Disk encryption

Disk encryption refers to the encryption of an entire hard drive or of individual partitions to prevent unauthorized access to sensitive data.

Methods

Hard drive encryption can be applied to the entire hard drive or to individual partitions. However, the data required for booting must either be available unencrypted on the disk or be decrypted by a special boot manager. Before the data can be used, the user is authenticated (pre-boot authentication), usually by means of a password. Alternatively or in addition, hardware-assisted authentication using a security token or smart card is possible.

Encryption can be carried out or supported by hardware (such as a TPM or hard drives with special firmware). Metaphorically speaking, encryption is like the door of a house: the door may be made of wood or of steel. Applied to hard drives, this means that, for example, a simple XOR function or encryption using the Advanced Encryption Standard (AES) with different key lengths and block modes can be used. The choice of an appropriate encryption method determines how high a level of data security is achieved. For the highest standards of data security, the German Federal Office for Information Security (BSI) recommends encryption in XTS-AES mode.
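The following added example (not from the original article, and not any of the products it names) shows what "XTS-AES mode" means at the sector level: each disk sector is encrypted with the sector number as the XTS tweak, so identical sector contents produce different ciphertext, while a flipped ciphertext bit garbles exactly one 16-byte block, because XTS provides confidentiality only, not integrity. It assumes the `cryptography` package is installed; the key and sector data are constructed sample values.

```python
"""Sector-level XTS-AES as used by full-disk encryption (added example)."""
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR_SIZE = 512  # one XTS data unit; the tweak is the sector number

# Constructed sample key: AES-256-XTS uses two 256-bit keys, 64 bytes in total.
KEY = bytes(range(64))


def _xts(key: bytes, sector: int) -> Cipher:
    # IEEE 1619 / XTS-AES: the 128-bit tweak is the data-unit (sector) number, little-endian
    tweak = sector.to_bytes(16, "little")
    return Cipher(algorithms.AES(key), modes.XTS(tweak), backend=default_backend())


def encrypt_sector(key: bytes, sector: int, plaintext: bytes) -> bytes:
    assert len(plaintext) == SECTOR_SIZE
    enc = _xts(key, sector).encryptor()
    return enc.update(plaintext) + enc.finalize()


def decrypt_sector(key: bytes, sector: int, ciphertext: bytes) -> bytes:
    assert len(ciphertext) == SECTOR_SIZE
    dec = _xts(key, sector).decryptor()
    return dec.update(ciphertext) + dec.finalize()


def same_content_differs_per_sector(key: bytes = KEY) -> bool:
    """Identical plaintext in two different sectors must not yield identical ciphertext."""
    pt = b"\x00" * SECTOR_SIZE  # a zero-filled sector, as is common on real disks
    return encrypt_sector(key, 7, pt) != encrypt_sector(key, 8, pt)


def corrupted_blocks_after_bitflip(key: bytes = KEY) -> int:
    """XTS has no integrity check: one flipped ciphertext bit garbles exactly one 16-byte block."""
    pt = bytes((i * 31) & 0xFF for i in range(SECTOR_SIZE))  # constructed sample sector data
    ct = bytearray(encrypt_sector(key, 3, pt))
    ct[100] ^= 0x01  # corrupt one bit inside block 6 (bytes 96..111)
    recovered = decrypt_sector(key, 3, bytes(ct))
    return sum(1 for b in range(SECTOR_SIZE // 16)
               if recovered[b * 16:(b + 1) * 16] != pt[b * 16:(b + 1) * 16])


if __name__ == "__main__":
    print("tweak makes identical sectors differ:", same_content_differs_per_sector())
    print("blocks garbled by a single bit flip:", corrupted_blocks_after_bitflip())  # 1
```

The localized, silent corruption is why full-disk encryption alone does not detect tampering; integrity needs an additional mechanism such as an authenticated layer on top of the encrypted volume.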

Attacks

Attackers who want to read an encrypted hard drive usually try to obtain the password in one of various ways.

The following methods can be used:

  • Recovering the password from the paging file on disk (only possible with partially encrypted disks)
  • Capturing the password with a Trojan that logs keyboard input
  • Reading out main memory via DMA (for example over FireWire)
  • Reading out main memory by exploiting the physical properties of DRAM
  • Guessing a weak password with a dictionary or brute-force attack
  • Bypassing the encryption mechanism by exploiting vulnerabilities
  • Obtaining the password through social engineering
  • Infecting the master boot record with a bootkit

Another weak point of disk encryption is that it provides no protection while the computer is booted and connected to a network. The hard drive contents can then in principle be accessed over the network or locally on the computer; the latter can be made harder by a screen saver that activates automatically and requires a password to dismiss. Disk encryption therefore protects only against loss or theft, not during operation, so in such cases (e.g. for protecting a file server) it is of only limited use. Disk encryption is also not suitable for providing workgroup-wide access to encrypted data; here alternatives such as file and folder encryption are recommended.

Software

Programs for disk encryption are available for almost every operating system, and some are already integrated. Windows has included the Encrypting File System (EFS) for NTFS drives since Windows 2000, which can be used to encrypt directories and files. It is integrated in Microsoft Windows 2000 (all Server and Professional versions), XP (Professional), Server 2003 and 2003 R2, Windows Vista (Business, Ultimate) and Windows 7. Since Vista, Microsoft additionally provides BitLocker, which is integrated only in certain editions of Windows Vista and Windows 7 and in Windows Server 2008. While EFS encrypts at the level of individual users and is not suitable for encrypting the operating system itself, BitLocker is independent of the particular user and can also encrypt the operating system itself; for this it uses either a key stored in a TPM chip or an external key in the form of a USB memory stick.

Under Linux, Loop-AES and dm-crypt are widespread; Mac OS X ships with FileVault.

Programs for full disk encryption also exist for other operating systems (such as OS/2).

There are also several, partly interoperable, solutions for the transparent encryption of virtual drives based on container files, for the encryption of non-system partitions, or for file-by-file transparent encryption within an operating system.

In addition to these encryption programs, some of which allow use across operating systems, there is also free software. CrossCrypt and FreeOTFE make it possible to use encrypted Linux partitions under Windows. TrueCrypt uses its own method, which is supported under Linux, Windows and Mac OS X. DiskCryptor is another free program that is limited to the Windows operating system.

Various add-on software products provide the ability to encrypt data by integrating device drivers. For the user, the use of encryption is transparent when single sign-on is used.

Other proprietary programs are:

  • PGP Whole Disk Encryption from PGP Corporation offers encryption of any partitions under Windows and encryption of hard disks on Mac OS X, since version 9.9 also including the system disk. Encrypted removable media can be exchanged between the two operating systems.
  • SafeGuard Easy and SafeGuard Enterprise are proprietary software products for partition-wise encryption of hard disks, floppy disks and removable media.
  • SafeBoot Device Encryption from SafeBoot also offers proprietary hard drive encryption on Windows, but is even more strongly oriented towards centrally administered networks than SafeGuard Easy.
  • BestCrypt Volume Encryption from Jetico offers functionality similar to SafeGuard Easy, but with fewer features.
  • Pointsec for PC and Pointsec for Linux from Check Point enable complete hard disk encryption for Windows and Linux.
  • DriveCrypt Plus Pack from SecurStar can also encrypt Windows disks on a partition basis.
  • Encrypt disk for BitLocker from IDpendant offers pre-boot authentication for Microsoft BitLocker with full smart card and token support.
  • Free CompuSec from CE-Infosys always encrypts the entire hard drive, is available free of charge and supports Windows as well as a few versions of the SUSE (Linux) and Red Hat (Linux) operating systems.
  • FinallySecure from Secude AG. Secude offers a fourth-generation hybrid hard disk encryption and is the first provider whose product works both hardware- and software-based. Strong authentication (e.g. smart cards) and pre-boot authentication are supported.
  • DriveLock from CenterTools. DriveLock offers centralized management, is integrated into Microsoft Active Directory and can therefore be deployed quickly. Strong authentication (RSA tokens, smart cards) and pre-boot authentication with single sign-on are also available.
  • SecureDoc from WinMagic. SecureDoc Full Disk Encryption is compatible with Microsoft Windows 7, Vista, XP and 2000 as well as Mac OS and Linux. Additionally, with PBConnex SecureDoc offers a network connection already in the pre-boot phase.

Disadvantages

An encrypted disk or partition requires a decryption for every read operation. For small, frequently used files that are kept in memory this is not a problem; for large files, however, a performance loss of up to 50 % can result.

With newer processors that have the AES-NI extension this problem no longer occurs, so that even SSD drives can be fully utilized.

Hardware

Encryption using the various encryption methods (XOR, AES, etc.) can also be performed by encryption modules. These are used in external storage media (USB sticks, USB hard drives); the hardware must contain a corresponding encryption module. With a current high-performance module, the data can be encrypted in near real time (e.g. with 256-bit AES), and performance losses are hardly noticeable in top models. Hardware-based encryption at the same time increases security.
