ThinkPad T400/T410/T420 and T500/T510/T520 Series - 1 Replies
- 443 Views
-
Last post by dr_st
Fri Feb 09, 2024 4:14 pm
-
-
-
T14 Gen3 (Intel) and SSD Samsung 990 Pro 4TB
by Jan_888 » Tue Feb 13, 2024 5:54 pm » in Thinkpad T14/T15/T16 - 1 Replies
- 570 Views
-
Last post by ZaZ
Thu Feb 15, 2024 7:56 pm
-
-
- 0 Replies
- 4105 Views
-
Last post by bjain29
Mon Nov 20, 2023 9:28 am
-
- 1 Replies
- 7529 Views
-
Last post by robinadams
Fri Dec 15, 2023 12:05 pm
Who is online
Users browsing this forum: No registered users and 104 guests