Re: Question related to FDE (Full Disk Encryption) solution under Linux Debian Lenny
Morning Matthieu,
Thanks for your quick feedback much appreciated ! ^_^
Indeed, the FDE solution depends on your motherboard's technology and can't be implement on any standard motherboard. :o)
Thanks a lot for your help on this.
Thomas NGUYEN VAN
----- Original Message -----
From: "Mathieu Simon" <Mathieu.Simon@koeniz-lerbermatt.ch>
To: "Thomas Nguyen Van" <t.nguyenvan@jumper.ie>, debian-security@lists.debian.org
Sent: Monday, January 24, 2011 9:45:59 AM GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Question related to FDE (Full Disk Encryption) solution under Linux Debian Lenny
Hi Thomas
Actually I do have a Thinkpad with an FDE SSD from Toshiba with a similar concept as I was able to understand it.
I've looked over the doc and Seagate offers 2 ways how to access the drive: Either by software driver
(which is OS dependent) or use BIOS integration which is then OS-independent.
Second way is exactly how Lenovo integrated the FDE disk on my laptop: The key is generated using the BIOS
and can be protected by a password, by default it seems to be just an empty key, but data is transparently
encrypted on the disk.
So when you change the password, Lenovo warns you about this, a new encryption key is generated. Which
results in the fact that you can't access the already-present data on the disk anymore since they were encrypted with
the previous key.
This solution is OS agnostic but highly dependent on the hardware manufacturer and as it was already written:
When the board is bricked you lose your data unless you were able to backup the key, which is not
always possible. Non-FDE SSD wasn't available in the size I wanted it from Lenovo at the time I bought it.
Maybe check out this: http://www.thinkwiki.org/wiki/Full_Disk_Encryption_%28FDE%29
- Mathieu
Reply to: