Full disk encryption (FDE) is widely used to control the risk of users travelling with (and losing) portable computers
containing sensitive information. After a series of incidents in the early part of this century made headlines, including the theft of a Department of Veterans Affairs laptop that compromised the information of 26.5 million vets, most organizations turned to mandatory FDE policies for all mobile computers.
These policies made it easy to feel secure about having your sensitive data left in vehicles, travelling through airports and sitting in computer bags in the homes of your employees -- after all, if you encrypt every device, you don't have to worry about what data may have been stored on a device after it was stolen. The technology certainly lies within the financial and technical reach of organizations of all sizes, as it easily scales from a small business to a large enterprise.
Organizations deploying laptop full disk encryption technologies have encountered enough issues during their implementations that it's worth spending some time discussing. In this tip, we look at three specific areas of concern: performance degradation, disk fragmentation and key management/password recovery.
One of the most common arguments made against full disk encryption is the performance degradation that occurs when you deploy the technology. Encrypting and decrypting data is mathematically intensive and requires more processing time than standard disk operations. Therefore, there is certainly going to be some degradation in performance. Users who don't want their systems encrypted will often cite this degradation as an unacceptable side effect of FDE and use it to argue that their systems should not be encrypted.
Fortunately, the data is on the side of security in this case. Tests performed by an independent third party on behalf of CheckPoint Software demonstrated that the performance degradation of most major FDE projects is relatively small. Three of the commercial products tested (CheckPoint FDE, Microsoft BitLocker and Utimaco SafeGuard Easy) all had degradation rates less than 10%. In the grand scheme of things, this is not a major performance impact, especially in light of the security benefits to the organization.
Another common misconception about FDE products is that they prevent you from defragmenting encrypted disks. This myth simply isn't true. While some earlier encryption products weren't compatible with defragmentation, those problems have been resolved by all major FDE products. For example, when running Windows 2000 with the Encrypting File System (EFS) to do volume encryption, you could not defragment encrypted files. However, FDE products like BitLocker provide applications with direct access to the disk, allowing for the use of defragmentation tools such as the Windows Disk Defragmenter.
Key Management and Password Recovery
The final issue facing organizations seeking to roll out an FDE implementation is key management. How can laptop full disk encryption be used in a manner that accounts for situations where a user either forgets his or her password or leaves the organization without providing administrators with the password?
Fortunately, the major FDE products have solutions for this issue as well. In fact, Windows BitLocker allows you to use Active Directory Group Policy to automatically back up recovery information for encrypted disks to Active Directory Domain Services. This allows administrators to access recovery information when necessary to restore access to encrypted disks.
The real challenges of encryption
An issue you'll want to consider before deploying FDE is ensuring your IT organization is ready to support the deployment. Have you updated your training materials to explain the encryption technology to staff? Employees should understand that encryption protects them against data loss if their computer is lost or stolen, but that it is not a "silver bullet." Many users mistakenly believe that encryption will protect them against malicious code, hackers and all other risks, and they need to be informed that other controls (such as antivirus software and host firewalls) are necessary for full protection.
Do IT administrators understand their role in key management and the key recovery mechanism used by your selected product? The exact role they play will vary based upon the FDE product you choose, but it's likely you'll want to integrate FDE with your existing Active Directory domain. This approach reduces much of the administrative burden of key management by integrating it with existing account management processes. Your AD administrators will need to work with the software vendor on the details of this integration.
Does the help desk know how to assist users with key recovery requests? If you've been involved in user support for any length of time, you know that it won't be long before someone forgets their password. Your help desk should be fully aware of the FDE deployment schedule and know how to help users who have forgotten their passwords and need assistance gaining access to their encrypted disk. You should prepare step-by-step instructions they can use to walk users through the process during your implementation phase.
Overall, full disk encryption is now a mainstream technology that provides both business executives and security professionals with peace-of-mind by allowing the simple encryption of data stored on mobile devices. While the use of this technology creates a marginal performance impact and requires a little added key management work on behalf of system administrators, the benefits clearly outweigh the costs.
About the author: Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.