"Hard Disk Password" in ThinkPad BIOS

Solution 1:

The ThinkPad HD password is not linked to TPM as noted earlier.

However the HD password is stored on the drive.

It is not easily defeated. If you move the drive to another computer, you will need the HD password to access the drive.

Removing the BIOS password (if there is one) does not change the above statement.

I have been using the Lenovo HD Password for years and two laptops here have that function enabled. I also have the BIOS user password set to the same value. No one but me can start my computers (even with a bootable USB Key).

Solution 2:

Following @John's answer, I did a few tests, and here are the results.

First set a "Hard Disk1 Password" on HDD1 of ThinkPad A, and take the disk out (in my case a Samsung SSD).

  1. Put it in ThinkPad B, as internal hard drive

    • the password is asked on ThinkPad B startup, so this confirms that the password protection is written somewhere on the disk and not only in ThinkPad A's BIOS

    • if we don't enter the correct password, no boot is possible (it's not possible to bypass this and continue the boot with the other internal HDD)

  2. Put it in ThinkPad B, in the "HDD caddy" tray, hotplug-style, after Windows startup: the disk is not available, it does not even appear in the partitions of diskmgmt.msc; the blocking seems to be low-level

  3. Connect it to ThinkPad B, as a USB external drive, with a USB-SATA cable, after Windows startup: same as 2.

  4. Connect it to ThinkPad B, as a USB external drive, with a USB-SATA cable, before boot: the boot of ThinkPad B is slowed down / nearly crashing (?)

  5. Connect it to a PC other than a ThinkPad (e.g. a PC with a BIOS that does not support HDD Password), as internal drive, before boot:

    • The disk is visible in the devices (example: from BIOS boot menu)

    • lsblk shows /dev/sdb 931 GB, but no partition is detected (no /dev/sdb1, /dev/sdb2, etc.)

  6. Connect it to a PC other than a ThinkPad, as USB drive (with a USB-SATA cable): no partition visible

  7. Connect it to ThinkPad B internally, enter the password, go to BIOS and remove the password. Then connect it to ThinkPad A: the password is indeed removed, as expected.

So it looks like a good protection technique, not easily bypassable.


PS:

  • I still haven't found the name of this protection technique. Is it a standardized feature? Is it available from all HDD/SSD manufacturers or not? As it is an HDD feature understood by both the HDD manufacturers and the ThinkPad BIOS, it surely has a precise name and specifications. Comments about this welcome!

  • Update: The password can be disabled from another non-ThinkPad computer. See:

    • https://blog.georgovassilis.com/2018/04/23/unlocking-a-password-protected-hard-disk/
    • https://forum.hddguru.com/viewtopic.php?f=1&t=32046
    • https://jbeekman.nl/blog/2015/03/lenovo-thinkpad-hdd-password/
    • and above all: Implementation of Lenovo ThinkPad HDD password algorithm. I just tested it, it works (NB: I spent some time making it work, and here is the thing: if your keyboard is not in QWERTY, you have to translate your password as if you were writing it on a QWERTY keyboard!)