Windows is finally going to offer a native system for encrypting content on USB drives and other removable storage -- but the catch is you'll have to wait until Windows 7 and Windows Server 2008 R2 go gold in 2009 to use it.
Providing a means to protect the content on removable storage devices is an ongoing challenge, but one that becomes increasingly urgent every time another government department or large organisation misplaces a USB stick containing confidential data. Encrypting that data remains the most effective way of protecting portable storage devices, but getting that to work properly has generally required complex add-ons to be incorporated into existing operating environments.
If you're a Microsoft shop, however, relief is at hand, albeit at a distance. Windows 7, the Vista successor expected in mid-to-late 2008, can work in conjunction with Windows Server 2008 R2 (due in a similar timeframe) to provide OS-native support for encrypting external storage devices.
While the code is still being finalised (the current pre-beta M3 release can't handle SD or CF cards, for instance), the broad principles are now firmly set enough for you to place external storage encryption on your IT roadmap.
The approach is based on the BitLocker drive encryption technology introduced in Vista, though that has had to undergo substantial changes to deal with external devices. "BitLocker utilises the TPM [Trusted Platform Module, which resides on the processor] and measures early boot components," BitLocker program manager Troy Funk explained in a presentation at Microsoft's recent WinHEC hardware engineering conference. "Every time you boot, the TPM is doing an integrity check with those early boot components to ensure they haven't been changed."
While effective in protecting individual machines, that approach can't be used with removable devices, which by definition will work on multiple PCs. "In Windows 7, we're adding a new recovery method, data recovery agents," Funk explained.
The data recovery agent approach uses a public key which is applied to a group of drives via group policy. To enable recovery, there's also a private key, held by the defined data recovery agent -- typically the central IT department -- which can unlock any drive which has been encrypted via the policy.
Encrypted data can be protected either by a passphrase or by a PC-connected smartcard. Group policy can be used to define the requirements for any particular installation, and recovery data is backed up as part of Active Directory. "We need to ensure there's a recovery mechanism," Funk said. "People are trusting that their data won't be messed up by encryption. The IT department or some other trusted party needs to be able to gain access to that drive."
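To make the two-path key hierarchy concrete, here is an added toy model in Python; it is not Microsoft's code or BitLocker's on-disk format. The per-drive key is wrapped once under the user's passphrase and once under the recovery agent's public key, so either party can unlock the drive while anyone else sees only an opaque blob. The RSA pair, the SHA-256 stream cipher and the sample data are constructed stand-ins (Python 3.8+ for the modular inverse).

```python
import hashlib, hmac, os

# Constructed toy RSA pair standing in for the agent's certificate in group policy.
# Tiny and textbook on purpose; real deployments use a proper certificate.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def rsa_wrap(key: bytes, pub=(N, E)) -> list:
    """Textbook RSA on 2-byte chunks (each chunk value < N). Illustration only."""
    n, e = pub
    return [pow(int.from_bytes(key[i:i + 2], "big"), e, n) for i in range(0, len(key), 2)]

def rsa_unwrap(chunks: list, priv=(N, D)) -> bytes:
    n, d = priv
    return b"".join(pow(c, d, n).to_bytes(2, "big") for c in chunks)

def stream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a toy stream cipher (stand-in for AES)."""
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_drive(data: bytes, passphrase: str) -> dict:
    """Encrypt under a fresh per-drive key, wrapped once for the user and once for the agent."""
    salt, drive_key = os.urandom(16), os.urandom(16)
    user_kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 16)
    return {
        "salt": salt,
        "user_wrapped": xor(drive_key, stream(user_kek, 16)),        # passphrase path
        "agent_wrapped": rsa_wrap(drive_key),                        # recovery-agent path
        "tag": hmac.new(drive_key, b"header", "sha256").digest(),    # detects a wrong key
        "ciphertext": xor(data, stream(drive_key, len(data))),
    }

def _open(blob: dict, drive_key: bytes):
    """Return plaintext if drive_key is right, else None (the drive 'looks unformatted')."""
    if not hmac.compare_digest(blob["tag"], hmac.new(drive_key, b"header", "sha256").digest()):
        return None
    return xor(blob["ciphertext"], stream(drive_key, len(blob["ciphertext"])))

def unlock_with_passphrase(blob: dict, passphrase: str):
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), blob["salt"], 100_000, 16)
    return _open(blob, xor(blob["user_wrapped"], stream(kek, 16)))

def unlock_with_agent(blob: dict, priv=(N, D)):
    """The agent's private key unlocks any drive encrypted under the same policy."""
    return _open(blob, rsa_unwrap(blob["agent_wrapped"], priv))
```

A machine holding neither the passphrase nor the agent's private key has no route to the drive key, which is the property the recovery-agent design relies on.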
If an encrypted drive is plugged into an unverified machine, it will likely appear as unformatted, Funk said. The degree of enforcement is likely to vary widely, he predicted. "Some organisations have very stringent requirements. Other enterprises are looking for something that makes it just a little more difficult."
"The killer scenario for BitLocker in Windows 7 is the ability to mandate encryption prior to enabling write access," Funk said. A newly-connected drive can be set to work only as read-only until it has been encrypted; users will be prompted to encrypt the first time the drive is inserted.
The initial encryption request is generally fairly fast, Funk said, though he conceded this might become more of a problem as capacities continue to increase. "It's not really an issue today because drive sizes haven't gotten that big, but they're getting bigger very quickly." For larger drives, a pause option allows the process to be halted if power access or network connectivity becomes a problem.