Coming soon: Full-disk encryption for all

A lot has been written about full-disk encryption and its positive impact on reducing data theft. However, for a variety of reasons -- cost, negative performance hits -- many organizations have yet to adopt the technology. Further, full-disk encryption is not yet widely adopted in the data center. All that is about to change. Read on to learn about what's coming for full-disk encryption.

Last month, the Trusted Computing Group (TCG), a not-for-profit organization that promotes open standards for hardware-enabled security technologies, released final specifications detailing the standards by which all hard drives will have the capability built-in to enforce encryption at the hardware level. Of course, not all data breaches are the result of lost or stolen hardware, but by including an encryption option right in the actual storage device, organizations can completely close one possible avenue of entry when it comes to loss of sensitive information. Now, if one of your executives is on a business trip and loses his laptop while traveling, worries about possible information loss can go away.

The specifications developed by the team of hard drive manufacturers operate at a level that does not impact overall system performance. Today's most common encryption methods operate between the operating system and the hardware, imposing performance penalties that can sometimes be noticeable.

There are a total of four standards covering various storage elements. From the specification documents themselves:

  • TCG Storage Work Group Security Subsystem Class: Opal. The Opal SSC is an implementation profile for Storage Devices built to: 1) Protect the confidentiality of stored user data against unauthorized access once it leaves the owner's control (involving a power cycle and subsequent deauthentication); 2) Enable interoperability between multiple SD vendors. Think individual computers.
  • TCG Storage Work Group Security Subsystem Class: Enterprise. This specification is an implementation profile for trusted storage devices commonly deployed within Enterprise-class systems. It provides storage device implementation requirements needed to guarantee interoperability between storage devices from different vendors. Enterprise-class systems often deploy a mix of cross-vendor storage devices and interoperability is therefore key, both for non-trusted and trusted storage devices. This specification defines a limited set of TCG Trusted Storage functionality that, combined with Full Disk Encryption (FDE), protects the confidentiality of user data at rest. Only a single threat scenario is addressed: removal of the storage device from its host system involving a power cycle of the storage device and subsequent unauthorized access to data stored on that device. This covers the enterprise space.
  • TCG Storage Interface Interactions Specification. This document defines for each interface: 1) Mapping of interface events to TCG resets; 2) Mapping of IF-SEND, IF-RECV; 3) Handling of common TPer errors; 4) Discovery of security capabilities; 5) Miscellaneous issues. In short, this is the communications portion of the standard - think IDE, SCSI, etc.
  • Trusted Computing Group Optical Storage Subgroup FAQ. Defines a set of encryption standards that can be applied to optical storage. Note that only optical storage is included in this particular document. Other removable storage types, such as flash and solid state drives and tape devices, are not covered.

The hard drive standards have been developed jointly by Fujitsu, Hitachi, Samsung, Seagate, Toshiba, and Western Digital so that there is deep interoperability between different vendors. I believe it's a matter of time before governments pass laws related to full-disk encryption, so these kinds of cooperative standards are welcome, as they will hopefully result in minimal consumer impact while providing maximum protection.

About

Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...

15 comments
esalkin

Just what we need. Washington and/or the EU telling us how our hard drives should work. By the time they are done the law will provide the following: A backdoor for the feds. A low "carbon footprint" standard. Corporate hiring requirements. A fee to compensate the recording industry. A VAT that will fund the committee chairman's pet project. And a requirement that some sort of encryption standard be added within a decade or longer if necessary.

alexstern2004

It's excellent! - The most desirable hardware innovation together with x64 Notebooks

dogknees

We'll have home PC users losing their keys and locking themselves out of their PCs by the million. There's not likely to be a simple workaround if the encryption is mandated by law. Anybody want to start a key-escrow service?

