Full Disk Encryption (FDE)

2010-04-05T18:47:11Z

Mprefix: Removed hint line as it contained por grammar and made no sense

__NOTOC__
{| width="100%"
|style="vertical-align:top" |
<div style="margin: 0; margin-right:10px; border: 1px solid #dfdfdf; padding: 0em 1em 1em 1em; background-color:#F8F8FF; align:right;">
=== Full Disk Encryption ===
Lenovo's 'Full Disk Encryption' (FDE) is a technology incorporated into some of Seagate's FDE-ready hard disks. It provides encryption of all of the contents of the hard disk.

=== Features ===
* Multi platform (Linux, Windows).
* Protects the whole disk (including FAT partition...)
* No performance impact.
* Compatible with TPM
* AES (the chip which performs AES encryption has been [http://www.seagate.com/ww/v/index.jsp?locale=en-US&name=null&vgnextoid=ade81f7095904110VgnVCM100000f5ee0a0aRCRD certified] by [http://csrc.nist.gov/cryptval/aes/aesval.html NIST] )
* Wiping the disk (for disposal...) takes just a second.

</div>
|style="vertical-align:top" |
[[image:momentus5400_3_fde_sm_106x106.gif|FDE Hard disk Photo, credits: seagate.com]]
|}

=== Using Seagate FDE ===
Using FDE as as easy as setting up the hard disk password (from BIOS). You can choose to have just a user password, or both a user and a master password.
You can export the key to an external storage, for password recovery (you need the password !!)

N.B.: The [http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-69621 Lenovo FAQ on FDE] specifically states that on the T60 & T61, there is no means of backing up or exporting the key, but that the drive may be used in another system (it is evidently not tied to a motherboard [http://en.wikipedia.org/wiki/Full_disk_encryption#Full_disk_encryption_and_Trusted_Platform_Module Trusted Platform Module]).

==== Lost password ====
Three possibilities :
* Use the master password to change the user key.
* Recover the password using the previously exported key. (See note from Lenovo FAQ, above.)
* Reset the encryption key (which causes the hard disk to be instantly "wiped", and resets the "hard disk password").

==== Wipe the disk ====
Wiping the disk is as easy as reseting the encryption key from the BIOS..

==== TPM ====
It should be possible to use TPM (with fingerprint readers...) not tested yet.
* T61 with TPM & fingerprints, FDE password works with a configured fingerprint but you must use windows based software to program the imprint. By keeping a small windows partition, I am able to boot linux with a fingerprint, fingerprint passes the TPM power-on password AND the FDE disk 1 password, which is separate.

=== Software alternatives ===

It is possible to get similar security, at a very slight performance impact, by using appropriate software-based full disk encryption solutions. For example, under Linux, you can use <tt>dm-crypt</tt> to encrypt the whole disk (including swap and root partitions) except for a bootloader. Numerous tutorials are available on the Internet.

=== Links ===
* [http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=MIGR-69621 Lenovo Full Disk Encryption Hard Disk Drive Frequently Asked Questions]
* [http://www-307.ibm.com/pc/support/site.wss/document.do?sitestyle=lenovo&lndocid=TPAD-SIMS Thinkpad Bios simulator] (R61/T61 not available yet, unfortunately)
* [http://www.seagate.com/www/en-us/products/laptops/momentus/momentus_5400_fde.2/ Seagate MoMentuS 5400 FDe.2]
* [http://en.wikipedia.org/wiki/Full_disk_encryption Wikipedia - Full disk encryption] (why FDE ??)
* [http://www.xml-dev.com/pipermail/fde/ Full-Disk-Encryption Mailing list]

ThinkWiki - User contributions [en]

Full Disk Encryption (FDE)