hard disk encryptions

Full Hard Disk Encryption

Upload: nu-the-open-security-community

Post on 29-Nov-2014


DESCRIPTION

Hard Disk Encryptions by Imran @ null Hyderabad Meet, March, 2011

TRANSCRIPT

Page 1: Hard Disk Encryptions

Full Hard Disk Encryption

Page 2: Hard Disk Encryptions

Agenda

What Why Where When Who can do it How

Page 3: Hard Disk Encryptions

What is encryption

In cryptography, encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key. The result of the process is encrypted information (in

Page 4: Hard Disk Encryptions

What is FDE

Disk encryption uses disk encryption software or hardware to encrypt every bit of data that goes on a disk or disk volume. The term "full disk encryption" (or whole disk encryption) is often used to signify that everything on a disk is encrypted, including the programs that can encrypt bootable operating system partitions. Disk encryption prevents unauthorized access to data storage. (Source: Wikipedia)

Page 5: Hard Disk Encryptions

Why Disk/file Encryption ?

Because (there are infinite reasons to do it):

* It's the last line of defense in case everything else fails

* information is more important than anything else nowadays

* of security, privacy, confidentiality and integrity

Page 6: Hard Disk Encryptions

Where can we use FDE/encryption ?

Everywhere !!!

Page 7: Hard Disk Encryptions

When ?

* It's never too late.

* When you feel it's time!

* When you start taking security seriously!!!

Page 8: Hard Disk Encryptions

Who can do it ?

Page 9: Hard Disk Encryptions

How ?

* Open source to the rescue!

* Easy to use (those pointy clicky things, don't know what?), GUIs

* No major performance hits

Page 10: Hard Disk Encryptions

Here comes interesting stuff

Various types of encryption for different levels.

* Disk controller level

* Volume level

* Disk block level

* Filesystem level

* Directory level

* File level

* Row and column level (for databases)

Page 11: Hard Disk Encryptions

Encryption tools (continued)

The biggest weakness with encryption tools is not the algorithm, but how encryption keys are managed.

Some tools allow only one passphrase, forcing groups of staff to share it, which can result in it being divulged.

Some tools store the passphrase in a weak manner, allowing for easy brute force cracking using rainbow tables or dictionaries.

Some tools may be poorly designed and leave sensitive information out of the

Page 12: Hard Disk Encryptions

Disk controller encryption

Pros

As the encryption is done in hardware, little to no performance loss is encountered.

A secure erase and repurposing of the drive can be done in milliseconds by wiping and generating a new master encryption key.

Cons

Only a select few drives have AES encryption at the drive controller level.

Key management is an issue with some drives, as they may have only one password that would have to be shared among staff.
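The key-management points on the two slides above (one shared passphrase, weakly stored passphrases, and erasing a drive by destroying its master key), as an added Python sketch that is not from the talk or from any tool it names. All function names are hypothetical, and the XOR wrap is a stand-in for the key-wrap cipher a real tool would use.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor; real tools benchmark the host

def derive_kek(passphrase, salt):
    # Salted and iterated: precomputed tables do not apply, and every
    # dictionary guess costs ITERATIONS hash computations.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS)

def xor(a, b):
    # Stand-in for a real key-wrap cipher (assumption of this sketch).
    return bytes(x ^ y for x, y in zip(a, b))

def key_check(master_key):
    # Lets unlock() recognise the right key without storing it.
    return hmac.new(master_key, b"key-check", hashlib.sha256).digest()

def new_header():
    master_key = os.urandom(32)  # the key that actually encrypts the data
    return {"check": key_check(master_key), "slots": {}}, master_key

def add_slot(header, user, passphrase, master_key):
    # Each user gets a private passphrase wrapping the same master key.
    salt = os.urandom(16)
    header["slots"][user] = (salt, xor(master_key, derive_kek(passphrase, salt)))

def unlock(header, passphrase):
    for salt, wrapped in header["slots"].values():
        candidate = xor(wrapped, derive_kek(passphrase, salt))
        if hmac.compare_digest(key_check(candidate), header["check"]):
            return candidate
    return None

def revoke(header, user):
    # Removes one person's access; nobody else changes passphrase.
    header["slots"].pop(user, None)

def crypto_erase(header):
    # With every wrapped copy gone the ciphertext is unrecoverable.
    # On real media the old header sectors must be overwritten too.
    header["slots"].clear()
    header["check"] = b""

if __name__ == "__main__":
    hdr, mk = new_header()
    add_slot(hdr, "alice", "constructed passphrase one", mk)
    print(unlock(hdr, "constructed passphrase one") == mk)
```

Revoking a slot does not help against someone who already copied the master key; that case requires re-encrypting the data under a new key.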

Page 13: Hard Disk Encryptions

Disk/Volume encryption (BitLocker, PGP Whole Disk Encryption)

Pros

Generally excellent key management depending on utility.

Recovery of data by IT staff is doable. BitLocker can store recovery keys in Active Directory, PGP can issue disk recovery tokens.

Encrypts everything on the disk, OS, data, and all. This protects against

Cons

Most are commercially licensed.

Malicious software that manages to get superuser access can pull the master decryption keys from memory and set them aside for later use by an attacker.

May have performance issues if used on volumes with high read/write throughput.

May render data unrecoverable if used with RAID, depending on program.

Only protects if the machine is powered off or volumes are unmounted.

Page 14: Hard Disk Encryptions

Filesystem encryption (EncFS, FileVault)

Pros

Able to resize filesystems without having to copy data or decrypt files.

Backup programs can store the encrypted data.

Users can have their own encrypted directories, protected against a root/admin

Cons

Sensitive data, if stored outside the protected filesystems can be left unprotected.

None have any enterprise level recovery abilities. EncFS only has one passphrase, FileVault can offer a recovery passphrase, but that isn’t scalable.

Page 15: Hard Disk Encryptions

Directory/file level (EFS)

Pros

Excellent recoverability.

Multiple users can have access to groups of encrypted files.

Cons

Confidential information can leak, if stored outside the EFS protected directory.

Unless a backup program uses special semantics to back EFS protected files up, the backup will fail.

Page 16: Hard Disk Encryptions

Row/Column level for databases

Pros

Encryption is independent of the system.

Resistant to compromise even if superuser privileges are obtained by unauthorized entities.

Most new DBMS programs support this.

Cons

Key management is an issue. Where does the app keep its authorization credentials?

Recovery of encrypted data is iffish, depends on the database program.

Sometimes hard to sync up encrypted

Page 17: Hard Disk Encryptions

Hardware assisted encryption (cryptographic tokens)

Pros

Protects against brute force password guessing by either disabling access after a number of password guesses, or adding a significant delay between entries.

Allows a machine to boot unattended while providing hard disk protection (Bitlocker).

Cons

Hardware is sometimes hard to find. For example, it's hard to find machines with an onboard TPM/security chip.

Different drivers required for different cards. There is no real standard for cryptographic token I/O, other than APDU.

Hardware can fail, locking legitimate users out.

Page 18: Hard Disk Encryptions

Demo !!!

1. TrueCrypt

2. EncFS

3. LUKS/cryptsetup

Page 19: Hard Disk Encryptions

Thanks