Laptop security: Apple vs. [Insert name here]

[vinay_ys]

Choose a disk that supports Full Disk Encrpytion. Lenovo has this - http://www.lenovo.com/support/fde. This way the encryption/decryption is done by the chip inside HDD and there is no OS security issue that can compromise the data or performance hit on the main cpu. Don't forget to set the HDD password in the BIOS. Everytime system boots, it should ask you for the disk password as first step. If it does not ask the password, then you have not set it up right.

On the Linux OS itself, follow good personal security practices - use strong password, use 2FA (see FIDO devices like YubiKey), disable unnecessary services, install software downloaded from trusted, well-reviewed sources only etc. If you did the HDD encryption above, there is no need to do filesystem encryption again in Linux.

[hackuser]

> Choose a disk that supports Full Disk Encrpytion ... This way the encryption/decryption is done by the chip inside HDD and there is no OS security issue that can compromise the data or performance hit on the main cpu.

The parent is referring to Self Encrypting Drives (SED), AFAICT. I looked into them a little recently, but I'm not an expert. Consider the following only a starting point:

Beware that not every SED tech is equally secure; some are easily bypassed. The industry standard, and the one I would depend on, is Opal. It usually requires tools in the OS to activate, but I would be surprised if those tools weren't available for major Linux distros.

https://www.trustedcomputinggroup.org/storage-work-group-sto...

Microsoft provides something called eDrive, which AFAICT (I looked at it briefly) integrates Windows Bitlocker with SEDs.

> Lenovo has this

SED tech is a feature of the hdd/ssd, not the computer vendor. The BIOS has to integrate with the SED but I think that is standard, at least in business-class computers (but double-check before you buy!).