Full disk encryption
From Wikipedia, the free encyclopedia
Full disk encryption (or whole disk encryption) is a kind of disk encryption software or hardware which encrypts every bit of data that goes on a disk. The term "full disk encryption" is often used to signify that everything on a disk including the operating system is encrypted. There are also programs capable of encrypting an entire disk fully but cannot directly encrypt the system partition or boot partition of the operating system (e.g. TrueCrypt, which can fully encrypt, for example, an entire secondary hard disk).
Full disk encryption has several benefits compared to regular file or folder encryption, or encrypted vaults. The following are some benefits of full disk encryption:
- Everything including the swap space and the temporary files are encrypted. Encrypting these files is important, as they can reveal important confidential data.
- With full disk encryption, the decision of which files to encrypt is not left up to users.
- Support for pre-boot authentication.
- Immediate data destruction, as simply destroying the cryptography keys renders the contained data useless. However, if security towards future attacks is a concern, file wiping or physical destruction is advised.
Contents |
[edit] The boot key problem
Full disk encryption for the boot disk has the issue that you have to decrypt the blocks where the operating system is stored before you boot the OS - meaning that the key has to be available before there is a user interface to ask for a password. This also means that an attacker may be able to use the same mechanism to recover the key, rendering the encryption software useless.
Solutions include:
- Using a TPM to do decryption, making the key inaccessible to normal software
- Using a dongle to store the key, assuming that the user will not allow the dongle to be stolen with the laptop
- Using a boot-time driver that can ask for a password from the user
- Using a network interchange to recover the key, for instance as part of a PXE boot
- Store the key in an obscure place and hope for the best
All these possibilities have varying degrees of security, but all are better than an unencrypted disk.
[edit] Full disk encryption vs. filesystem-level encryption
Full disk encryption does not replace (file or directory encryption) in all situations. Disk encryption is sometimes used in conjunction with filesystem-level encryption , resulting in a more secure implementation. Since disk encryption uses the same key for encrypting the whole volume, all data are decryptable when the system runs. If an attacker gains access to the computer at run-time, he has access to all files. Conventional file and folder encryption instead allows different keys for different portion of disk, and thus an attacker cannot extract information from still-encrypted files and folders.
Unlike full disk encryption, filesystem-level encryption does not typically encrypt filesystem metadata, such as the directory structure, file names, modification timestamps or sizes.
[edit] Full disk encryption and Trusted Platform Module
Trusted Platform Module is a hardware chip embedded on the motherboard that can be used to authenticate a hardware device. Since each TPM chip is unique to a particular device, it is capable of performing platform authentication. It can be used to verify that the system seeking the access is the expected system.
A limited number of full disk encryption solutions have support for Trusted Platform Module (TPM). These implementations can wrap the decryption key using the TPM, thus tying the HDD to a particular device. If the HDD is removed from that particular device and placed in another, the decryption process will fail even if the attacker has the decryption password or token.
[edit] Implementations
There are multiple tools available in the market that allow for full disk encryption. However they vary greatly. They are divided into two main categories – hardware based and software based. The hardware based full disk encryption solutions are considerably faster than the software based solutions, and usually produce no overhead for the CPU or the HDD. The software based solutions, while inexpensive, create considerable overhead for the CPU depending on the type of encryption used.
A limited number of full disk encryption solutions also support TPM to tie to encrypted data to a particular platform. While the solutions that ship with HP and Dell laptops do not provide TPM enabled full disk encryption, Secude’s Secure Notebook, a software product, and Seagate Technology’s Momentus FDE.2 HDD, a hardware solution, provide TPM enabled full disk encryption.
Microsoft Windows Vista will include a form of full disk encryption by the name of BitLocker Drive Encryption. It can utilize TPM. However Windows Vista native TPM key recovery capabilities are limited.
US based Wave Systems Corp., a maker of a range of trusted computing solutions, incl. comprehensive TPM key management server solutions, announced an agreement with Dell on December 8th to market a plug-in for the Seagate FDE drive that handles TPM key management and recovery and is interoperable with all TPMs.
[edit] Password/data recovery mechanism
Secure and safe recovery mechanism is essential to the large-scale deployment of the any FDE solutions in an enterprise. The solution must provide an easy but secure way to recover passwords (most importantly data) in case the user leaves the company without notice or forgets the password.
[edit] Challenge/response password recovery mechanism
Challenge/Response password recovery mechanism allows the password to be recovered in a secure manner. It is offered by a limited number of FDE solutions.
Some benefits of challenge/response password recovery:
- No need for the user to carry a disc with recovery encryption key.
- No secret data is exchanged during the recovery process.
- No information can be sniffed.
- Does not require a network connection. i.e. it works for users that are at a remote location.
