I have a T400s, but Win 7 Pro doesn't include BitLocker, so I would like to find an FDE solution, preferably hardware. Recommendations? How do I go about doing this?
EDIT: the hard drive is an Intel G2 80GB SSD, and I never installed any of the ThinkPad/Intel TPM drivers. I presume I would have to do that.
How does the HDD password fit into this? I don't have one set.
I don't have a supervisor password, and the "Security Chip" option in the BIOS is set to disabled. I set an HDD password (the same as my power on password) and after it asks me for the power on password, the prompt for the HDD password comes up real quick but then it beeps in approval and continues booting as if I had already entered it. Does it do this because I set the passwords to be the same or??
As I'm figuring this out I realized I needed a drive that supported FDE if I wanted hardware based FDE. Seeing as how it's a relatively fast system and it's an SSD, I don't think I'll take much of a performance hit with software FDE. What do other ThinkPadders use for software based FDE?
-
Intel G3 SSDs are supposed to come with FDE, otherwise there are a bunch of Seagate drives.
For software FDE I'm using LUKS+LVM, without noticeable performance impact, but of course that's on Linux... -
BitLocker works great but you mention you don't have the right Win7.
TrueCrypt is a free software encryption that is probably your only free way forward.
Or as you know, getting a new drive with hardware FDE is the other way. -
After looking around it seems there are no 1.8" SSDs with FDE. And TrueCrypt recommends not encrypting the entire volume of SSDs with wear leveling, which is what I intended to do.
Is there another way to accomplish what I'm going for here?
I don't want my SSD accessible from my computer without a password - I think I read the Hard Drive password disables the SATA controller, thus disallowing ANY drive currently in the laptop to be booted. If that's the case then that area is covered.
However I also want my drive protected if it is removed from my laptop and accessed from another notebook/desktop. I do not want it to be able to be accessed in another laptop without a password as well. Furthermore, the data being encrypted would be good as well. Any chance of this happening with just an SSD?
EDIT: I have been playing around with the supervisor/power on/HDD passwords, to figure out their behavior and thought I would post here, as there are lots of conflicting threads on here.
I left the HDP enabled the whole time, and it will ask for it each time on boot, whether you are going into the BIOS or just booting normally.
If you enable the POP, it will ask for it when you enter the BIOS and boot normally.
If you enable all 3... you can enter the BIOS with the POP/HDP, but with BIOS lock enabled you won't be able to change anything. If you enter the supervisor password obviously it will let you in with the ability to make BIOS changes.
Strangely enough, if you just want to boot normally and have all 3 enabled, you can enter either the supervisor password or POP on the first password prompt and then just the HDP prompt after. Why it does this, I do not know.
Lenovo is stupid for using the same icons for POP and Supervisor password. It didn't used to be like that. I'm sure that has something to do with causing me to think that you can enter the POP or supervisor password when just simply booting when all 3 are enabled.
Note I had the POP and HDD password as the same, so that I don't have to put in 2 passwords on normal boot.
Anyhow, a supervisor password and HDD password seem sufficient. I don't get the point of the POP password now. You can't make changes to the BIOS without the supervisor password, and you can't boot without the HDD password.. why throw the POP in there? I suppose it's more for the machine than the data? Even with a new hard drive installed and the supervisor password disabled.. the machine would be rendered useless without the POP. -
Note that an HDD password is not very good protection - they can be removed easily by placing the drive in another machine and running some software.
You are correct: if you were to put a new drive in your PC it wouldn't prompt for the drive password and as you are not going in the BIOS, the supervisor password either. Hence the point of the POP. -
You can apparently pick up 1.8" drives with FDE:
http://www.samsung.com/global/system/business/semiconductor/family/2010/1/1/ssd_datasheet_200906.pdf
Lenovo sold this one MMDPE56G8DXP-0VB (Lenovo P/N 45N7958)
This model appears EOL but you might pick them up. -
I think you can also upgrade your OS if you pay Microsoft. That way you could install the proper BitLocker.
Renee -
I just used TC and encrypted the whole drive minus hidden partitions/mbr etc. Seems to be working fine. Didn't benchmark but if it's not noticeably slower to me I don't really care. The Intel SSD Toolbox seems to be working.. I don't know if TRIM commands are reaching the drive or not though. But I'll have a new one before this thing dies.
Implementing FDE
Discussion in 'Lenovo' started by MAA83, Nov 30, 2010.