X200s, X61s, turn on HDD (SDD, Samsung 840 EVO) BIOS, re-installation?

X200s, X61s, turn on HDD (SDD, Samsung 840 EVO) BIOS, re-installation?

Uwe Brauer-2
Hi

Several months ago, I asked about full disk encryption (I first was
thinking about luks cm-crypt) but then I was pointed to encryption
"in hardware" which has no performance issue, but finally I did not do
anything.

Now I came back to that idea, but before enabling it I would like to
know:

Will that erase all my data and I have to reinstall everything?

I ask because this is happening if one wants to enable luks for an
already installed OS.

Thanks

Uwe Brauer
--
The linux-thinkpad mailing list home page is at:
http://mailman.linux-thinkpad.org/mailman/listinfo/linux-thinkpad
Re: X200s, X61s, turn on HDD (SDD, Samsung 840 EVO) BIOS, re-installation?

Bjørn Mork
Uwe Brauer <[hidden email]> writes:

> Hi
>
> Several months ago, I asked about full disk encryption (I first was
> thinking about luks cm-crypt) but then I was pointed to encryption
> "in hardware" which has no performance issue, but finally I did not do
> anything.
>
> Now I came back to that idea, but before enabling it I would like to
> know:
>
> Will that erase all my data and I have to reinstall everything?

No, it will not.  Enabling hardware disk encryption doesn't modify the
data, only the key metadata.  All data on disk is already encrypted.
But the key is not, until you set a password.

But big fat warning: Never trust this!  Make a full backup and be
prepared to start from scratch. Firmware can do all sorts of weird and
unexpected things.  If you are lucky, you won't have to reinstall.  But
don't be surprised if you have to.  Make the backup and reserve enough
time for a full reinstall before starting.

And do not blame me if anything goes wrong ;)

> I ask because this is happening if one wants to enable luks for an
> already installed OS.

luks has a performance penalty and will not encrypt anything unless you
explicitly configure it.  So yes, you will have to rewrite the entire
disk after enabling luks.


Bjørn
Re: X200s, X61s, turn on HDD (SDD, Samsung 840 EVO) BIOS, re-installation?

Bjørn Mork
Bjørn Mork <[hidden email]> writes:

> Uwe Brauer <[hidden email]> writes:
>
>> Several months ago, I asked about full disk encryption (I first was
>> thinking about luks cm-crypt) but then I was pointed to encryption
>> "in hardware" which has no performance issue, but finally I did not do
>> anything.
>>
>> Now I came back to that idea, but before enabling it I would like to
>> know:
>>
>> Will that erase all my data and I have to reinstall everything?
>
> No, it will not.  Enabling hardware disk encryption doesn't modify the
> data, only the key metadata.  All data on disk is already encrypted.
> But the key is not, until you set a password.

See also http://www.lenovo.com/support/fde
Bjørn
Re: X200s, X61s, turn on HDD (SDD, Samsung 840 EVO) BIOS, re-installation?

Uwe Brauer-2
> Bjørn Mork <[hidden email]> writes:
>
> See also http://www.lenovo.com/support/fde

Thanks, that looks all innocent and easy, did you try it out?

Uwe
Re: X200s, X61s, turn on HDD (SDD, Samsung 840 EVO) BIOS, re-installation?

Bjørn Mork
Uwe Brauer <[hidden email]> writes:

>> Bjørn Mork <[hidden email]> writes:
>>
>> See also http://www.lenovo.com/support/fde
>
> Thanks, that looks all innocent and easy, did you try it out?

I've only ever done it on brand new disks.  It was as easy as
described.  But Murphy dictates that something will go terribly wrong if
you depend on it being that easy :)
Bjørn
Re: X200s, X61s, turn on HDD (SDD, Samsung 840 EVO) BIOS, re-installation?

Yves-Alexis Perez-2
On Thu., 2016-03-10 at 14:48 +0100, Bjørn Mork wrote:
> But big fat warning: Never trust this!  Make a full backup and be
> prepared to start from scratch. Firmware can do all sorts of weird and
> unexpected things.  If you are lucky, you won't have to reinstall.  But
> don't be surprised if you have to.  Make the backup and reserve enough
> time for a full reinstall before starting.
>
> And do not blame me if anything goes wrong ;)

Note that we actually don't even know if the drive really encrypts stuff.

One thing to keep in mind, too, is that if it's your boot drive, the only way
to enter the password is the BIOS interface. When you set a password through
the BIOS setup menu, it won't actually pass that string to the disk, but
rather mix it with some data (usually the model number, stuff like that), hash
it, *and then* pass it to the drive.

That means that you need that derivation algorithm if you ever want to gain
access to your data. If the BIOS (of your laptop, at least of the same model)
didn't unlock the drive and you don't know the algorithm, then you won't be
able to unlock it (for example with hdparm).

Regards,
--
Yves-Alexis
Re: X200s, X61s, turn on HDD (SDD, Samsung 840 EVO) BIOS, re-installation?

Bjørn Mork
Yves-Alexis Perez <[hidden email]> writes:

> On Thu., 2016-03-10 at 14:48 +0100, Bjørn Mork wrote:
>> But big fat warning: Never trust this!  Make a full backup and be
>> prepared to start from scratch. Firmware can do all sorts of weird and
>> unexpected things.  If you are lucky, you won't have to reinstall.  But
>> don't be surprised if you have to.  Make the backup and reserve enough
>> time for a full reinstall before starting.
>>
>> And do not blame me if anything goes wrong ;)
>
> Note that we actually don't even know if the drive really encrypt stuff.

Sure.  But then we don't actually know what the drive firmware does with
our data in any case.  It could make duplicates of everything and send
it to some external party. Or more technically feasible: it could sniff
"interesting stuff" and keep it in a protected area until someone with the
right tool downloads it.

Just feeding the paranoia :)  Base line is that you simply have to trust
your drive firmware.  And if the manufacturer says it encrypts, then you
might as well trust that.

If you don't, then by all means use LUKS.  But you still have to trust
your keyboard controller, which is firmware running on the EC...

> One thing to keep in mind, too, is that if it's your boot drive, the only way
> to enter the password is the BIOS interface. When you set a password through
> the BIOS setup menu, it won't actually pass that string to the disk, but
> rather mix it with some data (usually the model number, stuff like that), hash
> it, *and then* pass it to the drive.
>
> That means that you need that derivation algorithm if you ever want to gain
> access to your data. If the BIOS (of your laptop, at least of the same model)
> didn't unlock the drive and you don't know the algorithm, then you won't be
> able to unlock it (for example with hdparm).

Yes.  Luckily someone has done all the hard work for modern ThinkPad
UEFI BIOS implementations:
https://jbeekman.nl/blog/2015/03/lenovo-thinkpad-hdd-password/

Don't know if that holds for older Thinkpads?  Anyone tried it?  Maybe I
should... Will have to find some way to physically attach my X301 SSD to
another computer then, but that is probably wise in any case.
Bjørn
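Both Yves-Alexis's point about the BIOS-derived password and the mention of hdparm above assume you know what security state the drive is actually reporting. As an added example (not code from this thread or from Lenovo), here is a parser for the Security section that `hdparm -I` prints, with a constructed sample in hdparm's own layout, plus a check for the frozen and locked states that prevent setting or disabling the ATA password from the running OS:

```python
import re

# Constructed sample of the "Security:" section of `hdparm -I` output for a
# drive whose ATA security feature set is supported but not yet enabled.
# hdparm prints "not<TAB>flag" when a flag is clear and "<TAB><TAB>flag" when set.
SAMPLE_HDPARM_OUTPUT = "\n".join([
    "Security: ",
    "\tMaster password revision code = 65534",
    "\t\tsupported",
    "\tnot\tenabled",
    "\tnot\tlocked",
    "\tnot\tfrozen",
    "\tnot\texpired: security count",
    "\t\tsupported: enhanced erase",
    "\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.",
    "Checksum: correct",
])

FLAG_NAMES = ("supported", "enabled", "locked", "frozen", "expired")

def parse_ata_security(text):
    """Return the ATA security state as a dict, or None if no Security section.

    The section starts at a line beginning with "Security:" and runs until the
    next line that does not start with whitespace (the next top-level section).
    """
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith("Security:")), None)
    if start is None:
        return None  # e.g. a device that does not report the security feature set
    state = {name: False for name in FLAG_NAMES}
    state["enhanced_erase"] = False
    state["master_password_revision"] = None
    for line in lines[start + 1:]:
        if not line[:1].isspace():
            break
        m = re.match(r"\s*Master password revision code = (\d+)", line)
        if m:
            state["master_password_revision"] = int(m.group(1))
            continue
        tokens = line.split()
        if not tokens:
            continue
        negated = tokens[0] == "not"  # "not<TAB>flag" means the flag is clear
        if negated:
            tokens = tokens[1:]
        key = tokens[0].rstrip(":") if tokens else ""
        if key == "supported" and tokens[1:] == ["enhanced", "erase"]:
            state["enhanced_erase"] = not negated
        elif key in FLAG_NAMES:
            state[key] = not negated
    return state

def can_set_password(state):
    """SECURITY SET PASSWORD is refused while the drive is frozen or locked."""
    return bool(state) and state["supported"] and not (state["frozen"] or state["locked"])
```

Many BIOSes issue SECURITY FREEZE LOCK at boot, so a "frozen" result is the usual reason an hdparm password change fails from Linux; it does not by itself say anything about whether the BIOS-derived password matches what you typed.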
Re: X200s, X61s, turn on HDD (SDD, Samsung 840 EVO) BIOS, re-installation?

Henrique de Moraes Holschuh-2
On Thu, 10 Mar 2016, Bjørn Mork wrote:

> Uwe Brauer <[hidden email]> writes:
> >> Bjørn Mork <[hidden email]> writes:
> >>
> >> See also http://www.lenovo.com/support/fde
> >
> > Thanks, that looks all innocent and easy, did you try it out?
>
> I've only ever done it on brand new disks.  It was as easy as
> described.  But Murphy dictates that something will go terribly wrong if
> you depend on it being that easy :)

Especially if there are any SSDs involved.

That said, SSD/HDD-hardware-assisted FDE cannot be trusted for much.  You
can use ATA-SECURITY-PASSWORD based FDE to protect against unsophisticated
thieves retrieving your data, but it won't keep that data safe should the
storage device end up in the hands of someone who is really "curious" about
what could be inside.

TCG OPAL mode is supposed to help fix this since you can send to the device
a really large key (supposedly sealed with the help of the TPM, or stored in
removable media for example) and the device is not supposed to retain any
state about that key.  However, the whole thing is too complex and usually
the implementations are too buggy, so it is not only unsafe in the security
sense (the SSD/HDD firmware is likely to have lots of security
vulnerabilities), but it actually puts your data at risk (SSD/HDD firmware
bugs rendering it inaccessible).

And TCG OPAL support in Linux is... troublesome at *best*.  If the BIOS/UEFI
firmware can manage it all and hand to the O.S. the storage device already
unlocked when booting and when resuming from sleep (and lock it when
suspending), fine.  Otherwise, no go.

--
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh