Why Not Use Full Disk Encryption on Laptops?
Saqib Ali asks: "According to the 2006 Security Breaches Matrix, a large number of the data leaks were caused by stolen/missing laptops. Mobile devices will be stolen or lost, but one way to easily mitigate the harm is to use Full Disk Encryption (FDE) on all mobile devices. So, why don't we encrypt all our HDDs?"
"Cost and performance impact are the usual arguments.
Analysis shows that the access time increases by 56%-85% after FDE. As HDDs fill up, fragmentation increases and so will the file access time. With FDE, the swap file (the system's virtual memory) gets encrypted as well. This will impact the system's performance noticeably when the virtual memory is being used more often.
Encryption key & password management blues follow. What happens when the user forgets his/her new FDE password? How to manage the encryption key backup files? Who has possession of the backups of the encryption keys? What about when the user quits and does not hand over the password / encryption keys? Who can access the system and its encrypted files? How frequently does the password need to be changed? How to prevent the user from writing the passwords down? Using hardware tokens (RSA token, smartcard, etc.) can alleviate many of the password management issues. But these hardware tokens are costly!
Cost for Full Disk Encryption solutions ranges from $0-$300.
Is it not worth using Full Disk Encryption on mobile devices after all the data leaks we have seen in the last few years?"
If the summary answers its own questions why even bother posting comments? Except to be a smart-ass (like me).
Philosophy.
Really, we all know that people will forget/lose the password. Or they'll write it down and leave it in the laptop case.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
Doesn't Vista have a built-in feature for full disk (or all but system files) encryption? Can't you even just check off the 'encrypt' option on the properties sheet for your My Docs folder (even on XP) ... or your entire user profile (to cover the Outlook OST etc., though that is already encrypted I believe, or can be configured to be in Outlook).
Most of the key management problems have actually been solved. PGP Disk for a long time had the ability to encrypt using multiple keys, fraction keys (e.g. 3 out of 5 must have their keys to open), key expiration, etc.
The real problem is convenience. People don't like to use secure passphrases each time they turn on their computer. How many people actually used the BIOS password feature? An easier thing would be to use some identification-based (USB fob, fingerprint scanner) access, but the acceptance rate of those is very small.
Unless security is important to them personally, people just don't care. (checking under my keyboard for the root password for all the machines at work)
It's simple, really: We're too busy caring about when one politician calls another politician a "dog" to worry about real things like the environment or information security.
I for one, do use full encryption... Suits me just fine...
But then again, I use Linux. Encryption is actually pretty simple under it for people who actually know how to admin a Linux system.
At one time, I even ran Win2k under VMware from an image on the encrypted disk. Which means the *ENTIRE* win2k "partition" was encrypted -- something that I understand to be impossible when run natively.
The real reasons why most don't do it?
1) Ignorance -- it is not a built-in feature in Windows
2) Hassle -- overtasked IT professionals aren't going to incur extra liability for encrypting a disk, handling lost passwords, etc. (It would be really bad to forget the password)
3) Performance -- Encrypted disks aren't good for high I/O apps... Fortunately, most apps aren't!
I sleep much better, knowing that my data is safe even if I lose possession of it. I have no qualms about storing tax returns, financial records, etc. on my laptop.
Though I'm not very crypto-savvy, there's one thing that I've learned from hard experience about mobile devices and hard drives: they have a very short life span.
Anything with moving parts is bound to break, and if you move it about it'll just break all the faster.
So can't it be a serious problem if your data is encrypted and bytes get knocked out here and there?
Also, mobile devices are usually much slower than stationary ones and will only get slower if they have to apply complex algorithms to all data that goes in and out. And that would probably also put a real big penalty on your battery life.
It boils down to one thing: You have to select a cost-effective level of paranoia. It would make your life infinitely complex to secure yourself against every possible scenario. How important is the secrecy of your data?
Is the juice worth the squeeze?
Besides, how many laptops would then have the password for FDE engraved into them, or with a nice post-it note on them? And what would this password be? Their mother's name? Their birthday? Their dog's name? The street they live on? Users are notorious for using horrendously uncomplicated passwords.
On the other hand, if someone were to use, say, MdLg25GvNtUp35
then yeah, it would be effective. Brute forcing that would take what, 50 years?
Of course if the password must rotate every so often, then users will be CONSTANTLY requesting resets (as someone mentioned a moment ago I believe), which will drive up help-desk costs and also drive productivity down.
The BEST solution is to EDUCATE the user, and have strict IA policies in place. Period.
Full Disk Encryption gives you the access overhead that comes with encryption/decryption for every access to the hard disk. Why not just encrypt the sensitive data if you want to avoid leaks of the sensitive data?
Plus, a lot of the recent newsworthy leaks would be avoided or minimized by using encrypted access to sensitive databases via an application on the laptop, rather than people copying large databases of sensitive data to their laptop to take it home and work on it, and then losing the laptop.
... short of physically taking the hard drive out and reading it or booting from a CD ...
it's not hard to do either
So how is an on-the-road sales guy supposed to work? I would say in most cases ANY employee's email inbox is considered confidential by default. In fact most of the stuff many on-the-road guys will have on their laptops IS confidential, and they NEED those laptops in order to do business. I don't think there is an excuse these days. We have plenty of CPU power available so doing the encryption/decryption in realtime shouldn't be that bad. I mean where I work everyone has a company laptop, and everyone is going to have confidential info on there. There's no way to avoid that.
Technophile
Keep it off portable devices. We grappled with this problem at the bank where I used to work. We opted for Citrix/Remote Desktop inside a VPN tunnel secured via RSA token and accessed via Verizon wireless broadband cards. This kept all non-public information off of laptops, securely stored in our datacenter.
-ted
The point is that whoever ends up with the computer can't access your hard drive and retrieve confidential data.
If someone steals the laptop and can't access the data, all you lost was the laptop, your access to it, and your modifications of the contents (you do have it backed up at the office, don't you)?
If someone steals the laptop and the data is available, you've lost the laptop and your access to it. But you might be able to retrieve your modifications of the contents when they are posted across the Internet for all to see.
Of course, that confidential information may make it into the hands of someone who can use it, so you may also lose the contents of your bank account, find your credit cards charged up, suffer serious damage to your company's public image, possibly several millions of dollars in lawsuits, the wages of the people it takes to deal with the situation, etc.
It is, or at least, it should be, a no-brainer if you have any kind of confidential information at all.
Do you understand what's being discussed here? It's NOT how to keep your laptop from being stolen. It's how to protect its contents in case it IS stolen. Not trying to prevent theft -- trying to make sure your data doesn't fall into the wrong hands.
In a number of contexts, loss of data is a more serious concern than loss of confidentiality. For the vast majority of self-generated data on my hard drive, I would be seriously inconvenienced by the loss of the data, but would not at all mind the data becoming public. For a significantly smaller amount of data, I would seriously mind the data becoming public, but I would more mind losing the data. Only a very small fraction of data on my computer is such that I would mind the data becoming public more than I would losing it.
In such a context, given that FDE makes data recovery harder and more time-consuming, it can make sense to encrypt only that tiny fraction of data where one would more mind its becoming public than one's losing it. In other contexts, it will be different.
There is absolutely no need to encrypt the main hard drive. What? You afraid of someone stealing C:\WINNT?
The simple solution is to use USB disks/keys with encryption and stick all sensitive data on those. You can get 4 Gb solid-state and larger if you use something like an iPod. How many people really need > 4 Gb of secure data available off-net? The vast majority would be fine with fast USB 2.0 memory sticks.
Key escrow solves the "I lost my password" problem as well as the case of employees who leave without telling their boss/replacement the passwords.
For super-secure stuff, make them call home first to check a CRL and validate they still have permission.
For those that don't like the USB stick solution, then partition hard drives and just don't encrypt C:\.
Charles
Learning HOW to think is more important than learning WHAT to think.
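The "3 out of 5" fraction keys mentioned for PGP Disk above and Charles's point that key escrow covers forgotten passwords and departed employees can be shown together in one added example, which is not code from the discussion or from any of the products named: a volume key kept in two slots, one unlocked by the user's passphrase and one reconstructable by any 3 of 5 escrow shares held by IT. It uses only the Python standard library, so XOR with a one-time PBKDF2-derived key stands in for a real key-wrap cipher; the passphrase, salt and share holders are constructed.

```python
import hashlib
import secrets

PRIME = 2**521 - 1      # Mersenne prime; every 256-bit key is < PRIME
KEY_BYTES = 32          # size of the volume key being protected
PBKDF2_ITER = 200_000   # passphrase stretching for slot 1

def wrap_key(volume_key: bytes, passphrase: str, salt: bytes) -> bytes:
    """Slot 1: XOR the volume key with a KEK derived from the passphrase.
    XOR with a one-time PBKDF2 output stands in for AES key wrap here."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              PBKDF2_ITER, len(volume_key))
    return bytes(a ^ b for a, b in zip(volume_key, kek))

def open_slot(wrapped: bytes, passphrase: str, salt: bytes, digest: bytes):
    """Unwrap slot 1 and verify against a stored digest of the volume key.
    Returns the volume key, or None when the passphrase is wrong."""
    candidate = wrap_key(wrapped, passphrase, salt)   # XOR is its own inverse
    return candidate if hashlib.sha256(candidate).digest() == digest else None

def split_key(volume_key: bytes, k: int, n: int):
    """Slot 2 (escrow): Shamir split, any k of the n shares rebuild the key."""
    secret = int.from_bytes(volume_key, "big")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def recover_key(shares) -> bytes:
    """Lagrange interpolation at x = 0 over GF(PRIME); needs k shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret.to_bytes(KEY_BYTES, "big")

def demo() -> bool:
    """Provision a laptop, then recover after the user forgets the passphrase."""
    volume_key = secrets.token_bytes(KEY_BYTES)
    salt, digest = secrets.token_bytes(16), hashlib.sha256(volume_key).digest()
    slot1 = wrap_key(volume_key, "correct horse battery staple", salt)
    escrow = split_key(volume_key, k=3, n=5)     # five IT staff hold one each
    ok_user = open_slot(slot1, "correct horse battery staple", salt, digest) == volume_key
    ok_typo = open_slot(slot1, "correct horse battery stable", salt, digest) is None
    ok_escrow = recover_key([escrow[0], escrow[2], escrow[4]]) == volume_key
    return ok_user and ok_typo and ok_escrow
```

With fewer than three shares the interpolation yields an unrelated field element, which is the property that lets the shares be handed to separate people.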
Anyway why encrypt everything when it is the data (and not all of it) that you want to encrypt?
Because you cannot trust your system to never write this data to another location on the disk.
With USB flash drives up to 4GB, and 100GB+ USB hard drives that will fit in a pocket, why not just keep it on your person (encrypted if necessary)?
We only want a quiet place to finish working while God eats our brains.
--Bruce Sterling
You can only reclaim space from deleted files in FileVault by logging out of the user account. This can be quite annoying.
re: Performance
99% of users won't notice, and I don't care if my user does experience a slight performance hit if it enhances the security of my customers' data (in our tests it was 5 to 10% on IO intensive operations)
re: Anyway why encrypt everything
Your laptop may contain confidential and public data. Your laptop should be secured to the highest classified data on your laptop. In addition - most users are lazy. If I have the choice (and I do) of encrypting the entire laptop or just one or two directories and "trusting" that the user will do the right thing - I will encrypt the entire laptop. It eliminates my need to trust that user. And for users who write their password and paste it on the laptop - our solution is simple - we fire 'em.
re: hassle
I don't get this point at all. It's easier just to enforce whole disk encryption than to rely on the user to make sure the data is encrypted.
You are doing your boss a disfavor if this is how you approve of solving a security problem.
The reason to encrypt the whole drive as opposed to the writable sections is simply convenience - if you've got hardware assistance, it's probably designed to encrypt the whole disk using some crypto chip in the disk controller, and administratively simpler to use, and if you don't have that, it's probably easier to encrypt individual partitions or filesystems, or sometimes directories, rather than hack up some CPU-based driver that encrypts the whole disk.
From a performance standpoint, it's probably faster *not* to encrypt your program filesystems, and as far as encrypting swap goes, you took the big hit when you started to swap anyway, and rotational+seek latency is usually more of a limitation than overall throughput, so if this bothers you, buy some more RAM. Encryption chips on the disk controller are probably faster than CPU software drivers, but not necessarily - your mileage is extremely variable.
Bill Stewart
That's the question that needs to be answered... A security-minded entity (corporate, government, personal) has to ask that question and seriously look at the risk vs. reward of storing the data on a portable device. If the entity in question doesn't look at this perspective of the issue, they ultimately don't care about security in general or enforcing a data storage policy in particular.
When I do consulting work (especially with regards to security), I often compare putting sensitive data on a laptop to making the company's main database directly accessible on the Internet and hoping that whoever attacks it can't exploit it or guess a username/password combination. That will usually scare a few people into thinking about what they are doing, and the others who think that it is alright probably deserve nothing less than getting hacked.
As for disk encryption, it works well IF it is transparent to the user and IF the overall security is indeed strengthened by such encryption, because a weak link like a poor password adds no actual security value where it is expected.
>> Yes, but this ignores one point. If you're encrypting your root filesystem, and you don't want to have to enter a password to simply boot the computer
WTF? You want security but you don't want to enter a password? You want to go swimming without getting wet?
Yes, but this ignores one point. If you're encrypting your root filesystem, and you don't want to have to enter a password to simply boot the computer (as opposed to logging in) then the system has to be able to decrypt the boot record, and all the OS system files to boot the OS to the login prompt (thus not having to enter a password twice, or give a single password to multiple users of the computer, or allow multiple passwords to decrypt the volume).
Using only encrypted filesystems, then the decryption keys for the public areas have to be available unencrypted, because you need to be able to boot enough of the OS to be able to read the filesystem and decode everything.
I'm not sure which part you are confusing. Are you suggesting using FS level encryption for a volume's boot record, or do you not understand that volume level encryption is below the FS level encryption?
Let me try to shed light in both directions...
You wouldn't or shouldn't use a filesystem level encryption in this instance. File System level protection is not a viable choice for volume protection, it is only viable for select files or folders on the volume.
This is why for example NTFS's encryption (Filesystem level) is not meant to encrypt the entire volume, and why Vista's Bitlocker IS DESIGNED to encrypt the Volume. (I know these are MS analogies, but go look up NTFS encryption and then lookup BitLocker.) They give a good pro and con of each concept.
Trying to protect a volume with FS level encryption won't work without a two-key strategy, pre-user authorization and user authorization. In contrast, BitLocker, being below the FS, has a single integrated key concept, yet lies underneath the FS for the volume. This allows the volume to boot, yet leaves it encrypted even while showing the Windows Login Screen.
What you suggest is not possible as it is circular in reasoning. If you want to encrypt the boot record, then you want to encrypt the volume and not just the file system on the volume.
There is no way to encrypt a boot record at the FS level without needing a key or password to access it. So you are right that the volume key would have to be issued prior to boot, and why FS level encryption is not a good option for an entire volume.
I don't think I disagree with you, but I disagree that a FS encryption concept is securely viable for boot record/volume level encryption.
Does this make sense?