Why Not Use Full Disk Encryption on Laptops?

Saqib Ali asks: "According to the 2006 Security Breaches Matrix, a large number of the data leaks were caused due to stolen/missing laptops. Mobile devices will be stolen or lost, but one way to easily mitigate the harm is to use Full Disk Encryption (FDE) on all mobile devices. So, why don't we encrypt all our HDDs?" "Cost, and performance impact are the usual arguments.

Analysis shows that the access time increases by 56%-85% after FDE. As HDDs fills up the fragmentation increases and so will the file access time. With FDE, the swap file (system's virtual memory) gets encrypted as well. This will impact the system's performance noticeably when the virtual memory is being used more often.

Encryption key & password management blues follow. What happens when the user forgets his/her new FDE password? How to manage the encryption key backup files? Who has possession of the backups of the encryption keys? What about when the users quits and does not hand over the password / encryption keys? Who can access the system and its encrypted files? How frequently does the password need to be changed? How to prevent the user from writing the passwords down? Using hardware token (RSA Token, smartcard etc) can alleviate many of the password management issues. But these hardware tokens are costly!

Cost for Full Disk Encryption solutions ranges from $0-$300.

Is it not worth using Full Disk Encryption on mobile devices after all the data leaks we have seen in the last few years?"

OSX Makes it Easy

[Above]

System Preferences -> Security. Click "turn on file vault". A few minutes later, you're done.

Also check "Use secure virtual memory" (aka encrypt swap) on the same tab.

Now swap and your home directory (so all important data) is encrypted. The OS and applications are not. As a result performance degredation is minimal.

In the business enviornment the business can set a recovery password in case the user forgets, dies, whatever. The user's login password is the only password they need.

Free. Easy to use, you do nothing. Minimal performance impact. So the real reason most people aren't doing it? They are stuck with Windows bloatware or are ignorant.

This makes no sense

[sheldon]

What do you mean "Why don't we use full disk encryption?"

The company I work for(financial services) has been using this for over a year now. Not just on laptops, but also all desktops in the company.

It's the encrypting file system

and it has been around since Win 2000.

It's not really "full disk" encryption, as it applies to a single file or folder.

See http://www.microsoft.com/technet/prodtechnol/winxp pro/deploy/cryptfs.mspx for more

Re:Vista feature

[Adam9]

That would be BitLocker.

Some data and personal perspective on that point.

[Junta]

This post written from a laptop with a LUKS-root filesystem. I catted a 280 MB file into dev null, it took 17.8 seconds. I copied that file to a filesystem on the exact same drive, umounted the filesystem, remounted it, and tested that, it took 12.5 seconds Top showed the crypt activity as taking about 50% of my cpu in the first case, my Pentium M at the time of measurement clocked only up to 800 MHz to accommodate the load. This test was repeated a few times with a small degree of variation.

Anyway, those metrics are actually more different than I would have expected. I was hoping to demonstrate that the difference isn't that much, but objectively it is disk io performance hit. In general use I don't notice it. I already had a crappy hard drive that was dog slow, and in the end adding encryption made it... still a crappy hard drive that is dog slow, and the extra slowness I didn't even bother perceiving until I tried to measure it. I used this laptop for a few weeks with no encryption, and on the next install did encryption from the get go on everything from /, and didn't notice a problem at all.

eCryptfs

[omnirealm]

A new addition to the 2.6.19 Linux kernel, eCryptfs, addresses many of these problems:

http://ecryptfs.sf.net/

eCryptfs is an actual filesystem operating at the VFS layer of the Linux kernel. It stacks on top of other filesystems like ext3 and encrypts files one at a time, with each file getting its own key.

Who cares about encrypting libc or the x.org libraries? People want to encrypt their financial, medical, and other such data. eCryptfs makes it easy to encrypt only what users want to encrypt.

Some ways that eCryptfs deals with the issues raised:

What happens when the user forgets his/her new FDE password?

The best answer is, ``You're screwed.'' That is the way it should be; without the secret, nobody -- not even you -- can get to the data.

Now, out here in reality, things can't be quite that convenient. Try telling the CEO that his third-quarter reports are lost forever. The next-best thing is intelligent key escrow. I tend to recommend (m,n)-threshold sharing, wherein a certain number of people in a group need to collude (say, 3 out of 5 people in the company) in order to reconstruct the secret value.

eCryptfs userspace tools have a pluggable key management infrastructure, and thus it can keep the secret value in any token device for which a module exists. These hardware devices do not need to be expensive. In fact, Thinkpads come with TPM chips built-in, and a TPM key module already exists for eCryptfs:

http://trousers.sourceforge.net/tpm_keyring2/quick start.html

How to manage the encryption key backup files?> Who has possession of the backups of the encryption keys? What about when the users quits and does not hand over the password / encryption keys?

