[de_dave]

I use the standard hardware encryption of my SSD (a Samsung 830 in my 2012-era Dell XPS 13), which requires I enter the passphrase when I turn my machine on.

Advantages:

  - OS neutral
  - Seemingly as fast as running 'unencrypted' 
    (I assume performance is identical, the only
    difference being the passphrase is stored in
    my head rather than the BIOS)

Disadvantages:

  - Limited to an 8-char (!) ASCII passphrase
  - I've no idea how secure it really is
  - Can't audit the algorithm (not that I have
    the technical ability to)

[d33]

That sounds like an annoyance, not encryption to me.

[centizen]

It's the 8-char password that I find absurd - that would take about 2 hours to brute force max.

[jkot]

I think hdd will wipe itself after N incorrect attempts.

[dmd]

So you copy the drive first.

[jcrawfordor]

Encryption is done in drive hardware, so copying the drive is possible via hardware attacks but would be a pretty involved lab operation. Would definitely take longer and require more sophistication than many in-practice crypto exploits.

[de_dave]

Allegedly it's 256-bit AES and would take thousands of years to brute force. (Allegedly, because of course there's no way for me to easily verify!)

[wepple]

a 256-bit AES key might take eternity, but if it's derived directly from 8-char ASCII the search space is tiny. Somewhat does depend on how it's actually implemented in hardware, however.

[DanBC]

Hopefully not like this: http://www.h-online.com/security/features/Enclosed-but-not-e...

That drive claimed 128 bit AES, but they botched it.

[bb88]

Or even better, the key is determined randomly, and the 8 char password decrypts the key.

[JaRail]

The 8 char password does not decrypt the key; it unlocks/retrieves it. The drive will only allow a fixed number of attempts. Once past the 10 or whatever allowed attempts, an attacker needs to brute force the full encryption key. It should be a very similar scheme to what you get with a modern smartphone, such as a new iPhone. (Not one of the older iphones the FBI cracked recently, a new one with a Secure Enclave.)

[eeZi]

On Thinkpads at least it can be much longer.

[eeZi]

It does actually encrypt your data, and if it's correctly implemented, it's fine. Those drives sell for a few years now and not a single exploit is known.

For most people this is more than enough.

[de_dave]

You're correct, it's not going to stop someone who knows exactly what they're doing and has the time/patience/tools to brute force. But it is enough to stop casual thieves from stealing more than just hardware, which is (fortunately) my main concern.

[popey456963]

Generally as you increase security you will lose usability and vice versa. It's about weighing the advantages against the disadvantages.

[_RPM]

It reminds me of how I set a boot password in the BIOS on my HP laptop. I now have forgot the admin password in order to remove that "feature". I have no idea how I can fix it. The laptop is bricked. I can't install Linux on it because it is set not to boot from USB or CD/ROM

[witty_username]

> I have no idea how I can fix it.

Just disconnect the CMOS batteries; you can find tutorials online. Or you can take it to a computer shop, it should be a simple fix.

[_RPM]

Where are those located?

[witty_username]

The grey coin-sized CMOS battery is alongside the motherboard.

I suggest you look at the many guides and videos, just search "removing BIOS password".

[_RPM]

That will work for sure? I'd have to really start taking things apart.

[besselheim]

I had the same issue with a second hand HP laptop. However, I could still log in as administrator on the Windows install, enabling me to dump the flash memory used to store the BIOS firmware and configuration, which included the password hash. Some reverse engineering later, and I was able to brute force the hash successfully. So that could be an option if the password is not stored in battery-backed memory, and you have a bit of time on your hands to get stuck into the BIOS internals.

[DanBC]

What's the model number of the laptop?

[_RPM]

Not exactly sure because I don't have the laptop on me. Do you have model specific advice I should know about?