English Community

ThinkPad NotebooksThinkPad: T400 / T500 and newer T series Laptops
All Forum Topics
Options

3 Posts

04-25-2014

Boston

5 Signins

52 Page Views

  • Posts: 3
  • Registered: ‎04-25-2014
  • Location: Boston
  • Views: 52
  • Message 1 of 10

T440s hardware encryption - picking an SSD

2014-04-25, 17:32 PM

I'm hoping to buy a new T440s.  My employer requires that I encrypt the hard drive -- I'd like to do this with as little performance impact as possible, so am interested in doing hardware encryption.  I've tried to read the threads, and it seems like some people have gotten this to work out of the box, others only after formatting the hard drive, and others not at all.

 

The site is offering me five SSD choices:

 

128 GB Solid State Drive, Serial ATA3
180GB Solid State Drive, Serial ATA3 Opal
256GB Solid State Drive Serial ATA3
240GB Solid State Drive, Serial ATA3 Opal
512GB Solid State Drive SATA3

 

Will any of these allow me to do hardware encryption?  Either through the BIOS or through BitLocker?  And how will I enable?  Will I need to reformat?

 

Thanks!

Solved! See the solution
Reply
Options

42 Posts

08-15-2012

US

48 Signins

802 Page Views

  • Posts: 42
  • Registered: ‎08-15-2012
  • Location: US
  • Views: 802
  • Message 2 of 10

Re: T440s hardware encryption - picking an SSD

2014-04-25, 18:28 PM

I also just posted a similar question (for the T440s). I already received my T440s. I ordered a HDD (not SSD) with OPAL. No answer yet on how to implement or activate the hardware encryption. I'm hoping someone from Lenovo is looking into this.

Reply
Options

6476 Posts

10-29-2009

NC

17630 Signins

161523 Page Views

  • Posts: 6476
  • Registered: ‎10-29-2009
  • Location: NC
  • Views: 161523
  • Message 3 of 10

Re: T440s hardware encryption - picking an SSD

2014-04-28, 15:18 PM

If you want HW encryption, the easiest way to get there is to buy the OPAL drive and then set a HDD password in BIOS setup.  Your drive will be HW encrypted and you don't need to worry about what OS you install or anything else.

 

However, SW encryption (bitlocker) on SSDs is very fast and I don't think you'll notice any performance impact.  

 

My last comment is that most employers who require encryption will tell you what to buy and/or how to enable the encryption.

0 person found this solution to be helpful.

This helped me too

Reply
Options

3 Posts

04-25-2014

Boston

5 Signins

52 Page Views

  • Posts: 3
  • Registered: ‎04-25-2014
  • Location: Boston
  • Views: 52
  • Message 4 of 10

Re: T440s hardware encryption - picking an SSD

2014-04-28, 16:01 PM

Thanks, this is very helpful!  Luckily my employer lets me use any disk encryption, so long as it meets some minimum standards (256-bit, AES, whole drive).  Two follow-up questions:

 

1. If I get the OPAL drive and then enable a password in the BIOS, how can I confirm that the drive is really encyrpted and that the password is protecting the key?  I'm sure it works, but would be nice if there was some way to confirm that's happening.

2. I've heard that there can be issues with performance with BitLock on SSDs, particularly if Trim isn't supported.  Do you know if they've worked this out, were I to get the 512GB drive without OPAL.

Reply
Options

6476 Posts

10-29-2009

NC

17630 Signins

161523 Page Views

  • Posts: 6476
  • Registered: ‎10-29-2009
  • Location: NC
  • Views: 161523
  • Message 5 of 10

Re: T440s hardware encryption - picking an SSD

2014-04-28, 16:10 PM

wrote:

1. If I get the OPAL drive and then enable a password in the BIOS, how can I confirm that the drive is really encyrpted and that the password is protecting the key?  I'm sure it works, but would be nice if there was some way to confirm that's happening.


This is the issue with any hardware encryption, there's no way for you as the end-user to confirm it is really happening.  You would need to disassemble the drive in a lab and read the contents of the NAND chips to see whether they are really encrypted or not.  Beyond this, you have to simply trust the manufacturer that the drive operates as they claim.  And all OPAL drives that Lenovo sells work this way.  :smileyhappy:

On the other hand, it's easy to tell if a drive is software-encrypted or not.


2. I've heard that there can be issues with performance with BitLock on SSDs, particularly if Trim isn't supported.  Do you know if they've worked this out, were I to get the 512GB drive without OPAL.


This has all been worked out as of a few years ago.  All modern SSDs and OS (Win7/Win8/Win8.1) support TRIM with encryption.  I believe the issue you are referring to is from early SSDs that didn't support TRIM in firmware (or instead supported some proprietary TRIM-like function).  If you have some specific link where someone claims this is still a problem I am happy to take a look and let you know my opinion about it.

Reply
Options

200 Posts

06-13-2008

SE USA

437 Signins

2394 Page Views

  • Posts: 200
  • Registered: ‎06-13-2008
  • Location: SE USA
  • Views: 2394
  • Message 6 of 10

Re: T440s hardware encryption - picking an SSD

2014-07-02, 19:03 PM

 

 

Thank your for your suggestion in message #3

 

It almost seems too simple  ... :smileyvery-happy:

 

Q1: I want to replace the standard drive in a T440s, I did make the set of "recovery media" so can I simply install the new drive, turn on the HD Password option then boot the recovery media and go from there?

(There is no data on old hard drive that needs to be migrated)

 

Q2:  You said:

This is the issue with any hardware encryption, there's no way for you as the end-user to confirm it is really happening.  You would need to disassemble the drive in a lab and read the contents of the NAND chips to see whether they are really encrypted or not.  Beyond this, you have to simply trust the manufacturer that the drive operates as they claim.  And all OPAL drives that Lenovo sells work this way.  

 

If a guy took the encrypted drive out of it's mated machine and slaved it to another machine and it was either not recognized or not mountable would that not provide validation (at least at a high level) that the drive was encrypted?

 

Thanks,

Jim

 

Reply
Options

332 Posts

12-01-2009

Czech Republic

378 Signins

2497 Page Views

  • Posts: 332
  • Registered: ‎12-01-2009
  • Location: Czech Republic
  • Views: 2497
  • Message 7 of 10

Re: T440s hardware encryption - picking an SSD

2014-07-03, 7:51 AM
SSDs without TRIM i guess are not sold today i guess (new once). I used Bitlocker on SSD on T400s, T420s, T430s, now on T440s and no performance issues. I guess for todays state of technologies, SSD with eDrive support in combination with Bitlocker is optimal.
----------------------------------------------------
Lenovo T440s, 20AQ0067MC, Windows 8.1 Pro x64 UEFI, Samsung 840 EVO SSD 250 GB, 8 GB RAM
Lenovo T430s, 2356LQG, Windows 8.1 Pro x64 UEFI, Intel 520 SSD 180 GB, 8 GB RAM
Lenovo T420s, 4171-6SG, Windows 8 Pro x64 UEFI, Intel 320 SSD 120 GB, 8 GB RAM
Lenovo T400s, 2808-CYG, Windows 7 Ultimate x64
Reply
Options

42 Posts

08-15-2012

US

48 Signins

802 Page Views

  • Posts: 42
  • Registered: ‎08-15-2012
  • Location: US
  • Views: 802
  • Message 8 of 10

Re: T440s hardware encryption - picking an SSD

2014-07-04, 1:15 AM

Since my T440s already came with an OPAL capable drive, all I did add a HD password to my setup to activate encryption. My 'assumption' is as far as already existing files on my drive (i.e. Windows operating system files) would either:   remain unencrypted until the individual files were updated  or  the system would over time encrypt all the existing files.    Since none of my personal data files existed prior to activating encryption, either alternative would be fine with me.

 

I'm fairly certain that if you were to install the new OPAL capable hard drive, then used the recovery media to restore windows AND then after that add  a HD password (thus activating encryption), everything would be fine.  You would have a drive similar to mine (one that came from Lenovo with OPAL capabilities not yet activated and then activated after windows was already loaded.)

 

I'm not sure about adding an HD password BEFORE to using the recovery discs to re-install windows.  It sounds like it should work though.  

Reply
Options

200 Posts

06-13-2008

SE USA

437 Signins

2394 Page Views

  • Posts: 200
  • Registered: ‎06-13-2008
  • Location: SE USA
  • Views: 2394
  • Message 9 of 10

Re: T440s hardware encryption - picking an SSD

2014-07-05, 13:37 PM

 

Ok .... I will be the first to admit that I don't quite have all the details of BitLocker / FDE / HD passwords / Opal compliant drives / eDrives / etc. squared away yet ...