All of these are addressed with something like (m,n)-threshold sharing:

http://en.wikipedia.org/wiki/Secret_sharing

Also, because eCryptfs encrypts on a per-file basis, an incremental backup utility can just access the encrypted files on the lower filesystem. All of the information needed to decrypt the files is right in the header of each file; all you need is the key.

Who can access the system and its encrypted files?

This is a semantic security problem that the tools should definitely address. eCryptfs, in its current form, provides fairly flexible key management options, but the design goals of eCryptfs are much more ambitious, and they seek to address these sorts of issues:

http://ecryptfs.sourceforge.net/ecryptfs.pdf

How frequently does the password need to be changed?

Ideally, one would use eCryptfs in public key mode, so that is largely a non-issue. The secret can remain locked in a TPM chip, and the key can be escrowed.

How to prevent the user from writing the passwords down?

There is nothing wrong with writing passwords down, as long as the paper on which the passwords are written is stored in a location that can be made at least as secure as is necessary to protect the data that the passwords are protecting. In any event, the secret value can depend on a password *and* something else, like a file. The OpenSSL key module can be used in that way.

Using hardware token (RSA Token, smartcard etc) can alleviate many of the password management issues. But these hardware tokens are costly!

Not really; many laptops shipped today have TPM chips built-in.

Oh, yeah, and all of eCryptfs -- both the kernel and userspace components -- are GPL. Give it a try.

Not a good defense

[Junta]

All the fingerprint and user authentication in the world is a poor defense against someone ripping out the drive, which is easy if the laptop is stolen. That's why it is generally a larger issue on laptops than desktops. Desktops tied to your desk at work have whatever physical security the company has invested in protecting it, leaving it open only to the possiblity of remote attackers (well, within reason, the physical security can be bypassed, but assume a perfect company for discussion). The whole threat of a laptop is physical security breaches, otherwise the discussion wouldn't be laptop-centered. As to not putting confidential stuff on laptops, it is a good idea, but that is a policy rooted in trusting the user to always be vigilant about the confidentiality of the data set they are working, trusting their judgment, and expecting them not to take convenient short cuts at 5pm on a Friday so they can get it done on the weekend without staying late or looking bad on Monday. I use full disk encryption so I don't have to even think about it. I'm fairly sure I have nothing on my laptop remotely of interest to anyone, but I never have to think too hard about it.

FDE is in use in my workplace

[jahurska]

I work as a SW consultant for the mobile sector and all laptops in our firm have encrypted hard drives. The system is so that username and password is asked right when the laptop is booted kinda like bios password and after windows is loaded it automatically logins you to windows with those credentials. It's easy to use, no need to remember any additional passwords and also added benefit is that the administrators can login into it with their credentials if a user forgets his password.

The performance hit is real and noticeable though, but mostly affects hard drive related tasks, so that does not hinder my working too much.

Also all firms that I have been dealing with use encrypted laptops, so in my perspective the FDE is pretty widely used already :).

PGP Whole Disk Encryption

[Simon+Garlick]

http://forums.pgpsupport.com/viewforum.php?f=54&si d=749efb5b59855bac7e1a06eda016e4a9

If you need a reason why people aren't encrypting their disks, visit the PGP Whole Disk Encryption forum and take your pick.

Re:Oh yea, I can hear it now.

[bluephone]

The fingerprint door lock also opened with what was essentially a photocopy of the fingerprint too. A lot easier to store in your wallet and slip by security with than a gelatin finger. :)

Trade off...

[Junta]

The traditional method dm-crypt and cryptoloop used was basically what you say, a hash of the password was used to encrypt the entire disk. Of course, no one ever devised a way to change the password in place, and even if they did, it would require all data on the disk to be re-encrypted. The key used to actually encrypt the data would likely be cryptographically weaker to crack, in theory. If you ever ever write down the password (I don't but some do) and then lose the paper, you can never be sure about the security of your data again short of re-encrypting the whole thing. I think this is probably the single thing people not researching it thoroughly misunderstand, if the technology you see is definitely encryption of a large data set, and you can essentially instantly change the password protecting it, the key used to encrypt the actual data is certainly not the password itself, as it requires a huge amount of effort to change the key on large amounts of encryted data.

