Sergey Nivens - Fotolia

Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Enterprise disk encryption options after the end of TrueCrypt

The recent news that TrueCrypt is insecure and has been retired has left many enterprises struggling to decide which encryption technologies to trust. Expert Michael Cobb offers other enterprise encryption options.

Encrypt, encrypt, encrypt. It's a security mantra that's been around for a long time and appears in many security standards and privacy laws. Encrypted data is intrinsically secure and allows for the separation of roles as encryption keys control access to data.

However, the popular open source disk encryption program TrueCrypt is no longer being maintained, having been recently declared insecure. So, which, if any, data encryption technologies can enterprises trust now?

In this tip, I'll take a quick look at the cause of TrueCrypt's demise -- and the problems with software-based encryption as a whole -- and review the current options enterprises have in selecting a new disk encryption technology.

A peek into the end of TrueCrypt's demise

Ever since its initial release in 2004, TrueCrypt has had a troubled history, including accusations of stolen source code and potential problems relating to licensing. However, none of this stopped TrueCrypt from becoming a popular encryption tool, mainly due to the fact that it is easy to use and well-documented. But like other software-based disk encryption tools, TrueCrypt relies on the operating system for security, making it vulnerable to various known attacks, such as malware and cold boot attacks. Software-based encryption programs store the encryption keys in memory, which gives hackers the opportunity to recover them while a computer is in power-on, suspended or screen-locked mode, or even after being powered down (for a short time).

These shortcomings of software-based encryption may be the reason why the TrueCrypt team no longer wants to maintain the popular yet highly vulnerable software.

Another problem software-based encryption faces is brute-force attacks against the password or key, as these use the computer's memory to store a counter of the number of login attempts. This counter can be continuously reset by an attacker until an automated password-cracking program finds the password.

Software encryption implementations also cannot prevent a parallel attack. In this type of attack, the encrypted data is copied to another computer where the actual attack is carried out. It is important to note that the Trusted Platform Module (TPM) -- a chip embedded in a device's motherboard that uses its own internal firmware and logic circuits to provide hardware-based cryptographic functions -- can improve the security offered by disk-encryption software. It's used by Microsoft's BitLocker Drive Encryption and WinMagic Inc.'s SecureDoc. When enabled, TPM can ensure the integrity of the trusted boot path to prevent most offline physical attacks and boot sector malware. Nevertheless, once a device is running, any software encryption keys will be stored in memory, where they are susceptible to attack.

These shortcomings of software-based encryption may be the reason why the TrueCrypt team no longer wants to maintain the popular yet highly vulnerable software, and a reason why enterprises may wish to find an alternative to software-based encryption options.

The future of enterprise disk encryption

Rumors have circulated that TrueCrypt may be reincarnated by the likes of TCnext or CipherShed. However, any enterprise looking to upgrade its encryption should consider deploying hardware-based encryption as it is less prone to compromise; does not require driver or software installation; and keeps the encryption independent of the operating system, which helps avoid many of the issues plaguing software-based encryption.

With self-encrypting drives or SEDs, encryption is always on so users can't disable or forget to use it. The key never leaves the drive, which will mitigate the threat of a cold boot attack, and authentication is done independently of the operating system. Protection against brute-force attacks is possible with a self-encrypting drive as the login counter is built into the hardware and auto-lock features will automatically lock the drive and secure its data whenever a drive is removed from a system or the system is turned off.

A self-encrypting drive is virtually transparent to the user and does not degrade performance because the workload is handled by the onboard chipset. Portability is also improved because there is no system-level dependency -- the encryption engine is inside the drive. Also, by deleting the disk encryption key, the data is rendered unreadable, which eliminates the need for time-consuming hard-drive data overwriting processes.

Hardware-based full disk encryption or self-encrypting drives are available from such vendors as Seagate Technology and Western Digital Corp., and from solid-state-drive vendors such as SanDisk Corp.

One problem enterprises may encounter when evaluating hardware-based encryption is that many aspects of how the encryption is implemented are not published by the vendor. This means a risk assessment is essential to ensure that every product meets security thresholds and will protect an organization's information against the most common and pertinent threats the encrypted data is likely to encounter. Be sure to talk to vendors about any concerns that arise out of a risk assessment. Apple's recent example of describing in detail the security features introduced in iOS 7 should encourage more vendors to share enough details about how encryption is implemented in their products for enterprises to make an informed decision, and it should also encourage more organizations to expect and ask for such details.

Whichever encryption product or tool an enterprise chooses, the careful management, backup and safeguarding of keys and passwords will always be of paramount importance. The cost of migrating to hardware encryption technologies may seem prohibitive, but remember that they provide better all-around security for critical enterprise data, and that products that provide central management and control tools can make password recovery and remote wipe a lot easier.

Many organizations are currently in the process of updating server hardware as they migrate from Windows 2003 Server, so now may be just the time to upgrade encryption technologies too.

About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with more than 20 years of experience in the IT industry. He has a passion for making IT security best practices easier to understand and achievable. His website offers free security posters to raise employee awareness of the importance of safeguarding company and client data and of following good practices. He co-authored the book IIS Security, and has written many technical articles for leading IT publications. Mike is also a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme, or CLAS.

Next Steps

View more articles on disk encryption from SearchSecurity

Learn more about encrypting disks at the hardware level

Michael Cobb discusses when open source disk-encryption software should be used

Open source vs. commercial products: Evaluating security tools

This was last published in August 2014

Dig Deeper on Disk and file encryption tools

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

I thought the issue was Truecrypt wasn't sure it was concern, and a later audit proved that it was actually probably fine?