 

I opened a ticket with Crucial and here's what they say:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`

 

My initial Question:

I am going to purchase a new Lenovo Thinkpad T440s and would like to install a Crucial 1Tb M550 SSD. I need to have the encryption function enabled. I have read the knowledge base article:

 

http://forum.crucial.com/t5/Solid-State-Drives-SSD-Knowledge/System-Requirements-for-Hardware-Encryption-on-Crucial-SEDs/ta-p/145520

 

Based on that article, I will order Windows 8.1 PRO edition so as to have BitLocker available.

 

Do you by chance have a document that addresses cloning the factory drive to a Crucial SSD (I am concerned about the hidden partitions) and any specific tips for the T440 series?

 

How can a person "test" to be sure the drive is in fact encrypted?

 

~~

Crucial’s initial answer:

Thank you for contacting Crucial. As you can see from the article the system needs to meet all the Microsoft requirements for eDrive technology, and you will need to have Windows 8.1 Pro or Enterprise as you mentioned. The link below will direct you to the official Microsoft page for the requirements of the system to utilize the built in hardware encryption. I would recommend contacting Lenovo to ensure that your system supports the Microsoft eDrive requirements.

http://technet.microsoft.com/en-us/library/hh831627.aspx

You will see that the requirements for the eDrive technology requires the drive to be in an unitialized state. This means that cloning an existing HDD to an SED SSD and utilizing this function will likely not be possible. Typically, this means that you will need to perform a fresh install on the SSD and activate the BitLocker at the time of install. You can still use BitLocker with a cloned drive it will likely be a software based encryption and not take advantage of the encryption features built into the SSD, but the data will still be encrypted.

Once BitLocker is activated you will have some type of pre-boot authentication (type depends on setup.)

 

You will know the SED is encrypted at this time as you will not be able to access any data on the drive until it is unlocked. You will also see an icon on the volume in Windows showing that it is locked (when booted to the drive). Another way to test the encryption is to connect the SED as a secondary drive, you will find all the data to be inaccessible.

 

Cloning Instructions (cloning will likely not allow you to take advantage of hardware based encryption)

http://forum.crucial.com/t5/Solid-State-Drives-SSD-Knowledge/Cloning-using-Acronis-True-Image-HD/ta-p/125596

 

~~

 

My first follow-up:

 

Thank you Wade!

Awesome overview!

I'll do some more research, but am thinking that if I order the laptop with the least expensive standard hard drive,

then build a set of DVD "recovery media". Then install the M550 in un-initilzed state and do the recovery ...

 

This thread is a bit confusing:

 

http://forums.lenovo.com/t5/T400-T500-and-newer-T-series/T440s-Crucial-SSD-and-firmware-password-encryption/m-p/1513900/highlight/true#M95475

 

I read another suggestion that stated:

 

"If you want HW encryption, the easiest way to get there is to buy the OPAL drive and then set a HDD password in BIOS setup. Your drive will be HW encrypted and you don't need to worry about what OS you install or anything else. "

If that is actually workable, it sounds easy...

 

Build media

Install new drive

set HD PW in BIOS

then "recover"?

 

~~

 

answer to my follow-up:

 

Thank you for emailing us today. I was speaking with Wade about your question and he is fairly confident that using the restore media will not let you turn bitlocker on which is how you would be able to use edrive.

 

As far as the HD password in the BIOS is not the same thing. In order to use the hardware encrytion built into the SSD you will need to use a Windows disk and do a fresh install.

 

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~`

 

So ............. now I'm a bit baffled ... .

I have a Microsoft TechNet subscription, so can download the ISO of Win8.1 Pro and assuming it will pick up the license key from the BIOS I can do it that way ............ but will then loose access to the Lenovo recovery partition ...

I'm not sure how big a loss that it is .........

 

Any help and observations would be much appreciated!

Thanks,

Jim

 

Moderator Note; subject edited; reverted to original

Reply
Options

200 Posts

06-13-2008

SE USA

437 Signins

2394 Page Views

  • Posts: 200
  • Registered: ‎06-13-2008
  • Location: SE USA
  • Views: 2394
  • Message 10 of 10

Re: T440s hardware encryption - picking an SSD

2014-07-05, 15:37 PM

 

 

PS:

It appears that activating the password in BIOS turns on ATA-Security mode.

 

Apprently it's not all that secure:

 

https://wikis.utexas.edu/display/ISO/Breaking+ATA+password+security

 

Moderator Note; subject edited; reverted to original

Reply
Forum Home

Community Guidelines

Please review our Guidelines before posting.

Learn More

Check out current deals!

Go Shop
X

Save

X

Delete