i recently bought an intel 520 series drive which has advertised support for hardware disk encryption based on the ata security feature set. thinkpads have long had support for issuing ata security feature set commands during boot in order to lock and unlock these drives. this means that you end up with transparent full disk encryption based on a password entered at the bios, which is pretty great. i’ve been doing this for a while with an intel 320 series drive.
turns out that there is some weird incompatibility between intel’s 520 series drives and lenovo’s bios, however. the bios is unable to set the drive password. lenovo blames intel, intel blames lenovo. typical mess. that’s not what this post is about.
the obvious solution to the issue of the bios being unable to set the drive password is to use hdparm to do this (from a livecd or so).
that idea isn’t working out so well.
it turns out that thinkpads use some proprietary hashing algorithm for passwords that you enter into the bios that makes them incompatible with just about everything else. after quite a lot of googling, i find that this incompatibility exists between thinkpads and hdparm, thinkpads and other laptops, between different models of thinkpads (t60 was a strange one, apparently), between thinkpads and themselves if you change certain bios options (something about “use passphrase”), and (as reported by one poor soul) a thinkpad and itself if you upgrade the firmware.
take note: if you are using an ata password with a thinkpad bios and you value your data then you should not assume the data on your drive will be accessible if your machine dies (unless you have an exact duplicate of the machine). backups.
one other thing that i notice is that the passwords entered into the bios of (at least my) thinkpad t420 are case insensitive. this suggests to me that at least *some* form of mangling is in use. i tried the obvious idea of using an all-lowered or all-capsed password to hdparm; it didn’t work.
my question for the lazyweb: does anyone know what algorithm/hash a t420 would be using to turn the password i type into its bios into an ata command? the ata security feature set doesn’t say much about the exact format of passwords other than that they are a 16 word (32 byte) field. for reference, hdparm appears to be using a direct memcpy() and padding with nul bytes up to 32 characters.
This is the same argument some people say about hardware RAID vs. (OpenSource) software RAID… I can see their point.
I don’t know about the algorithm but my understanding its that when the ThinkPad firmware has an paraphrase option it has a TPM module so the passphrase is used to access a generated key inside it, and when you use a passphrase to protect the hard drive it becomes unreadable on other computer
I investigated that a bit for old Dell Latitudes: http://thaeial.blogspot.com/2013/01/locking-and-unlocking-hdd-with-dell.html. Newer latitudes use the raw password similar to hdparm.
The case-insensitive part hints at that the Lenovos also only use the scan-codes of the keys, and not the letters themselves.