The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Password protecting X220

    Discussion in 'Lenovo' started by cr2250, May 25, 2011.

  1. cr2250

    cr2250 Notebook Enthusiast

    So I was messing with the BIOS password settings. I set a boot password, and I figured my fingerprint would be able to bypass it. Well, it bypasses it the first time, but right after it confirms my fingerprint, the BIOS still asks for a password. I do not know if this is a feature, but this only happens if I leave the computer off for a couple hours. Usually it bypasses all the way through.


    Any thoughts? What do you think of password protecting the drives as well? Will it do anything for me?
     
  2. DStaal

    DStaal Notebook Geek

    Yeah; it'll make it much harder to recover from a major system failure. ;)

    Unless you are handling classified documents, I don't really see the point. (Especially if you are going to use the fingerprint reader, which is easier to crack than a normal password.) You have a system password which you can use to log in, and that should be more than enough security for most people.
     
  3. ThinkRob

    ThinkRob Notebook Deity

    Nope.

    It looks impressive, but it's useless from a security standpoint.

    If you care about keeping the data on your drive safe, use full-disk encryption (Truecrypt, BitLocker, LUKS/dm-crypt, etc.) Otherwise you're just giving yourself a false sense of security.
     
  4. spam123

    spam123 Notebook Consultant

    ThinkRob, do you have an Intel 320 SSD? Supposedly it can do low level AES128?
     
  5. ThinkRob

    ThinkRob Notebook Deity

    Yes, the 320 does claim to have hardware support for AES in conjunction with an ATA password (and thus, presumably, sane BIOS support.)

    Personally I'm more trusting of software-based solutions like dm-crypt. I don't use hardware FDE.
     
  6. spam123

    spam123 Notebook Consultant

    I haven't used dm-crypt before, only TrueCrypt.
    I guess my complaint there is that I need to manually mount it by typing in a password.
    If there's a solution that incorporates a fingerprint swipe, or an expressCard insert... come to think of it, our company uses SecureDoc...


     
  7. ThinkRob

    ThinkRob Notebook Deity

    It doesn't take that long to type a sentence, and a reasonably-complex sentence will be tremendously more secure than a fingerprint-based solution.

    As far as an ExpressCard solution, you absolutely can do that with TrueCrypt or LUKS. AFAIK both of those support the use of key files, so I can't see why you couldn't just stick a key file on an ExpressCard SSD or a USB key and use that. Assuming you never let the drive out of your sight (and that your key generation was done correctly), something like that can provide stellar security.

    Of course the most secure solution of all would be to use both a key file and a password. That's what I currently use for encrypting my home partition -- you need both a key file and a multiple-sentence password. It doesn't take me very long to plug in the drive and enter the password when I boot my machine, and anyone wanting to get access to my data would be better off using rubber-hose cryptanalysis than trying to break that setup...
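
The "key file plus password" idea from the post above, as an added example that is not part of the original thread and is not how TrueCrypt or LUKS implement it internally: a Python sketch in which the unlock key depends on both secrets, so neither one alone opens the slot. The function names, the slot layout, the iteration count and the sample passphrase are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000      # assumed work factor for this sketch
CHECK_LABEL = b"keyslot-check"   # constant used only to verify a candidate key


def new_key_file(size: int = 64) -> bytes:
    """Key file contents come from the OS CSPRNG, never from a guessable file."""
    return os.urandom(size)


def derive_key(passphrase: str, key_file: bytes, salt: bytes) -> bytes:
    """Derive one 256-bit key that changes if either secret changes."""
    # Fold the key file (any size) into a fixed-size digest.
    key_file_digest = hashlib.sha256(key_file).digest()
    # Bind the passphrase to the key file with HMAC, then stretch the result
    # so every passphrase guess costs a full PBKDF2 run.
    mixed = hmac.new(key_file_digest, passphrase.encode("utf-8"),
                     hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", mixed, salt, PBKDF2_ITERATIONS, dklen=32)


def create_slot(passphrase: str, key_file: bytes) -> dict:
    """Store only a salt and a check value, never the secrets themselves."""
    salt = os.urandom(16)
    key = derive_key(passphrase, key_file, salt)
    return {"salt": salt,
            "check": hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()}


def unlock(slot: dict, passphrase: str, key_file: bytes):
    """Return the derived key if both secrets are right, otherwise None."""
    key = derive_key(passphrase, key_file, slot["salt"])
    candidate = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return key if hmac.compare_digest(candidate, slot["check"]) else None


if __name__ == "__main__":
    phrase = "A constructed sample passphrase. It runs to two sentences."
    key_file = new_key_file()            # would live on the removable drive
    slot = create_slot(phrase, key_file)
    print("both secrets:  ", unlock(slot, phrase, key_file) is not None)
    print("wrong password:", unlock(slot, "guess", key_file) is not None)
    print("wrong key file:", unlock(slot, phrase, new_key_file()) is not None)
```
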
     
  8. cr2250

    cr2250 Notebook Enthusiast

    Lol all good responses, I wasn't meaning to be this extreme with security.

    It was more of: if my laptop gets stolen, I want it to be the biggest pain in the to get it up and running for someone.
     
  9. ThinkRob

    ThinkRob Notebook Deity

    Then it's very simple: use full-disk encryption. Anything else is trivial to bypass, provided the thief is capable of using Google.
     
  10. ym1

    ym1 Notebook Consultant

    Actually the best solution that we use is RDP under a VPN, so basically there's nothing on the laptop but security tools. The rest is a shell. As soon as I know my laptop is gone I call up Computrace and usually have my laptop back in my hands within a day. Great service, highly recommend it if you work in a lot of data centers or Fortune 500 clients with sticky fingers. Half the time I have called them my laptop is still onsite. So between Computrace support and onsite security I get it back pretty fast and get to watch someone get fired.
    fun fun.

    ym
     
  11. ThinkRob

    ThinkRob Notebook Deity

    For some enterprise settings, RDP + VPN is definitely an option. I kinda assumed that the OP was a home user...
     
  12. ym1

    ym1 Notebook Consultant

    I know, but there is no reason you can't set that up with your desktop at home at some level. Even RDP itself is encrypted. I may be wrong on this, but don't Win XP and Win 7 allow 1 RDP admin connection? Otherwise FDE would be a solution. But what happens when you want to upgrade? I don't think programs like Ghost or Acronis can work with FDE. It would definitely kill off any use of any offsite programs like Mozy if the HD was encrypted already before Mozy could run.

    A power-on password pretty much ends their play day and they would just move on to the next lappy they lifted.
    ym
     
  13. ThinkRob

    ThinkRob Notebook Deity

    Imaging programs work just fine. If it's a bit-level copy there's no reason why it wouldn't.

    I'm not sure what you mean about "it would definitely kill off any use of any offsite programs like Mozy". If the machine is on, the drive is accessible -- so why wouldn't backup software work?
     
  14. ym1

    ym1 Notebook Consultant

    I should have been more clear. Give me a min, need to switch from tablet to laptop since it's kinda long-winded.

    OK, so with FDE on, your drive is fully encrypted end to end. Programs like Mozy etc. use their own encryption, be it HTTPS/SSL-3 to AES 256-bit depending on the service you use. This is done prior to sending your files downline to the collecting rack server. The problem would lie if your HD crashed and you lost your FDE key or if your FDE key got corrupt. You could restore your data but it would still be encrypted via FDE with no way to do anything with your data. Also the browser sharing service, like with Mozy, that allows you to just restore a file through your browser that was backed up from, say, your FDE laptop to another PC wouldn't work, since again the use of FDE. FDE is nice and great on a rack server level, but with the added user education and CPU load, most of the time it just isn't worth it. However, try it for yourself if you think it's a fit for you. Just remember to never lose your FDE key and make more than one copy if your software allows.
     
  15. ThinkRob

    ThinkRob Notebook Deity

    Unless I'm misreading your post, this is incorrect.

    FDE encrypts the data on the actual storage device. Once the machine is running and the encrypted volume mounted, the OS and programs can access the data just fine. Mozy and any other automated programs would be able to do whatever they like -- they'd get plaintext, same as if the drive was just a regular drive.

    It's the same for both software and hardware FDE solutions. The encryption/decryption happens way below userspace in either case.
     
  16. ym1

    ym1 Notebook Consultant

    Not sure what you're missing. On-drive access issues only arise when ghosting to another drive. Offsite access to data that came from an FDE-related drive without your FDE key or keys, depending on your solution. If you can restore data from an FDE or other software-related encrypted drive without using or needing your keys, then the drive isn't truly encrypted.

    Most of the time when this comes into play on a laptop outside research labs and government liabilities is when a user finds out about FDE and enables it, usually a corporation version of the OS. Later down the road he gets a virus or hoses his OS in some way and takes it back to support. Those really important key or keys they were supposed to save, they lost, so data recovery is pointless. Trying to restore from online backup won't work either, since that data is encrypted via the FDE or other solution. This is what you have to think ahead about with disaster recovery, and big time on laptops since their given life span is typically less than a 3.5.

    If just using your laptop day to day with FDE enabled, you have higher disk load and CPU load. Most won't notice over time since all laptops get slower as time goes by. The reg grows in size from the programs you have installed etc. Everything works fine ON that PC; it's when you try to take that data with you that issues arise.
     
  17. ThinkRob

    ThinkRob Notebook Deity

    If you image a drive that's encrypted, you can still access it just fine if you have the keys. I know this because my laptop's drives are all imaged periodically, and I can unlock and access the partitions just fine both on the original and the imaged drive.

    Any backup programs that run while the drives are mounted/unlocked will, of course, be able to access the data just fine, even if FDE is in use, so no problems there.

    Honestly, the only issues you'd get with backing up an encrypted drive would be if you imaged the drive, lost the original, and lost the keys... but that's a problem with *any* encrypted drive, regardless of whether or not you imaged it. So... you know... remember the damn passphrase. :D

    And not all laptops "get slower as time goes by". Not all laptops run poorly-maintained Windows installations. ;)