The Notebook Review forums were hosted by TechTarget, who shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Hitachi drive encryption...quick question...;)

    Discussion in 'Lenovo' started by CrunchDude, Mar 28, 2008.

  1. CrunchDude

    CrunchDude Notebook Evangelist

    Hey all...So I decided per another thread here not to use Vista's BitLocker, but rather to go with Hitachi's FDE (Full Disk Encryption). Do I need some kind of software? I got all of my drives from Lenovo, and they didn't ship software along with it. I was on Hitachi's site for a while and also tried to google it, but at the end of the day, I'm still unsure as to the procedure as far as performing the actual encryption. What do I need? Can I also encrypt only individual parts of the drive? :confused:

    Thanks all!!! :)
     
  2. jketzetera

    jketzetera Notebook Evangelist

    You do not need any software (but your notebook needs to have a compliant BIOS). You cannot encrypt individual parts of the drive.

    These two documents tell you almost everything you need to know

    http://www.hitachigst.com/tech/techlib.nsf/techdocs/74D8260832F2F75E862572D7004AE077/$file/bulk_encryption_white_paper.pdf

    http://www.hitachigst.com/tech/techlib.nsf/techdocs/F08FCD6C41A7A3FF8625735400620E6A/$file/HowToGuide_BulkDataEncryption_final.pdf
     
  3. gamemint

    gamemint Notebook Evangelist

    jketzetera, thanks for the link. Very good info.
     
  4. CrunchDude

    CrunchDude Notebook Evangelist

    Excellent yes. Thank you. Would you be able to tell me what the best way for me would be? I have a 200GB 7200rpm w/FDE, and my BIOS is 2.20 (12/07) on a T60p (2007 type). Thanks!!

    I have ALL passwords enabled (Supervisor, Hard drive) and the fingerprint reader releases the drive. Do I need Client Security Solutions? I run VUx64. :)
     
  5. jketzetera

    jketzetera Notebook Evangelist

    I am not 100% sure but I believe that you do not need the Client Security Solution (or rather that CSS does not work with the Hitachi BDE). Since Hitachi's Bulk Disk Encryption is completely hardware based, the encryption/decryption is both OS and Software independent. However, if I am not mistaken, Seagate's implementation of hardware based encryption in its FDE drives actually requires software to be loaded and relies on the TPM.

    I cannot tell you whether your T60p BIOS supports the Hitachi BDE drive (you would need to ask Lenovo).

    I can however tell you the following: BIOS Compliance for Hitachi's BDE seems to differ between the Thinkpad X60s and Thinkpad X61s. I have set a password for a BDE drive that resides in an Ultrabay SATA adapter with my X61s and can use the BDE function when the drive is in the Ultrabay. When a friend of mine visited with his X60s he was unable to access the drive, when we put his X60s in the Ultrabay. When using the X60s, the system would prompt for password but despite entering the correct password, the system would say incorrect password.
     
  6. CrunchDude

    CrunchDude Notebook Evangelist

    I think you're right about the software part. According to these instructions from the Hitachi website, it seems that it is based on the HDD password(s), so this is what I did. I set both User AND Master passwords for two HDDs so far, so does that mean they're fully encrypted now? I also set a Supervisor password. Does that mean that it will only run in MY system (or if the person somehow knows the password), and is therefore even better protected? Another question I have is as to why they stress NOT to create a BIOS password!? Did I interpret something incorrectly?

    As for it depending on my system's BIOS, what do you mean exactly? I do not see anything about FDE, or BDE, or anything else, but again, reading the instructions for activating the encryption, it seems to be as easy as setting a few passwords. I guess I don't have to erase anything first, before encrypting it?

    Thanks again! :)
     
  7. jketzetera

    jketzetera Notebook Evangelist

    Seagate's and Hitachi's disk encryption is always on.

    The information on the hard disk platters is always encrypted using an encryption key located in the drive. When you have no hard drive passwords, the encryption key itself is unencrypted and the drive is able to correctly decrypt the data from the platters. When you set hard drive passwords, the encryption key is encrypted using your hard drive passwords. The result is that the drive on its own can no longer decrypt the information on the platters (since the encryption key is scrambled). When you provide the correct hard drive password, the encryption key is properly decrypted and can then properly decrypt the data on the platters.

    I am not sure regarding the BIOS password. My guess is that since BIOS passwords usually can be hacked very easily, they do not want users to use that function. If a user would set the same BIOS and hard drive password, then by obtaining the BIOS password the hard drive security would be compromised.
     
  8. clyde1

    clyde1 Notebook Consultant

    I have a T60. Installing brand new Hitachi 7K320 HD. Want to use the hardware encryption feature.

    I just used my recovery disks on the new drive, but I forgot to enable any type of drive password or hardware encryption in the bios before I did the recovery.

    If you're correct about the encryption always being on, does that mean I don't have to start over again and re-use the recovery disks again? I just need to set the passwords per the instructions from Hitachi?

    Also, my next step is to do a full pc restore using the Vista Business utility (I had created a complete PC backup before putting in the new drive).

    That recovery process shouldn't be a problem, should it, since it has nothing to do with the bios?

    I'm hoping the T60 has a bios that supports the needed features. Hitachi's instructions say something about Freeze Lock. I don't see that, but I see something else that looks close.

    By the way, just out of curiosity, does anybody use the Security Chip feature in the T60, to encrypt data on the HD? How does that compare to Hitachi's built in encryption? (I'm assuming the built-in will be better).
     
  9. jketzetera

    jketzetera Notebook Evangelist

    Yes, you just need to set the passwords per the instructions from Hitachi. Please note that with the previous generation of drives (7K200), you needed to specifically have the models with BDE, in order to utilize encryption (I have no idea how the 7K230 model encryption offering looks). Also, there was actually no practical way for an end-user to determine whether the data on the Hitachi drive really was encrypted or not (or if it just was a regular ATA-lock in effect), since after entering the correct ATA-lock password the encryption/decryption is fully transparent.

    On a slight side note: A couple of weeks ago I thought I had forgotten the correct password and I was unable to unlock the drive (my 7K200 with BDE). Somewhere on Hitachi's website, I found a link to a program that was supposed to be able to re-purpose an encrypted BDE disk by issuing a command to the drive where the original encryption key would be wiped and replaced with a new one. This would render all information on the hard drive lost for all practical purposes (as the original encryption key would be permanently gone) but on the other hand it would "unlock" the drive for new use by the forgetful user.

    I downloaded the program but was never able to use it. My Thinkpad would simply not boot past the password prompt at BIOS POST, and if I put the drive in the Ultrabay (using a drive adapter), it would not appear at all in Windows and thus I was unable to run the utility to erase the encryption key and repurpose the drive.

    Had I been able to perform the repurposing of the drive, I would have taken it as some sort of confirmation that the drive in question was a BDE capable model. However, since I was unable to do so, I would need to trust Hitachi and Lenovo that everything was working as advertised.

    You should be fine. I know that some drive image / re-imaging utilities that operate in their own "dos" or other "pre-install environment" have had problems detecting hard drives (e.g. Acronis True Image 9) if the SATA configuration in the BIOS was set to AHCI. However, setting the SATA configuration to compatibility/IDE would resolve that issue.

    I believe that the freeze lock feature is used so that malware or an evil hacker are not able to issue ATA commands to the hard drive during runtime, that would set an ATA-lock password (assuming that no password is set to begin with) without you knowing it. If they were able to do so it would render your hard drive unusable the next time you turn on the computer (since you would not know the password).

    I have not used the TPM-solution. I believe that Seagate's FDE disks rely on the TPM and Vista's BitLocker as well. Hitachi's solution is in theory immune to the "cold boot attack", which in theory compromises all software based full disk encryption products.
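
The key handling jketzetera describes in posts 7 and 9 (a media key that always encrypts the platters, a drive password that wraps that key, and a re-purposing command that replaces it), as an added Python model. It is not part of the original thread and not Hitachi's firmware: the `ModelDrive` class, the PBKDF2 wrapping and the toy keystream cipher are assumptions chosen so the sketch runs on the standard library.

```python
import hashlib, hmac, os

def _xor_stream(key, data):  # toy SHA-256 counter keystream, a stand-in for the real cipher
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)
def _kek(password, salt):    # key-encryption key derived from the drive password
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class ModelDrive:
    """Constructed model of an always-encrypting drive, not vendor firmware."""
    def __init__(self):
        self.dek = os.urandom(32)  # media key, in the clear until a password is set
        self.platters = b""        # only ciphertext is stored
        self.wrapped = None        # (salt, wrapped key, check tag)
    def write(self, plaintext):
        self.platters = _xor_stream(self.dek, plaintext)
    def read(self):
        if self.dek is None:
            raise PermissionError("drive locked")
        return _xor_stream(self.dek, self.platters)
    def set_password(self, password):  # wraps the key; platters are not rewritten
        salt = os.urandom(16)
        kek = _kek(password, salt)
        tag = hmac.new(kek, self.dek, "sha256").digest()
        self.wrapped = (salt, _xor_stream(kek, self.dek), tag)
    def power_cycle(self):
        if self.wrapped:
            self.dek = None        # only the wrapped copy survives power-off
    def unlock(self, password):
        salt, blob, tag = self.wrapped
        kek = _kek(password, salt)
        dek = _xor_stream(kek, blob)
        ok = hmac.compare_digest(tag, hmac.new(kek, dek, "sha256").digest())
        self.dek = dek if ok else self.dek
        return ok
    def crypto_erase(self):        # new key: old ciphertext becomes unreadable
        self.dek, self.wrapped = os.urandom(32), None

def demo():
    d = ModelDrive()
    d.write(b"data written before any password was set")
    d.set_password("hdd-pass")
    d.power_cycle()
    wrong, right = d.unlock("guess"), d.unlock("hdd-pass")
    data = d.read()
    d.crypto_erase()
    return wrong, right, data, d.read()
```

`demo()` returns the result of a wrong and a correct unlock, the data read back after unlocking, and what the same sectors read as after the key has been replaced.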
     
  10. clyde1

    clyde1 Notebook Consultant

    Thanks jketzetera.

    I'll tell you, right now the PC restore feature is starting to drive me crazy.

    With the recovery discs I created when the machine was new, I can only do a recovery to the original factory installation.

    Ok, so I do a full product recovery to the "as shipped from factory" condition. But even once that's done, I'm not able to do a complete PC restore (I want to use the image I recently saved on an external drive using the Vista business complete PC backup utility).

    It says to do a full PC restore, you must do it from a Vista installation CD. But I never got a Vista OS installation CD. Is there a way to create one?

    So how the heck do I do a complete restore on this thing?
     
  11. jketzetera

    jketzetera Notebook Evangelist

    https://windowshelp.microsoft.com/Windows/en-US/Help/0448354e-aeb6-4953-8be1-74cde71e85811033.mspx
     
  12. clyde1

    clyde1 Notebook Consultant

    jketzetera, thanks for the suggestion. That link got my hopes up, but it didn't work. Using F8 during startup brings up some new options (such as different safe modes), but no option to repair.

    I've moved this issue to a new thread, under Windows OS and Software. If you have any other suggestion, could you please help me there? THANKS !

    http://forum.notebookreview.com/showthread.php?t=294140