My bios locked HD (yes i know the password)

hello,

This is NOT a question to forcefully REMOVE a hard disk password. I am well aware that such questions are banned from this forum. I have ALL my bios supervisor, user, user hard disk and master hard disk passwords and I am the legal owner of this computer.

Recently my x200 died. It refuses to even power on but when I pull the hard drive out and put it in an external enclosure I can hear it spinning. I need to access the hard drive so I can pull out work files but because it was password protected by the x200 BIOS, no other computer will even recognize the hard drive inside an external enclosure (it does not load in Windows period. doesn't show up requesting a password). I had no idea password protecting the HD will cause it to be "married" to the laptop's BIOS - on my desktop it's a simple password any computer can login to.

I just want to ask, where do I enter my password for the x200 HD? (which I do know!) I am not asking to REMOVE the security features! Simply, what LEGAL solutions do I have to access the HD. Is sending it to lenovo the only way? Am I overlooking any settings which would enable me to login legally and properly? Thank you.

 

try putting the hdd on your x201.

 

I lent the x201 to a family member who is currenly overseas. Actually I think this does work but regardless I would like to see if members of the forum have any other legal solutions to this problem. The computer company can't possibly expect you to have a secondary laptop on standby to retrieve the data, should your first laptop malfunction. Maybe you send it to lenovo with the password to unlock the HD or something, I don't know...

Thank you very much for your help regardless. I appreciate any help.

 

What did tech support say?

 

^I haven't called them yet, I was wondering if the answers could be found here. Hoping there was a safe setting in Windows to enter your password. I was under the impression that anything lenovo did would cost me, the x200 is past its warranty so it probably will.

I'm not sure why I would need to pay to unlock a working hard drive using a known password though, unless this IS part of the security feature (only manufacturer or your actual x200 can access it). Just clarifying if this is true.

 

the pw is tied to the HDD, so when you load it up in another comp it SHOULD ask you for the hard drive password for the drive. How exactly are you accessing it? Just via a USB external enclosure as a secondary drive?

 

Hello,

I simply stuck the sata 7200rpm hard drive into a sata USB enclosure and tried to plug it into a desktop computer running windows 7. I tried 2 other hard drives in this enclosure and it works perfectly, so problem is not the usb casing.

The way it was locked on my x200 was simply one supervisor password and Hard Disk1 Password set to: User. It wouldn't matter because I used the same password for BIOS and hard drive. There is no other passphrase.

 

Does the x200 power up with a different drive?

Surprises me you lent out the x201 instead of the x200. I wouldn't.

 

Well it could be your harddrive, or you might be trying to hack someone's system. Either way let me tell you what you're up against.

Bad news. When you set a harddrive password in the BIOS on a Thinkpad you are actually using the Trusted Platform Module (TPM) which is a chip on your motherboard to hold the keys to the harddrive. [EDIT--This sentence is not correct. Setting a harddrive password is different from encrypting a harddrive using TPM. Allow me to restate.]


Bad news. If you encrypted the drive using Thinkpad's Client Security Software it uses the Trusted Platform Module (TPM) which is a chip on your motherboard to hold the keys to the harddrive. TPM was designed to make it impossible (or close to impossible) to take a TPM protected harddrive out and put it in another computer to access it. This security feature is targeted at enterprise customers who have company servers with all their data backed up.

The only way you get your data is to put the harddrive back in the computer it was encrypted on. You mention you lent the computer to a "family member overseas", if they encrypted their drive using TPM I have no idea if it still carries the keys to your drive or erases them. EDIT: I see now that was a different notebook, never-mind.

Trucrypt free software might be a better solution for consumers trying to safely encrypt their drives. But even then, it is essential that you keep your data backed up somewhere else, to ensure that you don't loose it. EDIT--actually I shouldn't comment on Trucrypt drive encryption as I do not use it.

Some more info for you on TPM:

Lenovo Thinkvantage Client Security Solution

Trusted Computing Group FAQ

Trusted Platform Module - Wikipedia, the free encyclopedia

EDIT--------------------------------------------
There might be someway to export, or backup the TPM security keys from the notebook used to encrypt the drive. Import those keys into another TPM enabled notebook, and then use them decrypt the drive. I have no idea if this is possible though.

 

I'm pretty sure you're not quite correct. The TPM is only used by CS to store the fingerprint and master key information, or things like Windows Bitlocker key. And even if it was stored in the TPM it wouldn't matter...

If you know the password to the drive, you will still be able to access the data from another computer, however you may have to connect it directly to the computer, not to a USB enclosure. Why? Because most BIOS support entry of a HDD password on internal drives only.

Basically the BIOS passes the hdd password to the drive using a standard drive command on power up. So if you know the password, it doesn't really matter where the TP stores it anyway!

Look to putting your drive in another laptop or desktop directly.

 

Yeah I have my tpm chip disabled but I still use a hdd pw.

 

I was not clear in my pervious post. I was confusing setting a harddrive password with encrypting a harddrive.

The guy who started this thread, the Original Poster (OP) said the drive from his x200 was "password protected by the x200 BIOS."

So it could be that he just set a Harddrive password, or he might of encrypted the drive using Lenovo's security software. It's hard to tell from the information he's given.

Setting a harddrive password in the BIOS prevents the Thinkpad from starting up the harddrive until the correct password is entered. If he did this then I would expect the drive to be readable if he put it in a USB enclosure and plugged it into another computer.

Encrypting a drive, on the x200, using Lenovo's Client Security Software stores the keys in the Trusted Platform Module (TPM) on the x200's motherboard. This makes it impossible (nearly impossible) to read the drive on another computer.

TPM FAQ LINK

 

Try plugging the HD directly to the computer (without using external enclosure, unless you are using eSATA that bypasses the enclosure chipset), you should be able to access the HD with your password and change/remove password via BIOS. Alternatively, you can use HDDerase to remove the password; it is not "illegal" because you have/know the password.

 

Yeah I think hardware drive encryption utilizes the TPM. It was for that reason (the disk being "tied" to that comp) that I went with software encryption. I use truecrypt as a software encryption solution. I believe the HDD needs to support FDE to be able to use the TPM chip for hardware level based encryption.

To the OP: The HDD should be accessible as an external drive. Perhaps it's the drive itself? If you have a linux environment try mounting it in there and seeing if you can access the volume maybe.

 

I do know that you won't be able to access the drive on an enclosure; I'd say the best bet on removing the password is to stick it into another ThinkPad(I don't think another brand of notebook will recognize a password-protected TP drive) and accessing the BIOS to remove the password. If you had the X201 you lent out handy, I'd be willing to bet you could access the drive with that method.

 

A HDD does not need to support FDE to use the TPM chip. The two are unrelated.

HDD FDE is enabled with a HDD password, just as a regular drive can use. Anything more (BIOS fingerprint/passwords) are simply protecting the same HDD password.

TPM is used with solutions like Bitlocker/OS/CS independent of HDD FDE.

 

The password you put on the drive is a SATA password. You will need to interface the drive with a SATA interface with a SATA controller. An external USB HD enclosure does NOT work, even if USB boot is enabled in the bios.

Simply put, place the harddrive into a notebook HD slot with the proper SATA interface. You will need to unlock the SATA password before the drive will function and allow I/Os. This can only happen if it recieves the SATA password. The password can typically only be intiated at boot, and often only on notebooks where the BIOS has allowed and unlocked the use of the optional SATA security measures (i.e. often only business notebooks like thinkpads or dell lattitude). In other words, if you have another thinkpad that has a SATA interface, and you have an external HD enclosure, temporarily pop the HD out from that into your external enclosure and replace that with your locked HDD.

It has nothing to do with the TPM unless you are using a FDE drive. Even with a FDE drive, it may not store part of the decryption keys (along with the set paraphrase) on the TPM. Again this is an option left for the notebook manufacturers. Even thinkpads however do not implement the higher security FDE key storage on the TPM as far as I know and requires only the paraphrase, even though that capability is there on say the seagate FDEs.

 

Some updates:

firstly, very valuable information given in this thread everyone. No matter what happens this has helped me and hopefully will help future users who encounter this problem and search the archives.

I've never touched client security software and the hard drive is not FDE so it's unlikely there's any additional security layers on it. I am the only user of the x200 so no other family member could've mistakenly set a different supervisor password on.

Today I used a coworker's x201 and put my locked hard drive into his computer. Turned it on, BIOS startup asked me for the hard drive password (as usual). I entered it and got a checkmark, then the computer proceeded to boot windows off the drive as if nothing happened. It had no idea the motherboard was different (my x200 wasn't even using the same CPU as the coworker's x201) and I was able to move around windows normally. That's really puzzling but files were accessed thankfully. We now know the hard drive isn't broken.

BUT. I went into coworker's x201 BIOS and tried to delete my own hard drive password, using my known passphrase of course *nothing illegal*. It allowed me to enter my "old password" but refused to let me enter a new one and delete it (putting in a blank passphrase and pressing enter normally deletes and unlocks the drive). My hard drive is pretty much useless to all other computers now unless I fix the x200, which I probably won't because used thinkpad X series don't even cost that much. Kinda sucks, it was 7200rpm 500GB.

So in a way I believe the thinkpad DOES "marry" your motherboard to your hard drive when you set an HD password. To the point where even a secondary "similar" model laptop can NOT remove the password! my own x201 won't be back for a while and I can't do much now. I have no other computer in the house which uses SATA interface (they are all old IDE computers)! My friends lent me 3 other SATA USB external enclosures and my desktop refuses to read the locked hard drive in all of them. But thank you all regardless for your kind help.

LegendaryKA8/Smellycant/MAA83/@Thinkpad - even using a different X201 with my drive DIRECTLY inside (no external enclosure) the most it will do is let me access it but not remove the password in BIOS The fact that I can boot into it means the password has to be correct at least. I'm dead certain it was a user only password and not a master one. I never set a master password on my drives and again my BIOS + hard drive had the same passwords anyway. Sigh, but thank you sirs. I'm not dead certain I understood and attempted fully what you guys suggest by using a SATA external enclosure on another SATA laptop, I guess that might make a difference but at the moment I don't have a computer to try this.

halobox - She needed the faster computer, I don't really care as much so that's why she has it heh. The x200 does not power up at all - you can press the power button and no light comes on.

 

On the X201 have you tried disabling the 'use passphrase' option in the BIOS before clearing the password?

Edit: Note, power cycle after toggling this option.