Full Disk Encryption: What It Can And Can't Do For Your Data

Protection depends on the implementation -- and on user know-how
  • Pre-boot Attacks: Much has been made recently of attacks on whole-disk encrypted systems that target the pre-boot environment, where much of the initial decrypting is done. That said, most of these attacks (such as the "Stoned" bootkit attack) can only be carried out if the user can be tricked into running a malicious program as administrator -- much more difficult in a managed environment where the end user cannot do such things casually. Nothing, however, precludes such an attack from using an existing software defect to gain privilege elevation, so this should be considered a pervasive if distant threat.

  • In-memory Attacks: More difficult, but still theoretically feasible, is recovering the encryption keys from DRAM after the power has been cut. Some encryption systems have at least partial mitigations for this -- for instance, BitLocker has a policy setting to force the clearing of system memory at restart, which reduces the possibility of a key being recovered from RAM. This should be considered an unlikely method of attack, but at the same time it's worth making use of any countermeasures that might help stave it off -- the biggest being retaining physical control of the encrypted unit at all times!

  • Unencrypted, "Stray" Data: An encrypted system drive doesn't mean other drives in the same system are also encrypted, and it doesn't mean removable drives attached to the system are encrypted by default. This is something best controlled by other system policies -- for instance, by forbidding the use of removable drives, and not allowing other partitions to be created on the same system.

  • Disk Failure: The threat of disk failure poses a whole raft of problems all its own. If an encrypted system disk fails, the data on it is most likely forfeit; data recovery tools need to read directly from the disk, and are generally not aware of on-disk encryption. The odds of this happening are generally low, but with a large enough pool of devices it's guaranteed to happen sooner or later -- so have an encrypted data-backup plan in place, too.

    Because system-disk encryption in software is still relatively new, it probably still has the flavor of something exotic and relatively untested. This isn't far from the truth, especially if you haven't given it a shakedown in your own organization due to questions about the implementation.

    However it's put to use, one key truth should always be in mind: disk encryption is not security. Or, rather, disk encryption is not the sum total of security for a system; it's one of many things that can enhance security. Full-disk encryption works best when it's part of a total protocol for the care and handling of a piece of hardware constantly on the go.
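As an added example of the kind of policy check the "stray data" point above calls for (this is not code from the article), the following PowerShell audit lists every volume BitLocker is not currently protecting, tags each as fixed or removable, and checks whether the "deny write access to removable drives not protected by BitLocker" policy is set. It assumes the BitLocker module is available, the session is elevated, and the policy value is stored at the documented HKLM FVE path.

```powershell
# Added audit example (not from the article). Flags volumes that an
# encrypted system drive does NOT cover: other partitions and removable
# media, plus the policy that blocks writes to unprotected removable drives.
#Requires -RunAsAdministrator

function Get-StrayVolumeReport {
    [CmdletBinding()]
    param()

    $findings = @()

    # Map "X:" -> Fixed/Removable so each finding says what kind of drive it is.
    $driveType = @{}
    Get-Volume | Where-Object DriveLetter | ForEach-Object {
        $driveType["$($_.DriveLetter):"] = "$($_.DriveType)"
    }

    # Get-BitLockerVolume enumerates every volume BitLocker knows about,
    # including removable drives, not just the operating-system volume.
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.ProtectionStatus -ne 'On') {
            $kind = $driveType[$vol.MountPoint]
            if (-not $kind) { $kind = 'Unknown' }
            $findings += [pscustomobject]@{
                Check   = 'UnprotectedVolume'
                Subject = $vol.MountPoint
                Detail  = "DriveType=$kind VolumeType=$($vol.VolumeType) " +
                          "Status=$($vol.VolumeStatus) Encrypted=$($vol.EncryptionPercentage)%"
            }
        }
    }

    # Policy: "Deny write access to removable drives not protected by BitLocker".
    # Assumed location: the standard BitLocker (FVE) policy key.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $deny = (Get-ItemProperty -Path $policyPath -Name RDVDenyWriteAccess `
                -ErrorAction SilentlyContinue).RDVDenyWriteAccess
    if ($deny -ne 1) {
        $findings += [pscustomobject]@{
            Check   = 'RemovableWritePolicy'
            Subject = "$policyPath\RDVDenyWriteAccess"
            Detail  = 'Not set to 1: unprotected removable drives remain writable'
        }
    }

    return $findings
}

# An empty table means every known volume is protected and the policy is set.
Get-StrayVolumeReport | Format-Table -AutoSize
```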
