October 24, 2008 – 02:43
As you may know, I usually use an HP Compaq business notebook (the 15” 8510p to be exact). For the last 9 months I have been using this model for both work and personal usage and it’s my weapon of choice when needing a mobile powerhouse without breaking my back. Performance is great (you can get better these days, I got one of the last pre-Penryn models) and overall it’s a reliable and sturdy device.
So last week I was going over some security principles and decided that file-based encryption wasn’t enough for my mobile system. I decided to look at drive encryption and for my scenario I had 2 very good and supported choices:
- Windows Vista Bitlocker
I run Windows Vista Ultimate x64 so using Bitlocker would be a viable option for me
- HP ProtectTools Drive Encryption
The official business-level encryption solution provided by the OEM, HP, itself.
At first I wanted to use Bitlocker and I used the Bitlocker preparation Vista Ultimate Extra to prepare my harddrive for Bitlocker usage. The tool however refused to use my harddrive as it didn’t understand some of the partitions located on the drive (yes, even I have a dualboot to Linux, don’t like it though) and it refused my harddrive.
Too bad, so I decided to use the OEM-supported solution, HP ProtectTools Drive Encryption. I figured as HP is a large and good company (who has always given me great tech support here in the Netherlands), there would be no recovery issues in the event something should go horribly wrong.
And boy did things go wrong…
Earlier this month I turned on Drive Encryption in the software (which is buggy, doesn’t autolaunch the admin tool as Administrator in Windows Vista with UAC turned on, crap HP software). It took about 2 hours to encrypt my drive and it installed a little on-the-fly decryption app in the bootloader. All was working great and performance was still very good. I backed up a recovery key to 2 different USB sticks (just in case). It also asked me whether I wanted to use the online recovery service. As the service does nothing but store your decryption key for a ridiculous amount of money / year, I declined and used the USB-only solution.
Exactly one week ago, Thursday afternoon, I was prepping a demo I was going to give the following day @ 9AM. At around 15:00, I was done with my notebook and switched it to standby. Sometime later I had to change some boot arguments of the Windows Vista bootloader and used a few applications to reflect the changes needed (which I’m guessing rewrote the Vista bootloader, nothing fancy). All was good and I rebooted to test my changes and I noticed it didn’t load the HP decryption software (usually asking me for my password) and it just gave me a flashing cursor.
I rebooted again .. same. I booted a recovery dvd with a few partition manager applications on it. Double checked whether the Vista partition was the active one. It of course was. I booted the Vista DVD and tried to use auto fix. It couldn’t find my Windows drive (which is explainable as it is encrypted).
The HP system relies on the bootloader software to be present in order to decrypt the harddrive. Messing with the bootloader (which a normal OS installation next to your current OS would also do), seems to wipe away the HP software. Ok great.. now I have a locked drive.
Next up .. recovery.. I had my decryption key but no means to use it as the recovery option was a part of the bootloader decryption software. I quickly visited the HP.com support site in search of a recovery solution for the encrypted harddrive. No luck. Googled on the product name and found nothing useful.
I quickly rang up HP Netherlands as it was about an hour before the lines closed. Quickly got a pro (no level-1/level-2 filtering here, GREAT!) and explained the situation. However unfortunately due to some issues with the phone systems when using T-Mobile as a provider, I got disconnected. This happened a number of times and I quickly switched to landlines (after being on hold and being disconnected 3x). Ultimately had an employee working with me on how to resolve the issue. No luck. I explained my level of expertise on Windows Vista and systems overall and we both gave great ideas on how to possibly resolve the issue (recover the drive or reinstall the bootloader software). He looked in the central database and had no luck. It was over closing time and they had to cut the call short (which I understand). I asked them whether HP USA could help me further as they are 24/7. The Dutch support line said no as they use the same internal support KB.
It was getting late and I quickly went to the shops to grab some food before they all closed. Some cooking later, I was looking at the software being used by HP for the encryption. HP ProtectTools uses a branded version of Safeboot (www.safeboot.com, now owned by McAfee). I again searched the internet but didn’t find a lot of useful stuff. One forum post noted the name (which I can’t say according to HP) of a recovery solution used by enterprises.
