T Series - Passwords and encrypted hard disk

New T510 arrived today with the hardware encrypted hard disk.

Does anyone have a guide or suggestions for setting passwords to lock down the system?

I would like to set a single password that prevents unauthorized access to bios, booting, and the hard disk.

Thank you!

 

I believe you have to set a master password which must be different from the user password (for HDD). At least that's how it works on most T-series ThinkPads. But I don't have your model or the hardware-encryption HDD. I think there's a T510 Owner's thread here somewhere and someone in there could probably give you more precise info.

 

I have this setup with my Thinkpad T410. I'm using a Seagate 500GB FDE drive.

Before I dive into your options, did you get a smart card reader or a fingerprint reader? Having either (or possibly both) will greatly increase the security on the HDD. If you have both then you have more options.

 

How? A FDE drive is basically given an unlock key at BIOS boot. You could have 300 authentication methods on the PC, but the drive is only protected by one password - the HDD password which is in the BIOS settings.

See here:

Lenovo Support & downloads - Full Disk Encryption Hard Disk Drive Frequently Asked Questions

 

No that is wrong. I suppose I won't dive into a very detailed explanation of out enterprise FDE drives are deployed as it's very complicated. Entering BIOS passwords is incredibly hard to manage (if not impossible) in a centralized fashion. Most of the FDE management software (Im still talking hardware FDE here, not software) has additional options like recovery keys, smart card usage and TPM. It uses something called a "dCard". It was interesting, because when the drive is locked in this mode, it appears as a 200MB partition which is meant to store the pre-boot environment. Once it unlocks the drive, it showed up as 460GB-ish and the 200MB partition was gone until I powered down.

Anywho, that mode of operation is tricky to understand, the software will be at least $100.

So, if you want just BIOS passwords, the fingerprint reader would be ideal here as it can be used to unlock the drive in lieu of entering a password every time. You can then go about setting a highly secure password, which would be more like a randomly generated key. You would enter this password manually on setup, and then store a copy of it in a safe place, AWAY from the laptop. But if you forget the password, you'll also be buying a new HDD.

You really only need a user (instead of a master/user HDD) password assuming you keep the password safely kept away so you don't forget it. Then I recommend setting a master BIOS password which would be needed to enter the BIOS. A power-on password is not necessary. Once you do this, it will be necessary to lock down the BIOS so you can only boot via the HDD, at least without intervention. My fingerprint also releases the master BIOS password as well.

Also I ran into problems with trusted execution technology enabled and the TPM enabled and initialized when I tried to make the laptop go to sleep. It wouldn't respond to a resume and I had to do a hard power down. It could have been a BIOS issue that was fixed recently, but just an FYI. It works fine with TXT disabled and the TPM cleared and disabled. I suspect the BIOS stores the HDD/BIOS passwords in the TPM chip and enabling the chip made it work in a conflicting manner.

Hope this helps.

 

This more detailed description from the drive manufacturer confirms what I stated:

http://www.hitachigst.com/tech/techlib.nsf/techdocs/74D8260832F2F75E862572D7004AE077/$file/bulk_encryption_white_paper.pdf

 

You don't prove your point by dishing out a marketing brochure you found after Googling...
The link from Hitachi proves nothing on how to secure a drive, they just briefly discuss technology (and by brief I really do mean brief). How do you even know his is a Hitachi and not a Seagate? The two manufacturers differ enough that the management of securing the drive differs.



Again (to pelikan, the one that actually has an FDE drive other than myself) , do you have a fingerprint reader?

 

My Lenovo supplied FDE 250GB drive is a Hitachi. That is irrelevant to how an FDE drive works. A Seagate is the same.

Offering security advice is important, but offering incorrect advise is dangerous.

Your statement:

was plainly wrong. The security on the drive has nothing to do with Fingerprint or smart card readers. Unless you're using Bitlocker or similar software based solutions.

You can use the Fingerprint reader to unlock the BIOS, but that has nothing to do with security on a FDE HDD.

 

I did not get the smartcard or fingerprint reader.

Can I configure the system so I enter a single password that would clear:
1) Power on password
2) Hard disk password
3) Windows password

 

I guess I have to dive into the details because you don't believe me.

You have two classes of hardware-based FDE drives (contemporary at least), OPAL-compliant or Seagate Secure. I can't say for certain as I haven't personally tried an OPAL compliant drive, but for the most part they are functionally the same. OPAL is a standard from the Trusted Computing Group, the same consortium that brought you TPM, and Seagate was a huge player in developing the standard. Also Seagate's upcoming 3-gen FDE drives in fact will be OPAL compliant (popped up on FIPS 140 pending list just a little bit ago). Ironically, Seagate also is the only laptop drive manufacturer with drives in the FIPS 140 pending list (none are currently approved). Seagate Secure and OPAL compliant drives for all intents and purposes are basically the same (except current shipping Seagate FDE drives aren't explicitly OPAL compliant, ie they didn't get the "stamp"). Though, I'll talk about Seagate FDE.

Seagate FDE drives, assuming you enable the access protection, operate in 2 modes: Enterprise or BIOS password based. All FDE drives are always encrypting, rather it's the matter of access to the encryption key. It's critical in AES encryption to protect the key and keep it secret, as with any symmetrical encryption algorithm, once you have it, you can both encrypt and decrypt data freely. For FDE drives, this is done via PBA (the same is necesary with software FDE, too).

In Enterprise mode, management software generates and installs a "dCard" onto the Seagate FDE drive. When the drive is locked, it presents itself as a 200MB drive, in which the management software installs a pre-boot authentication environment. In this PBA, you can use a number of authentication techniques, such as smart cards, TPM, fingerprint, password or a combination of them. On a successful authentication, the PBA presents the key to the dCard (there can be up to 4 keys/passwords) which in turn unlocks the drive. Once this happens, the 200MB partition is gone and the full contents of the FDE drive is presented, presumably with your installed OS. The moment you power off the drive (D3 state), it locks itself presenting only the 200MB partition again. This mode of operation is the only one that is FIPS 140-2 compliant.
The obvious advantage to this mode is that it can be managed in an organization, even a large one and it also gives you more PBA authentication options. The disadvantage is no discounts (it's actually quite cheap per seat in bulk purchases) as the single-seat licensing costs are about $100 a pop, and it's complex to understand. Assuming your laptop is for personal use, I doubt you're going to shell out $100 for this option, though just giving you the details on one of the modes your drives operates in...

You're most familiar with BIOS protection in the form of passwords. It prompts for a password, and until you do, it blocks access to the drive and thus the encryption key (the key never leaves the drive, nor can you ever extract it directly). You can either set a user password, or a master and user password. Keep in mind that passwords typically are the weakest link to any security scheme. If you set a simple password, like say 8-chars, you essentially limit the security of your HDD significantly, perhaps to the point you negate the advantage of an FDE drive. My drive, and I suspect all the FDE drives incorporate 128-bit AES in CBC-mode, and SHA-1.
To prevent the BIOS password from being the weakest link, you need to set a random password of sufficient length. For SHA-1, that's at least a 27-length, case sensitive alpha numeric password. Considering truly random passwords are incredibly difficult for people to memorize, if you have a fingerprint reader, you leverage it to unlock the drive. There aren't detailed specs, but I'm guessing if you enable this, the password is tied and stored in the TPM, and the proper fingerprint template on FPR releases it from the TPM to the HDD (or so I *hope*).

Also none of the above options uses software FDE, the software involved is only for management of the hardware FDE.