
I am just booting my new X1 for the first time, and went into the bios to set a bios password. I discovered a slew of security settings:

  1. Supervisor password
  2. Lock UEFI BIOS Settings (enabled/disabled)
  3. Password at Unattended Boot (enabled/disabled)
  4. Password at Restart (enabled/disabled)
  5. Password at Boot Device List (enabled/disabled)
  6. Password Count Exceeded Error (enabled/disabled)
  7. Set Minimum Length (integer)
  8. Power-On Password
  9. Hard Disk1 Password (text field, need to choose "User" or "User+Master")

So - I have the option of typing 3 distinct bios passwords (not including the OS password), and enabling or disabling it at various points in the boot cycle.

What's a good, secure setup to use that's still convenient? Why do I need 3 distinct BIOS passwords? Which of the checkpoints should be set to enabled?

Also - I intend to enable full disk encryption using BitLocker. Does it make some of these options redundant?

ripper234
  • If someone steals your laptop, they can simply remove the hard drive to get at your data. So, if your purpose is to protect your personal data from theft, then full disk encryption is the only thing that's going to work. And, it's good to remember that such encryption only protects the data when the machine is off... Once the machine is running, the data on the drive are available for theft and/or compromise. – RubberStamp Jan 07 '19 at 01:49

1 Answer


BIOS passwords just deter the lowest possible attack vector: someone without any technical knowledge booting your laptop/from an external drive. If you do not have BitLocker in place, an attacker could then access data on your drives and affect the whole (Confidentiality, Integrity, Availability) CIA-triad. But even if you set a BIOS password, this would not hinder a more "advanced" attacker from simply removing your non-encrypted drive and plugging it into their own machine, again affecting the whole CIA-triad.

So to sum it up: BIOS passwords are easy to set up, so you might as well. Even if it's just to "protect" your device from someone who's technically completely unsavvy trying to boot from it.

Additionally, you definitely should use Full Disk Encryption to protect your local data from technically more advanced threats. Just make sure to use an adequately long and complex password. And keep in mind what @RubberStamp wrote in his comment: FDE only protects your data if your drive is not powered on. So power off* your machine whenever you're not using it/it is not in your direct line of sight.

EDIT: * Sleep seems to be an issue with BitLocker, according to this answer, hibernate seems to be ok according to this comment.

SeeYouInDisneyland
  • I assume FDE does work on hibernate/sleep ... but perhaps that assumption is false...? – ripper234 Jan 08 '19 at 19:54
  • Sleep seems to be an issue with BitLocker, according to [this answer](https://security.stackexchange.com/a/135297/184205), hibernate seems to be ok according to [this comment](https://security.stackexchange.com/questions/135284/does-hibernate-feature-pose-any-security-threat#comment251959_135286) – SeeYouInDisneyland Jan 09 '19 at 08:18
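As an added example (not code from the original answer), the following PowerShell script checks the two points the answer hinges on: whether each volume is actually BitLocker-protected (not merely encrypted with protection suspended, and whether a pre-boot PIN is required), and configures the machine to hibernate rather than sleep when unattended so the keys leave RAM. It assumes an elevated PowerShell on a Windows edition that ships the BitLocker module and that powercfg.exe is on PATH; the function names are my own.

```powershell
# Added audit/hardening script; the function names are hypothetical, the
# cmdlets and powercfg aliases are standard Windows ones.

function Get-BitLockerProtectionReport {
    # One row per volume: encrypted and protected are two different things.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus        # FullyEncrypted is the goal
            ProtectionStatus = $vol.ProtectionStatus    # 'Off' = key stored in the clear
            KeyProtectors    = ($types -join ',')       # e.g. Tpm,RecoveryPassword
            PinRequired      = ($types -contains 'TpmPin')  # pre-boot PIN in use
        }
    }
}

function Set-HibernateInsteadOfSleep {
    # Hibernate writes RAM to the encrypted disk and drops the keys;
    # sleep keeps the keys in RAM, which is the case the answer warns about.
    powercfg /hibernate on | Out-Null
    # Lid action: 2 = Hibernate, applied for AC and DC on the active scheme.
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 2
    # Never enter plain sleep on idle; hibernate after 15 minutes instead.
    powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
    powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE 900
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE 900
    powercfg /setactive SCHEME_CURRENT
}

Get-BitLockerProtectionReport | Format-Table -AutoSize
Set-HibernateInsteadOfSleep
# Lists the sleep states still available after the change.
powercfg /a
```

A volume that reports VolumeStatus FullyEncrypted but ProtectionStatus Off (for example after `Suspend-BitLocker`) gives none of the at-rest protection the answer relies on, so the report should be read with both columns together.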