Disk Encryption 101

Encryption is one of the basic ways by which organizations and individuals can help to protect their information and that of their clients. Modern encryption algorithms make it impossible for someone to read the data without access to the secret key. As a result, the breach of encrypted data is not considered reportable under regulations like HIPAA.

Lost and stolen devices represent a significant threat to organizational cybersecurity. In fact, 45% of data breaches in the healthcare field are caused by lost or stolen devices. Any steps that organizations can take, like full-disk encryption, can help to reduce or eliminate the threat of these kinds of breaches.

What is disk encryption?

Encryption algorithms are designed to take data and a secret key as output and produce an obfuscated form of the data that cannot be read without access to the decryption key. For disk encryption, symmetric encryption algorithms are used, meaning that the encryption key and decryption key are the same.

The details of how the encryption key is stored and protected varies based on implementation. One option is to use a Trusted Platform Module (TPM) to store the secret key. Another is to require a password from the user upon boot; the password decrypts the key used to encrypt the disk. The final option is to store the encryption key on a USB drive and require it on boot.

When full-disk encryption is enabled on a computer, every file in the operating system is encrypted using the master encryption key. As a result, someone with access to the computer in a powered-off state cannot read any data on the disk, making it secure against data breaches caused by a lost or stolen device.

Once the user has authenticated to the machine and allowed the encryption key to be released, the computer stores this key in memory while running and uses it for decryption of files as needed. Disk encryption provides no benefit when the computer is running, since the key can be stolen from memory. This makes it important to power off computers (rather than put them to sleep) when not in use.

Why do I need disk encryption?

Disk encryption provides protection against a variety of different attacks that are enabled by physical access to a device. Even without knowledge of the user’s password, an attacker with access to the drive can view and edit the files on it.

An attacker with physical access to a computer also has the potential to bypass traditional authentication and gain access to its files and functionality. Without some form of secure boot or disk encryption, an attacker with a Linux distribution loaded onto a disk or thumb drive can create themselves an administrator account in a matter of moments. Since laptops are designed to be brought out of the office and can easily be lost or stolen, this represents a significant threat to organizational security.

Devices that are discarded are also a treasure trove of data for unscrupulous purchasers. A Rapid7 researcher purchased 85 devices (for about $600) and found that a grand total of two had actually been wiped before being discarded. Automated searches of the data stored on the devices revealed email addresses, dates of birth, Social Security numbers, credit card numbers, driver’s license numbers and passport numbers. Three of the devices used disk encryption but the rest were vulnerable to attack.

By implementing full-disk encryption on your personal and business devices, you protect yourself and your organization from a variety of different threats. An attacker with physical access to the machine can bypass traditional authentication mechanisms, but that provides no benefit if the disk itself is encrypted.

Common disk encryption providers

There are several full disk encryption providers available. However, both Windows and Mac have built-in support for full-disk encryption. Apple’s FileVault and Bitlocker on Windows provide comprehensive protection to the data on your devices while maintaining device usability and convenience.

Apple FileVault

FileVault is the default disk encryption provider on Apple and is available on OS X versions starting with Lion. FileVault uses the account’s password to protect the decryption password and requires users to log into their account in order to access the machine. For more information on how to activate FileVault, visit Apple’s FileVault page.

Windows Bitlocker

Microsoft defines two different types of disk encryption for Windows 10: device encryption and standard Bitlocker encryption. The device encryption option is not available on all devices, but it still uses Bitlocker under the hood.

The main differences between device encryption and standard Bitlocker encryption are that device encryption provides pre-provisioned Bitlocker encryption and uses single sign-on (SSO) when getting encryption keys from the TPM. This use of SSO is designed to protect against cold boot attacks, where an attacker reads decryption keys from a device’s memory after shutdown. For more information on activating Bitlocker, see here.

Installing full-disk encryption

Enabling full-disk encryption is always a good idea from a security perspective; however, it’s important to do it properly. The primary benefit of full-disk encryption is that no one can access the files stored on the machine if they don’t know the secret key. The primary downside of full-disk encryption is that no one can access the files stored on the machine if they don’t know the secret key — including you. If you forget your password (either account password for a TPM or preboot password for password-based) or lose your USB key for decryption, you may not be able to access your encrypted files.

Both Microsoft’s Bitlocker and Apple’s FileVault offer options for recovering from a lost password. On Bitlocker, it’s possible to store recovery information on an Active Directory server and FileVault can back up keys to Apple iCloud. You also can create a local copy of the recovery key that can be used if your traditional method is unavailable. It’s important to properly protect this recovery key, since it can enable an attacker to bypass your disk encryption by going through the recovery procedures.

Protecting your files and machine

There have been an embarrassing number of data breaches caused by lost or stolen laptops and mobile devices. Since these devices often store or have access to extremely sensitive information and are routinely allowed to leave the organization’s premises, it’s necessary to properly protect the data that they contain.

Full-disk encryption solutions are built into both Windows and Mac, making it easy to protect the data stored on personal and business computers alike. When taking advantage of these services, though, it’s important to balance usability and security. While an easy-to-remember password or storing a recovery key in an accessible place may seem convenient, it can also negate all of the advantages provided by the disk encryption software. Choose a strong password for disk encryption and store a copy of the recovery key in a safe place or on cloud storage protected by a strong password and strong recovery questions.

 

Sources

  1. 7 Shocking Statistics That Prove Just How Important Laptop Security Is, Techspective
  2. Buy One Device, Get Data Free: Private Information Remains on Donated Tech, Rapid7
  3. Use FileVault to encrypt the startup disk on your Mac, Apple Support
  4. Turn on device encryption, Windows Support
  5. Overview of BitLocker Device Encryption in Windows 10, Windows IT Pro Center