Full disk encryption is expected to be the top security
technology to be tested or adopted this year. What are the
challenges and benefits likely to be?
Assess your software- and hardware-based full disk encryption
options
There are still plenty of people who believe that a strong
Windows password will protect the contents of their laptop, writes
Peter Wood, chief of operations at First Base Technologies and
member of the ISACA conference committee. However, the truth is
that anyone with physical access to your laptop can also have full
and unrestricted access to your data, unless you have encrypted the
hard disk.
Full disk encryption (FDE), as the term implies, encrypts
everything on your laptop, including the operating system. If this
solution is implemented correctly, it makes the task of
unauthorised access extremely difficult. There are two categories
of FDE - hardware-based and software-based.
Hardware-based FDE is faster and potentially more secure, since
the hard drive's firmware includes the software for pre-boot
authentication. The user must provide a password, a biometric
signature or a token before the drive is unlocked and the operating
system starts. Apart from the inevitable user mistakes of
poor-quality passwords or leaving the token with the laptop, this
presents a very secure solution. The downside is that it requires
the additional cost of a specialised hard drive such as the Seagate
Momentus.
Software-based FDE has the benefit of being able to use existing
laptop hardware, whilst still providing a good level of security.
Products such as PGP Whole Disk Encryption or TrueCrypt use a
small, highly-secure operating system to authenticate the user
before permitting the usual boot sequence to start.
A number of attacks against software-based FDE exist, all of
which rely on either a weak configuration or user ignorance. A
common mistake is to integrate the encryption system with the
conventional Windows logon, in order to offer the user a single
password to access their machine. The problem with this
configuration is that while the hard drive is protected when the
machine is turned off, once powered up it will boot Windows and
relies on conventional Windows security to protect the data. There
are several serious attack vectors that make this a dangerous
choice.
Pre-boot authentication, by contrast, provides the opportunity
for user authentication before Windows starts or any data is
unlocked. When coupled with a strong passphrase or two-factor
authentication (such as a token or fingerprint reader) this method
is very secure. It is possible to retrieve the encryption keys if
the laptop is left in sleep mode, however, because the keys remain
in memory while the machine is suspended, so users must be
instructed to power down their machines when leaving them
unattended. Alternatively, the use of two-factor authentication
should mitigate this attack.
Finally, any FDE strategy must ensure a secure method for data
retrieval in the event of a user leaving the organisation or
forgetting their password. Typically one-time recovery passphrases
are provided for enterprise deployments, whilst challenge-response
systems are used for smaller organisations.
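As an added illustration, not taken from the article, the following PowerShell script audits a Windows laptop against the three configuration points made above: pre-boot authentication rather than a logon-integrated unlock, an escrowed recovery path, and sleep states that leave keys in memory. It assumes BitLocker, which the article does not name, is the FDE product in use, and that the BitLocker module and powercfg are available in an elevated session.

```powershell
# Added example (assumes BitLocker as the FDE product; not the article's code).
# Returns a list of findings; an empty list means the laptop matches the
# article's recommended posture.
function Get-FdePosture {
    $findings = @()
    # Protector types that authenticate the user before Windows starts.
    $preBootTypes = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')

    foreach ($vol in Get-BitLockerVolume) {
        $mp    = $vol.MountPoint
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        # Unencrypted or suspended: physical access gives full access to the data.
        if ("$($vol.ProtectionStatus)" -ne 'On') {
            $findings += "${mp}: encryption not active"
            continue
        }
        # A TPM-only protector unlocks the drive automatically and then relies on
        # Windows security: the 'single password' configuration the article warns about.
        $hasPreBoot = ($types | Where-Object { $preBootTypes -contains $_ }).Count -gt 0
        if (-not $hasPreBoot) {
            $findings += "${mp}: no pre-boot authentication (unlock tied to Windows boot)"
        }
        # A recovery method is needed for leavers and forgotten passphrases.
        if ($types -notcontains 'RecoveryPassword') {
            $findings += "${mp}: no recovery password escrowed"
        }
    }

    # Keys stay in RAM while the machine is asleep; report if standby is permitted.
    $out   = @(powercfg /a)
    $split = [array]::IndexOf($out, @($out -match 'not available')[0])
    $available = if ($split -gt 0) { $out[0..($split - 1)] } else { $out }
    if ($available -match 'Standby') {
        $findings += 'standby (sleep) is available: keys remain in memory while unattended'
    }
    return $findings
}

$result = Get-FdePosture
if ($result.Count -eq 0) { 'FDE posture matches recommendations' } else { $result }
```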