Ce site est optimisé pour être consulté depuis un navigateur moderne dans lequel JavaScript est activé.

Data protection on HDD: trying to sort out relevant technologies

ayi

<t>I'm trying to understand how I can protect data from being used if a computer or a hard drive disk is stolen. 
 
I'm looking for reasonable protection against non authorized access to private data (passwords, license numbers, credit card numbers), I'm not protecting industrial secrets and I'm not looking for protection against guys in labs removing platters and using forensic tools. I need something that don't require the physical presence of a device like an USB key, except for recovery purpose when the credentials have been lost. I need to protect the OS partition and other partitions and/or drives with user data. 
 
Educated advices that I can use in practical are welcome.

Do I need encryption, HDD lock, or both?
If encryption: hard or soft?
How to setup the solution in a LGA 1155 + Windows 7 context?
Available for all types of partitions, including GPT / large size partitions.
How to check the hardware compliance? (BIOS/EFI, drive, motherboard...)
Assuming thief has physical access to the machine, can bypass the normal boot process, can reinstall BIOS and OS, can read the HDD on another machine, etc. 
 
Thanks. 
 
Things I have looked at before asking... 
 
I see that there are different technologies available, some are stand alone, others require some collaboration from the computer (e.g. from the motherboard). I'm looking for something that can be used with a "sandy bridge" motherboard (socket LGA 1155.) not yet purchased.
SED, self disk encryption: I don't need the encryption or the secure erase, but if this can help locking the disk, then ok.
Software encryption: same than SED, I don't like the idea to slow data I/O or to make things complex with additional layers. I don't assess clearly what will be the implication of software encryption: volume size reporting, type of partition, disk imaging, OS updates, third parties applications, etc.
ATA Security (controller locking/unlocking the HDD operations through key mechanisms), seems ok for my use. Is there any weakness I should know? Which motherboard / OS would support this feature? How to select a compliant HDD? Does that require a BIOS/EFI extension for entering the HDD key?
Pre boot authentication to unlock the HDD: what is the benefit compared to ATA Security lock? As this modify the boot process, is that compatible with Windows 7?
BitLocker: LGA 1155 motherboards with TPM are not available I think. Some have support for TPM 1.2 hardware (they have a TPM header), but a deep search on the internet shows that TPM daughterboards cannot be purchased, even if (very few) sites like claim they have some in stock. What is the matter with TPM add-on availability?. BitLocker may be used without TPM, but not for the OS partition it seems. Everybody says you can use BL with an USB key in place of TPM, but what the benefit of having a USB key left one day in the USB port after computer startup, and stolen with the drive? 
 
(Please do not try to guess the solution, or explain TPM is evil or has been cracked.)</t>

ayi

<t>After a thorough search, here are my conclusions: 
 
Do I need encryption, HDD lock, or both? 
 
HDD security is enough to prevent from accessing data. It is a HDD feature, the password in not stored by the motherboard, and cannot be compromised or bypassed. there are companies that can recover the password in some conditions, but a thief won't use them, this is a threat only for those who have Defense classified informations on their computers. Those who have only porn files and spam mails are protected. 
 
Encryption can be provided by the HDD too (self encryption) or by external software like TrueCypt or Bitlocker, or PGP. HDD self encryption is no more a protection after the HDD has been unlocked, the others are, but their require the user to do something each time the computer is started (password or USB key). 
 
My choice is to go with HDD password only, no encryption. 
 
How to setup the solution in a LGA 1155 + Windows 7 context? 
How to check the hardware compliance? (BIOS/EFI, drive, motherboard...) 
 
Unfortunately, I've not found any Desktop motherboard with a BIOS/EFI that support HDD password. Dell supports but you have to buy their assembled computers. IBM supports too, but no separate motherboard can be bought. Only Laptops seem to come with ATA Security support. It seems there is something wrong with the BIOS manufacturers who are reluctant to provide a free solution to their customers. Does another company selling encryption solutions pay for BIOS to be shipped with poor protection features? 
 
This limitation puts a stop to my quest. 
Drive compliance is easy to check on the manufacturer site. Nearly all drives support ATA Security.</t>