joe_e_e
Punch Card
Posts: 40
Registered: ‎01-09-2014
Location: SE
Views: 4,328
Message 21 of 129

Re: T440s: How to enable the Windows eDrive feature?

Hello guys,

I have just bought a ThinkPad Yoga with an eDrive capable SSD.  Though this is a T400&T500 forum I am posting here as there is absolutely no proper information anywhere on how to get BitLocker working on an eDrive with hardware encryption.

I have tried someotherguy's steps to get BitLocker working but to no avail.  The unfortunate side effect of those steps is that I have lost the Lenovo recovery partition, and I only have the USB stick with the recovery image.  Plus, the SSD feels a bit slowish now (in a similar way to an SSD that had all sectors written to).  Is there a way to do a secure erase on a ThinkPad, which should reset the SSD?

Lenovo really needs to provide proper instructions on how to enable BitLocker on eDrive SSDs.  I am working for a large company where full disk encryption (for example BitLocker) is a requirement.

Best regards,

Karol

david4321
Fanfold Paper
Posts: 9
Registered: ‎12-14-2013
Location: Germany
Views: 4,324
Message 22 of 129

Re: T440s: How to enable the Windows eDrive feature?

someotherguy,

 

what problems does eDrive still have? On my machine it works well and I haven't experienced any problems yet.

 

My steps to enable the eDrive feature are as follows:

  • I enabled "OS optimized defaults" in the BIOS settings
  • Loaded them and saved them
  • Did a clean install of Windows 8.1 Pro and removed all partitions during this process (when asked for the license key, I used the Windows 8.1 client setup key from http://technet.microsoft.com/en-us/library/jj612867.aspx)
  • Installed the power management driver and chipset driver manually
  • Installed all Lenovo drivers EXCEPT the Rapid Storage driver with the Lenovo Update utility
  • Installed all Windows updates
  • Turned on BitLocker

Up until now, it works well.

 

 

someotherguy said "As I explained before, the encryption engine and level of protection is exactly the same." I agree with you that the encryption engine is the same. But how do you know that the level of protection is exactly the same? Did you do a thorough security review? Do you even know how Samsung implemented the ATA security feature? The interesting question is how the Data Encryption Key (DEK) is stored and how it is protected. In particular, is the ATA password used to encrypt the data encryption key? I could not find any information on this on the internet. The best I could find was the blog post [1]. On the other hand, OPAL or eDrive respectively is a well-known standard.

 

[1] http://vxlabs.com/2012/12/22/ssds-with-usable-built-in-hardware-based-full-disk-encryption/

 

Lenovo Staff
Lenovo Staff
Posts: 4,887
Registered: ‎10-29-2009
Location: NC
Views: 4,319
Message 23 of 129

Re: T440s: How to enable the Windows eDrive feature?

joe_e_e,

 

eDrive (and hardware-mode BitLocker) simply doesn't work in Lenovo preload.  Beyond this statement, there is really nothing else I can add.  

 

Microsoft has eDrive deployment information on their website here.  All of the Microsoft documentation assumes you are deploying your own image of the OS (e.g. not a Lenovo preload)

 

http://technet.microsoft.com/en-us/library/hh831627.aspx

 

 

joe_e_e
Punch Card
Posts: 40
Registered: ‎01-09-2014
Location: SE
Views: 4,312
Message 24 of 129

Re: T440s: How to enable the Windows eDrive feature?

someotherguy, thank you for the good link.  From there it would seem that it should work on Lenovo's preload as long as the SSD is clean: "The drive must be in an uninitialized state."  What is the way to do a secure erase of the SSD on a ThinkPad?  That way one can get a clean SSD and do the installation from the USB recovery.

 

Best regards,

 

Karol

Lenovo Staff
Lenovo Staff
Posts: 4,887
Registered: ‎10-29-2009
Location: NC
Views: 4,309
Message 25 of 129

Re: T440s: How to enable the Windows eDrive feature?

david4321

 

The way you enabled eDrive (using your own Win8.1 image and NOT the Lenovo preload) is the only way I'm aware of to make this work.  The other posters in this thread are trying to make it work with the preload (or Lenovo recovery media), but after my investigation, I have concluded that this is not possible.  Only a clean-install of Windows 8/8.1 can make eDrive work with Hardware-mode BitLocker.  And the key point is never to install the Intel RST driver.

 

As for the merits of ATA security vs eDrive I will save that for another day.  You are right that Samsung doesn't publish how it does ATA security, but neither does Microsoft publish how they do BitLocker security.  As you know BitLocker generates a recovery key (which is not in eDrive spec) and you have no idea what other ways may or may not be possible to generate the Authentication Key that is used to decrypt the DEK.  If security is your #1 goal, then we would only consider open-source (or your own developed) OS and encryption infrastructure.  Neither ATA security nor eDrive/BitLocker would suffice for that.  Just my $0.02
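
A way to check the two conditions discussed in the posts above, that BitLocker ended up in hardware (eDrive) mode and that no Intel RST driver is running. This is an added example, not code from any poster, Lenovo or Microsoft; the function name `Test-EDriveState`, the `C:` mount point and the `iaStor*` service-name pattern for Intel RST are assumptions.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt
# on Windows 8.1 or later, after BitLocker has been turned on.
function Test-EDriveState {
    param([string]$MountPoint = 'C:')   # assumption: the OS volume is C:

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Driver bound to each storage controller, so the provider can be reviewed
    # (the Microsoft standard AHCI driver lists "Microsoft" as its provider).
    $controllers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceClass -in 'HDC', 'SCSIADAPTER' } |
        Select-Object DeviceName, DriverProviderName, DriverVersion

    # Assumption: Intel RST kernel drivers register services named iaStor*.
    # Only drivers that are actually running count.
    $rst = @(Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name LIKE 'iaStor%'" |
        Where-Object { $_.State -eq 'Running' })

    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus
        ProtectionStatus  = $vol.ProtectionStatus
        EncryptionMethod  = $vol.EncryptionMethod
        # HardwareEncryption means the drive's own engine encrypts the data;
        # any AES value means BitLocker is doing software encryption instead.
        HardwareMode      = ($vol.EncryptionMethod -eq 'HardwareEncryption')
        IntelRstRunning   = ($rst.Count -gt 0)
        RunningRstDrivers = $rst.Name
        Controllers       = $controllers
    }
}

$state = Test-EDriveState
$state | Format-List
if (-not $state.HardwareMode) {
    Write-Warning "BitLocker on $($state.MountPoint) is not in hardware mode: $($state.EncryptionMethod)"
}
if ($state.IntelRstRunning) {
    Write-Warning "Intel RST driver running: $($state.RunningRstDrivers -join ', ')"
}
```

`manage-bde -status C:` reports the same thing on its "Encryption Method" line.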

Lenovo Staff
Lenovo Staff
Posts: 4,887
Registered: ‎10-29-2009
Location: NC
Views: 4,300
Message 26 of 129

Re: T440s: How to enable the Windows eDrive feature?


@joe_e_e wrote:

someotherguy, thank you for the good link.  From there it would seem that it should work on Lenovo's preload as long as the SSD is clean: "The drive must be in an uninitialized state."  What is the way to do a secure erase of the SSD on a ThinkPad?  That way one can get a clean SSD and do the installation from the USB recovery.

 


What model SSD is in your Yoga (it's either Samsung or Lite-On)?  You can find out by pressing F12 during boot to load the boot menu, or else look in Device Manager.  Let me know this info and I will send you the tool you need to revert the drive to factory state.

 

However I'm telling you that Lenovo preload and Lenovo recovery media won't work with eDrive.  The reason is because the Lenovo preload includes the RST driver which is incompatible with eDrive.  What I found today is that even if I uninstall the RST driver (and switch to the MS standard AHCI driver instead), eDrive still has problems.  The only way to avoid the problems is to do what @david4321 did, which is to use a clean-install of Windows and never install the Intel RST driver.

joe_e_e
Punch Card
Posts: 40
Registered: ‎01-09-2014
Location: SE
Views: 4,294
Message 27 of 129

Re: T440s: How to enable the Windows eDrive feature?

someotherguy, the SSD is Lite-On.  Ok, I see now that installing RST might not be enough.  I can test with the SSD secure erase first.

 

I can also try a vanilla Windows 8.1 Pro approach.  Is there a way to obtain a vanilla Windows 8.1 from Lenovo and my Windows key?  The key was not sent to me, and it is not attached to the bottom of the machine as it used to be.

Lenovo Staff
Lenovo Staff
Posts: 4,887
Registered: ‎10-29-2009
Location: NC
Views: 4,270
Message 28 of 129

Re: T440s: How to enable the Windows eDrive feature?

joe_e_e

 

Can you please check something for me?  Reboot into BIOS setup (press F1 at Lenovo logo screen).  Then go to Security -> Password menu.  At the bottom, do you see an option for "Hard Disk1 Password"?

 

HDD_password.jpg

joe_e_e
Punch Card
Posts: 40
Registered: ‎01-09-2014
Location: SE
Views: 4,266
Message 29 of 129

Re: T440s: How to enable the Windows eDrive feature?

someotherguy, yes I can see the "Hard Disk1 Password" option, and password status is disabled in the same way as in your screendump.

 

/Karol

Lenovo Staff
Lenovo Staff
Posts: 4,887
Registered: ‎10-29-2009
Location: NC
Views: 4,263
Message 30 of 129

Re: T440s: How to enable the Windows eDrive feature?

joe_e_e

 

If you see the "Hard Disk1 Password" option, it means that eDrive is not enabled and your SSD is still in normal ATA security mode.  I'm not sure exactly what you want to do.  You could do ATA secure erase to reset all NAND blocks to uninitialized state, but on a modern SSD that supports TRIM this really isn't necessary.  Windows itself will TRIM the SSD to reset unused blocks.

 

As for full-disk encryption, your options are:

  1. Clean install Win8.1 and try to get eDrive working the same way that david4321 did.  But Lenovo does not (and contractually cannot) provide Win8.1 clean-install DVD.  The license key to activate clean-install Win8.1 is embedded in BIOS on your ThinkPad Yoga which originally shipped with Win8.1.  There are other forum threads about this.
  2. Set the "Hard Disk1 Password" option in BIOS setup, this gives you a fully-encrypted SSD protected by the password.
  3. Use software encryption tools like what you are probably already using on other laptops.

eDrive (HW BitLocker) on the Lenovo preload is not currently an option due to a technical limitation of the RST driver.
