  • Posts: 18
  • Registered: ‎03-29-2008
  • Location: Azerbaijan
  • Views: 668
  • Message 1 of 17

Encryption CONNIPTION

2008-03-29, 7:34 AM
Has anybody gotten clarity on the encryption scene using a T61 with TPM, Seagate FDE drive, Vista Ultimate, considering:

•    http://www.pc.ibm.com/us/security/securecomm.html says, quote: “SafeGuard® Easy is full hard disk encryption software …. SafeGuard® Easy from Utimaco Safeware comes from Lenovo with 1 year of MSU (Maintenance, Support and Upgrades).”
•    But IBM tech at 800-426-7378 as of 3/27/2008 hasn’t heard of this software and refers the call to Lenovo sales, who can’t find anything about it. Utimaco SafeGuard Easy isn’t mentioned as preloaded software on the T61 Datasheet either (accessible from a link on the page
       http://shop.lenovo.com/SEUILibrary/controller/e/web/LenovoPortal/en_US/catalog.workflow:category.details?current-catalog-id=12F0696583E04D86B9B79B0FEC01C087&current-category-id=19C791A03AF24034A0011B825513BCED ).
     However, the sheet does state Client Security Solution is preloaded, and the sales pitch page cited above notes the software is part of it.
•    Which leaves me right where I was when I did a search on my machine for Utimaco and for SafeGuard but came up dry. I also didn’t see it as a free-standing App when looking in the Apps folder of SWTools folder. (Is it maybe buried in some other folder? Wouldn’t a search on the machine have produced it if it is buried somewhere else?)
•    So, what IS the FDE mechanism, if it isn’t Utimaco SafeGuard Easy?
•    And if it IS Utimaco SafeGuard Easy, wouldn’t it be helpful to know FAQs about this product as listed on the Utimaco website? FAQs such as:
       • If you want to add additional hard disks to the system, you should consider to completely remove SafeGuard Easy from the system first. After removing, install the new hard disk and re-install SafeGuard Easy. http://americas.utimaco.com/support/faq/detail.html?ID=107783
       • A computer on which the hard disk was divided into several partitions. For some reason, the operating system was re-installed on the first partition without first uninstalling SafeGuard Easy. During the re-installation of the operating system, the c: drive was reformatted (and therefore is in plaintext). Booting up the freshly set up computer, the d: drive is still visible in the Windows explorer, but the data on it cannot be accessed. Is there a way to access the data on the d: drive? http://americas.utimaco.com/support/faq/detail.html?ID=106920
       • It is not possible to change the configuration/partitioning, once a hard disk has been encrypted. You must consider the partitions and their dimensions "frozen". http://americas.utimaco.com/support/faq/detail.html?ID=107074
•    A phone call to Utimaco discloses the individual user does not have an agreement with Utimaco. IBM (or Lenovo?) does. So call them. (But I already did !!! …………… And for some reason I have the feeling that plunking down $100 for a chat with a live rep might not get me any farther down the road.)
•    Of course, if you have been so rash as to repartition or add another HD, there is the problem of: How do you reinstall this software if you can’t find it on your machine so that it’s presumably not on the “Recovery CDs” either. And what’s the status of your encryption which might be so important to you as to have paid a little extra to get it? And have you been flitting about thinking you’re protected when you haven’t been? And have you yet experienced any measurable losses because of your ignorance? Since money talks, ready, set, class: ACTION ! (Mercifully I will not be part of it since I only recently acquired this machine and haven’t experienced any losses I’m aware of (yet), and I sure do hope to stay out of any such class.)

A little help, anybody?


Message Edited by Cripes on 03-29-2008 08:56 AM

Message Edited by Cripes on 03-29-2008 03:01 PM

Message Edited by Cripes on 03-29-2008 03:03 PM
  • Posts: 77
  • Registered: ‎03-06-2008
  • Location: Brisbane, Australia
  • Views: 5546
  • Message 2 of 17

Re: Encryption CONNIPTION

2008-03-30, 3:13 AM
Welcome to the forum Cripes.  I love seeing a well thought out and documented post.

I think the central answer is that Safeguard Easy is not part of the standard software suite that is bundled with Lenovo products.  It is a full disk encryption (FDE) product that is sold separately by Lenovo to complement the security features bundled with the machines.

Client Security Solution is bundled with machines and available for download.  It provides enhanced certificate and password security using the TPM hardware security chip.

Some models have a hard drive with "Disk Encryption".  The encryption is done on the drive itself.  Combined with a HDD password, this prevents unauthorized data recovery by software or even direct reading of the HDD platters.

Models with Windows Vista Ultimate or Vista Enterprise installed support Microsoft BitLocker which is another FDE alternative.
__________________________________________________
I was previously employed by Lenovo but have no formal role on this forum.
I am here on my own time because I like fooling with PCs, especially Lenovo ones. ALL my posts are purely my personal opinion.
  • Posts: 18
  • Registered: ‎03-29-2008
  • Location: Azerbaijan
  • Views: 668
  • Message 3 of 17

Re: Encryption CONNIPTION

2008-03-31, 20:11 PM
Cedric -

Thanks,  BUT:
The Lenovo sales page I cite at the very beginning of my post; namely:
http://www.pc.ibm.com/us/security/securecomm.html
seems to me to state that Safeguard Easy is central to the proper functioning of Lenovo hardware-based full disk encryption and to its relationship to the TPM chip and fingerprint reader.  The page states that Safeguard Easy comes from Lenovo (not that it can come from Lenovo if bought separately) and that it is part of Client Security Solution that is preloaded.

Since the creator of Safeguard Easy states on their own pages procedures for ensuring Safeguard Easy's effectiveness when repartitioning or adding HDs, I am distressed to not find such information replicated on the Lenovo site or on the Lenovo preload, (assuming my understanding of Safeguard Easy's central role in Lenovo hardware-based full disk encryption is correct).

Certainly central to this functionality in my machine is the Seagate fde HD.  Seagate says in
http://www.seagate.com/docs/pdf/datasheet/disc/ds_momentus_5400_fde.pdf
and
http://www.seagate.com/docs/pdf/marketing/po_momentus_5400_fde.pdf
that software (?) on its drive, namely DriveTrust™ security exploits drive’s closed environment [ and offers]
  • Transparent AES hardware-based encryption
  • Pre-boot authentication required
  • On-the-fly drive erasure
  • Hashed passwords maintained on the drive
  • Emergency password recovery file kept on a separate device

Lenovo is not alone in supplementing the Seagate fde HD with software (Safeguard Easy):   Dell offers a couple models with the Seagate fde drive, and supplements those models "with the Embassy Trust Suite from software company Wave Systems, also promoted by Seagate during the drive's soft-launch in March. This allows IT admins to manage laptops using the drives, accessing such features as password recovery, and data backup of encrypted drives."  (Quote is from: http://www.pcworld.com/article/id,137303/article.html )

This suggests to me that although the Seagate fde HD is great stuff, it seems to need something else to make it work.

So, Cedric, aka Lenovo, please tell me I'm wrong and that everything's okay because Safeguard Easy isn't needed to accomplish full disk encryption, password file maintained on the TPM chip, etc etc, and in fact isn't even supposed to be on a Lenovo machine unless it's separately asked for and bought.  This would help explain why I can't find it on my machine.

If that's the case, how about getting the ad dept to revise the sales page.

(PS - By the way, it's my understanding that Bitlocker's been cracked.)









Message Edited by Cripes on 03-31-2008 01:13 PM
  • Posts: 12
  • Registered: ‎03-28-2008
  • Location: Canada
  • Views: 200
  • Message 4 of 17

Re: Encryption CONNIPTION

2008-04-07, 1:40 AM

"This suggests to me that although the Seagate fde HD is great stuff, it seems to need something else to make it work."

I have also recently found the lack of information on the FDE option I ordered with my T61 a little frustrating. After a lot of digging around, I came to the conclusion that all you need to do is set a HDD password in your BIOS. The extra 3rd party software is not required.

From a Seagate Product Manual:
The Momentus 5400 FDE contains two security interfaces:

1. The ATA Security Interface

This interface is provided for compatibility with the existing ATA Security Command Set. The ATA Security Interface is active upon shipment and ready for use.

2. The Drive Trust Security Interface

This interface is provided to enable a robust enterprise-level security and management policy. Use of the Drive Trust Security Interface requires additional software to manage the Drive Trust interface. Please contact your system or software provider for more details.
  • Posts: 5
  • Registered: ‎05-07-2008
  • Location: Arizona
  • Views: 107
  • Message 5 of 17

Re: Encryption CONNIPTION

2008-05-07, 17:02 PM
Apologies, but that is not the point. Lenovo said that the drives would do 1 thing. Now I am finding when it comes time to support them Lenovo doesn't seem to know anything about the drives.

If it is a FDE drive, then the information on the drive is encrypted. There is no other way to view this. Am I wrong here? That is my impression of what the FDE (full disk encrypted) drive is supposed to be doing. So why would I need the ATA Password on the drive at all?

The data is encrypted. The only way to get the encryption off is to have the key. Which is also on the drive. So what exactly is the drive interfacing with to get the "ok" to decrypt the information?
  • Posts: 18
  • Registered: ‎03-29-2008
  • Location: Azerbaijan
  • Views: 668
  • Message 6 of 17

Re: Encryption CONNIPTION

2008-05-08, 0:10 AM
Progress report:
I used to use a Dell, so I am learning my way around the Lenovo labyrinth. And here's what I can say so far:
Today I plunked down $69 for Lenovo Experts Live to get clarification from them on encryption.  The first thing I learned is that $69 pays for a lengthy phone call or chat session to be had 3 days after payment.  ($99 gets you instant access.)  This reality sounds like a different story than the one one gets online by clicking
http://shop.lenovo.com/SEUILibrary/controller/e/web/LenovoPortal/en_US/catalog.workflow:show-category-with-items?category-id=F332733624A94FF3994004676C8A7982&show-page=1
and its subsequent pages, where it says $69 is the price per incident for telephone or chat help rendered 3-5 days after payment, and $99 is the price for computer set-up telephone or chat help rendered 1 to 2 weeks after payment.
I don't mean to muddy the waters, but since nearly 500 people have read the initial entry on this thread, I feel it might be useful to some.
 
So I am currently in waiting mode to hear some expert info about this matter. 
 
But here are a few things I can report:
 
An email to Utimaco led to this reply:
Hello Cripes;
My apology for taking so long in responding back to you.  I have approached my colleagues in regards to your email and concerns and they have stated the following:
The word "offering" is used and there is a drop down box on the page referenced where you can select the correct part number to order SafeGuard Easy.  The article does say "SafeGuard Easy from Utimaco Safeware comes from Lenovo with 1 year of MSU (Maintenance, Support and Upgrades)."  The statement is true, when you order the software through Lenovo it comes with 1 year of maintenance included, this is not the standard case with our other partners. There is no mention of SGE being included on a PC.
SafeGuard PrivateDisk Personal Edition IS available as a free download on Lenovo machines at the following link:
http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-68523
If you have any further question please feel free to email me back and I will see what I can do to assist you further.
Have  a Good Day;
Robert McFetridge
Customer Support Engineer
Utimaco Safeware US
10 Lincoln Road, Suite 102
Foxboro, MA 02035
1-877-Utimaco
1- 877-884-6226
In brief, it sounds like Utimaco is saying their stuff isn't on a virgin Lenovo machine unless one orders it specifically.  And that therefore whatever the Lenovo machine is supposed to do by itself, it does without any help from Utimaco.
 
Also, shortly after Cedric (above) posted his posting on this thread, the following was put on the Lenovo Corp website:
http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-69621
(This sounds so similar to what Cedric said I wonder if it was Cedric who composed it.  Anyway, thanks, whoever.)
In short, this also seems to say that a Lenovo with TPM chip and Seagate fde drive ought to do fine without anything other than a HD password cooked up by the user and entered into the appropriate box in the bios.
 
So why should I blow $69 to pursue this topic?  Because I have a couple more questions, to wit:
1) I have another Seagate FDE drive that I bought separately, and I find I can store documents on it from any machine via usb, and that I can access those documents from any machine without producing an encryption key to decipher them. (The same is true of the Seagate FDE drive that's inside a Lenovo prior to composing a password for it.)  I have created a password for the Seagate FDE drive that's in my Lenovo and find I cannot access documents on that drive (when I take it out) via usb on any machine, which is to be expected because of the password.  But how do I know the documents on it are encrypted, not just password protected?
2) If encryption is occurring thanks to the Seagate FDE drive and the TPM, does Password Manager make encryption stronger?  Or is it purely for the convenience of not having to remember more than one password/fingerprint.
Does putting password info on the TPM via Password Manager make this info more secure while on the internet than
a) manually typing in a website's logon info when presented with the website's logon window? Is such typing visible to a hacker?
b) allowing the logon info to be remembered by the website  (or does this mean a cookie is put on computer.  If the latter, I presume the cookie is in an encrypted file (thanks to FDE) when the file is not open, but is the cookie readable by a hacker when it's viewed by the website it's for?)
Are the answers to questions a and b above the same regardless of how one is connecting to the internet:  wireless router, cell modem, dial-up, landline DSL, cable?
3) Does using a wireless modem, or using a wire that's accessing the net thru the same network that the wireless modem uses, make online activities easier for an eavesdropper to see than if not using the network that the wireless modem uses? If so, if one is subscribed to just one account at one ISP, where the modem has an antenna as well as ports for dsl wires, does one have a choice of wireless or wired?  (I'm assuming if one is connected with a wire to a modem able to provide the same data wirelessly, that the data is being broadcast even when my (one and only) machine is connected to it via a wire.)
4) If an intruder has your IP address (which I know they can get by sitting at my computer with a little knowledge), can they monitor your activities online or interfere in some other way?
5) Can files that I have opened on the encrypted drive be read by an online snoop?  What about files that are not open (=not readable by me on screen?)  
(Lenovo sales page says of Utimaco Safeguard Easy: "SafeGuard® Easy's sector-level hard drive encryption combined with secure pre-boot user authentication ensures that disk data remains encrypted and HACK-PROOF..."  May I assume that Lenovo machines equipped with TPM and Seagate fde drive have equal bragging rights?)
6) For machines I used prior to this Lenovo machine,  I understood it was a good idea for the sake of curtailing hackers' opportunities to control one's machine to set up a user for oneself separate from the administrator.  Is that still recommended in the situation where the HD is encrypted and password protected as on this Lenovo machine?
 
No doubt Al Qaida, the Mafia and child pornographers are up to speed on all these matters.  But for those of us just trying to keep enterprising miscreants from pilfering the ol' online cookie jar at the local bank branch, I will post what I find out, if and when.  
 
  • Posts: 3
  • Registered: ‎12-31-2009
  • Location: New York
  • Views: 121
  • Message 7 of 17

Re: Encryption CONNIPTION

2010-01-01, 19:51 PM

Wonder if answers were ever obtained.

  • Posts: 5
  • Registered: ‎05-07-2008
  • Location: Arizona
  • Views: 107
  • Message 8 of 17

Re: Encryption CONNIPTION

2010-01-01, 21:28 PM

After this amount of time? I think we would be lucky if this thread even gets an active hit from Lenovo employees.

 

I also never did get any clear answers to those questions. I went so far as to contact Seagate, figuring it was their drive...

 

They didn't have any clear concise answers either. I really wish someone with at least some of the answers would step up. I had moved onto other things before I got a notice saying that this had been updated.

 

Now that I have been reminded of this again, I have a few new avenues open to me that I didn't have 6 months ago. I believe I will start asking some questions again.

 

With your permission Cripes, I would like to take these questions to some associates of mine & see what (if anything) they can tell me.

 

I hope that you are also still monitoring this thread for activity.

 

& Thank you Ceteris. Without your post, this might have faded completely.

  • Posts: 12
  • Registered: ‎03-28-2008
  • Location: Canada
  • Views: 200
  • Message 9 of 17

Re: Encryption CONNIPTION

2010-01-02, 2:32 AM

Between reading the Seagate manual and the page on the Lenovo site (both linked to previously in this thread), I am not really sure what all the confusion is.

My take on some of the items in this thread:

1. The SafeGuard software and the Seagate FDE HDD are two different approaches to FDE. SafeGuard is a purely software solution to encrypting the data on your hard drive. Your computer's CPU is then doing the encryption/decryption so there will be a performance hit. The Seagate FDE is all done in hardware transparent to the rest of your system with no performance hit. The whole point of putting FDE in the hard drive is so you don't need to use software like SafeGuard.

2. The Seagate FDE drive always encrypts the data. Although, this encryption is pointless unless you set a HDD password. The encryption keys and HDD password storage/verification are all handled by the HDD itself.

3. I don't think the TPM chip in the T61 comes into play at all here. The Password Manager certainly does not. The BIOS prompts for the HDD password at boot up and passes this straight to the HDD. The HDD determines if the password is correct.

4. A lot of Cripes' questions are related to network security and other issues not really related to FDE at all. One important point to note is that FDE of any type (software or hardware) does nothing to protect you against remote exploits and eavesdropping. The only thing FDE is good for is preventing someone with physical access to your HDD from accessing the data. If you have a trojan on your system, after you enter your password and the computer is booted and running, the trojan can access your data even if you are using FDE.
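
The HDD password state that points 2 and 3 above depend on is reported by the drive itself, in word 128 of its ATA IDENTIFY DEVICE response. The decoder below is an added example, not part of the original post and not a Lenovo or Seagate tool; the function names and the sample words are constructed for illustration, and it reports the password state only, not whether the data on the platters is encrypted.

```python
import struct

# Bit positions in IDENTIFY DEVICE word 128 (ATA Security status).
SECURITY_BITS = {
    "supported": 0,       # drive implements the ATA Security feature set
    "enabled": 1,         # a user (HDD) password has been set
    "locked": 2,          # password set and not yet supplied since power-on
    "frozen": 3,          # security commands refused until next power cycle
    "count_expired": 4,   # too many wrong password attempts
    "enhanced_erase": 5,  # enhanced security erase supported
}
LEVEL_BIT = 8             # 0 = High, 1 = Maximum


def parse_security_status(identify: bytes) -> dict:
    """Decode the security state from a 512-byte IDENTIFY DEVICE response."""
    if len(identify) != 512:
        raise ValueError("IDENTIFY DEVICE data must be exactly 512 bytes")
    words = struct.unpack("<256H", identify)  # 256 little-endian 16-bit words
    w128 = words[128]
    status = {name: bool((w128 >> bit) & 1) for name, bit in SECURITY_BITS.items()}
    status["level"] = "maximum" if (w128 >> LEVEL_BIT) & 1 else "high"
    return status


def findings(status: dict) -> list:
    """Turn the decoded bits into plain statements about the HDD password."""
    if not status["supported"]:
        return ["ATA Security feature set not reported; no HDD password possible"]
    out = []
    if not status["enabled"]:
        out.append("no HDD password set: drive unlocks for any host")
    elif status["locked"]:
        out.append("HDD password set; drive is locked until it is supplied")
    else:
        out.append("HDD password set; drive unlocked for this power cycle")
    if status["count_expired"]:
        out.append("password attempt counter expired; power cycle required")
    return out


def make_identify(word128: int) -> bytes:
    """Constructed sample: an IDENTIFY block with only word 128 populated."""
    words = [0] * 256
    words[128] = word128
    return struct.pack("<256H", *words)


if __name__ == "__main__":
    samples = {  # constructed values, not captured from a real drive
        "as shipped, no password": make_identify(0x0021),
        "password set, before BIOS prompt": make_identify(0x0027),
        "password set, after BIOS unlock": make_identify(0x002B),
    }
    for label, block in samples.items():
        st = parse_security_status(block)
        print(f"{label}: level={st['level']} frozen={st['frozen']} {findings(st)}")
```
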

 

  • Posts: 5
  • Registered: ‎05-07-2008
  • Location: Arizona
  • Views: 107
  • Message 10 of 17

Re: Encryption CONNIPTION

2010-01-04, 16:34 PM

Kevin, 

 

I follow & agree with some of what you say. But why would SafeGuard even be offered with a FDE drive?

 

Also regarding the HDD password, there are some serious concerns I have over that as well. Here is a link that I found this weekend talking about it.

 

http://www.wwpi.com/index.php?option=com_content&task=view&id=2669&Itemid=129

 

Now, if this thing is not interfacing with the TPM chip... Then it is just an ATA password. Those are easy to beat.

 

So my question still is to Lenovo (or Seagate), How do I know that this is actually encrypted?
