Difference between revisions of "Full Disk Encryption (FDE)"

From ThinkWiki

Revision as of 21:44, 18 August 2008

Full Disk Encryption

Lenovo's 'Full Disk Encryption' (FDE) is a technology incorporated into some of Seagate's FDE-ready hard disks. It provides encryption of all of the contents of the hard disk.

Hint:
This page has been written based on commercial documentation. It should be reviewed against real-life experience.

Features

  • Multi platform (Linux, Windows).
  • Protects the whole disk (including FAT partition...)
  • No performance impact.
  • Compatible with TPM
  • AES (the chip that performs the AES encryption has been certified by NIST)
  • Wiping the disk (for disposal...) takes just a second.


FDE hard disk photo, credits: seagate.com

Using Seagate FDE

Using FDE is as easy as setting up the hard disk password (from the BIOS). You can choose to have just a user password, or both a user and a master password. You can export the key to external storage for password recovery (you need the password to do this!).

Lost password

Three possibilities:

  • Use the master password to change the user key.
  • Recover the password using the previously exported key.
  • Reset the encryption key (which causes the hard disk to be instantly "wiped", and resets the "hard disk password").

Wipe the disk

Wiping the disk is as easy as resetting the encryption key from the BIOS.
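The three sections above (setting the hard disk password, the three ways out of a lost password, and the one-second wipe) all follow from one key hierarchy: the drive encrypts sectors with a data encryption key (DEK) it generated itself, and the user and master passwords only unwrap that DEK. The following toy model is an added example, not code from ThinkWiki, Lenovo or Seagate. It replaces the drive's AES engine with a SHA-256 counter-mode keystream so it runs on the standard library alone; the slot layout, the check value and the method names are assumptions chosen to make the behaviour visible: a wrong password unlocks nothing, the master password re-wraps the same DEK, an exported key restores access after the password is lost, and resetting the DEK makes every sector unreadable without touching the sectors themselves.

```python
"""Toy model of the key hierarchy inside a self-encrypting (FDE) drive.
Added illustration, not code from ThinkWiki, Lenovo or Seagate. A SHA-256
counter-mode keystream stands in for the drive's AES engine so it runs on the
standard library alone; slot layout, check value and method names are assumptions."""
import hashlib
import hmac
import os

def _xor_stream(key, data):
    """XOR data with a SHA-256 counter-mode keystream (stand-in for AES)."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def _kek(password, salt):
    """Password -> key-encryption key (PBKDF2); the salt is stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _wrap(dek, password):
    """Wrap the DEK under a password-derived key; returns (salt, wrapped DEK)."""
    salt = os.urandom(16)
    return salt, _xor_stream(_kek(password, salt), dek)

class SelfEncryptingDisk:
    def __init__(self, user_password, master_password=None):
        self._sectors = {}          # LBA -> ciphertext; plaintext is never stored
        self._dek = None            # data encryption key, held only while unlocked
        self._new_dek(user_password, master_password)
    def _new_dek(self, user_password, master_password):
        dek = os.urandom(32)        # generated on the drive, never leaves it raw
        self._check = hmac.new(dek, b"dek-check", "sha256").digest()
        self._slots = {"user": _wrap(dek, user_password)}   # slot -> (salt, wrapped DEK)
        if master_password is not None:
            self._slots["master"] = _wrap(dek, master_password)
        self._dek = None            # the drive powers up locked
    def _is_dek(self, candidate):
        tag = hmac.new(candidate, b"dek-check", "sha256").digest()
        return hmac.compare_digest(tag, self._check)
    def unlock(self, password):
        """Try the password against every slot (user, master); load the DEK on success."""
        for salt, wrapped in self._slots.values():
            candidate = _xor_stream(_kek(password, salt), wrapped)
            if self._is_dek(candidate):
                self._dek = candidate
                return True
        return False
    def lock(self):
        self._dek = None
    def change_user_password(self, master_password, new_user_password):
        """Path 1: the master password re-wraps the same DEK under a new user password."""
        if not self.unlock(master_password):
            return False
        self._slots["user"] = _wrap(self._dek, new_user_password)
        return True
    def export_key(self, password):
        """Path 2a: export the key for recovery; a valid password is still required."""
        if not self.unlock(password):
            raise PermissionError("valid password required to export the key")
        return self._dek
    def recover_with_exported_key(self, exported, new_user_password):
        """Path 2b: an exported key re-establishes access and sets a new user password."""
        if not self._is_dek(exported):      # e.g. a backup taken before a wipe
            return False
        self._dek = exported
        self._slots["user"] = _wrap(exported, new_user_password)
        return True
    def reset_encryption_key(self, new_user_password, new_master_password=None):
        """Path 3 / wipe: no sector is overwritten; the old DEK simply ceases to exist."""
        self._new_dek(new_user_password, new_master_password)
    def write(self, lba, plaintext):
        if self._dek is None:
            raise PermissionError("disk is locked")
        # The LBA is mixed into the keystream so each sector encrypts differently
        # (real drives use a tweakable block-cipher mode for this).
        self._sectors[lba] = _xor_stream(self._dek + lba.to_bytes(8, "big"), plaintext)
    def read(self, lba):
        if self._dek is None:
            raise PermissionError("disk is locked")
        return _xor_stream(self._dek + lba.to_bytes(8, "big"), self._sectors[lba])

def demo():
    """Walk through the three lost-password paths and the one-second wipe."""
    disk = SelfEncryptingDisk("user-pw", master_password="master-pw")
    disk.unlock("user-pw")
    disk.write(0, b"constructed sample: payroll.xls")   # constructed sample data
    disk.lock()
    out = {"wrong_password": disk.unlock("guess")}
    backup = disk.export_key("user-pw")                  # export while the password is known
    out["master_reset"] = disk.change_user_password("master-pw", "new-user-pw")
    disk.lock()
    disk.unlock("new-user-pw")
    out["after_master_reset"] = disk.read(0)             # same data, new user password
    disk.lock()
    out["recovered"] = disk.recover_with_exported_key(backup, "user-pw-2")
    out["after_recovery"] = disk.read(0)
    disk.reset_encryption_key("fresh-pw")                # the "wipe": one key regeneration
    disk.unlock("fresh-pw")
    out["after_wipe"] = disk.read(0)                     # old ciphertext, new key: garbage
    out["stale_backup"] = disk.recover_with_exported_key(backup, "x")
    return out
```

Two things the model makes concrete: the export is the only recovery path that works without a master password, and it must be taken while a password is still known; and the wipe is instantaneous because it replaces 32 bytes of key rather than touching any sector, which is also why a key backup taken before the wipe is useless afterwards.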

TPM

It should be possible to use the TPM (with fingerprint readers, ...); not tested yet.

  • T61 with TPM and fingerprint reader: the FDE password works with a configured fingerprint, but you must use Windows-based software to program the fingerprint.

Software alternatives

It is possible to get similar security, at a very slight performance impact, by using appropriate software-based full disk encryption solutions. For example, under Linux, you can use dm-crypt to encrypt the whole disk (including swap and root partitions) except for a bootloader. Numerous tutorials are available on the Internet.

Links