Buyer's Guide to Full Disk Encryption
Don't let a lost or stolen laptop put your business at risk. Here's how to prevent a data breach by encrypting your organization's hard drives.
When a corporate laptop goes missing, do you worry about the risk of a data breach? There is good reason for concern: According to recent research by Symantec, 34 percent of data breaches are the result of lost or stolen devices such as laptops.
The good news is that this is a preventable issue. A Full Disk Encryption (FDE) solution can ensure that sensitive information isn't exposed in the event that one of your organization's laptops is lost or stolen.
How It Works
As the name suggests, FDE solutions work by encrypting a system's entire hard drive – including the operating system and all applications and data stored on it. When the system is started, the user is prompted for the encryption key, which enables the system to boot and run normally. As information is read from the disk, it is decrypted on the fly and stored in memory – and any information written to the disk is also encrypted on the fly. Without the encryption key, the data stored on the disk remains inaccessible to thieves and hackers.
FDE differs from File-Level Encryption (FLE) in that it secures all data stored on your hard drives automatically and transparently – including swap files and hidden files that may contain confidential data – without any user intervention. In contrast, FLE only protects specific files that are manually encrypted, and generally depends on the user to perform some action to ensure that files are encrypted before storage.
One drawback of FDE is that it does nothing to protect files "in motion." Once a file is sent via email or copied to a memory stick, it is no longer encrypted. For that reason, you may want to consider deploying FLE in conjunction with FDE, so that users have the option to manually encrypt files that need to be shared with others.
Most FDE products allow administrators to enable users to provide the encryption key for a system at the pre-boot stage in several ways:
- in the form of a password or passphrase;
- by inserting a USB drive containing the key;
- using a one-time password generating device such as an RSA token;
- using some biometric device such as a fingerprint reader (usually connected to a Trusted Platform Module which holds the actual encryption key.)
With many systems, administrators can also specify more than one authentication method, thereby creating a two factor authentication system.
Modern encryption algorithms, when implemented in a Federal Information Processing Standard (FIPS) 140 compliant manner, make it impractical – effectively impossible – for anyone to decrypt data on a drive using FDE without the key. That means that if a user loses or forgets their passphrase, the data on the encrypted drive will be permanently inaccessible unless the encryption part of the FDE product works with a key management system which enables key retrieval – either through a self service system or via a help desk.
FDE systems involve some processor (and therefore power) overhead to carry out the on-the-fly encryption and decryption, and the impact of this depends on the amount of disk I/O that individual applications demand. For users carrying out typical email and office productivity activities, the performance impact is unlikely to be noticeable – but it can be significant for very data-intensive activities such as video processing, unless the computer's main processor and the FDE product both support Intel's AES-NI instructions for hardware accelerated encryption and decryption.
Vulnerability to Attack
No security system is 100 percent secure, and FDE systems can be vulnerable to various attacks including:
- Accessing the encryption key. When users store a USB drive containing the encryption key along with a computer, accessing the encryption key becomes trivial for a thief. Users can also be fooled into revealing their password through social engineering.
- Theft of the laptop while it is running. FDE only protects data when the computer is turned off. That means that if a laptop is stolen while it is running but unattended (or while the user is distracted) the data will be fully accessible to the thief.
- Advanced in-memory techniques. FDE systems require that the encryption keys are held in memory while the system is running. Since the contents of DRAM chips persists for a period of seconds to minutes after a system is shut down, (and this time period can be extended by chilling the DRAM with canned air), it is possible to cut the power to a laptop that has been left unattended and boot it from a memory stick or CD into another operating system and read (and save) the contents of the DRAM. The key can then be extracted from this data and used in a subsequent attack.
It's also worth noting that some software applications place information on the main drive's boot sector, and this can get overwritten by FDE systems, causing them to stop working.
Overview of Leading Full Disk Encryption Products
Key things to look for when evaluating a FDE purchase are:
- Operating system support
- Authentication methods
- Key management systems and recovery options
- FIPS-140 compliant encryption modules
- Support for Intel AES-NI instructions
Here's an overview of some of the leading FDE vendors:
Check Point Full Disk Encryption. Check Point's FDE product works with Windows, Linux, and OS X. Multi-factor authentication options, such as certificate-based Smartcards and dynamic tokens, are supported.
The FDE system can be centrally managed by Check Point's Endpoint Policy Management Software Blade, enabling central policy administration, enforcement, and logging from a single console. Remote password change and one-time login remote help options are available for users who may have forgotten their passwords or lost access tokens.
McAfee Endpoint Encryption. Available for Windows and OS X, McAfee's Endpoint Encryption product provides full-disk encryption with support for AES-NI hardware acceleration.
McAfee ePolicy Orchestrator (ePO) management infrastructure provides centralized deployment, management, shared policy administration, password recovery, monitoring, reporting, auditing, and proof of protection. Access control includes two- and three-factor, pre-boot authentication.
Microsoft BitLocker Drive Encryption. BitLocker is included in the Ultimate and Enterprise versions of Windows 7, but not in the lower end versions. Once BitLocker is turned on, all files saved to the internal hard drive are encrypted automatically. It can also be used to encrypt external storage devices such as USB drives, using a feature called BitLocker To Go.
BitLocker can use an enterprise's existing Active Directory Domain Services (AD DS) infrastructure to remotely store recovery keys. The system provides a wizard for setup and management, as well as extensibility and manageability through a Windows Management Instrumentation (WMI) interface with scripting support. BitLocker also has a recovery console integrated into the early boot process to enable the user or helpdesk personnel to regain access to a locked computer.
Sophos SafeGuard Enterprise. Sophos's FDE product is available for Windows and OS X, and supports AES-NI instructions. It supports pre-boot user authentication with a password, token, smartcard, biometrics or key ring, as well as corporate Single Sign On (SSO) systems. Sophos' key management system provides recovery options for keys, data and forgotten passwords.
Symantec PGP Whole Disk Encryption. Available for Windows, OS X, and Linux systems, Symantec's PGP Whole Disk Encryption supports AES-NI instructions in all three operating systems when available. Users can authenticate using smart card, Trusted Platform Module (TPM), or passphrase.
Protected systems can be centrally managed by Symantec's PGP Universal Server – simplifying deployment, policy creation, key management, and reporting. Passphrase and machine recovery options include local self-recovery with question and answer authentication, and one-time-use tokens.
TrueCrypt. This free, open-source full disk encryption software is available for Windows, OS X, and Linux. It also supports AES-NI instructions.
TrueCrypt's main benefit is that it is free, which may be appealing to owners of very small businesses. However, it includes no key management system, so if a passphrase gets forgotten then there is no way to decrypt and access a drive. This shortcoming makes it unsuitable for use in anything but very small implementations.
WinMagic SecureDoc Disk Encryption. WinMagic's software provides FDE for Windows, OS X, and Linux. Pre-boot authentication is carried out using password, tokens, smartcards, biometrics and SSO systems.
SecureDoc is available in a standalone version, or as part of a centrally-managed whole disk encryption solution deployed from SecureDoc Enterprise Server (SES). SES provides a console that enables the configuration of users, groups, and profiles as well as key management, with integration with Active Directory.
Key management with SecureDoc is achieved using an encrypted database to store/escrow all keys for encrypted endpoints managed by SES. In the event of lost tokens or forgotten passwords, self-help and/or helpdesk-based challenge-response options enable password recovery.
Paul Rubens is an award-winning technology journalist who has been covering IT security for over 20 years. He has written for leading international publications including The Economist, The Times, The Financial Times, The Guardian, the BBC, and Computing.