Full disk encryption
Hard disk encryption (in English also full disk encryption or FDE) describes the encryption of an entire hard disk or of individual partitions in order to prevent unauthorized access to sensitive data.
Methods
Hard disk encryption can be applied to the entire hard disk or to individual partitions. However, the data required for booting must either be available unencrypted on the hard drive or be decrypted by a special boot manager. Before the data can be used, the user must authenticate (pre-boot authentication), which usually takes place by means of a password. As an alternative or in addition, hardware-supported authentication using security tokens, fingerprints, PIN entry or chip cards is also possible.
The encryption can also be carried out or supported by hardware (for example by a TPM or by hard drives with special firmware). The choice of encryption method has a decisive influence on the level of protection achieved. According to the Federal Office for Information Security (BSI), XTS-AES offers "relatively good security properties and good efficiency" for hard disk encryption.
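As an added illustration of the XTS-AES mode named above (example code written for this article, not taken from any product listed on it; the keys, sector number and sector contents are constructed), this Go function encrypts or decrypts one sector the way disk encryption does, with the encrypted sector number as the tweak. It also makes a caveat visible that the guideline's quote does not: XTS is deterministic per sector and carries no integrity check, so a flipped ciphertext byte silently garbles exactly one 16-byte block on decryption.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// xtsSector encrypts (enc=true) or decrypts one whole sector with XTS-AES: key1
// encrypts the data, key2 encrypts the sector number into the tweak T. Sector
// length must be a multiple of 16 bytes, so no ciphertext stealing is needed.
func xtsSector(key1, key2 []byte, sector uint64, in []byte, enc bool) ([]byte, error) {
	dataCipher, err1 := aes.NewCipher(key1)
	tweakCipher, err2 := aes.NewCipher(key2)
	if err1 != nil || err2 != nil || len(in)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("xts: bad key (%v, %v) or sector length %d", err1, err2, len(in))
	}
	var tweak [aes.BlockSize]byte // T = AES_key2(sector number, 128-bit little-endian)
	binary.LittleEndian.PutUint64(tweak[:8], sector)
	tweakCipher.Encrypt(tweak[:], tweak[:])
	out := make([]byte, len(in))
	for off := 0; off < len(in); off += aes.BlockSize {
		blk := out[off : off+aes.BlockSize] // XEX: C = T xor AES_key1(P xor T)
		for i := range blk {
			blk[i] = in[off+i] ^ tweak[i]
		}
		if enc {
			dataCipher.Encrypt(blk, blk)
		} else {
			dataCipher.Decrypt(blk, blk)
		}
		for i := range blk {
			blk[i] ^= tweak[i]
		}
		var carry byte // next T = T * alpha in GF(2^128): shift left, reduce with 0x87
		for i := range tweak {
			next := tweak[i] >> 7
			tweak[i] = tweak[i]<<1 | carry
			carry = next
		}
		if carry != 0 {
			tweak[0] ^= 0x87
		}
	}
	return out, nil
}
func main() { // constructed 16-byte demo keys; XTS-AES-256 uses two 32-byte keys
	c, _ := xtsSector([]byte("0123456789abcdef"), []byte("fedcba9876543210"), 7, make([]byte, 32), true)
	fmt.Printf("sector 7 ciphertext: %x\n", c)
}
```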
Attack opportunities
Attackers who want to read an encrypted hard drive usually try to obtain the password, using a variety of approaches.
The following methods can be used for this:
- Recovering the password from the swap file on the hard disk (only possible with partially encrypted disks)
- Capturing the password with a Trojan horse that logs keyboard input
- Reading main memory via DMA (e.g. over FireWire)
- Reading out main memory by exploiting the physical properties of DRAM
- Guessing a weak password by a dictionary or brute-force attack
- Bypassing the encryption mechanism by exploiting vulnerabilities
- Obtaining the password through social engineering
- Infecting the master boot record with a bootkit
Another weak point of hard disk encryption is that it offers no protection while the computer is running and connected to a network. In that state the hard disk content can in principle be accessed over the network or locally at the computer; local access can be made more difficult by a screen saver that activates automatically and requires a password to be dismissed. Hard disk encryption therefore protects only against loss or theft, not during operation, and is of limited use in such cases (e.g. for protecting a file server). It is also not suitable for giving an entire workgroup access to encrypted data; alternatives such as file and folder encryption are recommended there.
Software
Disk encryption programs are available for almost every operating system, and some operating systems already integrate them. Windows has had the Encrypting File System (EFS) for NTFS drives since Windows 2000, which can be used to encrypt directories and files. It is integrated in Microsoft Windows 2000 (all Server and Professional versions), XP (Professional only), Server 2003 and 2003 R2, Windows Vista (Business, Ultimate) and Windows 7. Since Vista there has also been Microsoft's BitLocker, which is only integrated in certain editions of Windows Vista, Windows 7 and Windows 10 as well as Windows Server 2008. While EFS encrypts per user and is not suitable for encrypting the operating system itself, BitLocker can also encrypt the operating system itself, independently of the user, using either a key held in a TPM chip or an external key on a USB memory stick.
Under Linux, loop-AES and dm-crypt are widespread; macOS ships with FileVault.
Hard disk encryption programs also exist for other operating systems (such as OS/2).
There are also several solutions, some of them interoperable, for the transparent encryption of virtual drives based on container files, for the encryption of non-system partitions, or for transparent file-by-file encryption within an operating system.
In addition to these encryption programs, there are also some that can be used across operating systems and are free software. CrossCrypt and FreeOTFE make it possible to use encrypted Linux partitions under Windows. TrueCrypt and the 2012 spin-off VeraCrypt use their own method that is supported under Linux, Windows and Mac OS X. DiskCryptor is another free program, limited to the Windows operating system.
Various additional software products make it possible to encrypt data by integrating device drivers. The use of encryption is transparent to the user if single sign-on is used.
Other proprietary programs are:
- PGP Whole Disk Encryption from PGP Corporation offers not only the encryption of any partitions under Windows but also the encryption of hard disks under macOS, including, from version 9.9, the system hard disk. Encrypted removable media can be exchanged between the two operating systems.
- SafeGuard Easy and SafeGuard Enterprise are proprietary software products for the partition-by-partition encryption of hard disks, floppy disks and removable media.
- SafeBoot Device Encryption from SafeBoot also offers proprietary hard disk encryption under Windows, but is aimed even more at centrally administered networks than SafeGuard Easy.
- BestCrypt Volume Encryption from Jetico offers functionality comparable to SafeGuard Easy, but with a smaller range of functions.
- Pointsec for PC and Pointsec for Linux from Check Point enable complete encryption of the hard drive under Windows and Linux.
- DriveCrypt Plus Pack from SecurStar can likewise encrypt hard drives partition by partition under Windows.
- Encrypt Disc for BitLocker from IDpendant offers pre-boot authentication for Microsoft BitLocker with full smart card and token support.
- Free CompuSec from CE-Infosys always encrypts the entire hard drive, is available free of charge and, in addition to Windows, also supports a few versions of SUSE Linux and Red Hat Linux.
- EgoSecure HDD Encryption from EgoSecure (until 2014 from Secude AG) supports strong authentication (e.g. with smart cards) and pre-boot authentication.
- DriveLock from the German manufacturer CenterTools offers central management and is integrated into Microsoft Active Directory. Strong authentication (RSA token, smart card) and pre-boot authentication with single sign-on are also included.
- SecureDoc from WinMagic. SecureDoc Full-Disk Encryption is compatible with Microsoft Windows 7, Vista, XP and 2000 as well as macOS and Linux. In addition, SecureDoc with PBConnex offers a network connection already during the pre-boot phase.
Disadvantages
Since every read access also requires decryption of the respective file, noticeable losses in speed can result if the main processor has no AES instruction set extension. This is particularly noticeable with larger files that the system cannot keep in memory for long.
Hardware
Encryption with the various methods (XOR, AES and others) can also be carried out by dedicated encryption modules. These are used in external storage media (USB sticks, USB hard drives), whose hardware must be equipped with a corresponding encryption module. With a current high-performance module, the data can be encrypted (e.g. with 256-bit AES) almost in real time, and performance losses are hardly noticeable in top models. Hardware-based encryption also increases security.
Sources
- BSI Technical Guideline, Cryptographic Procedures: Recommendations and Key Lengths, BSI TR-02102, version 2014-01, February 10, 2014, page 19.
- Password theft through cooled memory, heise online, February 22, 2008.
- A long list of false assumptions, Technology Review.
- Bootkit breaks hard disk encryption, heise online, July 30, 2009.
- PGP Whole Disk Encryption for Mac OS X with pre-boot authentication, press release of the manufacturer PGP Corporation, June 9, 2008.
- EgoSecure homepage.
- CenterTools DriveLock.
- SecureDoc Full Disk Encryption (Memento from March 13, 2008 in the Internet Archive).
- Christiane Rütten: Secured to be paralyzed? Performance losses due to hard disk encryption. In: c't 25/08, pp. 214-216.