Difference between revisions of "Full Disk Encryption (FDE)"

From ThinkWiki
Jump to: navigation, search
m (Template:FDE moved to Full Disk Encryption (FDE): Wrong page name when created)
(Disadvantages)
 
(13 intermediate revisions by 8 users not shown)
Line 4: Line 4:
 
<div style="margin: 0; margin-right:10px; border: 1px solid #dfdfdf; padding: 0em 1em 1em 1em; background-color:#F8F8FF; align:right;">
 
<div style="margin: 0; margin-right:10px; border: 1px solid #dfdfdf; padding: 0em 1em 1em 1em; background-color:#F8F8FF; align:right;">
 
=== Full Disk Encryption ===
 
=== Full Disk Encryption ===
Lenovo Full disk encryption is a technology (based on Pointsec FDE) that Encrypt the whole hard-disk content..
+
Lenovo's 'Full Disk Encryption' (FDE) is a technology incorporated into some of Seagate's FDE-ready hard disks. It provides encryption of all of the contents of the hard disk.
  
{{HINT|This page have been written base on commercial documentation. It should be reviewed based on real life experience}}
 
  
 
=== Features ===
 
=== Features ===
 
* Multi platform (Linux, Windows).
 
* Multi platform (Linux, Windows).
* Protects the whole disk (including FAT partition).
+
* Protects the whole disk (including FAT partition...)
* Low performance impact.
+
* No performance impact.
* Common Criteria EAL 4 (CC EAL4)
+
* Compatible with TPM
 +
* AES (the chip  which performs AES encryption has been [http://www.seagate.com/ww/v/index.jsp?locale=en-US&name=null&vgnextoid=ade81f7095904110VgnVCM100000f5ee0a0aRCRD certified] by [http://csrc.nist.gov/cryptval/aes/aesval.html NIST] )
 +
* Wiping the disk (for disposal...) takes just a second.
 +
 
  
 
</div>
 
</div>
 
|style="vertical-align:top" |
 
|style="vertical-align:top" |
[[image:pointsec_fde_small.gif|Diagram]]<br/>[[http://www.thinkwiki.org/images/6/63/Pointsec_fde.gif Large]](credits: pointsec.com)
+
[[image:momentus5400_3_fde_sm_106x106.gif|FDE Hard disk Photo, credits: seagate.com]]
 
|}
 
|}
  
=== Links ===
+
=== Using Seagate FDE ===
* [http://www.pointsec.com/ PointSec]
+
Using FDE as as easy as setting up the hard disk password (from BIOS). You can choose to have just a user password, or both a user and a master password.
* [http://www.techworld.com/midsizedbusiness/features/index.cfm?featureid=2037&pagtype=samecatsamechan Techworld review]
+
You can export the key to an external storage, for password recovery (you need the password !!)
  
 +
N.B.: The [http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-69621 Lenovo FAQ on FDE] specifically states that on the T60 & T61, there is no means of backing up or exporting the key, but that the drive may be used in another system (it is evidently not tied to a motherboard [http://en.wikipedia.org/wiki/Full_disk_encryption#Full_disk_encryption_and_Trusted_Platform_Module Trusted Platform Module]).
  
 +
==== Lost password ====
 +
Three possibilities :
 +
* Use the master password to change the user key.
 +
* Recover the password using the previously exported key. (See note from Lenovo FAQ, above.)
 +
* Reset the encryption key (which causes the hard disk to be instantly "wiped", and resets the "hard disk password").
  
=== ThinkPads that may include this feature ===
+
==== Wipe the disk ====
* {{T61}}
+
Wiping the disk is as easy as reseting the encryption key from the BIOS..
* {{R61}}
+
 
 +
==== TPM ====
 +
It should be possible to use TPM (with fingerprint readers...) not tested yet.
 +
* T61 with TPM & fingerprints, FDE password works with a configured fingerprint but you must use windows based software to program the imprint. By keeping a small windows partition, I am able to boot linux with a fingerprint, fingerprint passes the TPM power-on password AND the FDE disk 1 password, which is separate.
 +
 
