FDE (Full Disk Encryption) Hard Drive
We talk a lot about data security nowadays. From time to time we hear of people losing their computers, where the value of the lost data exceeds the value of the hardware by several orders of magnitude. Yes, we all know we can encrypt data. But the encryption solutions available so far have always required a trade-off. Being more secure used to mean putting more work into what you were doing. Set up some encryption software. Remember to encrypt files. Be careful where you store your encryption keys. And do not lose them. But do not keep them together with your data. And so on...
Windows NT introduced the encrypting file system a while ago. But it was never perfect. The encryption keys were stored on the same disk drive as the protected data. Not a good solution at all, as if the drive was stolen, the thieves could recover the keys and decrypt the data. And not many people went to the extremes of storing keys on a separate device, like a USB dongle. And even if a dongle was used, the keys left it temporarily, as most of the encryption algorithms were run by the main CPU, so the key had to be extracted from the dongle into main memory. And in many cases that was just enough to make the entire protection very vulnerable. As in this case: http://blog.wired.com/27bstroke6/2008/02/researchers-dis.html.
Of course there are more secure ways to handle encryption - do not let the keys leave the security dongle, just let the dongle encrypt your data. Yes, fine, but in this case the data has to be passed to the security device, encrypted there and passed back. Slooooowwww..... Hard drives are already the slowest components of modern computers, so why slow things down even more?
Then Windows Vista came along with its BitLocker encryption engine. BitLocker is clever, as it relies on the TPM (Trusted Platform Module) - the security chip on the motherboard. The TPM is engineered to securely generate and store encryption keys. They are released from the TPM as needed, but as the encryption is again handled by the main processor, the key has to leave the secure TPM module. To be honest, when I got my new laptop two months ago, I was tempted to try the Vista BitLocker feature. Until I learned it was not available in Vista Business and I really was not in the mood to do any upgrades to the OS I was having a hard time falling in love with. The only thing I did was check the number of BitLocker-related bugs in the Microsoft Knowledge Base. The list was long. With scary titles signaling potential data loss or recovery problems. No thank you. And of course, as BitLocker is an OS-level solution, using it degrades performance (who would want that?).
At Telecosm 2007 I spent a few hours at the bar with Steven Sprague. Steven is the CEO of Wave Systems (http://www.wave.com/). Wave is the leader in security applications and a company behind the entire TPM concept. While I am not a big fan of the TPM itself (at least not for all the applications), I was really interested in the FDE drives Wave made together with Seagate (the so-called Seagate Momentus FDE). An FDE drive, in short, is a disk drive with a security processor on board, encrypting the data on the fly. Steven explained to me that the FDE drive did not require any special support from the OS. The drive is fully autonomous. All it needs is a BIOS supporting ATA Security commands. The security chip on the drive generates a unique AES key to encrypt all data. When the drive is not locked, the key is always released by the security processor and data is transparently encrypted on writes and decrypted on reads. Hence it works just like a normal drive; you can write / read anything to it. The only difference is that what is actually written to the drive platters is AES-encrypted. When you lock the drive (by setting a password in the BIOS), the password you set is a wrapper for the key. The security chip on the drive releases the key only when you enter the right password at boot time. Easy and transparent. Buy an FDE drive, install whatever you need on it (the OS and your programs and data) and when you are happy, just set the BIOS password. The data has already been encrypted, and by setting the password you are taking control of the encryption key.
Today FDE drives are the most secure option to protect your data on a hard drive. And they are the least troublesome option at the same time. From the user's perspective, the overhead is very low - just entering a password at boot time. No extra software, installation, maintenance, or special partitioning needed... Almost plug and play. Plus there is one extra benefit. When you want to wipe the drive, instead of reformatting it, just drop the encryption key. The data left on the drive will be just noise from that point.
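The key-handling model described in the two paragraphs above, as an added example (not code from the post, Wave, Seagate or Hitachi): the data key is generated inside the drive and never exported, the BIOS password only wraps it, a wrong password unwraps nothing, and a crypto-erase just discards the key. The standard library has no AES, so the drive's AES engine is replaced here by an HMAC-SHA256 counter-mode keystream; everything else (sector numbering, PBKDF2 iterations, 512-byte sectors) is an assumption for illustration.

```python
import hashlib
import hmac
import secrets

# Stand-in for the drive's AES engine (stdlib ships no AES): an HMAC-SHA256
# keystream in counter mode, XORed over the data. Same structure, different primitive.
def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

class FdeDrive:
    """Model of a self-encrypting drive: the data key (DEK) is born in the 'security chip'
    and is never exported; a password only wraps it."""
    def __init__(self, sectors: int = 8):
        self._dek = secrets.token_bytes(32)        # generated on the drive, never leaves it
        self._salt = secrets.token_bytes(16)
        self._wrapped = None                       # (wrapped DEK, check tag) once a password is set
        self._platters = [bytes(512)] * sectors    # what is physically stored: ciphertext only
    def write(self, lba: int, data: bytes) -> None:
        if self._dek is None: raise PermissionError("drive is locked")
        self._platters[lba] = _xor_stream(self._dek, lba.to_bytes(8, "big"), data)
    def read(self, lba: int) -> bytes:
        if self._dek is None: raise PermissionError("drive is locked")
        return _xor_stream(self._dek, lba.to_bytes(8, "big"), self._platters[lba])
    def raw_platter(self, lba: int) -> bytes:      # what someone pulling the platters would see
        return self._platters[lba]
    def set_password(self, password: str) -> None:
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)
        tag = hmac.new(kek, self._dek, hashlib.sha256).digest()   # lets unlock() reject a wrong password
        self._wrapped = (_xor_stream(kek, b"wrap", self._dek), tag)
    def power_off(self) -> None:
        if self._wrapped is not None:              # a locked drive forgets the plain DEK when power drops
            self._dek = None
    def unlock(self, password: str) -> bool:
        if self._wrapped is None: return True      # no password set: the drive is open anyway
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)
        candidate = _xor_stream(kek, b"wrap", self._wrapped[0])
        expected = hmac.new(kek, candidate, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, self._wrapped[1]):
            return False                           # wrong password: the chip keeps the key to itself
        self._dek = candidate
        return True
    def crypto_erase(self) -> None:                # "drop the key": old ciphertext becomes noise
        self._dek, self._wrapped = secrets.token_bytes(32), None
```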
I upgraded my Thinkpad to an FDE drive last week. Instead of Seagate I went for the Hitachi 7K200. The Hitachi drive is based on the same concept, yet is more spacious and faster than the Seagate (7200 vs 5400 RPM). The upgrade was a piece of cake by means of Acronis Migrate Easy 7.0. The entire migration process took less than 3 hours. And now my data is secure. One day every drive will be an FDE drive...
PS. A couple of good links if you would like to dig a little deeper into the FDE subject:
http://www.wwpi.com/index.php?option=com_content&task=view&id=2943&Itemid=44
http://www.wwpi.com/index.php?option=com_content&task=view&id=2669&Itemid=129
http://security-basics.blogspot.com/2007/01/introduction-to-full-disk-encryption.html