Monday, May 4, 2009

How to Upgrade a Thinkpad T60 with a Full Disk Encryption (FDE) Hard Drive and Fedora

I recently upgraded my Lenovo Thinkpad T60 with a Full Disk Encryption (FDE) hard drive, a Seagate Momentus 7200 FDE.  The Momentus 7200 FDE provides encryption directly built into the hard drive: all data written to the hard drive is automatically encrypted with a key that is generated by and stored directly in the hard drive itself and cannot be retrieved.  FDE is probably the easiest and most transparent way to protect your data in case you happen to lose your laptop or have it stolen.

I boot multiple operating systems on my laptop, and I wanted a form of encryption that was secure but would also allow me to create symbolic links between different partitions and operating systems.  So, for example, both Fedora 10 and Red Hat Enterprise Linux 5 support encrypted disks via software.  But, using a FDE hard drive allows me to ensure that the entire hard drive is encrypted, while still enabling me to access transparently the different operating system partitions from each other.

I also was running out of space on my existing hard drive and wanted a solution which would allow me to migrate all of my data from my old hard drive to my new hard drive easily.  Using FDE enables that without requiring re-installation of any software in the process.

For more information on FDE with Thinkpads, see Lenovo's FAQ.

Here's how I upgraded to FDE:

Preparation Steps

  1. Back up your data in case anything goes wrong!
  2. Purchase a Seagate Momentus 7200 FDE hard drive.  Make sure its capacity is at least as large as your existing hard drive
  3. Purchase a 2.5" SATA hard disk enclosure with a USB 2.0 interface.  This should cost around $15-30 and will enable you to transfer information from your old hard drive to your new hard drive.  Amazon or your local computer store should sell a lot of these
  4. Download Fedora and create a Fedora Live CD/USB.  You will boot into this to copy data from your old hard drive to your new hard drive

Installation and Migration Steps

  1. Remove your old hard drive from your laptop.  If you have a Lenovo Thinkpad T60, you can follow Lenovo's instructions for how to do this
  2. Install your new Seagate Momentus 7200 FDE hard drive into your computer
  3. Install your old hard drive into the hard disk enclosure.  Don't plug your USB hard drive enclosure into your laptop yet
  4. Insert your Fedora Live CD/USB into your laptop and boot into Fedora. 
  5. Log in to Fedora and open a terminal window.  In the terminal, type "su -" to become the root user
  6. Type "fdisk -l" and note how your new hard drive is mapped as a device.  For example, on my system, this is /dev/sda
  7. Plug the USB hard drive enclosure into your laptop.  Fedora should automatically recognize and mount your old hard drive
  8. Type "fdisk -l".  Both hard drives should now appear.  Note how your old hard drive is mapped as a device.  For example, on my system, it is /dev/sdb
  9. Directly copy all the contents of your old hard drive to your new hard drive by executing: dd if=[your old hard drive device] of=[your new hard drive device].  For example, on my system, I did dd if=/dev/sdb of=/dev/sda.  This process will likely take several hours
  10. Once your copying is done, reboot your laptop.  Make sure to remove your Fedora LiveCD/USB.  You can also unplug your USB hard drive enclosure
  11. Verify that you can boot into your laptop and that your operating system(s) and data are intact on your new FDE hard drive
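
The dd in step 9 overwrites whichever device is named in of=, and step 7 notes that Fedora may have mounted the old drive. The shell functions below are an added example, not part of the original post: they refuse a swapped, mounted or too-small target before copying, then compare the result with the source. The function names are hypothetical; /dev/sdb and /dev/sda are the post's own example devices.

```shell
#!/bin/sh
# Added example: guard rails around the dd clone from step 9.

# Size in bytes of a block device, or of a regular file for a dry run.
dev_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# True if the device or one of its partitions is listed in /proc/mounts.
# Limitation: LVM volumes built on the device show up under other names.
is_mounted() {
    awk -v d="$1" 'index($1, d) == 1 { found = 1 } END { exit !found }' \
        /proc/mounts 2>/dev/null
}

# Refuse wrong source/target combinations before anything is written.
preflight() {
    src=$1; dst=$2
    [ -e "$src" ] && [ -e "$dst" ] || { echo "missing device" >&2; return 1; }
    [ "$src" != "$dst" ] || { echo "source and target are identical" >&2; return 1; }
    if is_mounted "$src" || is_mounted "$dst"; then
        echo "unmount all partitions of $src and $dst first" >&2
        return 1
    fi
    [ "$(dev_size "$dst")" -ge "$(dev_size "$src")" ] ||
        { echo "target is smaller than source" >&2; return 1; }
}

# Copy, flush to disk, then compare the first <source size> bytes of the
# target with the source. Returns non-zero if any step fails or differs.
clone_and_verify() {
    src=$1; dst=$2
    preflight "$src" "$dst" || return 1
    n=$(dev_size "$src")
    dd if="$src" of="$dst" bs=4M conv=notrunc,fsync || return 1
    head -c "$n" "$dst" | cmp -s - "$src"
}

# On the live system, as root: clone_and_verify /dev/sdb /dev/sda
```

The verification pass reads both drives in full, so it takes roughly as long again as the copy itself.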
Final Security Steps

Now that your laptop has a FDE hard drive installed, you need to finish securing it by configuring your BIOS to require a password for accessing your hard drive:
  1. Reboot your laptop and enter your BIOS settings menu.  On a T60, you can do this by hitting the Blue ThinkVantage button immediately and then entering your BIOS settings
  2. Go to the security settings section and enable requiring a user password for accessing your hard drive.  Type in a new user password and make sure to remember it.  From now on, when you turn on your computer, you'll have to enter this password before you can boot into your hard drive or access data on it
  3. Save your settings and reboot your laptop
  4. Attach your USB hard drive enclosure and delete all your old, unsecure information from your old hard drive

Congratulations!  You now have a fully secure, encrypted hard drive with all your data and operating system(s) on it!

Optional: Using Your Extra Space

If your FDE hard drive is bigger than your old hard drive, you will have empty space that you can use.  You have a variety of options available to you, from creating a new partition to extending existing partitions with this space.  If you use Fedora or Red Hat Enterprise Linux, you can use the graphical tool, GParted, to help with this.

If you happen to use LVM, GParted doesn't work with LVM yet.  In that case, you can read the Red Hat Magazine article, Tips and tricks: What is the procedure to resize an LVM2 logical volume and the ext2 or ext3 filesystem?, for how to increase the size of an LVM partition.  Note that the end of the article discusses using the command, ext2online.  That command has since been replaced by resize2fs.


John said...

Hi Bryan, enjoyed your story. But it's unclear from the steps - your hd was encrypted before you copied it? Or you encrypted your new hd during this process? (i.e. setting a password in BIOS causes your hd to encrypt?) Or your new hd is not currently encrypted? Thanks again.

Bryan Che said...

My old hard drive was unencrypted. My new hard drive was an FDE hard drive. As I mentioned in the first paragraph, FDE hard drives automatically encrypt everything that is written to them with a key that the hard drive generates and maintains. This is secure because the key is not retrievable from the hard drive itself. So, as soon as you copy data from your old hard drive to your new FDE hard drive, the FDE hard drive automatically encrypts it.

Encrypting the FDE hard drive means that if someone else were to take the hard drive out of your laptop and try to mount it somewhere else, he wouldn't be able to access the data. Setting the password in the BIOS prevents someone from booting into your computer and accessing your data via the operating system.

Unknown said...

Hi Bryan,
Does your process copy the Thinkpad Recovery Partition as well, so that, in case I have to rebuild Windows XP, I can access my Lenovo rescue partition and rebuild the operating system?

I appreciate your response.
