Most organisations appreciate the added layer of security that encrypting data at rest provides. Sensitive data,...
such as financial data, source code, internal communications and customer and employee information, needs to be properly protected. However, implementing a cost-effective and non-intrusive file encryption solution is no easy task.
I know many system administrators have concerns over system performance degradation, and thus user acceptance, of encrypting active data -- that is, data in day-to-day use. Implementation certainly used to be a problem, but improved processing power and new products have lessened the impact of encryption and decryption processes. This leaves implementation costs as the main barrier for adoption. Thankfully in the marketplace for IT security, there is nearly always a good selection of open source tools to consider.
I particularly like TrueCrypt, an on-the-fly, open source disk encryption tool that automatically encrypts or decrypts data without user intervention as it is loaded or saved. The free tool is also easy for users and administrators to manage.
TrueCrypt has been around since 2004 and has now matured to version 6.2a. It runs on Windows, Mac OS X and Linux, and supports the use of security tokens and smart cards. Virtual TrueCrypt volumes are OS independent, allowing you to use a TrueCrypt volume, such as an encrypted USB thumb drive, on any computer on which you can run the program.
There is also a portable mode that allows you to extract files from a pre-encrypted package or run TrueCrypt from a "traveler disk." The arrangement makes it ideal not only for providing disk encryption for desktops and laptops but also for transporting sensitive files to client meetings.
Once you've downloaded and installed TrueCrypt, the beginners guide and online documentation make it easy to get up and running. Files can be copied to and from a TrueCrypt volume just like any normal disk. Parallelization (the use of all processors in parallel) and pipelining (asynchronous processing) allow data to be read and written as fast as if the drive were not encrypted.
You can share the contents of a TrueCrypt volume by mounting it on a file server, but you will need to protect the data as it travels over the network, using SSL or VPN, for example.
I especially like TrueCrypt's ability to encrypt an entire system drive, providing pre-boot authentication. Since Windows uses a lot of temporary files, such as swap, hibernation and log files, system encryption ensures that these bits of data are always encrypted, even when power is suddenly cut off. You can also create an encrypted volume inside another one. Because the free space of the encrypted volume is filled with random data, it is impossible to prove whether there is a hidden volume residing inside it or not. You can even boot to a Windows operating system that is hidden in an encrypted volume.
The online help covers various problems associated with trying to secure digitally stored data and explains how best to use TrueCrypt to cope with them. This is certainly worth a read as it covers some important, if extreme, situations.
Although TrueCrypt never saves any decrypted data to a disk, it does not encrypt data held in RAM. Most programs will not clear the memory area where they store unencrypted data loaded from a TrueCrypt volume, which means that unencrypted data, including unencrypted encryption keys, may remain in RAM until the computer is turned off. And because of a technique called dynamic random access memory (DRAM) remanence, this data may even be retrievable for some time after a machine is shut down.
DRAM remanence is not unique to TrueCrypt, but its candour in the documentation shows that TrueCrypt is a serious, no-nonsense product whose authors take data security very seriously. The user interface could use a makeover, but that's just me being picky. The algorithms used in TrueCrypt are AES-256, Serpent and Twofish, and it complies with the following standards, specifications and recommendations:
- PKCS #5 v2.0
- PKCS #11 v2.20
- FIPS 197
- FIPS 198
- FIPS 180-2
- ISO/IEC 10118-3:2004
If you haven't yet implemented data encryption within your organisation, TrueCrypt could well be a good option to look at. Any encryption product you choose will require secure and efficient encryption key management, but this free tool leaves you with enough time and budget to implement a suitable system.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.