  • Posts: 7
  • Registered: ‎03-11-2016
  • Location: australia
  • Views: 57
  • Message 1 of 15

Thinkpad P70 - Useless Passwords + Setting up SED

2016-03-11, 7:40 AM

I have recently acquired a nice P70 ThinkPad. Great machine, upgradeable and all, with an Opal 2.0 compliant hard drive.

On my previous desktop machine I used TrueCrypt to encrypt the entire hard drive; it is and has been brilliant. I thought I would use it on this P70 laptop, but it turns out that TrueCrypt will slow it down as it's not designed for SSD drives. So to BitLocker; they say there's a 17% drop in performance.

So it seems software-based encryption slows the system too much; time to look into the internal Opal 2.0 SED encryption.

But before that, I considered the Lenovo password security features offered, namely:

1. Power-on password

2. Hard disk (HD) password

3. System BIOS password

Unfortunately it seems these are all useless. The hard disk password, to my understanding, only prevents the disk from being booted; it is not the encryption key for the SED (self-encrypting drive), it's something different.

Back to the Opal SED, which is a separate setup to that HD password above. The data on the SED is indeed already encrypted but not activated with a lock (password). To my understanding PC manufacturers could have included this in the BIOS and you would be ready to go, but they didn't want customers locking their drives up, so they contracted out this "privilege" to other companies, and WinMagic through "SecureDoc" is basically just an updated BIOS for this SED on your PC. But they want you to pay for this privilege.

My question is, has anyone activated the SED (self-encrypting drive) on their machine, and does it slow down your machine? Did you use WinMagic to manage/activate the SED, or is it possible to write the command lines up to activate it like in some Linux SED setups and save on this WinMagic licence fee?

 

regards

Peter

 

 

Moderator comment: Post edited to conform with the Community Rules.


  • Posts: 21
  • Registered: ‎12-01-2007
  • Location: Canada
  • Views: 1102
  • Message 2 of 15

Re: Thinkpad P70 - Useless Passwords + Setting up SED

2016-03-11, 14:56 PM

I've been configuring a W520 with a Crucial MX200 SED, and have spent some time trying to understand the best/cheapest/safest/official method(s) for activating encryption on SEDs in my machine. I am finding it a challenge to get full and accurate information about SEDs, and the W520 compatibility is different than the P70, but I may be able to add some partial responses to your questions.

 

RE: TrueCrypt:

I'm a bit surprised that the performance hit is as high as 17% for either Bitlocker or Truecrypt software-based encryption on a machine with hardware decryption code included in the CPU, but maybe that's right. Also, I would recommend VeraCrypt [codeplex.com] instead of TrueCrypt - TrueCrypt is no longer supported and VeraCrypt is an improved fork that is being actively worked on.

 

RE: BIOS Passwords and security in non-SED disk:

If you use a non-SED disk, then the HDD password in the BIOS (aka ATA Password) is exactly as you describe - it locks the drive from access. I do not think it is true that a current generation ATA Password can be trivially bypassed by short-circuiting the EEPROM chip. I have seen videos and reports showing how easy it can be to bypass an HDD password, but I guess I kind of assumed that those were based on older implementations of the protocol and that properly configured, recent model Thinkpads would not be so easily broken into. If you enable TPM (aka the Security Chip in the BIOS), along with all 3 passwords, then I think you make it more difficult for someone to bypass your HDD password. But regardless of what you do, this does not encrypt the data on your drive if you don't have an SED disk.

 

RE: Speed of SED, and protecting the SED's encryption key:

As you indicated, an SED is always already encrypted, so when you activate the encryption, all you are really securing is the key that will unlock that encryption. There should be absolutely no difference in speed between an SED drive that uses an encrypted key vs one that doesn't - the drive itself has to decrypt the data all the time regardless. And that decryption is done entirely in the hardware. The only difference is that if you haven't activated the encryption, then the key that is used to decrypt the drive is itself not encrypted and is therefore retrievable by someone looking at the drive. The purpose of the BIOS password method, or the SecureDoc/Winmagic/Bitlocker software is to encrypt the hard drive key.

 

RE: BIOS HDD Password in an SED disk:

Things get a bit trickier here. But in a properly configured system, with a compatible SED disk, the HDD Password (aka ATA Password) should indeed coordinate smoothly with the SED to control encryption on the drive. This method does not require an OPAL compliant drive, or other special system hardware. Some experts seem to think that it is not as secure as some of the other methods below that rely on OPAL/SecureBoot for the same reasons that you doubt the security of such HDD passwords. I'm not sure. But it has the advantage of being free and perhaps simplest to implement. And it is completely OS agnostic. Not all SED drives are compatible with using ATA Passwords to secure their encryption key.

 

RE: SecureDoc, WinMagic, Bitlocker

Bitlocker I think is Windows only, but as I understand it, you can use Bitlocker for full disk software encryption (a la Truecrypt/Veracrypt), but in Win 8+, you can also use it just to encrypt the drive key of an SED. To do this, though, you need to meet the Bitlocker hardware requirements and I think the drive also needs to be "initialized" as an eDrive (Microsoft's proprietary FDE-related thingy, I think?). SecureDoc/WinMagic by contrast I think can be used to work with older systems and with a wider array of OSes - they have some promotional info on their site that refers to Linux, but I'm a bit vague on whether it is a truly OS agnostic method or not.

 

Hope this helps.


  • Posts: 553
  • Registered: ‎10-03-2011
  • Location: Canada
  • Views: 14770
  • Message 3 of 15

Re: Thinkpad P70 - Useless Passwords + Setting up SED

2016-03-11, 20:46 PM

> The hard disk password, to my understanding, only prevents the disk from being booted; it is not the encryption key for the SED (self-encrypting drive), it's something different.

The HDD password is passed during boot to the drive. If the drive is a SED drive, and most mid-level and up SSD drives from Intel/Samsung/Sandisk/Crucial today support encryption natively, the password is used to decrypt the drive encryption key, and then decrypt the drive.

What kind of algorithm is used, and whether this is done properly, and whether it's done following the standards, is up to the drive manufacturer. There is also the eDrive standard, which makes those newer drives integrate with Bitlocker for centralized key management.

Having the same BIOS password & HDD password(s) helps with typing it once or allows using the fingerprint reader. And having a PowerOn/BIOS password, with an appropriately locked machine, helps somewhat with 'evil maid' attacks, and with somebody unauthorized misusing the machine by booting it up from unapproved media.

 

So not really sure how any of this is useless.


  • Posts: 7
  • Registered: ‎03-11-2016
  • Location: australia
  • Views: 57
  • Message 4 of 15

Re: Thinkpad P70 - Useless Passwords + Setting up SED

2016-03-12, 10:18 AM

The inbuilt passwords are indeed useless as they are not really secure.

 

[Security measure circumvention discussion removed]

 

I would have loved for the system to be fully secure right out of the box. But computer manufacturers do not want to make 100% lockable systems, it seems, that cannot be reopened, as then there will be many angry customers with inoperable machines. This is why they pass on the "privilege" of activating the hardware SED setup as an external option, external to the company itself, so it has no liability.

The point is, the only way to ensure security of data is to either use software or hardware (SED) encryption. As I mentioned, TrueCrypt was brilliant, but is not a viable option on SSD. Same with BitLocker, or any other software encryption. The performance loss is too great.

VeraCrypt, as a gentleman here suggested, is the successor to TrueCrypt, but I am unaware that it is suitable for SSD. I do know that VeraCrypt is slower than TrueCrypt, as it goes through more iterations of the encryption algorithm.

I would be happy to pay for good encryption and security; I believe the SED option is the way to go for efficiency. Documentation and discussion on managing the SED setup is almost nonexistent.

Even Lenovo staff said to enquire online as they don't have enough experience. lol!!!!!

Personally I would love to bypass the companies and enable the SED setup myself. I know it is possible to write up a few command lines in Linux to do it, but am not sure of this Lenovo Windows setup.

Using some open-source software along the lines of WinMagic is a good option, but I don't see anything around.

I believe the WinMagic software is just ONE THING. That is, a BIOS software alteration that opens up the possibility of setting up the SED, something I think that Lenovo should have installed right from the start.

If people have any insights into how to set up the SED, or what options there are along that line, do tell.

best regards

Peter

 

 

Moderator comment: Post edited to conform with the Community Rules.


  • Posts: 21
  • Registered: ‎12-01-2007
  • Location: Canada
  • Views: 1102
  • Message 5 of 15

Re: Thinkpad P70 - Useless Passwords + Setting up SED

2016-03-12, 14:07 PM

Mmmm....well, I guess I can't speak with confidence about the true state of BIOS/password security in current generation Thinkpads. However, I'll add two possible corrections, I think, to what peterk12 says.

 

> Once the chip...the BIOS is fully opened, along with the  access then to change the HDD and power on passwords.

I don't think that you can change the HDD password at the BIOS level if you don't know it. Even if it is true that you could bypass all the passwords and get into the BIOS, the drive itself still requires you to enter a password. I still think that using an ATA Password to activate the encryption in an SED is a good option for most professional Thinkpad users, especially when used in combination with a TPM and other properly configured, system-level security measures.

 

> Veracrypt is slower than Truecrypt, as it goes through more iterations of the encryption algorithm.

This is true only during the mounting of the drive. After the drive is mounted, Veracrypt will perform the live decryption as fast (actually, it may be faster for some machines, since they have tried to improve performance) as TrueCrypt ever did. It is also possible to bypass the improved security of the Veracrypt mounting protocol in order to mount the drive as quickly as you did with Truecrypt.

 

One thing that peterk12 and I can agree on, though, is the sad state of documentation and support for SED's and encryption - not just at Lenovo, but also from the hard drive manufacturers. Getting accurate answers about some of these security questions is a challenge.
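
Added example, not part of the original posts and not any drive vendor's or VeraCrypt's code: a toy Python model of the key hierarchy described in messages 2 and 5, where activating encryption only wraps an existing media key under a password-derived key, and the KDF iteration count is paid once at unlock. `ToySED`, `kdf`, `wrap` and `unwrap` are hypothetical names, and the XOR-plus-HMAC wrap is a stand-in for a real key-wrap algorithm.

```python
import hashlib, hmac, os

def kdf(password, salt, iterations):
    # Password -> key-encryption key (KEK). More iterations slow unlock only,
    # because bulk data is always processed with the media key (MEK), not the KEK.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def _pad(key, label, nonce):
    return hmac.new(key, label + nonce, hashlib.sha256).digest()

def wrap(kek, mek):
    # Toy key wrap (XOR pad + HMAC tag): illustrative stand-in, not for real use.
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(mek, _pad(kek, b"wrap", nonce)))
    return nonce + body + _pad(kek, b"tag", nonce + body)

def unwrap(kek, blob):
    nonce, body, tag = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, _pad(kek, b"tag", nonce + body)):
        return None  # wrong password: the MEK stays unrecoverable
    return bytes(a ^ b for a, b in zip(body, _pad(kek, b"wrap", nonce)))

class ToySED:
    def __init__(self):
        self.mek = os.urandom(32)  # media key exists from day one; data is always encrypted
        self.salt = self.iterations = self.wrapped = None

    def activate(self, password, iterations=100_000):
        # "Activating" encryption = wrapping the existing MEK under a KEK.
        self.salt, self.iterations = os.urandom(16), iterations
        self.wrapped = wrap(kdf(password, self.salt, iterations), self.mek)
        self.mek = None            # plaintext MEK is no longer stored at rest

    def unlock(self, password):
        if self.wrapped is None:
            return self.mek        # not activated: whoever holds the drive gets the key
        return unwrap(kdf(password, self.salt, self.iterations), self.wrapped)

    def change_password(self, old, new):
        mek = self.unlock(old)
        if mek is None:
            return False
        self.salt = os.urandom(16)
        self.wrapped = wrap(kdf(new, self.salt, self.iterations), mek)
        return True                # same MEK, so no user data is re-encrypted

if __name__ == "__main__":
    d = ToySED(); d.activate("correct horse")   # constructed sample password
    print(d.unlock("wrong guess"), d.unlock("correct horse") is not None)
```

Because the media key never changes, neither activation nor a password change touches the stored data, which is why neither affects read/write speed.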


  • Posts: 12600
  • Registered: ‎01-02-2010
  • Location: United States of America
  • Views: 430044
  • Message 6 of 15

Re: Thinkpad P70 - Useless Passwords + Setting up SED

2016-03-12, 21:08 PM

The HDD passwords cannot be bypassed. There are no backdoor passwords. If you lose your disk password the disk or SSD becomes a paperweight.


Rich


I do not respond to requests for private, one-on-one help. Your questions should be posted in the appropriate forum where they may help others as well.

If a response answers your question, please mark it as the accepted solution.

I am not an employee or agent of Lenovo.

  • Posts: 7
  • Registered: ‎03-11-2016
  • Location: australia
  • Views: 57
  • Message 7 of 15

Re: Thinkpad P70 - Useless Passwords + Setting up SED

2016-03-13, 3:32 AM

I'm happy to disagree with others who say that bypassing BIOS is not possible. Only thing I trust now is the SSD encryption, so that's my goal.

 

[Security measure circumvention discussion removed]

 

Personally I have no confidence in the 3 inbuilt passwords now, so if anyone has the best, most efficient way to engage the SSD encryption (SED), do enlighten us.

I even asked Lenovo technicians, and they referred me here!!! lol. They said they didn't have enough experience yet in the area.

regards

Peter

 

 

Moderator comment: Post edited to conform with the Community Rules.


  • Posts: 7460
  • Registered: ‎06-27-2008
  • Location: United States of America
  • Views: 1686753
  • Message 8 of 15

Re: Thinkpad P70 - Useless Passwords + Setting up SED

2016-03-13, 7:06 AM

Moderator comment: A post that did not conform with the Community Rules has been removed.

"No posts shall include instructions or directions intended to subvert security measures, including passwords, locking mechanisms, fingerprint scans, etc., or to subvert safety measures. Nor shall any posts provide descriptions to the location of, nor direct links to, content related to these topics."


Requests for individual support are not answered. If a post solves your issue, please mark it.

I am not a Lenovo employee


  • Posts: 7460
  • Registered: ‎06-27-2008
  • Location: United States of America
  • Views: 1686753
  • Message 9 of 15

Re: Thinkpad P70 - Useless Passwords + Setting up SED

2016-03-13, 6:36 AM


  • Posts: 21
  • Registered: ‎12-01-2007
  • Location: Canada
  • Views: 1102
  • Message 10 of 15

Re: Thinkpad P70 - Useless Passwords + Setting up SED

2016-03-13, 12:00 PM

> if anyone has the best most efficient way to  engage the SSD encryption (SED), do enlighten us.

If you aren't going to use the built-in ATA Password option, then you have to use software, right? So you use Winmagic, SecureDoc, Bitlocker, or some similar alternative. They all provide other options beyond using the ATA Passwords, including the possibility of working with SmartCards or some kinds of biometric readers if that's what you need.

 
