This article can also be found in the Premium Editorial Download "Information Security magazine: Security 7 Award winners sound off on key information security issues."
However, a computer-savvy thief could use one of the many utilities available to reset the local administrator's password as a means of getting access to the data, or could simply remove the hard drive, install it in another computer and bypass Windows altogether. Unless the data on the drive is encrypted, either method gives the thief quick access to the user's data.
Storage-level encryption is designed to protect data in these situations, but some encryption technologies work better than others. For example, the Windows Encrypting File System (EFS) can encrypt individual files and folders on an NTFS volume, but it cannot encrypt the Windows system files, and so cannot protect the system volume as a whole (the volume that contains the boot and hardware-specific files needed to start Windows). This means EFS-encrypted data remains protected only as long as physical security is guaranteed.
If a computer is stolen, EFS does stop the data from being read simply by moving the drive to another machine: the files are ciphertext, and the private key needed to unwrap them is itself stored encrypted. The system volume, however, is unprotected, so nothing stops a thief from booting a utility that resets the administrator's (or the user's) password, starting Windows and logging in. One caveat on the mechanics: on Windows XP and later, an offline reset of a local account's password does not by itself unlock that account's EFS files, because the user's private key is protected by DPAPI under a key derived from the old password (this is why the Windows password-reset dialog warns about losing access to encrypted files). What the unprotected system volume really gives the thief is unlimited offline access to everything the keys depend on: the password hashes, the DPAPI-wrapped private key and any recovery-agent key that happens to be stored locally.
Windows Vista (Enterprise and Ultimate editions) and Windows Server 2008 address this with BitLocker, which encrypts the entire operating system volume and, on hardware with a Trusted Platform Module (TPM), seals the volume's key to measurements of the boot components. The TPM releases the key only if the firmware, boot manager and loader it measured are the same ones present when the key was sealed, so a thief who modifies the boot chain, or who moves the drive to another machine, never obtains the key, and a password-reset utility finds only ciphertext where the SAM used to be. Note that this is not encryption performed by the BIOS: Windows does the encryption, and the TPM's job is to guard the key. In TPM-only mode the key is still released to anyone who boots the unmodified machine, which is why requiring a PIN or a USB startup key in addition to the TPM is the usual hardening, and any volume that BitLocker does not protect still needs its own encryption.
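To make the sealing argument concrete, here is a small simulation of binding a volume key to measured boot state. It is an added example, not Microsoft's BitLocker code or any TPM vendor's firmware: the PCR extend rule mirrors how a real TPM records measurements, but the seal/unseal construction (an HMAC keystream plus tag), the boot-chain strings, the TPM root secret and the function names are all constructed stand-ins.

```python
"""Added example, not Microsoft's or any TPM vendor's code: a simulation of
sealing a volume key to measured boot state, the mechanism behind TPM-backed
BitLocker.

The PCR extend rule (pcr = SHA256(pcr || SHA256(component))) mirrors how a
TPM records boot measurements.  Everything else is a stand-in: the
HMAC-keystream seal/unseal replaces the TPM's internal key encryption, the
boot-chain strings are constructed, and 'tpm_root' models a secret that never
leaves the chip.
"""
import hashlib
import hmac

KEY_LEN = 32


def extend(pcr: bytes, component: bytes) -> bytes:
    """One PCR extend: the new value depends on every earlier measurement."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Measure the boot chain, in order, into a single simulated PCR."""
    pcr = bytes(KEY_LEN)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def seal(tpm_root: bytes, expected_pcr: bytes, volume_key: bytes, pin: bytes = b"") -> bytes:
    """Wrap volume_key so it only unwraps under the same PCR value (and PIN, if set)."""
    assert len(volume_key) == KEY_LEN
    policy = expected_pcr + pin
    keystream = hmac.new(tpm_root, b"enc" + policy, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(volume_key, keystream))
    tag = hmac.new(tpm_root, b"mac" + policy + ct, hashlib.sha256).digest()
    return ct + tag


def unseal(tpm_root: bytes, current_pcr: bytes, blob: bytes, pin: bytes = b""):
    """Return the volume key, or None when the boot measurements or PIN differ."""
    ct, tag = blob[:KEY_LEN], blob[KEY_LEN:]
    policy = current_pcr + pin
    want = hmac.new(tpm_root, b"mac" + policy + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None  # BitLocker would stop here and ask for the recovery key
    keystream = hmac.new(tpm_root, b"enc" + policy, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, keystream))


# Constructed boot chain: stand-ins for firmware, boot manager and OS loader.
TRUSTED_BOOT = [b"firmware 1.0", b"bootmgr", b"winload.exe"]
TPM_ROOT = b"constructed-tpm-storage-root-secret"
VOLUME_KEY = bytes(range(KEY_LEN))


def boot_attempt(boot_chain, pin_used: bytes = b"", pin_required: bytes = b""):
    """Seal under the trusted chain, then try to boot with boot_chain and pin_used."""
    sealed = seal(TPM_ROOT, measure_boot(TRUSTED_BOOT), VOLUME_KEY, pin_required)
    return unseal(TPM_ROOT, measure_boot(boot_chain), sealed, pin_used)


if __name__ == "__main__":
    print("untouched machine:", boot_attempt(TRUSTED_BOOT) == VOLUME_KEY)
    patched = [b"firmware 1.0", b"bootmgr (offline-modified)", b"winload.exe"]
    print("modified boot manager:", boot_attempt(patched))
    print("TPM+PIN, wrong PIN:", boot_attempt(TRUSTED_BOOT, b"0000", pin_required=b"1234"))
```

The first call shows the TPM-only caveat from the text: an unmodified machine hands the key to whoever powers it on. Changing or omitting any boot component changes the measured value and the unseal fails, which is the state in which a real machine would prompt for the recovery password; adding a PIN to the policy closes the "just boot it" path.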
If you are considering storage-level encryption, plan key management carefully and have a key-recovery mechanism in place before you deploy. Lost encryption keys are an extremely common problem, and when a key is lost the data is unreadable unless a backup key or a recovery agent exists; the result is permanent data loss. Test the recovery path (restoring an exported certificate, using a BitLocker recovery password) before the first real incident rather than during it.
Most third-party storage encryption products on the market work similarly to EFS but offer better manageability. One important difference between EFS and some of the other products (besides the varying encryption algorithms they use) is how they store the encryption keys.
Windows stores the EFS keys on the system drive, which leads to two problematic situations. First, if the system drive fails, the keys go with it, and the data is permanently lost unless a backup exists: export the user's EFS certificate and private key (cipher /x on Windows XP and later) to removable media, and make sure a recovery agent is configured. On domain-joined workstations the default domain policy designates the domain Administrator account's recovery certificate as the EFS recovery agent unless that policy has been changed; standalone Windows XP and later machines have no recovery agent unless one is deliberately set up. Second, if a laptop is stolen, the user's private key is on the drive protected only by a key derived from the logon password, so a skilled attacker can work on it offline: crack the password from the SAM hashes or the DPAPI blob, then decrypt the private key and with it the data. The protection is therefore only as strong as the password. Many third-party products avoid this by keeping the keys off the drive entirely, on a USB token or on a network server, so that the drive on its own is useless.
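The key-storage and key-recovery points above (and the password-reset caveat earlier) can be seen in a few dozen lines. The following is an added example and not Windows code: it models the EFS/DPAPI key hierarchy on a single disk, then runs the three scenarios the article discusses: an offline password reset, recovery through an agent whose key is not on the disk, and an offline guessing attack against the wrapped private key. PBKDF2 stands in for the DPAPI password derivation, an HMAC-keystream wrap() stands in for the RSA and AES operations, a salted hash stands in for the SAM's password verifier, and all names and sample values are constructed.

```python
"""Added example, not Windows code: an EFS-style key hierarchy where every key
lives on the one disk a thief walks away with.

The model is simplified from EFS and DPAPI: each file has a random file
encryption key (FEK); the FEK is wrapped once for the user and once for a
recovery agent; the user's private key is stored on the same disk, wrapped
under a key derived from the logon password (DPAPI's job); the recovery
agent's private key is kept elsewhere.  Stand-ins: PBKDF2 for the DPAPI
derivation, an HMAC-keystream wrap() for RSA/AES, a salted hash for the
SAM's password verifier.  All sample values are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

TAG_LEN = 32
NONCE_LEN = 16


def kdf(password: str, salt: bytes) -> bytes:
    """Password -> key, the role DPAPI plays for the user's private key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(key: bytes, data: bytes) -> bytes:
    """Toy authenticated wrap: nonce || data XOR keystream || HMAC tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(key: bytes, blob: bytes):
    """Return the wrapped data, or None if the key is wrong (tag check fails)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def verifier(password: str, salt: bytes) -> bytes:
    """What the SAM stores for logon checks (stand-in for the NT hash)."""
    return hashlib.sha256(salt + password.encode()).digest()


@dataclass
class Disk:
    """Everything on the stolen drive; nothing here is protected by hardware."""
    salt: bytes
    password_verifier: bytes   # rewritten by an offline password-reset tool
    user_priv_wrapped: bytes   # user's EFS private key under kdf(password)
    fek_for_user: bytes        # FEK wrapped under the user's private key
    fek_for_dra: bytes         # FEK wrapped under the recovery agent's key
    ciphertext: bytes          # the file itself, wrapped under the FEK


def provision(password: str, dra_key: bytes, plaintext: bytes) -> Disk:
    salt, user_priv, fek = os.urandom(16), os.urandom(32), os.urandom(32)
    return Disk(salt, verifier(password, salt),
                wrap(kdf(password, salt), user_priv),
                wrap(user_priv, fek), wrap(dra_key, fek), wrap(fek, plaintext))


def logon_and_read(disk: Disk, password: str):
    """Normal path: password -> DPAPI key -> private key -> FEK -> file."""
    if disk.password_verifier != verifier(password, disk.salt):
        return None                                   # logon refused
    user_priv = unwrap(kdf(password, disk.salt), disk.user_priv_wrapped)
    if user_priv is None:
        return None                                   # logged on, key still locked
    fek = unwrap(user_priv, disk.fek_for_user)
    return None if fek is None else unwrap(fek, disk.ciphertext)


def offline_password_reset(disk: Disk, new_password: str) -> None:
    """What a boot-CD reset utility does: rewrite the verifier and nothing else."""
    disk.password_verifier = verifier(new_password, disk.salt)


def recover_with_dra(disk: Disk, dra_key: bytes):
    """Recovery-agent path: needs the DRA key, which is not on the disk."""
    fek = unwrap(dra_key, disk.fek_for_dra)
    return None if fek is None else unwrap(fek, disk.ciphertext)


def offline_guess(disk: Disk, wordlist):
    """Thief's path: test candidates against the wrapped key; no logon needed."""
    for candidate in wordlist:
        if unwrap(kdf(candidate, disk.salt), disk.user_priv_wrapped) is not None:
            return candidate
    return None


if __name__ == "__main__":
    dra_key = os.urandom(32)                       # held on a domain controller
    disk = provision("hunter2", dra_key, b"quarterly numbers")
    print("owner logs on:", logon_and_read(disk, "hunter2"))
    offline_password_reset(disk, "pwned")
    print("after offline reset:", logon_and_read(disk, "pwned"))
    print("recovery agent:", recover_with_dra(disk, dra_key))
    print("offline guessing:", offline_guess(disk, ["password", "letmein", "hunter2"]))
```

The reset scenario returns nothing because the verifier was rewritten but the wrapped private key still depends on the old password; the recovery agent succeeds because its key never touched the disk; and the guessing scenario succeeds without any logon at all, which is the real exposure when keys live on the drive: the attacker's work factor is the password's strength times the KDF cost, nothing more. Products that keep the key on a token or a server remove the third path entirely.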
This was first published in October 2008