Via sources (I’m not allowed to say which ones according to HP) I got my hands on the decryption DVD. Great! Quickly inserted the disc and booted the system yet again. “Please enter daily 4 digit code”. Oh .. euh. 1234 .. nope. Tried some other numbers and couldn’t guess the number. I opted to cancel and the recovery app locked down. It had one other option “Activation via HP backup”. Hey! I have that. Inserted my USB stick and selected the file. “Valid”. Awesome! .. “Now please enter 4 digit daily code”. Arghh.
Looked up the support number for the Safeboot tool. The Dutch number was disconnected as McAfee had bought them. When trying the US number, I got connected to McAfee Enterprise support. I opted for Safeboot support. 1 minute waiting later, I had a tech person on the line. I explained my situation and stated I had the software. Just needed the key. The kind sir explained nicely to me they couldn’t give me the key without the proper SLAs. I understood; however, it’s still lame that the only thing holding me is a 4 digit code which the guy had displayed on his screen but couldn’t give me. I tried asking real real nice. Nope .. no go. He advised me to ring up HP USA.
So I did. Got disconnected 3 times whilst waiting (and having to pass the horrible voice-activated menus, what’s wrong with keyinput?) and had to wait another 15 minutes. Ultimately I got my tech person on the phone. Took about half an hour to explain the situation. Of course the ma’am couldn’t find anything in the KB either. I also explained my situation was urgent and I had to have the drive back before 9AM next morning. She would “look into it and do some research” while I would wait on hold (with the WORST waiting music EVER). I waited for up to an hour. She was no help and couldn’t find anything. It took her over 90 minutes to realize what the Dutch guy did in 15 minutes. Ultimately she rang McAfee USA again and we had a little conference call (after I waited another 30 minutes whilst she was explaining the situation to McAfee). Ultimately I had the McAfee tech guy on the phone but again just like before, they couldn’t do anything for me.
I thanked them both and hung up (as waiting any longer or making an escalation ticket would be pointless and take way too long). After nearly 5 hours of calling, waiting and being disconnected, I was no further in my quest to unlock my harddrive.
Another desperate 15 minutes of Googling and ringing up 4 IT Pros out of their beds, I gave up. I decided the best thing to do was to wipe the harddrive and install a clean image. As I was using special software for the demo the following day, I couldn’t just use a backup. I had to reinstall from scratch. Of course all my documents and vital information were backed up to external hdd, LAN share and trusty Sharepoint sites so that wasn’t too big a problem. However, it did take me another couple of hours to set up the demo software again from scratch. By the time I got in bed, it was nearly 4AM.
The following day I got up at 7AM and gave my demo at 9AM using my cleanly installed software (which went great despite the 3 hours of sleep). Stayed on location till 6PM. After that I went to a friend’s house for dinner. Fixed his internet and had a good time. By the time I was back in my bed, it was 3AM/4AM.
So basically HP is providing an encryption solution they cannot support or recover for you in case something should go wrong. There are no external decryption tools provided. If you are using HP ProtectTools Drive Encryption right now, I really suggest turning it off and migrating away from the solution. At the very least, find some way to back up your bootloader containing the decryption software.
As for the recovery service which SafeBoot is providing for HP.. It’s a yearly fee to store your (kinda useless) recovery key online and a support service (allowing you to ring the 2 McAfee persons I talked to earlier directly). I asked McAfee whether that would have saved me in my situation had I taken up the subscription. The short answer: No. They only provide you your key and provide support for resetting the password remotely. They don’t provide support when your bootloader committed suicide.
I’m never ever using full drive encryption software by HP again! Perhaps HP could have given me a better solution had I waited a couple of days so they could escalate the problem to other departments and McAfee. I didn’t have the luxury of time, and you might not either when things go wrong. Stay away from HP Drive Encryption solutions (or anything Safeboot related).
One small note: I heard that Safeboot supported the HP software directly via their own helpdesk line thus unloading complex support calls to the HP helpdesk. However McAfee bought Safeboot in 2007. The HP agreement still stands but support is limited to enterprise SLA holders only.