On 2017-04-22 12:45, Jan Ritzerfeld wrote:
On Saturday, 22 April 2017, 00:41:21 CEST, Carlos E. R. wrote:
On 2017-04-20 23:20, Anton Aylward wrote: [...]
You need a HARDWARE ENCRYPTED DISK !!!
Well, it does exist. It is a standard. But I have no idea how to enter the password when powering the laptop before the hard disk can be read at all.
It is done by the "BIOS".
How? I have not seen any option in the BIOS mentioning this feature, on several computers. Where to enable it? [Reading the blog later, it appears that some BIOSes do have this feature]
And there is no standard how the "BIOS" translates your key presses into the password that you can use with hdparm.
To use with hdparm it is the Linux keyboard drivers and maps, not the BIOS. To activate the disk before booting with the BIOS would be the BIOS, the same keyboard native to the computer, which is used on the several BIOS screens. It is even better with UEFI, it seems.
So, if your computer dies and you have to move your disk to another computer, you will not be able to unlock it and all your data will be lost. This is unacceptable.
You can boot with another disk, then enable the encrypted disk using hdparm in Linux.
Besides, the "BIOS" may reduce your password strength and might even store it: https://jbeekman.nl/blog/2015/03/lenovo-thinkpad-hdd-password/ Luckily I was curious enough to check this before I activated the hardware encryption on my new SSD...
Ah. The inability to access the disk refers to Lenovo and SSDs, not necessarily to all implementations. And the blog author has written a tool to open the disk with hdparm.

The problem is (reading the blog) that the BIOS changes the password before sending it to the disk in a BIOS-specific way for that computer. And the second problem is that, the blog says, all SSD drives use encryption already without the user knowing. When the user enables it, what it does is place a password on top of the password (or something similar, read the article for correct details).

Nasty. You can use encryption safely only if, after setting it up in the BIOS, you can manage to access it using hdparm.

-- 
Cheers / Saludos,

Carlos E. R.
(from 42.2 x86_64 "Malachite" at Telcontar)
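
Added example, not part of the original message or the linked blog: before trying to unlock a moved disk with hdparm, it helps to know what state the drive reports. The function below classifies the "Security:" section that `hdparm -I` prints; the function names and the sample text are constructed for illustration. A drive reported as frozen rejects ATA security commands until it is power-cycled.

```shell
#!/bin/sh
# Added example: classify the ATA security state from `hdparm -I` output.
# Reads the text on stdin and prints one of:
#   unsupported | disabled | locked | unlocked   (plus ",frozen" if frozen)

ata_security_state() {
    awk '
        /^Security:/       { insec = 1; next }   # start of the section
        insec && /^[^ \t]/ { insec = 0 }         # next unindented header ends it
        !insec             { next }
        {
            # Flags are printed as "<flag>" or "not <flag>".
            neg  = ($1 == "not")
            word = neg ? $2 : $1
            if (word == "supported") supported = !neg
            if (word == "enabled")   enabled   = !neg
            if (word == "locked")    locked    = !neg
            if (word == "frozen")    frozen    = !neg
        }
        END {
            if (!supported) { print "unsupported"; exit }
            state  = !enabled ? "disabled" : (locked ? "locked" : "unlocked")
            suffix = frozen ? ",frozen" : ""
            print state suffix
        }
    '
}

# Constructed sample: a password-protected disk moved to another machine,
# where no firmware has unlocked or frozen it yet.
sample_locked() {
    printf 'Security: \n'
    printf '\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n'
    printf '\t\tenabled\n'
    printf '\t\tlocked\n'
    printf '\tnot\tfrozen\n'
    printf '\tnot\texpired: security count\n'
    printf '\t\tsupported: enhanced erase\n'
    printf 'Checksum: correct\n'
}

sample_locked | ata_security_state
# Real use (as root): hdparm -I /dev/sdX | ata_security_state
```
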