[BBLISA] Looking for FDE single system windows 8
John Orthoefer
jco at direwolf.com
Mon Jan 26 09:57:52 EST 2015
Basically, as long as you use WinTel hardware you are okay; AppleTel hardware doesn’t work.
The way it works, in a nutshell, is: the PC BIOS probes the SATA drives. If the “boot drive” says “Hi, I’m here but locked,” the BIOS prompts for a password; the password is passed to the drive to unlock and decrypt the drive key. The drive is pretty much set up with some block encryptor (AES-256, I think) just before the write head. So the drive is always “encrypted”; it’s just a question of whether the controller board on the drive has access to the decrypted key.
There are Linux utilities for doing things like “regenerating the key,” which causes the disk to be “erased” (the key material and the password used to encrypt the drive are different). Yes, it doesn’t prevent someone from intercepting the password between the keyboard and the drive (the assumption is that the path from the keyboard through the BIOS and out the SATA port is all secure). But if that is your worry, you need a better solution than OPAL or even S/W encryption.
You also need to make sure the person at least hibernates the machine; at least on the Dell systems, if you hibernate, the drive “locks” and the BIOS will re-prompt you to unlock the drive to resume. Better is to power down the machine while it is outside of your control.
Does that make sense?
johno
> On Jan 23, 2015, at 4:34 PM, Daniel Feenberg <feenberg at nber.org> wrote:
>
> On Fri, 23 Jan 2015, John Orthoefer wrote:
>
>> I’ve been getting OPAL Self encrypting drives. Since we support so many OSes finding a solution that works for everything has been hard. But OPAL on any standard PC hardware should just work.
>
> Can you say something about how the self-encrypted system appears to users? When do they enter the password? What software asks for the password? Is it an alternate boot loader? You mention that any standard PC hardware should work, but sometimes I have seen it said that the BIOS must support encryption - is that false or an alternative arrangement? How is the password established? Is there a Windows program that one runs to turn on encryption and establish the key? Is there a similar Linux program? Can a drive move from Windows to Linux without losing the data?
>
> The vendor literature is long on the benefits, but short on description.
>
> Daniel Feenberg
> NBER
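The key handling John describes (the drive always encrypts with its own media key, the BIOS-supplied password only unwraps that key, hibernate or power-off makes the controller forget it, and "regenerating the key" is the erase) can be modelled in a few dozen lines. The following is an added example written for this archive page, not code from the thread, from any OPAL tool, or from a drive vendor. The `SelfEncryptingDrive` class, its method names, the PBKDF2 parameters and the HMAC-based stream cipher are all constructed for illustration; the stream cipher stands in for the drive's AES-256 engine and is not the real algorithm.

```python
"""Toy model of an OPAL-style self-encrypting drive (SED) key hierarchy.

Added example, not from the original thread. It models only the key
handling the post describes: user data is always ciphertext under a media
key generated inside the drive, the password wraps that key rather than
encrypting data, hibernate/power-off drops the unwrapped key, and
regenerating the media key is the crypto-erase.
"""
import hashlib
import hmac
import os

_KDF_ITERATIONS = 50_000  # constructed value; real drives use their own KDF


def _keystream_xor(key: bytes, tweak: int, data: bytes) -> bytes:
    """Stand-in for the drive's AES-256 engine: an HMAC-SHA256 keystream in
    counter mode, tweaked by sector number, XORed over the data. Symmetric,
    so the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = tweak.to_bytes(8, "big") + offset.to_bytes(8, "big")
        block = hmac.new(key, counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class SelfEncryptingDrive:
    """Controller-side model: the platters only ever hold ciphertext."""

    def __init__(self):
        self._live_key = os.urandom(32)  # media key, generated inside the drive
        self.salt = os.urandom(16)
        self.wrapped_key = None          # media key wrapped by the password KEK
        self.platters = {}               # LBA -> ciphertext

    def _kek(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, _KDF_ITERATIONS)

    @property
    def locked(self) -> bool:
        return self._live_key is None

    def set_password(self, password: str) -> None:
        """Enable locking: wrap the media key; user data is not rewritten."""
        if self.locked:
            raise PermissionError("drive locked")
        kek = self._kek(password)
        wrapped = _keystream_xor(kek, 0, self._live_key)
        tag = hmac.new(kek, wrapped, hashlib.sha256).digest()  # detects wrong passwords
        self.wrapped_key = wrapped + tag

    def power_cycle(self) -> None:
        """Power-off or hibernate: the controller forgets the unwrapped key."""
        if self.wrapped_key is not None:
            self._live_key = None

    def unlock(self, password: str) -> bool:
        """What the BIOS prompt feeds the drive at boot or resume."""
        if self.wrapped_key is None:
            return True  # locking never enabled
        kek = self._kek(password)
        wrapped, tag = self.wrapped_key[:32], self.wrapped_key[32:]
        if not hmac.compare_digest(hmac.new(kek, wrapped, hashlib.sha256).digest(), tag):
            return False
        self._live_key = _keystream_xor(kek, 0, wrapped)
        return True

    def write(self, lba: int, data: bytes) -> None:
        if self.locked:
            raise PermissionError("drive locked")
        self.platters[lba] = _keystream_xor(self._live_key, lba, data)

    def read(self, lba: int) -> bytes:
        if self.locked:
            raise PermissionError("drive locked")
        return _keystream_xor(self._live_key, lba, self.platters[lba])

    def change_password(self, old: str, new: str) -> bool:
        """Re-wrap the same media key under a new password; no re-encryption."""
        if not self.unlock(old):
            return False
        self.set_password(new)
        return True

    def crypto_erase(self) -> None:
        """The "regenerate the key" operation: old ciphertext stays on the
        platters but is unreadable under the new key; locking is cleared."""
        self._live_key = os.urandom(32)
        self.wrapped_key = None


def demo() -> dict:
    """Walk the lifecycle from the post and return the observed facts."""
    drive = SelfEncryptingDrive()
    secret = b"payroll.xlsx contents"  # constructed sample data
    drive.write(7, secret)             # encrypted even before a password exists
    drive.set_password("hunter2")      # enabling locking does not rewrite LBA 7
    drive.power_cycle()                # hibernate / power down: drive locks
    r = {"locked_after_cycle": drive.locked, "wrong_password": drive.unlock("hunter3")}
    try:
        drive.read(7)
        r["read_while_locked"] = "allowed"
    except PermissionError:
        r["read_while_locked"] = "refused"
    r["right_password"] = drive.unlock("hunter2")
    r["plaintext_back"] = drive.read(7) == secret
    r["platter_is_ciphertext"] = drive.platters[7] != secret
    before = drive.platters[7]
    drive.change_password("hunter2", "correct horse battery staple")
    r["data_untouched_by_password_change"] = drive.platters[7] == before
    drive.power_cycle()
    r["new_password_works"] = drive.unlock("correct horse battery staple")
    drive.crypto_erase()               # "regenerate the key"
    r["old_data_gone"] = drive.read(7) != secret
    return r
```

Run `demo()` to see every claim in the post hold in the model: reads are refused while locked, a wrong password is rejected, changing the password leaves the ciphertext on the platters byte-for-byte the same, and regenerating the media key makes the old data unreadable without touching the platters. The model also shows the caveat: a drive that was never power-cycled after use still holds the unwrapped key, which is why hibernate or power-off matters.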