The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Harddisk (ATA) password vs Full Disk Encryption

    Discussion in 'Hardware Components and Aftermarket Upgrades' started by garga, Jan 8, 2010.

  1. garga

    I read a bit about the BIOS (aka ATA) hard disk password but I am still a bit confused as to how secure it is compared to using Full disk encryption (FDE). Also being that Lenovo does things usually a bit better than most other laptops in terms of security, I wonder if that makes any difference in this case too.

    From what I understood, it seems that the BIOS HDD password is stored both in the HDD controller and on a special place on the HDD platters. Idea seems to be that this would prevent people from swapping the controller and reading the platters. To further complicate things, I have an SSD so I wonder how that fits such setup. While I do not have an Ultimate edition to use BitLocker, there are other FDE solutions like TrueCrypt that can be used and while I’m sure it will not have much impact on performance I'd rather not lose even 1% speed.

    Thanks for any input!
     
  2. Tadeus

    Are you trying to compare software-based FDE (e.g. TrueCrypt) vs hardware-based FDE (e.g. the built-in hard drive FDE)?
     
  3. Falundir

    I strongly doubt that it would toss the password onto the actual drive sectors itself. If so it would be easily recoverable.
     
  4. ckx

    AFAIK, on a mechanical disk drive, the ATA password is indeed written to the platter, but to a specific location of the platter that is not addressable (thus unreadable) through ATA commands.

    You can recover the password by attaching a high-speed logic analyzer to the internal data bus of the disk, but this approach is neither easy nor cheap (IIRC the price for such a recovery operation is typically north of USD $5K).

    Summary: harddisk password is probably insufficient to safeguard high-value military, government, and corporate secrets, but alright for everything else. I don't think anyone would pay $5K to read my harddrive :)

    Edit: Apparently harddisk password is not as secure as I thought.
    http://forum.hddguru.com/unlocking-ata-password-for-western-digital-t8374.html
     
  5. hceuterpe

    FDE requires a pre-boot authentication or password of some sort and without it, encryption would be useless. As I understand, the ATA password functions to fill this role. Essentially entering the password lets your particular laptop access the drive. In a sense, it's a secure "link" between the interface your laptop uses to access the drive (ATA) vs the raw encrypted data on the platters. The encryption key itself is tied to the drive. I don't know for certain, but with educated guesses, if you take 2 identical FDE drives and swap their boards (all HDDs have these), they would not be able to read the physical medium. Non-FDE drives would allow you to interchange them.


    Lenovo is somewhat odd in the manner in which they implemented their drives.
    This is my opinion in how FDE should have been implemented on the hardware level, while retaining compatibility with hardware encrypting HDD: The user password should have been given an option to generate and randomly store the user password directly in the TPM in the BIOS, and the master password (the recovery) you set, saved to a USB drive, smart card, or text string, or set with an existing smart card or USB drive. That way routine access would force a hard drive to be tied to a particular machine, with a separate master key to recover. This is how BitLocker works and it works both on the small scale and large scale with companies.

    I suspect the reason why hardware FDE is very uncommon is because implementing the scheme is very difficult with an organization with a lot of machines, and the management is also very hard to enforce. After all, the main driving factor to encrypting data at rest lies with interest in business (and ThinkPad is oriented towards companies). Even on a personal level, this form of encryption is a PITA, because you always have to enter another password or a fingerprint and forget it if you have multiple people using the system.

    If you didn't already purchase a harddrive with the FDE option (you need this first and foremost), I would forgo the likes of hardware encryption with your particular model. A pure ATA password without hardware FDE is absolutely useless and pretty much just a nuisance at boot because you aren't actually protecting your data, just the interface on the HDD to access it (and I just explained how to easily defeat it above).


    BitLocker, or something like TrueCrypt is better IMO, but encryption has a performance penalty with your laptop. In fact Intel's new Arrandale CPUs actually have hardware acceleration for AES for this particular reason (another reason why I wait for the T410).

    Assuming you use Windows, I would actually recommend you just encrypt your personal files with EFS (I'm hoping you had the smarts to at least get the Pro version). If you can figure out what's uniquely yours, where the files are (usually a single source) and you commit to using a strong Windows password, EFS is going to be secure enough for you. This will provide you the smallest performance impact with the most convenience.
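
Added example, not part of the original thread or any poster's code: the lock state discussed above is what a drive reports in word 128 of its ATA IDENTIFY DEVICE data, and the decoder below shows that this word describes the password lock only and carries no information about whether the stored data is encrypted. The function names and the sample block are constructed for illustration.

```python
import struct

# IDENTIFY DEVICE word 128: status bits of the ATA Security feature set.
SECURITY_BITS = {"supported": 0, "enabled": 1, "locked": 2, "frozen": 3,
                 "count_expired": 4, "enhanced_erase_supported": 5}
MASTER_CAPABILITY_BIT = 8   # 0 = High, 1 = Maximum
MASTER_ID_WORD = 92         # master password identifier (revision code)


def identify_word(block: bytes, index: int) -> int:
    """Return 16-bit little-endian word `index` of a 512-byte IDENTIFY block."""
    if len(block) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    return struct.unpack_from("<H", block, index * 2)[0]


def decode_ata_security(block: bytes) -> dict:
    """Decode the password/lock state the drive reports about itself."""
    word128 = identify_word(block, 128)
    state = {name: bool((word128 >> bit) & 1) for name, bit in SECURITY_BITS.items()}
    # High: the master password can unlock the drive.
    # Maximum: the master password can only erase the drive, not unlock it.
    state["master_capability"] = (
        "maximum" if (word128 >> MASTER_CAPABILITY_BIT) & 1 else "high")
    state["master_password_id"] = identify_word(block, MASTER_ID_WORD)
    return state


def summarize(state: dict) -> str:
    if not state["supported"]:
        return "ATA security not supported"
    if not state["enabled"]:
        return "no user password set"
    if state["locked"]:
        return "user password set, drive locked"
    return "user password set, drive unlocked until next power cycle"


def build_sample(word128: int, master_id: int = 0xFFFE) -> bytes:
    """Constructed IDENTIFY block (all other words zero) for demonstration."""
    block = bytearray(512)
    struct.pack_into("<H", block, 128 * 2, word128)
    struct.pack_into("<H", block, MASTER_ID_WORD * 2, master_id)
    return bytes(block)


if __name__ == "__main__":
    locked = decode_ata_security(build_sample(0x0127))  # constructed value
    print(summarize(locked), locked)
```
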
     
  6. garga

    I was waiting to find more information before replying in the thread but it seems that no up-to-date and reliable information is available to the general public.

    There are many pieces of information online that relate mostly to HDDs and not SSDs but even the link that ckx provided is info for some old controllers used by WD and most probably would not apply to current models (as it appears from the last few posts in the thread there).

    I will make a post in the general hardware section (hopefully this does not anger anyone) and see if someone has more info.



     
  7. hceuterpe

    I've done a considerable amount more research on this topic. In terms of security mechanisms, SSD and HDD, be it ATA password or FDE (software or hardware), are the same. What specifically do you have for questions?
     
  8. yejun

    FDE is obviously more secure. IIRC, Lenovo will recover ATA password for a fee.