Workstation hard drive encryption: Overdue or overkill?

In an age of high-profile data breaches and insider risks, encryption is an important defense mechanism for enterprises. The question is: how much encryption is necessary? Many security pros have gone to great lengths to protect data on network servers and laptops, but what about the workstation hard drive? Brien Posey explains why allowing EFS encryption on the workstation may be doing more harm than good.

Live webcast: Encryption tips
Mitigating the Risk of Encryption Related Data Loss
Join us for a live webcast Wednesday, Oct. 29 at 12:00 noon ET, as special guest Brien Posey answers your questions live and explains how to reduce your chances of encryption-related data loss. Reserve your spot today!
Although almost everyone agrees that data security is important in today's age of high-profile breaches and theft, many have debated the need to encrypt workstation hard drives. In my own experience as an IT professional, encrypting workstation hard drives can do more harm than good. At best, the practice gives administrators a false sense of security. At worst, workstation hard drive encryption can lead to data loss. In this article, let's take a look at what kind of security an encrypted hard drive actually provides.

In the vast majority of the companies that I have worked or done consulting jobs for, storing data on the hard drives of workstations (client desktop PCs) was a forbidden practice, both for security reasons and because enterprise workstations were almost never backed up. If an enterprise policy prevents valuable data from being stored on workstation hard drives, a hard drive encryption initiative may be a waste.

Other organizations may feel that encrypting workstation hard drives is warranted based on the potential contents of the workstation's cache or application data that is stored. The application that is probably the most well-known for caching data is Internet Explorer. Many other applications also perform caching, although typically to a far lesser degree. Windows also performs its own caching within the pagefile. While cache contents may vary considerably from one organization to the next, clearly some potentially sensitive data may be stored locally without users or administrators being fully aware of it.

Cache contents, however, are usually short-lived. The issue of whether to encrypt workstation hard drives in an effort to protect the cache depends on your confidence in the organization's physical security. In many cases, the chances of someone sitting down at a user's workstation and extracting data from a cache are rather slim.

It is usually considered a best practice to store data centrally on a network server rather than on workstation hard drives. In circumstances in which all sensitive information is stored on network servers, encrypting workstation hard drives does little to protect that data. When a user opens a file, it is transmitted across the network. Hard disk encryption, however, does nothing to protect data that is flowing across the wire. It's important to note that data transmitted across the network does not always live on the workstation, even on a temporary basis. Some of the data could potentially be cached on the workstation, but generally the workstation establishes a lock on the file residing on the server's hard drive and works directly off of that copy of the file.

Encryption options: What's out there
Those considering encrypting workstation hard drives should examine their current encryption practices, how well they really protect data and whether there is any risk associated with them. Windows Encrypting File System (EFS), a driver that provides encryption of files, folders and drives in Windows operating systems, for example, is only capable of encrypting secondary volumes, not the system volume.

This generally means that EFS is a poor encryption choice for enterprise environments. If no data is being deliberately stored on workstation hard drives, then it is safe to assume that most of the workstations probably won't have secondary volumes. If data does exist on EFS encrypted volumes, though, then it is important to remember that EFS stores the user's encryption keys on the system volume. This has two implications.

First, if the system volume fails, then the user's encryption keys are lost, and the data that is encrypted with those keys can no longer be accessed. This is especially problematic when considering that most workstation hard drives are not backed up.

If the workstation is a domain member, then the domain administrator account can act as a designated recovery agent, meaning that the administrator's recovery key can be imported as a way of recovering the encrypted data. Even so, allowing users to encrypt locally stored data can potentially lead to an increase in calls to the help desk, and the network administrator probably has better things to do than to be decrypting data stored on workstation hard drives. Of course, this may be a small price to pay if an organization determines that it does indeed need the extra security provided by desktop encryption.

EFS encryption keys are stored on the system volume, which is not encrypted. Physical security, therefore, is a must because the encryption keys are accessible to anyone who has access to the machine.

If an organization does decide that it needs to encrypt workstation hard drives, then it is usually best to use BitLocker -- the drive technology introduced with the Enterprise and Ultimate editions of Windows Vista -- or a third party encryption product, rather than relying solely on EFS. Unlike EFS, BitLocker is capable of encrypting the system drive.

The problem with BitLocker, however, is that there is no centralized key management store, which makes it difficult for administrators to manage BitLocker keys across an organization. Those planning to rely on BitLocker encryption should ensure that the IT department assigns BitLocker passwords and retains a copy of them, rather than leaving the process up to the end user. Otherwise, there is no way to recover an encrypted drive when a user forgets his or her BitLocker password.

For more information

Noah Schiffman reveals various laptop encryption options.

Learn why full disk encryption emerged as last year's most innovative security area.
Making the final decision
So is the extra security provided by encrypting workstation hard drives worth it? It really depends on an organization's perceived threats, and on whether the encryption process introduces the risk of data loss or excessive administrative burden. There are certainly environments in which encryption should be used. This is especially true for organizations that are subject to regulations such as HIPAA or PCI DSS. Other organizations may feel that encrypting workstation hard drives is warranted based on the potential contents of the workstation's cache or on data that is stored on the workstation.

Even if you do decide that there is no reason to encrypt the hard drives in desktop workstations, encrypting network servers and laptop hard drives is absolutely essential to an organization's security.

In my opinion, it is not necessary to encrypt workstation hard drives, so long as your organization is not subject to any regulations requiring such encryption, no data is deliberately stored on the workstation hard drives and the organization has adequate physical security. Although some would argue that going ahead and encrypting workstation hard drives any way helps to provide defense in depth, I tend to think that in these types of situations the encryption process causes more headaches than it is worth.

About the author
Brien M. Posey, MCSE, is a freelance technical writer. He was a CIO at a national chain of hospitals and healthcare facilities, and served as a network administrator for the Department of Defense at Fort Knox.

This was first published in October 2008

Dig deeper on Disk Encryption and File Encryption



Enjoy the benefits of Pro+ membership, learn more and join.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: