[BBLISA] Looking for FDE single system windows 8

Daniel Feenberg feenberg at nber.org
Mon Jan 26 14:45:03 EST 2015



On Mon, 26 Jan 2015, John Orthoefer wrote:

>
> Basically as long as you use WinTel Hardware you are okay AppleTel 
> hardware doesn’t work.

>
> The way it works, in a nutshell is PC BIOS probes the SATA drives.  If 
> the “boot drive” says “Hi, I’m here but locked.” The BIOS prompts for a 
> password, the password is passed to the drive to unlock and decrypt the 
> Drive Key.  The drive is pretty much set up with some block encryptor 
> (AES-256, I think) just before the write head.  So the drive is always 
> “Encrypted” it’s just if the controller board on the drive has access to 
> the decrypted key.

Many website say that only a few Wintel motherboards support SED. Let me 
Many websites say that most laptops and few desktops support SED. be 
clear- you are saying that those websites are wrong? Some say that all 
motherboards support an ATA password, but that it is not effective.  I 
can't tell if they mean that "the ATA password doesn't set the encryption 
password" or "the ATA password doesn't protect against keyloggers". Any 
opinion on that?

Many websites say that special software is required to "manage" SED 
drives, but I can't tell if they mean such software is required for a 
single isolated computer, or is necessary for centralized support.

Many websites say that the drive supplies a special MBR on power-up that 
prompts for the password, but I haven't found any indication of how an SED 
password would be set without the special software mentioned above.

I have to say that I have learned nothing useful in several hours of 
study. I guess what I would really like to know, is

1) Will any recent random MB purchased at Micro Center allow me to
    turn on and use encryption on an SED drive.

2) Will I need additional software or is the additional software a
    substitute for an advanced MB.

Seems like those are basic questions, but no answers.

daniel feenberg

>
> There are Linux utilities for doing things like “regenerating the key” 
> which causes the disk to be “erased” (the Key Material and the Password 
> used to encrypt the drive are different.)  Yes it doesn’t prevent 
> someone from intercepting the password between the keyboard and the 
> drive (The assumption is the path from the keyboard though the BIOS and 
> out the SATA port are all secure.)  But if that is your worry. you need 
> a better solution than OPAL or even S/W encryption.
>
> You also need to make sure the person at least hibernates the machine, 
> at least the Dell systems, if you hibernate, the drive “locks” and the 
> BIOS will reprompt you to unlock the drive to resume.  Better is to 
> power down the machine while it is outside of your control.
>
> Does that make sense?
>
> johno
>
>
>> On Jan 23, 2015, at 4:34 PM, Daniel Feenberg <feenberg at nber.org> wrote:
>>
>>
>>
>>
>> On Fri, 23 Jan 2015, John Orthoefer wrote:
>>
>>> I’ve been getting OPAL Self encrypting drives.  Since we support so many OSes finding a solution that works for everything has been hard.  But OPAL on any standard PC hardware should just work.
>>
>> Can you say something about how the self-encrypted system appears to users? When do they enter the password? What software asks for the password? Is it an alternate boot loader? You mention that any standard PC hardware should work, but sometimes I have seen it said that the BIOS must support encryption - is that false or an alternative arrangement? How is the password established? Is there a Windows program that one runs to turn on encryption and establish the key? Is there a similar Linux program? Can a drive move from Windows to Linux without losing the data?
>>
>> The vendor literature is long on the benefits, but short description.
>>
>> Daniel Feenberg
>> NBER
>
>


More information about the bblisa mailing list