Full Disk Protection for Your System

February, 2010

Prepared by: Farhan Badshah

11417 Sunset Hills Road, Suite 228 Reston, VA – 20190 Tel: (703)-437-9451 Fax: (703) 437 -9452 http://www.electrosoft-inc.com

Full Protection for Your System Introduction • Potential to encrypt every bit of data On June 23, 2006, the Office of – this includes paging files and Management and Budget (OMB) temporary data files released a memorandum on the • Easy to use – does not require user’s Protection of Sensitive Agency discretion on what files need to be Information as guidance to provide encrypted safeguards to protect remote information • Support for pre-boot authentication – systems. Clay Johnson, the Deputy provides access control and prevents Director of OMB, made a unauthorized users from gaining recommendation on the protection of access to encrypted data these systems, stating: • Data can be wiped instantly – system is cleansed of data when the latter is “Encrypt all data on mobile no longer needed computers/devices which carry agency data unless the data is determined to be There are also concerns that arise when non-sensitive, in writing, by your Deputy dealing with FDE solutions because it Secretary or an individual he/she may encrypts the hard drive as a whole. A designate in writing.” problem that may arise with this solution is if an attacker can gain access at run- Today, mobile devices are becoming an time, then he has access to the entire integral part of many organizations’ hard drive. daily operations. These devices sometimes hold sensitive data and are To combat this issue, FDE has usually insufficiently secured from with features capable of encrypting not unauthorized access. only at the hard drive level, but at the file level. This is known as providing This brings us to the main question: encryption through Layering. What technology is available today to protect the information stored on mobile Layering devices? FDE can provide encryption at various The answer lies in Full Disk Encryption levels, either separately or (FDE). simultaneously. Layering can occur at the following levels: Full Disk Encryption • Disk partitions can be encrypted – an FDE, also known as “Whole Disk example of this is would be the C Encryption” utilizes hardware and/or Drive in the Windows Operating software components to encrypt stored System. data. • Specific files can be encrypted – If the hard drive is encrypted, and an FDE provides the following benefits: attacker gains access at the hard ______February 2010 2 Full Disk Encryption Protection for Your System drive level, the attacker will have to the hardware. go through another layer to access specific files that are encrypted. Below is an example of how TPM • Page files can be encrypted – page performs platform authentication: files (also known as swap space in Linux) reside on the hard drive and A laptop contains an internal hard function as additional Random drive which is encrypted using Access Memory (RAM). Windows Bit Locker and • The hibernation file can also be the hard drive becomes unique to encrypted – hibernation mode skips that particular machine. Since TPM the initial start up process and contains cryptographic keys, it also resumes back to the state of the stores the decryption key, thus tying system it was last in. With this file the hard drive to the chip. encrypted, users will receive a login TPM can verify that the hard drive prompt before they can access the in the laptop seeking access is the system. expected system. Therefore, if the hard drive was removed from the laptop and swapped into another machine, the hard drive would be Some FDE solutions leverage the use unable to decrypt because the TPM of a Trusted Platform Module is not present to authenticate that (TPM). A TPM is a processing chip device. embedded on the of mobile devices that can perform A major concern with TPM is that it cryptographic functions. can potentially be a single point of failure. Damage to the TPM can It also provides capabilities such as prevent recovery of the encrypted remote attestation. Remote data on the hard drive, especially if attestation creates a hash key the decryption key is stored in the summary for software configuration. TPM. The hash summary key is decided by the program encrypting the data. Hardware and Software Tools Doing this allows third party vendors and other FDE solutions to verify FDE can come in the form of a that the software has not been hardware solution, a software changed. solution, or a combination of hardware and software. Additionally, TPM is capable of performing platform authentication Since 2006, many of the new laptop (e.g. Microsoft Windows Bit Locker) machines have shipped with a built- and can be used to store the in TPM chip on the motherboard. In encryption and decryption keys in future, there are plans to deploy built-in TPM chips in other mobile

______February 2010 3 Full Disk Encryption Protection for Your System devices, such as cell-phones and these types of situations. For PDA’s. example, a user may have forgotten his or her recovery password or may The hardware tools are significantly have left the company. How can the faster and produce no overhead for data be recovered? the CPU and hard drive. These types of tools contain pre-boot When deploying FDE solutions on a authentication and a BIOS password large scale, the solution must provide for basic access control. an easy and secure way to recover encrypted data. For example, there Other examples of hardware FDE may be times when an employee tools include external hard drives leaves the company without notice or and flash drives with built-in forgets his or her password. In this encryption mechanisms. Hardware case, a challenge/response password based FDE solutions are more recovery mechanism allows the appropriate for smaller password to be recovered in a secure organizations. For example, manner. There are a few FDE implementing password recovery solutions that have this capability mechanisms is easier with smaller and using this recovery mechanism companies because of fewer costs can provide the following benefits: associated with help desk operatives. In these types of environments, the • Encryption keys are centrally user is responsible for protecting managed – does not require the their own data and not having to rely user to carry a disc with the on support. encryption key • Protection against disclosure of Software-based FDE solutions are sensitive data – during the more commonly used than hardware recovery process, sensitive data based tools. Enterprises and major is not revealed to help desk corporations tend to leverage the use personnel of software-based solutions since • Offline flexibility – a network they can be centrally-managed, connection is not required for provide more features, and offer recovery, as long as the user can flexibility with network integration. contact support via phone

Recovery Mechanisms Security Issues

Encrypting your hard drive data with FDE solutions provide greater the use of cryptographic keys is an security for your data, but there are essential security safeguard. But some known issues to be aware of. what if the decryption key is corrupted or lost? Password recovery Most FDE solutions are vulnerable mechanisms play a critical role in to a cold boot attack. This type of

______February 2010 4 Full Disk Encryption Protection for Your System attack occurs when encryption keys are stolen prior to into the . From an Success attacker’s perspective, here is how a cold boot attack would work: It is important for enterprises to place an emphasis on security in order to protect 1. The attacker would perform a their work and intellectual property, and soft- of the system. FDE solutions can help. Whether it is 2. The attacker would reconfigure hardware or a software solution, the boot device priority from the enterprises and small organizations must BIOS settings. determine what the right solution is for 3. As the system is starting up, the them and implement it effectively to attacker would insert a boot disk protect the data on their systems. With that runs an executable file to FDE, companies can easily manage and capture the decryption key. protect data. In addition, FDE is capable 4. After the executable file is of securing data on the hard drive as well finished running from the boot as the file system level. Other FDE disk, the attacker would then solutions include pre-boot authentication analyze the data and identify the and provides the capability of wiping out decryption key. data instantly without having to go 5. Once identified, the attacker through the troubles of physically would boot the system normally destroying the hard drive. Finally, FDE and use the decryption key to also provides an easy way to manage gain access to the system. password and data recovery

The counter-measure to this attack is to What steps are you taking to protect password protect the access to the BIOS your data? Does your organization settings of the system. This will prevent implement FDE? the attacker from changing the boot priority device, and more importantly, will decrease the chance of a cold boot References attack from occurring. [1]http://www.whitehouse.gov/omb/me GSA Approved Products moranda/fy2006/m06-16.pdf

The following are examples of [2]https://www.gsaadvantage.gov/advgs encryption products that provide FDE a/advantage/main/start_page.do solutions that are approved by the GSA: [3]http://www.reuters.com/article/pressR • Bit Armor Solutions elease/idUS123915+14-Oct- • GuardianEdge 2009+BW20091014 • CheckPoint (PointSec) • PGP ______February 2010 5 Full Disk Encryption Protection for Your System [4]http://var.immixgroup.com/contracts/ gsa70_pricing.cfm?client_id=110&contr act=GS-35F-0330J

[5]http://en.wikipedia.org/wiki/Full_disk _encryption

[6]http://en.wikipedia.org/wiki/Trusted_ Platform_Module

[7] http://www.microsoft.com/windows/win dows-vista/features/bitlocker.aspx

[8] http://www.guardianedge.com/

[9] http://www.pgp.com/

[10] http://www.checkpoint.com/products/dat asecurity/pc/

______February 2010 6