 +
==== Disadvantages ====
 +
FDE is only safe when the computer is off or hibernated.
 +
When the computer is stolen while it is on or suspended, a restart which boots from a USB stick will reveal your data.
 +
The problem is that these warm restarts will not ask for the HD password, nor the power-on-password for that matter.
 +
This can be seen as a security risk.
 +
 
 +
Dm-crypt solutions are better in this respect as they will prompt for a password on any reboot.
 +
 
 +
Another disadvantage is that the disk can not be read if it is put in a USB enclosure.
 +
Again, dm-crypt does allow to mount encrypted partitions from a USB disk (password protected, of course), which is useful when upgrading disks, or when using disks across computers.
 +
 
 +
=== Software alternatives ===
 +
 
 +
It is possible to get similar security, at a very slight performance impact, by using appropriate software-based full disk encryption solutions. For example, under Linux, you can use <tt>dm-crypt</tt> to encrypt the whole disk (including swap and root partitions) except for a bootloader. Numerous tutorials are available on the Internet.
 +
 
 +
=== Links ===
 +
* [http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-69621 Lenovo Full Disk Encryption Hard Disk Drive Frequently Asked Questions]
 +
* [http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=TPAD-SIMS Thinkpad Bios simulator] (R61/T61 not available yet, unfortunately)
 +
* [http://www.seagate.com/www/en-us/products/laptops/momentus/momentus_5400_fde.2/ Seagate MoMentuS 5400 FDe.2]
 +
* [http://en.wikipedia.org/wiki/Full_disk_encryption Wikipedia - Full disk encryption] (why FDE ??)
 +
* [http://www.xml-dev.com/pipermail/fde/ Full-Disk-Encryption Mailing list]

Latest revision as of 09:18, 4 October 2010

Full Disk Encryption

Lenovo's 'Full Disk Encryption' (FDE) is a technology incorporated into some of Seagate's FDE-ready hard disks. It provides encryption of all of the contents of the hard disk.


Features

  • Multi platform (Linux, Windows).
  • Protects the whole disk (including FAT partition...)
  • No performance impact.
  • Compatible with TPM
  • AES (the chip which performs AES encryption has been certified by NIST )
  • Wiping the disk (for disposal...) takes just a second.


FDE Hard disk Photo, credits: seagate.com

Using Seagate FDE

Using FDE as as easy as setting up the hard disk password (from BIOS). You can choose to have just a user password, or both a user and a master password. You can export the key to an external storage, for password recovery (you need the password !!)

N.B.: The Lenovo FAQ on FDE specifically states that on the T60 & T61, there is no means of backing up or exporting the key, but that the drive may be used in another system (it is evidently not tied to a motherboard Trusted Platform Module).

Lost password

Three possibilities :

  • Use the master password to change the user key.
  • Recover the password using the previously exported key. (See note from Lenovo FAQ, above.)
  • Reset the encryption key (which causes the hard disk to be instantly "wiped", and resets the "hard disk password").

Wipe the disk

Wiping the disk is as easy as reseting the encryption key from the BIOS..

TPM

It should be possible to use TPM (with fingerprint readers...) not tested yet.

  • T61 with TPM & fingerprints, FDE password works with a configured fingerprint but you must use windows based software to program the imprint. By keeping a small windows partition, I am able to boot linux with a fingerprint, fingerprint passes the TPM power-on password AND the FDE disk 1 password, which is separate.

Disadvantages

FDE is only safe when the computer is off or hibernated. When the computer is stolen while it is on or suspended, a restart which boots from a USB stick will reveal your data. The problem is that these warm restarts will not ask for the HD password, nor the power-on-password for that matter. This can be seen as a security risk.

Dm-crypt solutions are better in this respect as they will prompt for a password on any reboot.

Another disadvantage is that the disk can not be read if it is put in a USB enclosure. Again, dm-crypt does allow to mount encrypted partitions from a USB disk (password protected, of course), which is useful when upgrading disks, or when using disks across computers.

Software alternatives

It is possible to get similar security, at a very slight performance impact, by using appropriate software-based full disk encryption solutions. For example, under Linux, you can use dm-crypt to encrypt the whole disk (including swap and root partitions) except for a bootloader. Numerous tutorials are available on the Internet.

Links