In the LUKS scheme the key material used for the very large data set will probably be more cryptographically sound. With a large data set, cryptographically weak keys could more likely be crackable than strong keys, in a large number of the type of attacks historically seen in cryptography. A small data set (data comprised only of the actual key) is generally more resistant to data analysis attacks, so a somewhat weaker password hash based key may be less exposed in that context. If you ever think a malicious user has had opportunity to get your password (the most likely thing in general for an attacker to get), you can change the password and the old key slot be shredded such that the knowledge obtained becomes useless. Sure, the 'master password' being compromised would mean the disk is irrevocably compromised, but that would be the case in the classical strategy anyway, since changing the password isn't feasible. Now if you want to actually re-encrypt data in the way a password change would require in the previous example, you can always reformat with a different key (or re-encrypt in place if implementation allowed), and have the same degree of 'changing the master password' as you put it.

Keep in mind the 'master password' (or rather the actual key) in this context is probably a random 256 bit value. To achieve a comparable level of randomness, a password consisting of typable characters would have to be about 40 characters long consisting of completely random keypresses. If a person is ever in a position to actually get that master key value, you've already lost the data because before they can get to that key they have to:
-Get root privilges while the volume is mounted to get dmsetup table output, but if it's mounted they could just grab the data anyway.
-Get low-level physical access to your hardware to begin to crack the LUKS header of the partition or the content itself. If they are in a position to do so, they could/would image your entire volume and return your drive. In which case no matter what you do to the copy you got back (re-encrypt, change password, whatever), they can continue whatever crypto-analysis they want on their image of the data as it was when they first took it. You may be able to protect newly written data, but whatever risk of breaking the encryption on existing data is permanently there once imaging is possible.
-Get low-level access to your system and somewhere along the chain insert something to dump the key material to them once available. Again, once this is in play, it's already over no matter what you do, if they can dump that table, they can dump the data directly. In this case, let's assume one of those keyboard bugs slashdot had an article a while back was discovered by you in your system. Knowing that your passphrase is potentially compromised, with the key not based directly on the password, but just encrypted by the password, you can re-encrypt the key once the bug is removed and shred the old slot, and their keylog data becomes useless for the purposes of defeating your filesystem encryption. If the master key is essentially whatever you typed, you are significantly more hosed.

Re:Because it's a pain on Linux

[tftp]

I have a laptop here which had a failure of the +5V power supply. The input was +16V (one of IBM Thinkpads), and when applied to a 5V-rated circuits it fried /everything/ in the notebook. I tested the drive - it's dead like a doornail.

There are several ways to encrypt the data on the HDD, and everything depends on how it is done. If you used a 3rd party s/w with a key that is generated from your passphrase then you are good. Just use the same s/w on the replacement computer, and it ought to recognize the drive.

Unfortunately, MS encrypted folders use a key that is uniquely generated for your account, and once you lose the account (on the dead computer) you can't decrypt anything. There are ways to add corporate keys to the system, so that in a company setting it's possible to recover the data; however this is /way/ beyond abilities of a typical user.

Finally, if the TCA is used then the TCA engine and the HDD controller can negotiate crypto keys, and the HDD can encrypt and decrypt data as it writes or reads the platters. This method is very secure because it ties several identities together (the TCA core, the internal HDD key data, the user's password, the account's GUID etc.) and I don't think it's worth trying to break. The good news is that I don't know of any computers today that can do this; maybe Vista will offer this.

Re:Some data and personal perspective on that poin

[lky]

For anyone that wants to experiment with Debian, DM-Crypt and Luks, check out the howtos and/or the USB installer at http://feraga.com./

I've been running lately from a USB Flash Drive (1GB) with everything but /boot encrypted for over a year and haven't had a issue. I'm sure its a little slower but dont notice it much.

This also allows you to leave a full installation with no private or incriminating data on the hard drive so if they ask to see the laptop......just let them.

Re:Because it's a pain on Linux

[TheRaven64]

There are ways to add corporate keys to the system, so that in a company setting it's possible to recover the data; however this is /way/ beyond abilities of a typical user.

Actually, it's trivial to export the keys so you can decrypt the files from a different machine. The problem is that this functionality is not mentioned the first time you encrypt a folder, so you only find out about it when you lose days.