[BBLISA] whole disk encryption
Edward Ned Harvey
bblisa4 at nedharvey.com
Wed Aug 25 10:07:45 EDT 2010
> From: bblisa-bounces at bblisa.org [mailto:bblisa-bounces at bblisa.org] On
> Behalf Of John Orthoefer
>
> This is where the "hook" is for FDE drives. So it is encrypted if you
> have a self encrypting drive. But if you don't have an encrypting
> drive. It's up to the BIOS to enforce the password.
Either I'm misunderstanding you, or I have to simply respond: "No, no, no."
In all my Dell Latitude and Precision laptops, for the last approx 5-6
years, the following options are available in BIOS, and I just never
bothered reading them. Please read them. Particularly the "admin" and
"HDD" passwords are interesting:
*** Admin Password
Restricts changes to BIOS
Restricts boot devices
Prohibits change of password or asset tags
If admin password is set before system password or HDD password, then admin
password allows you to delete the system or HDD password. For this reason,
you cannot set an admin password if a system password or HDD password is
already set.
*** System Password
When this password is set, it requires the password be entered when the
system is powered on (including when restarting from StandBy.)
*** Internal HDD Password
When an HDD password is set, it travels with the hard disk, so the disk is
protected even if it is placed into another computer. You must enter the
password for a protected HDD whenever the drive is powered on (including
when restarting from StandBy.) If you do not enter the correct password,
the HDD will simply not function. It will remain in this state until the
system is powered off and powered on again, and the correct password is
entered.
*** TPM Security
When enabled, the BIOS will turn on the TPM during POST so that it can be
used by the operating system.
> This is where the "hook" is for FDE drives. So it is encrypted if you
> have a self encrypting drive. But if you don't have an encrypting
> drive. It's up to the BIOS to enforce the password.
The point that I'm taking from above is: If a HDD password is set, then the
drive will simply refuse to work, unless the BIOS has the capability of
understanding that the drive has a password, and you're able to provide the
correct password. It is NOT up to the BIOS to enforce the password. The
HDD itself enforces the password. It's up to the BIOS to humbly talk to the
HDD in a nice and kind voice, hat in hand, "Please, HDD, will you work with
me? The user says the password is ..."
I presume the HDD pass is stored on the HDD circuit board. In which case,
you could forcibly unlock the drive (possibly) by replacing the circuit
board. Or by disassembling in a clean room.
> As far as nothing to do about it. Turns out Dell can generate a
> OTP/Key based off the "serial number" presented at boot up.
What you talkin' 'bout Willis?
More information about the bblisa
mailing list