New Laptop with Win11 Pre-Installed - Safe to leave recovery partition?

Hi, I am pretty new to Linux.
I have a new laptop with Win11 installed and, feel free to call me paranoid (I can take it), but I would like to remove all trace of Windows from the machine. My decision to stop using Windows (many years ago) and more recently Mac OSX as well, means I really don’t like to pay for a machine and have any Windows elements left installed.

So what’s the best approach to installing Fedora? If I format the hard drive, will that remove this boot/recovery stuff? Or is it 100% safe to leave installed? (From a privacy perspective more than a security one.)

Maybe an additional question. I always formatted my drives encrypted (on Mac). I’d like to ensure my hard drive is encrypted so if someone removed it they can’t access my data. What’s the best way to approach this before I dive in and install Fedora?

Thanks

PS Am I right in thinking a BIOS password will add to my device’s security?

I just went into BIOS and see quite a few options which confuse me somewhat. Pic below.
Should I set passwords for these top 3 options?
Seems more secure if I do

If you do not want Windows then you can tell Fedora to use all of the SSD when you do the installation. That will wipe Windows and its recovery partition.

You did not include the screenshot of the BIOS.

Personally I use full disk encryption when setting up Fedora so that a lost laptop’s data cannot be recovered.

Any password on the BIOS can be reset by a factory reset process I would expect.

1 Like

Yes, but that would mean the device could only be unlocked/booted/configured by someone who knows the password(s). It is entirely up to you but doing so would mean that you could not even sell or gift the machine without first providing the password or wiping it out. Setting the BIOS passwords essentially makes the system a brick to someone who does not have the password (assuming the password is reasonably secure).

As far as installing Fedora and removing all traces of Windows:
When installing simply select the option to recover all space on the destination drive and install. Set the drive encryption to your needs.

The BIOS password is for system security and the drive password is for data security.

1 Like

Sorry I forgot the screenshot, have attached now.

How do you use “full disk encryption”? Is that a setting when you install Fedora as well?

BIOS - Interesting, so I think you’re saying they don’t add much security as they are easily bypassed, is that right?

Thanks Jeff

I don’t mind it being a brick, that gives me comfort :smiley:
Yes it would be a secure password, and I’d understand the need for not losing/forgetting it. So sounds worthwhile. I am just not sure what it actually secures, if it doesn’t protect my user account/data at all, maybe it’s unnecessary for me. I had the feeling that if you protect user account/hard drive, a BIOS which is easily accessible can provide another means of access to data/user accounts. If not, maybe I don’t need it.

What do people generally employ use of BIOS passwords for exactly? Knowing that might help me decide.

PS in my screenshot, is the “Administrator Password” their wording for what we’d call BIOS Password?

thanks

I see it says : “Set Hard Disk Password” and “Set Master and User passwords for Hard Disk 1”.
What is this? I don’t understand. If I let Fedora do full disk encryption, wouldn’t this be moot? Not that I understand how BIOS can secure a hard drive with a password!

I don’t suppose there is some sort of article or guide on fairly basic level security enhancements for Fedora, for noobs (or not, I can do what I am capable of and leave the rest!)

Hello @joeyjonnson ,
The BIOS Password is for the BIOS only. It will (if enabled) likely limit what you can change without entering it to unlock the BIOS. So you would only have to enter this password for BIOS activity by you or someone with physical access. All of that info should be explained by the mfg (Lenovo I note). The BIOS HDD/SSD security password is no doubt for BitLocker (Windows thingy) I would think, unless Lenovo has its own security mechanism for this. This too should be fully explained by the mfg. documents.
As for Fedora, there is device securing through LUKS for the storage device, and using the secure boot feature of UEFI will result in a system that would look for the OS to have its keys enrolled with the hardware TPM2 device on the laptop, before letting it boot (just like Windows does). With LUKS configured for your drive, whoever boots it, whether installed in your laptop or connected to another PC, would need the LUKS password to gain access to your device and data.
[Edit]: Besides this really looks like an OEM Windows setup thing so I am pretty convinced then that the Admin Password is for your OS admin and User Password for OS User (Windows of course) and the Hard Disk 1 Password is for BitLocker.

1 Like
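To confirm after installation that the data really sits under LUKS and that no Windows partition survived, here is an added example (not from any poster in this thread) that walks the JSON from `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT`. The device names and the sample layout are constructed; on a real machine, pass that command's output to `audit()` instead.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output
# (device names are made up for illustration).
SAMPLE = """
{"blockdevices": [
 {"name": "zram0", "type": "disk", "fstype": null, "mountpoint": "[SWAP]"},
 {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null, "children": [
  {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
  {"name": "nvme0n1p2", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
  {"name": "nvme0n1p3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
   {"name": "luks-example", "type": "crypt", "fstype": "btrfs", "mountpoint": "/"}]},
  {"name": "nvme0n1p4", "type": "part", "fstype": "ntfs", "mountpoint": null}]}
]}
"""

# Partitions the firmware and bootloader must read before any passphrase is entered.
BOOT_OK = {"/boot", "/boot/efi"}


def audit(lsblk_json):
    """Sort mounted filesystems by whether they sit on top of a LUKS container."""
    report = {"encrypted": [], "plaintext": [], "windows_leftovers": []}

    def walk(node, under_luks):
        fstype, mnt = node.get("fstype"), node.get("mountpoint")
        if fstype == "ntfs":  # e.g. a Windows recovery partition that survived
            report["windows_leftovers"].append(node["name"])
        if mnt and mnt not in BOOT_OK:
            report["encrypted" if under_luks else "plaintext"].append(mnt)
        for child in node.get("children", []):
            walk(child, under_luks or fstype == "crypto_LUKS")

    for dev in json.loads(lsblk_json)["blockdevices"]:
        if dev["name"].startswith("zram"):  # compressed swap held in RAM, not on disk
            continue
        walk(dev, False)
    return report


if __name__ == "__main__":
    print(audit(SAMPLE))
```

Anything listed under `plaintext` is readable by whoever removes the drive; `/boot` and `/boot/efi` are excluded because they have to stay unencrypted for the machine to start.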

Thanks very much, useful info there.

So, out of the options shown in my screenshot, are ANY of them the “Bios password”? Is it the “Administrator Password” I am seeking to prevent BIOS access?

Also, I assumed BIOS password would need to be entered EVERY Time the machine is powered on, which was putting me off as my wife/kids will occasionally use it. If it will only prompt for Bios Password when actually accessing the BIOS menu, that will be fine and I may as well add it.

thanks

The screen you showed is for the Lenovo setup of the OS sold with it. The BIOS password would be found in the BIOS, which you must interrupt boot up to get at. Please refer to the docs Lenovo provides.

1 Like

Ooh, thanks! I wondered why it wasn’t blue, just thought stuff must have moved on since last time I looked at a BIOS screen (years ago!)
I’ll get there eventually, fashionably late as usual :smile:

> The screen you showed is for the Lenovo setup of the OS sold with it. The BIOS password would be found in the BIOS, which you must interrupt boot up to get at. Please refer to the docs Lenovo provides.

No, that’s definitely the BIOS setup, BIOS setup screens just look a lot more stylized than they used to.

> Should I set passwords for these top 3 options?
> Seems more secure if I do

I generally recommend against BIOS/Startup passwords, they can usually be bypassed somewhat easily by any actual bad actor with a hardware flasher, they only really serve to brick the laptop if/when you eventually forget the password, and make it a pain to unbrick. The only benefit I can think of for a BIOS/Startup password is making things slightly more annoying for someone who might want to steal a device, wipe it, and re-sell it; but these people are not generally going to check for a BIOS/Startup password before stealing it. If privacy is what you want, full-disk encryption through the OS is the way to go; if theft prevention is what you want, if theft mitigation is what you want, open up the back and shove a GPS tracker (e.g. AirTag) in there somewhere.

1 Like

No.
I am saying that this is at the hardware level and has to be entered with first power on. BIOS has at least 2 passwords. One for entering BIOS setup and one for booting. Either or both may be entered and serve different purposes. If either is set it is separate from the password used for encrypting the drive.

Setting the boot password means it is required before the boot even starts.
Setting the BIOS setup password means that password is required to even enter the BIOS setup screens and if lost NO changes may be made to previous settings.

The drive encryption and OS security is in addition to the hardware security.

1 Like

Thanks, very useful and thanks for clarification of BIOS, I did interrupt boot to get at that screen.
You make a good point, in that it won’t prevent a theft as nobody would check first. Theft isn’t an issue I am too concerned about, more security of my data, and since OS/full disk encryption takes care of that I guess I can go without any BIOS/Boot passwords.

Thanks Jeff. I see, so there’s two, one for adjusting BIOS and one for starting up the machine. I wouldn’t bother with the startup one, but I thought BIOS one could be handy to prevent people booting off a USB. But I like to do that sometimes (but I’d know the password!).

I suppose my trouble is in my lack of understanding of how and WHETHER a bad actor could ‘use’ BIOS setup to get to my DATA (which is secured by encryption and a strong password). If not, I have no use for BIOS password (I don’t care if someone stole my machine if they could wipe the OS, just so long as my data can’t be accessed).

I will have a think, but probably don’t have any benefit to either.

(PS If I were to use a BIOS password, it would be the same as I’d use for login to OS (complex password), not sure if that’s bad ‘opsec’, other than in theory (i.e. ‘never use a password twice’, which is a good principle but in this instance don’t think it would matter))

thanks for the input