Full disk encryption
From Wikipedia, the free encyclopedia
Full disk encryption (or whole disk encryption) is a kind of disk encryption software or hardware that encrypts every bit of data that goes on a disk. The term "full disk encryption" is often used to signify that everything on a disk, including the operating system, is encrypted. There are also programs that can encrypt an entire disk but cannot directly encrypt the system partition or boot partition of the operating system (e.g. TrueCrypt, which can fully encrypt, for example, an entire secondary hard disk).
Full disk encryption has several benefits compared to regular file or folder encryption, or encrypted vaults. The following are some benefits of full disk encryption:
- Everything, including the swap space and temporary files, is encrypted. Encrypting these is important, as they can reveal confidential data.
- With full disk encryption, the decision of which files to encrypt is not left up to users.
- Support for pre-boot authentication.
- Immediate data destruction: simply destroying the cryptographic keys renders the contained data useless. However, if security against future attacks (for example, on the cipher or on a leaked key) is a concern, file wiping or physical destruction is advised.
The boot key problem
Full disk encryption for the boot disk has the problem that the blocks where the operating system is stored must be decrypted before the OS boots, meaning that the key has to be available before there is a user interface to ask for a password. This also means that an attacker may be able to use the same mechanism to recover the key, rendering the encryption software useless.
Solutions include:
- Using a TPM to do decryption, making the key inaccessible to normal software
- Using a dongle to store the key, assuming that the user will not allow the dongle to be stolen with the laptop
- Using a boot-time driver that can ask for a password from the user
- Using a network interchange to recover the key, for instance as part of a PXE boot
- Storing the key in an obscure place and hoping for the best
All these possibilities have varying degrees of security, but all are better than an unencrypted disk.
Full disk encryption vs. filesystem-level encryption
Full disk encryption does not replace filesystem-level encryption (file or directory encryption) in all situations. Because full disk encryption uses the same key for the whole disk, all data is decryptable by the operating system once it is powered on. If an attacker has physical access to the powered-on computer and it has no hardware protection, they can circumvent the encryption. Filesystem-level encryption, however, typically allows different keys for different files, so an attacker cannot discover the key for files that are not in use. For this reason, full disk encryption is sometimes used in conjunction with filesystem-level encryption.
Unlike full disk encryption, filesystem-level encryption does not typically encrypt filesystem metadata, such as the directory structure, file names, modification timestamps or sizes.
Full disk encryption and Trusted Platform Module
A Trusted Platform Module is a hardware chip embedded on the motherboard that can be used to authenticate a hardware device. Since each TPM chip is unique to a particular device, it is capable of performing platform authentication: it can be used to verify that the system seeking access is the expected system.
A limited number of full disk encryption solutions have support for Trusted Platform Module (TPM). These implementations can wrap the decryption key using the TPM, thus tying the HDD to a particular device. If the HDD is removed from that particular device and placed in another, the decryption process will fail even if the attacker has the decryption password or token.
Implementations
There are multiple tools available on the market that allow for full disk encryption, but they vary greatly. They fall into two main categories: hardware based and software based. Hardware based full disk encryption solutions are considerably faster than software based ones and usually produce no overhead for the CPU or the HDD. Software based solutions, while inexpensive, create considerable overhead for the CPU, depending on the type of encryption used.
A limited number of full disk encryption solutions also support TPM to tie encrypted data to a particular platform. While the solutions that ship with HP and Dell laptops do not provide TPM enabled full disk encryption, Secude's Secure Notebook, a software product, and Seagate Technology's Momentus FDE.2 HDD, a hardware solution, do.
Microsoft Windows Vista will include a form of full disk encryption by the name of BitLocker Drive Encryption. It can utilize a TPM. However, its key recovery capabilities are limited.
Wave Systems, a maker of a range of trusted computing solutions, announced an agreement with Dell on December 8th to market a plug-in for the Seagate FDE drive that handles TPM key management and recovery and is interoperable with all TPMs.
Password/data recovery mechanism
A secure recovery mechanism is essential to the large-scale deployment of any FDE solution in an enterprise. The solution must provide an easy but secure way to recover passwords (and, most importantly, data) in case a user leaves the company without notice or forgets the password.
Challenge/response password recovery mechanism
A challenge/response password recovery mechanism allows the password to be recovered in a secure manner. It is offered by a limited number of FDE solutions.
Some benefits of challenge/response password recovery:
- No need for the user to carry a disc with recovery encryption key.
- No secret data is exchanged during the recovery process.
- No information can be sniffed.
- Does not require a network connection, i.e. it works for users at a remote location.
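An added example (not taken from any FDE product) of how such a challenge/response recovery can be built, and why the benefits above hold: the locked machine shows a random single-use challenge, the user reads it to the helpdesk over the phone, and the helpdesk returns a short response that is an HMAC over the machine id and the challenge under that machine's recovery secret. Nothing secret crosses the line, a sniffed response is useless after the challenge is consumed, and the pre-boot client verifies it offline. The machine id, the 16-character response length and the class names are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

def compute_response(secret: bytes, machine_id: str, challenge: str) -> str:
    """Truncated HMAC over (machine, challenge); reveals nothing about the secret."""
    msg = f"{machine_id}:{challenge}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.b32encode(digest)[:16].decode()   # 16 typeable characters

class Helpdesk:
    """Enterprise side: holds each machine's recovery secret in its directory."""
    def __init__(self) -> None:
        self._secrets: dict = {}
    def enroll(self, machine_id: str) -> bytes:
        self._secrets[machine_id] = secrets.token_bytes(32)
        return self._secrets[machine_id]   # provisioned into the client at install time
    def answer(self, machine_id: str, challenge: str) -> str:
        return compute_response(self._secrets[machine_id], machine_id, challenge)

class PrebootClient:
    """Locked machine: shows a challenge and checks the response, with no network."""
    def __init__(self, machine_id: str, recovery_secret: bytes) -> None:
        self.machine_id = machine_id
        self._secret = recovery_secret
        self._challenge: Optional[str] = None
    def new_challenge(self) -> str:
        self._challenge = secrets.token_hex(8)   # random, single use, readable by phone
        return self._challenge
    def verify(self, response: str) -> bool:
        if self._challenge is None:
            return False
        expected = compute_response(self._secret, self.machine_id, self._challenge)
        self._challenge = None   # one-shot: a sniffed response is useless afterwards
        return hmac.compare_digest(expected, response.strip().upper())

def recovery_session() -> tuple:
    """Constructed walk-through: one good unlock, then two replay attempts."""
    desk = Helpdesk()
    client = PrebootClient("LAPTOP-42", desk.enroll("LAPTOP-42"))   # constructed id
    ch = client.new_challenge()
    resp = desk.answer("LAPTOP-42", ch)   # user reads ch out, types resp in
    unlocked = client.verify(resp)
    replayed = client.verify(resp)        # no live challenge: rejected
    client.new_challenge()
    stale = client.verify(resp)           # old response vs new challenge: rejected
    return unlocked, replayed, stale
```

In a deployment the helpdesk side would also authenticate the caller before answering, which this example leaves out.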