Setting up full disk encryption on Lenovo ThinkPad Carbon X1

My client has a Lenovo ThinkPad Carbon X1 Type 20BS-CT01WW running Windows 7 Pro 64-bit.  The CPU is an Intel i7-5600U with 8GB of RAM. The C drive is a 500GB Samsung MZHPV512HGL-000L1 SSD.

The data must be HIPAA compliant. Is full disk encryption the best way to protect the data with the least loss of computing power?    

In the bios there is
1. Supervisor password.
2. Power on password.
3. If I go into Hard Disk1 Password I can select user and master passwords.

What passwords should I set and how difficult should the passwords be?  I want to protect the data without making it too difficult for the client to use his new laptop.  Can the passwords all be the same?  I need a step by step procedure for setting the laptop up.
Thanks,
Alan
Alan Silverman (Owner) asked:

John (Business Consultant, Owner) commented:
If you are in control of the laptop (so no workers or friends can use it), then I think Power ON password is really good protection. If the machine is off, no one but you can start it. If the machine is lost, it is useless. And once started, there is no performance penalty. This is what I do and my machine and contents are safe.

Encryption works, of course. I just do not see a need.
Lee W, MVP (Technology and Business Process Advisor) commented:
You NEED encryption in my opinion.  HIPAA is a VAGUE thing that doesn't specify exactly what you must do, but DOES hold the IT personnel AND the medical provider JOINTLY LIABLE.  

If I want to steal whatever patient data is on that drive, I might just yank it from the machine and slave it to another system.  If that still required the hard drive password, I'd send it to data recovery.  Relatively expensive, but if it's not encrypted, I get EVERYTHING.

I would suggest upgrading the laptop to Windows 8.1 and use BitLocker if it has a TPM.  If not, I'd suggest looking into third-party disk encryption products - there are several on the market.  As IT for a company with PHI, I wouldn't want any valid accusations against me that I didn't do all that was potentially reasonable to protect someone's PHI.
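The BitLocker path Lee W recommends, as an added example that is not part of the original thread and not Lenovo or Microsoft material: a PowerShell script that checks for a usable TPM, turns BitLocker on for C: with a TPM protector and a numerical recovery password, and lists the protectors for verification. It uses manage-bde rather than the BitLocker cmdlets so that it also runs on Windows 7 Ultimate/Enterprise (the upgrade McKnife mentions later), not only on 8.1/10 Pro. It assumes a TPM enabled in the ThinkPad BIOS, an elevated prompt, and removable media at the assumed path $RecoveryDir that will be kept away from the laptop.

```powershell
# Added example (not code from the thread, Lenovo or Microsoft): BitLocker on the
# OS drive with a TPM protector plus a numerical recovery password, via manage-bde
# so it works on Windows 7 Ultimate/Enterprise and on 8.1/10 Pro alike.
# Run from an elevated PowerShell prompt.
$Drive       = 'C:'
$RecoveryDir = 'E:\bitlocker-recovery'   # ASSUMED path: removable media, never the drive being encrypted

# 1. TPM check.  The BIOS supervisor, power-on and hard-disk passwords encrypt
#    nothing; BitLocker without a TPM would need a USB startup key on every boot.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm) {
    throw 'No TPM visible to Windows. Enable it under Security in the ThinkPad BIOS, or use a third-party FDE product.'
}
if (-not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsActivated().IsActivated) {
    throw 'TPM present but not enabled/activated in BIOS.'
}
if (-not $tpm.IsOwned().IsOwned) {
    # Windows 8 and later take ownership automatically; on Windows 7 do it in tpm.msc first.
    throw 'TPM is not owned yet; initialize it before turning BitLocker on.'
}

# 2. Turn BitLocker on.  With a usable TPM, manage-bde adds the TPM protector on
#    its own; -RecoveryPassword adds a 48-digit numerical password and prints it
#    once.  AES-256 instead of the default 128-bit: the i7-5600U has AES-NI, so
#    the cost is negligible.  -SkipHardwareTest is deliberately NOT used: the
#    reboot test catches a TPM/boot configuration that would lock the user out.
if (-not (Test-Path -LiteralPath $RecoveryDir)) {
    New-Item -ItemType Directory -Path $RecoveryDir | Out-Null
}
$result = & manage-bde -on $Drive -RecoveryPassword -EncryptionMethod aes256
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed:`n$($result -join "`n")" }
# Keep the printed recovery password off the laptop: this file goes to the removable media only.
$result | Out-File -FilePath (Join-Path $RecoveryDir 'C-recovery-password.txt') -Encoding ASCII
$result

# 3. Verify: the protector list must show both "TPM" and "Numerical Password".
#    Status reads "Encryption in Progress" after the reboot and "Fully Encrypted"
#    once done; only then is a pulled drive useless to whoever takes it.
& manage-bde -protectors -get $Drive
& manage-bde -status $Drive
Write-Host 'Reboot now to run the BitLocker hardware test; encryption then continues in the background.'
```

The BIOS passwords from the question can still be set on top of this: a supervisor password keeps someone from switching the TPM off in the BIOS, but it protects settings, not data. The item that must be kept safe is the recovery password, because a firmware update or mainboard replacement changes the TPM measurements and BitLocker will ask for it at boot.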
McKnife commented:
Researching that model (you made a typo, it seems to be MZHPU512HCGL-000L1, right?), it does now seem to provide self-encryption and would need software encryption. Either BitLocker (after upgrading to 8.1, see LeeW), or stay with Win7 and take CipherShed, VeraCrypt or DiskCryptor.
Having no encryption is not an option in a secured environment. In fact, it is the very base of any secured system.

Alan Silverman (Owner, Author) commented:
McKnife, thanks for correcting me on the model number.  You're right.  It’s MZHPU512HCGL-000L1

Actually John, Lee and McKnife, I was looking for specific answers to the questions I posed (see above).

If I can trust full disk hardware encryption that’s clearly the best way to go.  Better than screwing around with software and encrypting individual files and directories.  My client must have encryption, otherwise someone could just take the hard drive out of the laptop and make it a slave and grab the data, even if those files have been deleted. The data is still there so it must be encrypted.  

So,
1. Can I trust this hardware encryption if I set it up right? (I'm pretty sure the answer is yes.)
2. Which passwords do I set, and can I use the same password for all of them, since remembering passwords is a pain, especially for someone who’s not comfortable with computers?  By the way, I’m pretty sure from my reading that we want both a User and Master password set.

Thanks,
Alan
Lee W, MVP (Technology and Business Process Advisor) commented:
It appears you're having trouble understanding my point without it clearly associating to the questions you've asked.  Thus:

The data must be HIPAA compliant. Is full disk encryption the best way to protect the data with the least loss of computing power?    

You NEED encryption in my opinion.  HIPAA is a VAGUE thing that doesn't specify exactly what you must do, but DOES hold the IT personnel AND the medical provider JOINTLY LIABLE.  

If I want to steal whatever patient data is on that drive, I might just yank it from the machine and slave it to another system.  If that still required the hard drive password, I'd send it to data recovery.  Relatively expensive, but if it's not encrypted, I get EVERYTHING.

I would suggest upgrading the laptop to Windows 8.1 and use BitLocker if it has a TPM.  If not, I'd suggest looking into third-party disk encryption products - there are several on the market.  As IT for a company with PHI, I wouldn't want any valid accusations against me that I didn't do all that was potentially reasonable to protect someone's PHI.

In the bios there is
1. Supervisor password.
2. Power on password.
3. If I go into Hard Disk1 Password I can select user and master passwords.

What passwords should I set and how difficult should the passwords be?  I want to protect the data without making it too difficult for the client to use his new laptop.  Can the passwords all be the same?  


Because I said you need encryption, the above is irrelevant since it does NOT provide full disk encryption. If the password for the hard drive is at the controller level and not actually on the hard drive then pulling the drive means data is accessible.  And even if it is on the hard drive, data recovery companies may still be able to recover it.  Otherwise, you're not protecting data by ensuring someone can't change settings.  If there's a TPM and you encrypt with BitLocker or use another third party program, then the data is protected.  Passwords to settings don't do anything but annoy someone.  (And no, you can't turn off the TPM and access the data - it's been encrypted.  You can use a recovery key but that's it).
McKnife commented:
LeeW is right; that password is not an encryption password.
I wrote before (but made a typo): "MZHPU512HCGL-000L1... does not seem to provide self-encryption and would need software encryption". So again: no hardware encryption possible with that device.
Alan Silverman (Owner, Author) commented:
I saw that hard drive password in the bios and I was hoping that would provide encryption. Unfortunately going to 8.1 is not an option.  The customer hates Windows 8 with a passion. So third party software it is.
Thanks,
Alan
McKnife commented:
In less than 2 months, Win10 is out, a free upgrade for you. So BitLocker will be an option soon.
John (Business Consultant, Owner) commented:
Windows 8.1 works fine and can be made to look and work like Windows 7. No reason to avoid it.

http://www.experts-exchange.com/articles/16620/Ways-to-improve-Windows-8.html
Alan Silverman (Owner, Author) commented:
McKnife,
I try to give new releases some time before applying them.  This served me well with Vista and Windows 8.  
John,
If this customer hadn't told me he almost threw his Windows 8 machine out a second floor window, that might be an option. I've been putting Classic Shell on customers' systems from the very beginning of Windows 8.  I still prefer Windows 7 though.  He tried TrueCrypt too, and won't hear of that.  I've got second thoughts about the TrueCrypt interface. I was a programmer and debugger at IBM. I always thought software engineers were clueless as to what the average user experiences and that's the great tragedy of the PC.
I think it will have to be some other kind of software.  I am a bit ticked at Lenovo though.  This machine cost my customer more than $2,000.  It should have hardware encryption. But then he didn't ask me to consult when he bought it.
Gotta make do with what you've got.
Thanks,
Al
McKnife commented:
You know what: you make it kind of hard :)

Not adopting Win10 too soon - OK with that.
Not liking Win8.x - OK, too.
Not liking TrueCrypt because of usability - why? The user does not encrypt; he will never even see the presence of TC. He will simply enter his password to start his fully encrypted machine.
Alan Silverman (Owner, Author) commented:
McKnife,

You know what: you make it kind of hard :)

True.  But my customer base makes it hard on me.  Most of them got to computers late in life.  I'm not a Mac guy so I don't know if Macs would serve them better.  At their age change is not easy, any change, so I'm not going to push them into Linux or Macs.  But it is still true after all these years:  If cars were PCs you would have to be a mechanic to drive one.  Plus, (with a view to Windows 8) General Motors could decide to put the steering wheel in the back seat on your next model, just for the fun of it.

TrueCrypt?   Maybe I'll take another look at that. Failing that, any suggestions on other encryption software I should look into?

Lee W.  I appreciate your help.  Concerning your quote,  

It appears you're having trouble understanding my point without it clearly associating to the questions you've asked.  

I’ve been studying human communication for decades. After I began working in Assembler Language code I started listening to people talk at parties and other public places, the actual words people speak. I realized then that most of what passes for human communication is really non sequiturs.  Few people actually listen to what other people say. We hear a few words and then begin to free associate.

Because computers demand precision (input this parameter exactly this way) I put great effort into my questions. The idea being to get people to respond, point by point, to precisely the questions I ask. For the most part this has been a futile waste of my time.  It doesn’t matter how clear my questions are, people respond with their automatic riffs.  

Recently this has seemed to happen more and more often at Experts Exchange.  I’m a polite person and greatly appreciate whatever help people give me. Though I pay for premium service, it isn’t much and most of you are unpaid volunteers. But lately with many questions I’ve asked, the individual who responded could not possibly have actually read what I wrote.  Given the Turing Test, I can’t even be sure I was communicating with another human being.

That’s not true of this question and the individual experts here. I have communicated with all of you many times. I understand how truly knowledgeable you are and am appreciative of all the help you give me.  
Thanks,
Al
McKnife commented:
"any suggestions on other encryption software I should look into?" - sure. Look at DiskCryptor or VeraCrypt; both are free, too. You could also buy an upgrade to Win7 Ultimate (no new installation needed, just an upgrade installation); then you could keep Win7 but use BitLocker.

"Few people actually listen to what other people say. We hear a few words and then begin to free associate." - I have a huge forum experience and I think the same way - it is really astounding.

Alan Silverman (Owner, Author) commented:
You could also buy an upgrade to Win7 Ultimate (no new installation needed, just an upgrade installation); then you could keep Win7 but use BitLocker.

That is a great suggestion.  I will look into it.  But I'm also going to put Win10 on two of my test machines and play with it, and play with TrueCrypt too.
Thanks,
Al
McKnife commented:
OK. Be aware that Win8.x and Win10 by default use GPT partition tables (not MBR) and UEFI (if the mainboard allows it). Consequence: if you would like to use anything other than BitLocker (which supports GPT), you will either need to find something with GPT support or stay away from GPT installations (or stay with Win7 forever), because TrueCrypt and many others are still not willing to cooperate with GPT.
Natty Greg, In Theory (IT), commented:
You can use software encryption, and you will find no lag in performance.
Alan Silverman (Owner, Author) commented:
McKnife,
I generally go with MBR whenever I can.  Any reason to use GPT and UEFI rather than MBR?
Thanks,
Al
Lee W, MVP (Technology and Business Process Advisor) commented:
GPT is required for drives larger than 2 TB if you want to access all the useable space.  UEFI is more secure than BIOS.
McKnife commented:
MBR partitions cannot exceed 2 TB, but drives larger than that can be used with MBR formatting by using multiple partitions.

Inform yourself about Secure Boot. SB is something you would want for encryption security.
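The GPT/UEFI point McKnife raised earlier and the Secure Boot remark just above, as an added example that is not part of the thread: a read-only PowerShell check of the facts that decide which full-disk-encryption product a Windows 8.1/10 install can use, namely firmware type, partition style of the system disk, Secure Boot state and TPM readiness. It assumes Windows 8 or later (the Storage, SecureBoot and TrustedPlatformModule modules it calls do not exist on Windows 7) and an elevated prompt. Get-FdeBootFacts is a name chosen for this example, not a built-in cmdlet.

```powershell
# Added example (not from the thread): report boot/partition facts relevant to
# choosing a full-disk-encryption product.  Windows 8 or later, elevated prompt.
# Nothing in this script changes a setting.
function Get-FdeBootFacts {
    $facts = [ordered]@{}

    # UEFI vs legacy BIOS.  $env:firmware_type is "UEFI" or "Legacy" on Windows 8+.
    $facts.FirmwareType = $env:firmware_type

    # Partition style of the disk that holds C:.  BitLocker handles GPT; the
    # TrueCrypt-era tools want MBR, as noted in the thread.
    $sysDisk = Get-Partition -DriveLetter 'C' | Get-Disk
    $facts.SystemDiskPartitionStyle = [string]$sysDisk.PartitionStyle

    # Secure Boot can only be queried when the machine booted via UEFI; the cmdlet
    # throws on a legacy BIOS boot, so that case is reported rather than failing.
    try {
        $facts.SecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $facts.SecureBoot = 'n/a (legacy BIOS boot)'
    }

    # TPM present and ready for BitLocker?  Get-Tpm returns an object with
    # TpmPresent = $false on machines without one rather than erroring.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $facts.TpmPresent = if ($tpm) { [bool]$tpm.TpmPresent } else { $false }
    $facts.TpmReady   = if ($tpm) { [bool]$tpm.TpmReady }   else { $false }

    [pscustomobject]$facts
}

$f = Get-FdeBootFacts
$f | Format-List

if ($f.FirmwareType -eq 'UEFI' -and $f.SystemDiskPartitionStyle -eq 'GPT') {
    Write-Host 'UEFI/GPT install: BitLocker is fine; confirm GPT support before choosing VeraCrypt, DiskCryptor or CipherShed.'
    if ($f.SecureBoot -ne $true) {
        Write-Warning 'Secure Boot is off. Turn it on in the BIOS (and set a supervisor password so it stays on) before relying on BitLocker.'
    }
} else {
    Write-Host 'Legacy BIOS/MBR install: BitLocker and the TrueCrypt-family tools all work here; Secure Boot is not available in this mode.'
}
if (-not $f.TpmReady) {
    Write-Warning 'TPM not ready: BitLocker would need a USB startup key, or the TPM must be enabled/initialized first.'
}
```

Run it before and after changing BIOS settings: the useful combination for BitLocker on this machine is FirmwareType UEFI, PartitionStyle GPT, SecureBoot True and TpmReady True, with the BIOS supervisor password set so that a thief cannot simply switch Secure Boot or the TPM off.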
Alan Silverman (Owner, Author) commented:
Thanks to everyone for all your help. You've made my customer happy and that makes me happy.
Al