Full Disk Encryption Dos and Don'ts
"Just encrypt it!" seems like a simple way to protect data, especially on laptops. It does protect data, but it's not necessarily so simple. Save time (and maybe your data!) with these practicals of full disk encryption.
By Mary Brandel
October 21, 2009 — CSO —
Full disk encryption (FDE) systems use strong encryption algorithms to automatically protect all data stored on the hard drives of PCs and laptop computers. Users can access the data via an authentication device, such as a password, token or smart card. This enables the system to retrieve the key that decrypts the disk. On many systems, functions such as key management, access control, lock-outs, reporting and recovery are all managed centrally.See FDE: How to Buy It for key features and selection criteria
According to John Girard, an analyst at Gartner, the main differences among available products derive from their varying approaches to management, encryption strength, user authentication, policy management and value-added features, such as protection of information on removable media.
Here we'll look at two prime considations in selecting encryption solutions, as well as dos and don'ts suggested by veterans of encryption implementation.
Full disk encryption versus file or folder encryption system. With FDE, data is encrypted automatically when it's stored on the hard disk. This is different from file or folder encryption systems, where it's up to the user to decide which data needs encrypting. FDE's biggest advantage is that there's no room for error if users don't abide by or don't understand encryption policies.
The shortcoming of FDE, Lambert points out, is that it does not protect data in transit, such as information shared between devices, stored on a portable hard drive or USB, or sent through e-mail. FES, she says, is ideal for this, although it requires a lot of attention to developing a policy for what gets encrypted and what doesn't, as well as training users on the policy. FES is also more compute-intensive than FDE, she says, leading to PC performance hits of 15 percent to 20 percent, versus just 3 percent or 4 percent.
Hardware versus software encryption. According to Girard, hardware-based encryption promises significant performance improvements over software-based technologies, and the new Trusted Computing Group (TCG) open standard offers a common management specification for hard-drive manufacturers.
However, there is a lack of real-world products using the standard, he says. Hardware encryption will continue to evolve, he says, and future choices will appear in other device subsystems, such as CPUs or supporting chip sets.
Today's self-encrypting hard drives—such as those from Seagate Technologies—are mainly geared toward consumers, Lambert says. That's because without TCG, they do not yet perform better than software-based encryption, and most cannot be centrally managed. An exception, she says, is a partnership among Dell, Seagate and McAfee to provide laptops with encrypted hard drives and enterprise-level management tools. Wave Systems also sells key management software for Seagate drives, says Eric Maiwald, an analyst at Burton Group.