Full Disk Encryption (FDE)
Using Seagate FDE
Using FDE is as easy as setting up the hard disk password (from the BIOS). You can choose to have just a user password, or both a user and a master password. You can export the key to external storage for password recovery (you need the password!).
N.B.: The Lenovo FAQ on FDE specifically states that on the T60 & T61, there is no means of backing up or exporting the key, but that the drive may be used in another system (it is evidently not tied to a motherboard Trusted Platform Module).
Three possibilities:
- Use the master password to change the user key.
- Recover the password using the previously exported key. (See note from Lenovo FAQ, above.)
- Reset the encryption key (which causes the hard disk to be instantly "wiped", and resets the "hard disk password").
Wipe the disk
Wiping the disk is as easy as resetting the encryption key from the BIOS.
It should be possible to use the TPM (with fingerprint readers...); this has not been tested yet.
- T61 with TPM & fingerprints: the FDE password works with a configured fingerprint, but you must use Windows-based software to program the imprint. By keeping a small Windows partition, I am able to boot Linux with a fingerprint; the fingerprint passes the TPM power-on password AND the FDE disk 1 password, which is separate.
It is possible to get similar security, with a very slight performance impact, by using an appropriate software-based full disk encryption solution. For example, under Linux, you can use dm-crypt to encrypt the whole disk (including the swap and root partitions) except for the bootloader. Numerous tutorials are available on the Internet.
- Lenovo Full Disk Encryption Hard Disk Drive Frequently Asked Questions
- Thinkpad Bios simulator (R61/T61 not available yet, unfortunately)
- Seagate Momentus 5400 FDE.2
- Wikipedia - Full disk encryption (why FDE?)
- Full-Disk-Encryption Mailing list