
Full Disk Encryption Hard Disk Drive Frequently Asked Questions

www.lenovo.com/support/fde

 

What is Full Disk Encryption (FDE)?
FDE is a method for encrypting hard drives in such a way that all data on the drive is always encrypted, without the use of third-party encryption solutions.

How do I enable encryption?
There is no need to enable encryption. FDE drives always encrypt data on the disk. No initial setup is required. In fact, it is not possible to disable encryption on an FDE hard drive.

What encryption algorithm is used, and what is the key strength?
FDE drives use 128-bit AES encryption.

Can I back up the encryption keys?
No, there is no way to back up the encryption keys. There is no way to even know what key is being used to encrypt the drive. The key is generated and maintained by the drive itself and cannot be retrieved.

Can I move an encrypted drive to another ThinkPad and still access the data?
Yes. The encryption key is not system specific. Since the key is maintained by the drive, it is possible to move the drive to another system and still access the data.

If the key is on the drive, how do I prevent would-be thieves from stealing the data off my drive?
To completely protect your data, it is absolutely vital that a hard drive password be set. This can be a user password or both a user and master password. The hard drive password prevents unauthorized users from booting the drive and accessing your data, while full disk encryption prevents more sophisticated attacks, such as attempting to retrieve data directly from the drive's platters.

Can the encryption key be changed?
The encryption key can be regenerated within the BIOS; however, doing so will make all data inaccessible, effectively wiping the drive. To generate a new key, use the option listed under Security -> Disk Encryption HDD in the system BIOS.

I don't see that option in my ThinkPad's BIOS. Why not?
There are two reasons the Disk Encryption menu will not appear in the BIOS:
1. The drive in the system is not an FDE hard drive
2. The menu option has not been enabled
Since the BIOS menu is dynamic, the Disk Encryption menu will not be displayed if an FDE drive is not present. However, if your system does have an FDE drive, but the menu still does not appear, the menu option must be enabled using the following utility.

BIOS Setup Menu Extension Utility for Resetting the Cryptographic Key

Which ThinkPad notebooks can use FDE drives?
Any ThinkPad notebook that uses Serial ATA (SATA) hard drives can use an FDE drive; however, the FDE menu enable utility is only supported on some systems. Refer to the BIOS Setup Menu Extension Utility download page for a list of supported systems.

Will changing the Master or User hard drive password change the FDE key?
No. The hard drive passwords have no effect on the encryption key. The passwords can safely be changed without risking loss of data.

Can a user accessing the BIOS with the User password regenerate the encryption key?
Only if a Master password has not been set. If only a User password has been set, this password can be used to access the BIOS and regenerate the FDE key. However, if both a User and Master password have been set, the Master password is required to regenerate the key.

For enterprises, it is recommended that administrators set both User and Master passwords to avoid accidental destruction of data by end users.

 

Additional product information
Lenovo Support: Hard Drives: Reference Guide - A list of notebook hard drives, including hard disk drives (HDDs) and solid state drives (SSDs) that support FDE.
www.lenovo.com/accessoriesguide - Information on options, including the Option Compatibility Matrix (OCM)
Personal Systems Reference (PSREF) - Comprehensive information on the features and technical specifications of Lenovo products.

  • Alias ID: MIGR-69621
  • Document ID: HT002240
  • Last Updated: 2014-06-23 7:10:46 PM