Encryption no longer an optional technology


This article can also be found in the Premium Editorial Download "Information Security magazine: Security 7 Award winners sound off on key information security issues."

Download it now to read this article plus other related content.

Storage encryption is simply a mechanism that encrypts files stored on a hard drive or other media such as backup tapes. This type of encryption is used primarily as a contingency against a physical security breach such as a stolen laptop containing sensitive data. In such a situation, the Windows operating system will provide at least some protection. Assuming that the hard drive is using the NTFS file system and the appropriate file system permissions are being used, the thief shouldn't be able to access the user's data unless he knows the user's password.

However, a computer savvy thief could use one of the many utilities available to reset the local administrator's password as a means of getting access to the data, or he could just remove the hard drive, install it into another computer, and bypass Windows altogether. Unless the data on the drive is encrypted, both of these methods will allow the thief to quickly access the user's data.

Storage-level encryption is designed to protect data in these types of situations, but some encryption technologies work better than others. For example, the Windows Encrypting File System (EFS) can encrypt a volume containing data, but it cannot encrypt the system volume--the disk volume that contains the hardware-specific

    Requires Free Membership to View

files needed to start Windows. This means EFS encrypted data can only remain protected if physical security is guaranteed.

If a computer is stolen, EFS encryption will prevent data from being compromised if an encrypted hard drive is removed and then installed into another machine. However, since the system volume is un-protected there is nothing stopping a thief from using a utility to reset the administrative password, booting Windows, logging in with the new password and gaining access to the data.

Windows Vista and Windows Server 2008 solve this problem by offering BitLocker, which uses the Trusted Platform Module (TPM) to encrypt the system volume. Since this is a BIOS-level encryption mechanism, it will protect against password reset attacks (assuming that the system volume is encrypted).

If you are considering using storage-level encryption, it is important to carefully plan for key management and to have a mechanism in place for key recovery. Encryption key loss is an extremely common problem. When the key is lost, the encrypted data becomes unreadable unless a backup key is available. The result is permanent data loss.

Most third-party storage encryption products on the market work similarly to EFS but offer better manageability. One important difference between EFS and some of the other products (besides the varying encryption algorithms they use) is how they store the encryption keys.

Windows stores the EFS encryption keys on the system drive, which can lead to a couple of problematic situations. First, if the system drive fails, the encryption keys are lost, which results in permanent data loss unless a backup key is available (Windows workstations that are a part of a domain always designate the domain administrator as a key recovery agent). Second, if a laptop is stolen, a skilled hacker may be able to extract the encryption keys from the system drive and use them to unlock the encrypted data. Many third-party encryption products protect against this by storing the encryption keys on USB flash drives or on network servers.

This was first published in October 2008

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: