"Hard Disk Password" in Thinkpad BIOS

Question

ThinkPads have a "Hard Disk Password" hard drive protection system, see image below.

I have read BIOS Hard Drive Password Security? but a few things are still unclear to me. Is this sytem:

• a simple lock that can be easily bypassed if I move the HDD/SSD to another computer?

• something linked to an internal-disk encryption system? If so, what happens if I move the disk to another computer that does not have this BIOS option?

• something linked to TPM?

• something else?

TL;DR: Does enabling this Hard Disk1 Password change the state of the disk itself, i.e. a few byes will be modified on the disk (either in boot partition or internal-disk settings), or will this let the drive totally unchanged and only modify the local computer BIOS settings?

Answer 1

Following @John's answer, I did a few tests, and here are the results.

First set a "Hard Disk1 Password" on HDD1 of ThinkPad A, and take the disk out (in my case a Samsung SSD).

1. Put it in ThinkPad B, as internal hard drive

   • the password is asked on ThinkPad B startup, so this confirms that the password protection is written somewhere on the disk and not only in ThinkPad A's BIOS

   • if we don't enter the correct password, no boot is possible (it's not possible to bypass this and continue the boot with the other internal HDD)

2. Put it in ThinkPad B, in the "HDD caddy" tray, hotplug-style, after Windows startup: the disk is not available, it does not even appear in the partitions of diskmgmt.msc; the blocking seems to be low-level

3. Connect it to ThinkPad B, as a USB external drive, with a USB-SATA cable, after Windows startup: same than 2.

4. Connect it to ThinkPad B, as a USB external drive, with a USB-SATA cable, before boot: the boot of ThinkPad B is slowed down / nearly crashing (?)

5. Connect it to another PC than a ThinkPad (e.g. a PC with a BIOS that does not support HDD Password), as internal drive, before boot:

   • The disk is visible in the devices (example: from BIOS boot menu)

   • lsblk shows /dev/sdb 931 GB, but no partition is detected (no /dev/sdb1, /dev/dsb2, etc.)

6. Connect it to another PC than a ThinkPad, as USB drive (with a USB-SATA cable): no partition visible

7. Connect it to ThinkPad B internally, enter the password, go to BIOS and remove the password. Then connect it to ThinkPad A: the password is well removed, as expected.

So it looks like a good protection technique, not easily bypassable.

---

PS:

• I still haven't found the name of this protection technique, is it a normalized standard? available by all HDD/SDD manufacturers or not? As it is a HDD-feature understood by both the HDD manufacturers and the ThinkPad BIOS, it surely has a precise name and specifications. Comments about this welcome!

• Update: The password can be disabled from another non-Thinkpad computer. See:

  • https://blog.georgovassilis.com/2018/04/23/unlocking-a-password-protected-hard-disk/
  • https://forum.hddguru.com/viewtopic.php?f=1&t=32046
  • https://jbeekman.nl/blog/2015/03/lenovo-thinkpad-hdd-password/
  • and above all: Implementation of Lenovo ThinkPad HDD password algorithm . I just tested it, it works (NB: I spent some time making it work, and here is the thing: if your keyboard is not in QWERTY, you have to translate your password as if you were writing it on a QWERTY keyboard!)

Answer 2

The ThinkPad HD password is not linked to TPM as noted earlier.

However the HD password is stored on the drive.

It is not easily defeated. If you move the drive to another computer, you will need the HD password to access the drive.

Removing the BIOS password (if one) does not change the above statement.

I have been using the Lenovo HD Password for years and two laptops here have that function enabled. I also have the BIOS user password set to the same value. No one but me can start my computers (even with a bootable USB Key).