barefoot cybersecurity


The Basics for Hard Disk Encryption

So you realise you (or your staff) are walking about with all that confidential company data on a laptop drive. OK, so it’s password protected, but that will not prevent an attacker from booting the system from a thumb drive or removing the hard disk and reading it from another system. Without some kind of hard disk encryption that data is easily readable by anyone with physical access to the drive.

There are three basic solutions to protect the confidentiality of a hard disk’s contents. Here’s a brief overview of these options.

1. Software based file/folder/partition encryption

One simple approach is to specify a directory or partition on your disk where any sensitive data is written. With software-based encryption, any data written to this location is encrypted “on the fly”. Access to this data is typically granted by authenticating with a password (possibly your Windows login).

One benefit of this approach is that the operating system can remain on an unencrypted disk location, which maintains performance and avoids the complications associated with OS maintenance and patching. However, you are reliant on the user writing their data to this secure location. Often a disk is partitioned and the user instructed to store all their classified information there, but habit dictates that email attachments still end up on the desktop, unprotected. Open-source tools like TrueCrypt are frequently employed to provide this kind of functionality for free, although without commercial support.

Safend provides a unique solution for Windows that automatically encrypts user-generated content whilst leaving system and program files alone, which goes some way to solving this.

2. Software based full disk encryption

With full disk encryption, pretty much everything on the drive is encrypted, meaning that the choice is no longer the user’s to make. However, the performance and maintenance issues mentioned above now come into consideration. Also, the boot loader remains unencrypted (note I said “pretty much” everything) so that the key can be made available to the password authentication process, and this remains vulnerable to attack.

To protect these keys further, one can use the Trusted Platform Module (TPM), which is standard on today’s PCs. The TPM is a secure hardware device (or chip) on the motherboard which enforces that the drive can only be read by that specific system. Generally speaking, hardware-based security offers more protection than software-based.

Microsoft now includes BitLocker encryption in the Enterprise and Ultimate editions of Windows 7 and in the Pro and Enterprise editions of Windows 8, and it can be used in conjunction with a TPM.
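If you are rolling out BitLocker with a TPM, the thing you actually want to know for each laptop is: is every volume encrypted, is protection switched on, and is the key released by the TPM rather than by a plain password? The script below is an added example written for this post, not Microsoft’s code and not from the original article. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where the BitLocker and TrustedPlatformModule modules ship with the OS; the function name Get-DiskEncryptionReport and the Finding labels are my own invention.

```powershell
# Added audit script (not from the original post). Reports TPM state and, for each
# BitLocker-capable volume, encryption status, protection status and the key
# protector types that release the volume key. Run from an elevated prompt.

function Get-DiskEncryptionReport {
    [CmdletBinding()]
    param()

    # Get-Tpm throws on machines with no TPM driver; treat that as "no usable TPM"
    # instead of aborting the whole report.
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $tpmUsable = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
    } catch {
        $tpmUsable = $false
    }

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType says HOW the key is released. Anything starting with
        # "Tpm" (Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey) is bound to this
        # motherboard; Password / ExternalKey are software-only; RecoveryPassword
        # is the escrow copy you should have backed up somewhere.
        $protectors  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $tpmBound    = @($protectors | Where-Object { "$_" -like 'Tpm*' }).Count -gt 0
        $hasRecovery = $protectors -contains 'RecoveryPassword'

        # One-word verdict per volume, worst problem first (labels are my own).
        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            $finding = 'UNENCRYPTED'          # data readable from another system
        } elseif ($vol.ProtectionStatus -eq 'Off') {
            $finding = 'PROTECTION SUSPENDED' # encrypted, but key stored in the clear
        } elseif (-not $tpmBound) {
            $finding = 'SOFTWARE KEY ONLY'    # no hardware binding to this PC
        } elseif (-not $hasRecovery) {
            $finding = 'NO RECOVERY ESCROW'   # fine for attackers, bad for helpdesk
        } else {
            $finding = 'OK'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType        # OperatingSystem or Data
            VolumeStatus     = $vol.VolumeStatus      # FullyEncrypted, EncryptionInProgress, ...
            ProtectionStatus = $vol.ProtectionStatus  # On / Off
            EncryptionMethod = $vol.EncryptionMethod
            PercentEncrypted = $vol.EncryptionPercentage
            KeyProtectors    = ($protectors -join ',')
            TpmBound         = $tpmBound
            RecoveryEscrowed = $hasRecovery
            TpmUsable        = $tpmUsable
            Finding          = $finding
        }
    }
}

# Usage: one row per volume; pipe to Export-Csv to collect across a fleet.
Get-DiskEncryptionReport | Format-Table -AutoSize
```

Two caveats worth knowing when reading the output: a volume can be FullyEncrypted with ProtectionStatus Off (typically after someone suspended BitLocker for a firmware update and never resumed it), which is as good as unencrypted while the laptop is in that state; and a TpmUsable of False with TPM-type protectors listed means the volume will drop into recovery mode at next boot rather than unlock silently.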

Other leading enterprise solutions are available from the likes of McAfee, Sophos and CheckPoint.

3. Hardware based full disk encryption

Hard disk security has evolved further, pushing security deeper into the hardware layer with the new generation of self-encrypting drives (SEDs).

With SEDs the encryption key is held in the drive controller itself. Authentication takes place as the drive is powered on, using a BIOS password, which can also become a single sign-on to the domain. Therefore, from the moment the drive starts, all data is encrypted on the way in and decrypted on the way out: no performance hit and no software-based authentication.

It is not possible to access the stored key without physical destruction of the drive and the data cannot be read without the encryption key.

Wave Systems and Seagate pioneered SEDs to support the OPAL standard developed by the Trusted Computing Group (TCG) and today Hitachi, Samsung, and Toshiba all produce OPAL compliant drives.

At the time of writing, SEDs can be purchased for as little as $20 more than the equivalent specification non-encrypting drive.