Re: T440s - implementing hardware encryption on the OPAL compliant HDD

I just recently received my new T440s which I ordered with Windows 7 Professional and a 500GB HDD w/OPAL.  I chose the OPAL drive so that I could implement encryption at the hardware level.  I can't find information on how to implement/activate encryption on this drive in the User Manual.  

 

1)  Does anyone know how to do so and where the instructions are located?

 

2)  My other question is regarding the 16GB M.2 Solid State Drive and the M.2 slots that come with "most" T440s.  I didn't notice till after I had placed my order that when I chose the OPAL compliant drive, this 16GB M.2 SSD disappeared from my configuration. Also, at least on my configuration there was no "third" M.2 card slot included.

 

If I run a new T440s configuration today on the Lenovo website and choose the OPAL compliant drive, the 16GB M.2 SSD disappears but the "3rd M.2 SSD Slot" remains in the configuration.

 

My question is can I install a 16GB M.2 SSD in my laptop at all?  Or does having a hardware encrypted drive (which I don't know is even encrypting at this point) prevent me from using this cache?  Configuring a new T440s today seems to include at least the third M.2 slot so it sounds like one should be able to install an SSD there.

 

thanks

 

archie

Solution

Re: T440s - implementing hardware encryption on the OPAL compliant HDD

There are 2 ways to activate the encryption on your OPAL drive:

1.  set a HDD password in BIOS Setup

2.  buy and install some OPAL management software

 

#1 is by far the easiest and least expensive option.

 

As for what you noticed about the cache drive, you are correct.  Lenovo does not build systems with encrypting HDD and cache drive.  The reason is simple - if you are serious about encryption then you would not want an unencrypted cache of your files somewhere else on your PC - and that is exactly what the cache drive would do.

 

http://support.lenovo.com/en_US/downloads/detail.page?DocID=HT074986

 

 


Re: T440s - implementing hardware encryption on the OPAL compliant HDD

SomeOtherGuy:

 

I had been told previously that setting the HD password in BIOS enabled the ATA-Security, and NOT the Opal / eDrive / Bitlocker full drive hardware encryption - was I misled?

 

What I read was that ATA-Security was enabled via the BIOS password inhibiting access to the drive at the controller level but not encrypting the drive.

 

and that ATA-Security mode would not allow for use of eDrive features which is required for h/w level Bitlocker protection since ATA-Security mode and eDrive can not be enabled at the same time...

 

Thanks if you can add any clarification on that ... ???

 

Jim

 


Re: T440s - implementing hardware encryption on the OPAL compliant HDD

jwooden

 

You are correct that setting the HDD password in BIOS enables ATA-security.

 

On the OPAL/eDrive models that Lenovo sells(*), the drives are always encrypting the data at the controller level.  What setting a HDD password (or enabling OPAL/eDrive) does is protect/encrypt the controller's encryption key.

So while the 3 methods of enabling/managing encryption are different (e.g. setting the HDD password in BIOS, using OPAL management software, or enabling eDrive via Windows), the actual encryption of data being done at the HDD controller level is exactly the same.

 

If hardware encryption is your goal, any of the 3 methods will achieve that goal.  The only difference is how the encryption is managed.

 

* if you are asking me about drives that you bought yourself, and not from Lenovo, then I can't comment on how they work in ATA Security mode.


Re: T440s - implementing hardware encryption on the OPAL compliant HDD

Thank you SomeOtherGuy!

I was considering the T440s with one of the larger SSDs.
I just noticed that the 512Gb unit is NOT listed as having OPAL, only the smaller 240Gb unit. Is that correct?

I'm not sure I can squeeze everything into a 240Gb unit. What function does ATA-Security provide with non-OPAL drives if indeed the 512Mb is non-OPAL?

Thanks!

Re: T440s - implementing hardware encryption on the OPAL compliant HDD

The 512GB option in current ThinkPads is not OPAL.

 

ATA-Security without encryption means that you must provide the password to the SSD's controller before the controller itself will provide access to the NAND chips (although the data on the NAND chips is not encrypted).  In theory it is possible to replace the password-locked controller with an unlocked controller and then get access to the data that way.  But I think it would take an NSA lab (or similar) to do this type of hardware hacking.

 

Another option is to just use software encryption like BitLocker.  On an SSD system, it is very fast and you won't notice a performance decrease in any real-world usage.

Re: T440s - implementing hardware encryption on the OPAL compliant HDD

So if I understand how hardware encryption works (on the OPAL compliant HDD) it works as follows:

1)  the HDD Opal compliant drive that came with my T440s always encrypts everything on the drive.

2)  if I don't implement say ATA security password in the BIOS, when the drive is accessed, it automatically decrypts the data.

3) if I do modify my BIOS with a password then the system won't allow access to the hard drive till I provide the password. Which is what is now happening on my laptop.

 

However say my laptop is stolen.  Could the thief not then simply remove my HDD, install it in an external HDD enclosure and connect it via USB to their laptop.  Their laptop of course doesn't have my ATA password but then it wouldn't need it.

Since the drive automatically unencrypts the data, connecting the HDD to different computer circumvents the protection.

 

 


Re: T440s - implementing hardware encryption on the OPAL compliant HDD

> However say my laptop is stolen. Could the thief not then simply remove my HDD, install it in an external HDD enclosure and connect it via USB to their laptop. Their laptop of course doesn't have my ATA password but then it wouldn't need it.

I wonder if this is the current consensus. I.e., removing HD and using it as an external drive defeats encryption?

Re: T440s - implementing hardware encryption on the OPAL compliant HDD

Part of my asking the question was that I was planning to replace my HDD with a SSD and I was wondering if I needed to remove the password before removing the HDD.

 

In a different message I posted on the forum regarding this process, a Lenovo Staff posted a reply. Here was his reply:

 

> You will not be able to access the drive in your USB enclosure if the drive has an ATA (BIOS) password configured.  Before you remove it from the ThinkPad, you need to disable/clear the password in BIOS setup.
>
> BIOS itself has no idea what the password is.  So when you install the new drive, you will need to configure the password on it, in BIOS setup.  This is not something that happens automatically.
>
> So in summary, disable/clear the password from the old drive, physically remove the old drive, physically install the new drive, and then enable/set the password on the new drive.
>
> As for your question about how to encrypt the data on your drive in the USB enclosure.  The only choices I know are (1) use software encryption or (2) specialized USB enclosures like this:
>
> http://www.apricorn.com/apricorn-padlock-usb3.html

 

The conclusions that I drew from his reply (though not specifically stated as such) are:

 

a) When you set up a HDD password through the BIOS, a copy of the password is stored on the OPAL HDD which it uses to verify the password provided during power-up.  If the password provided does not match it will not continue to provide access to your data.

 

b) For an external USB enclosed HDD, (other than the special external hdd he provided a link for) the standard interface of the enclosures do not support hdd password so they are unable to interface between the bios and an OPAL hdd with regard to password verification.

 

I kind of guessed that the HDD password set up via the BIOS would somehow be stored on the HDD itself because otherwise circumventing the security by removing the drive and inserting it in a USB enclosure would be very easy and it would have been stupid of those who designed the standards for OPAL drives.

 

Now no one clearly stated exactly as I described in my conclusions but they were implied...

It would have been nice for someone to clearly explain how this works but pretty sure that's how it works.

 

 

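The behaviour described in the replies above (the drive always encrypts, and setting a password protects the controller's encryption key), as an added toy model in Python; it is not code from any poster or from Lenovo, and it does not describe any particular drive's firmware. `ToyDrive`, the PBKDF2 derivation, the XOR key wrap and the SHAKE keystream are assumptions chosen to keep it standard-library only.

```python
import hashlib
import hmac
import secrets

def _kek(password, salt):
    # Key-encryption key from the password; PBKDF2 is an assumed choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ToyDrive:
    """Hypothetical model of a self-encrypting drive; all state is in the drive."""
    def __init__(self):
        self._dek = secrets.token_bytes(32)  # media key, always in use
        self._wrapped = None                 # (salt, wrapped DEK, tag) once a password is set
        self._sectors = {}                   # the "platters": ciphertext only

    def set_password(self, password):
        salt = secrets.token_bytes(16)
        kek = _kek(password, salt)
        tag = hmac.new(kek, self._dek, "sha256").digest()
        self._wrapped = (salt, _xor(self._dek, kek), tag)  # toy XOR wrap, not AES key wrap

    def power_cycle(self):
        # Password set: the plaintext DEK is gone until unlock(). Not set: it stays usable.
        if self._wrapped is not None:
            self._dek = None

    def unlock(self, password):
        if self._wrapped is None:
            return True
        salt, wrapped, tag = self._wrapped
        kek = _kek(password, salt)
        dek = _xor(wrapped, kek)
        if not hmac.compare_digest(hmac.new(kek, dek, "sha256").digest(), tag):
            return False  # wrong password: the DEK cannot be recovered
        self._dek = dek
        return True

    def _stream(self, lba, n):
        if self._dek is None:
            raise PermissionError("drive locked")
        return hashlib.shake_256(self._dek + lba.to_bytes(8, "big")).digest(n)

    def write(self, lba, data):
        self._sectors[lba] = _xor(data, self._stream(lba, len(data)))

    def read(self, lba):
        return _xor(self._sectors[lba], self._stream(lba, len(self._sectors[lba])))
```

In this model the wrapped key and its check value are held by the drive object, so `unlock()` behaves the same whichever host calls it.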