> Paul a écrit :
>> Another example is Truecrypt.
>> No scheme is prefect, but the FDE has some advantages in
>> terms of encrypting everything. The software based schemes
>> have a few more exposures than the hardware based ones.
> Thanks you very much,
> FDE seems to be interresting.
> However, do you know examples of hardware that can manage FDE ?
> I can't find motherboard or hard disks that is supposed to support
> Bitlocker or FDE.
I'm still finding this stuff confusing. The last time I
read a few docs, I couldn't understand the full scheme. And
I still can't see the scheme in complete detail.
They refer to some initial password and "warm booting" here.
They also mention a 130MB "preboot" area on the drive, which
is not encrypted. I'd never heard of that before, and that
is a departure from the concept of Full Disk Encryption. http://seagate.custkb.com/seagate/cr...p?DocId=206011
Having a 130MB "preboot" area, makes it sound a bit more
similar to BitLocker. Except compared to BitLocker, the
decrypting of C: is done at hardware speed, inside the drive
controller. That reduces performance penalties on the OS.
There is a claim, that Windows 7 installs on two partitions,
so that the small "SYSTEM RESERVED" partition which boots
the computer, can remain unencrypted, while the main C:
partition is encrypted with BitLocker. This preboot area
sounds like a similar concept. http://seagate.custkb.com/seagate/cr...983&Hilite=#15
It's a fun subject. http://www.computerworld.com/s/artic...omputer_drives
"Coming soon: Full-disk encryption for all computer drives
Drive makers settle on a single encryption standard"
With regard to BitLocker, it has several means to enter information
to cause the information to be decrypted. One means, uses a TPM
module on the motherboard. But because not every motherboard
has TPM, there are other methods that can be used as well. Perhaps
a USB pen drive has the password, you plug it in, and BitLocker is
In any case, what I'm reading above about FDE, doesn't seem
self consistent. The existence of a 130MB "preboot" area,
implies a design which doesn't need a BIOS password step.
Simply execute code in the "preboot" area, and prompt the
user for the password in there. Doing the password at
the BIOS level though, relies on the security by obscurity
of BIOS code, as it's harder to snoop a password which is
being entered at the BIOS level. Otherwise, they could
have the password entry stage in the preboot code. But
if a person inserted a keylogger into the preboot code,
then you could snoop the password. If the password has
to be entered in the BIOS followed by the warm boot,
that's secure as long as the BIOS flash chip is not compromised.
Maybe devices like this, get rid of the preboot area.
"PMC Delivers SAS/SATA Controller-Based Encryption Solutions" http://money.msn.com/business-news/a...24&ID=14425700 http://www.plxtech.com/download/file/1157
"OXUFS946DSE Dual SATA RAID Controller with Encryption" http://www.plxtech.com/download/file/1157
So devices like that, if available, would allow the usage
of ordinary hard drives, with the encryption engine on
the SATA controller card.
It's amazing how much this stuff has changed, since the
last time I read about it.