husserl

There are of course chicken and egg problems here, but keeping passwords in an Oubliette seems to be one avenue worth considering. Tranglos Software supply a free one, and Mirek Wojtowicz supplies the very free "PINs", which uses Blowfish encryption (his is standalone, can be run from a USB stick, doesn't need to be installed). Of course it is a password to be remembered and changed. In the case of Mirek's PINs it has a few very useful features, including the ability to generate complex passwords of user specified length, character type and so on. The programme is only 413 Kb and doesn't seem to demand much of the CPU. That leaves the USB stick problem. Having recently been unable to find mine, imagining all sorts of problems, I have considered drive encryption for the USB stick. Chicken, egg. (Shrug)

Ed-M

We've been using a customised, corporate implementation of Utimaco's SafeGuard Easy for years. The challenge/response tools make lost or forgotten user logins easily solvable. This also enables us to automatically enforce minimum passphrase quality requirements. However, due to poor compatibility with Vista, we are shifting to TrueCrypt for new users. We have the advantage of being able to force TrueCrypt users to encrypt AND send us a copy of their key (for future lost login support) because they can't have their new email account and other services enabled until they do. We have a global non-networked constituency, so we must rely on spot checks or other means to make sure remote users are complying with our HD encryption requirements. If they aren't, we disable their email account, forcing them to contact us to find out why and then explain to us why they aren't encrypted. If you're serious about corporate data security, and want to have a way to enforce consistent and universal compliance to both implementation and standards, at some point you have to get a little draconian and withhold certain desirable but non-mission-critical services until users are in compliance.

The Scummy One

will have the ability to be encrypted at a HW level, that does not mean that everyone will be encrypted. Basically, it adds the ability, however it may go unused. That said, I am currently on a team looking to encrypt our entire department, full disk encryption. Running tests now (out of Beta, and onto pilot) -- so far, so good. Still running into things that need to be taken care of before going live though.

vindasel

I use Truecrypt to encrypt a 160GB drive to store my personal files- financial records and a few work related files. So far, nothing nasty has happened to it. I hope it stays that way. Although I have the backup of the data in a physically separate location, I am not too keen on going head to head with Truecrypt to get my data back.

dogknees

There would still be lots of people who wouldn't realise the consequence of losing their keys. Most only have one PC, if they're locked out of it, then they can't access the net, and they can't run anything locally because they're locked out. People love the thought of encryption and security, but don't realise the costs and dangers involved in using it.

dogknees

I was referring to home users. It's relatively easy in a corporate environment, but your average user will think, "mmm, encryption, that sounds like a good idea,...., damn encryption ate all my photos!". Somebody save me!!

Michael Jay

Our company is going with Pointsec, on all PCs, both desktop and laptop. Seems to work well with only a slight slowdown in performance.

husserl

Yes, and I continually wrestle with the problem of security from this angle and many others. In point of fact, the hold that a certain exploit has over users, by encrypting their data and holding it to ransom, is predicated on this phenomenon. Suffice to say that I am going to experiment with encryption on one relatively unimportant machine. Whether to have merely a container or a whole drive encrypted is one of the questions that I am tackling. FWIW, I had not lost the USB stick I mentioned. It was safely stowed in an area with a secure perimeter and an intrusion alarm, controlled by only me. I needed this scare.

The Scummy One

now, will the average joe use it, or lose their data? ?:| It still appears that it must be turned on, so my guess is that many people will not do it :( One reason I like BitLocker is that it does the full disk, and is active before the HDD can be accessed (and before Win loads), yet I still have plenty of ways to access the data, swap the drive into other machines, etc. once I provide the recovery key. However, it is a brick if I don't have it.

The Scummy One

seems to be what is available for us. Other than that EFS for XP. However with EFS, we won't be doing full disk encryption. With BitLocker we can put the key on a server for the helpdesk to access if needed. Only a few problems. The main one is that systems here are slow (I know, I mention it often), so sometimes -- well a little more than sometimes perhaps -- people just press the power button and hold it to shutdown. Well, with Vista, if you do this, it wants to run the boot problem manager (whateverthehellitiscalled). Anyway, when it runs BitLocker needs the full recovery key to boot :0 I guess people will learn when their system seems hung -- wait anyway :0 Edit: Anyway, I like BitLocker -- I haven't noticed any slowdowns at all (out of the normal) :)
