Why Not Use Full Disk Encryption on Laptops?
Saqib Ali asks: "According to the 2006 Security Breaches Matrix, a large number of the data leaks were caused by stolen or missing laptops. Mobile devices will be stolen or lost, but one way to easily mitigate the harm is to use Full Disk Encryption (FDE) on all mobile devices. So, why don't we encrypt all our HDDs?"
"Cost and performance impact are the usual arguments.
Analysis shows that the access time increases by 56%-85% after FDE. As HDDs fill up, fragmentation increases and so does the file access time. With FDE, the swap file (the system's virtual memory) gets encrypted as well. This will impact the system's performance noticeably when the virtual memory is being used more often.
Encryption key and password management blues follow. What happens when the user forgets his/her new FDE password? How to manage the encryption key backup files? Who has possession of the backups of the encryption keys? What about when the user quits and does not hand over the password / encryption keys? Who can access the system and its encrypted files? How frequently does the password need to be changed? How to prevent the user from writing the passwords down? Using hardware tokens (RSA token, smartcard, etc.) can alleviate many of the password management issues. But these hardware tokens are costly!
Cost for Full Disk Encryption solutions ranges from $0 to $300.
Is it not worth using Full Disk Encryption on mobile devices after all the data leaks we have seen in the last few years?"
I'm confused (Score:4, Insightful)
Oh yea, I can hear it now. (Score:5, Insightful)
Really, we all know that people will forget/lose the password. Or they'll write it down and leave it in the laptop case.
Vista feature (Score:4, Insightful)
Security vs Convenience (Score:5, Insightful)
The real problem is convenience. People don't like to use secure passphrases each time they turn on their computer. How many people actually used the BIOS password feature? An easier thing would be to use some identification-based access (USB fob, fingerprint scanner), but the acceptance rate of those is very small.
Unless security is important to them personally, people just don't care. (checking under my keyboard for the root password for all the machines at work)
We're too stupid (Score:1, Insightful)
It should be done. (Score:5, Insightful)
But then again, I use linux. Encryption is actually pretty simple under it for people who actually know how to admin a Linux system.
At one time, I even ran Win2k under VMware from an image on the encrypted disk. Which means the *ENTIRE* win2k "partition" was encrypted -- something that I understand to be impossible when run natively.
The real reasons why most don't do it?
1) Ignorance -- it is not a built-in feature in Windows
2) Hassle -- overtasked IT professionals aren't going to incur extra liability for encrypting a disk, handling lost passwords, etc. (It would be really bad to forget the password)
3) Performance -- Encrypted disks aren't good for high I/O apps... Fortunately, most apps aren't!
I sleep much better, knowing that my data is safe even if I lose possession of it. I have no qualms about storing tax returns, financial records, etc. on my laptop.
Re:Oh yea, I can hear it now. (Score:5, Insightful)
I can think of one reason... (Score:3, Insightful)
Anything with moving parts is bound to break, and if you move it about it'll just break all the faster.
So can't it be a serious problem if your data is encrypted and bytes get knocked out here and there?
Also, mobile devices are usually much slower than stationary ones and will only get slower if they have to apply complex algorithms to all data that goes in and out. And that would probably also put a real big penalty on your battery life.
It boils down to one thing: You have to select a cost-effective level of paranoia. It would make your life infinitely complex to secure yourself against every possible scenario. How important is the secrecy of your data?
Is the juice worth the squeeze?
The Real Problem...USERS (Score:2, Insightful)
Besides, how many laptops would then have the password for FDE engraved into them, or with a nice post-it note on them? And what would this password be? Their mother's name? Their birthday? Their dog's name? The street they live on? Users are notorious for using horrendously uncomplicated passwords.
On the other hand, if someone were to use, say, MdLg25GvNtUp35
Then yea, it would be effective. Brute forcing that would take what, 50 years?
Of course if the password must rotate every so often, then users will be CONSTANTLY requesting resets (as someone mentioned a moment ago I believe), which will drive up help-desk costs and also drive productivity down.
The BEST solution is to EDUCATE the user, and have strict IA policies in place. Period.
Why Encrypt Everything? (Score:5, Insightful)
Plus, a lot of the recent newsworthy leaks would be avoided or minimized by using encrypted access to sensitive databases via an application on the laptop, rather than people copying large databases of sensitive data to their laptop to take it home and work on it, and then losing the laptop.
Re:So, why don't we encrypt all our HDDs?" (Score:2, Insightful)
It's not hard to do either.
Re:So, why don't we encrypt all our HDDs?" (Score:2, Insightful)
Re:I'm confused (Score:4, Insightful)
It provided some usual answers, but left plenty of room for debate.
Comment removed (Score:3, Insightful)
Re:I can think of one reason... (Score:5, Insightful)
Re:Oh yea, I can hear it now. (Score:2, Insightful)
Re:Oh yea, I can hear it now. (Score:5, Insightful)
Re:Why Encrypt Everything? (Score:5, Insightful)
Sensitive data gets dumped to the swap file, your word/spreadsheet/e-mail/other client will dump backup/temp copies in unencrypted places, etc. etc. etc.
It isn't enough just to encrypt sensitive information, you have to make sure every application that touches the info will not compromise your efforts.
Re:Why ? (Score:3, Insightful)
If someone steals the laptop and can't access the data, all you lost was the laptop, your access to it, and your modifications of the contents (you do have it backed up at the office, don't you)?
If someone steals the laptop and the data is available, you've lost the laptop and your access to it. But you might be able to retrieve your modifications of the contents when they are posted across the Internet for all to see.
Of course, that confidential information may make it into the hands of someone who can use it, so you may also lose the contents of your bank account, find your credit cards charged up, suffer serious damage to your company's public image, possibly several millions of dollars in lawsuits, the wages of the people it takes to deal with the situation, etc.
It is, or at least, it should be, a no-brainer if you have any kind of confidential information at all.
Re:Why ? (Score:3, Insightful)
Re:I'm confused (Score:4, Insightful)
context (Score:5, Insightful)
In such a context, given that FDE makes data recovery harder and more time-consuming, it can make sense to encrypt only that tiny fraction of data where one would more mind its becoming public than one's losing it. In other contexts, it will be different.
Halfway (Score:3, Insightful)
The simple solution is to use USB disks/keys with encryption and stick all sensitive data on those. You can get 4 Gb solid-state and larger if you use something like an iPod. How many people really need > 4 Gb of secure data available off-net? The vast majority would be fine with fast USB 2.0 memory sticks.
Key escrow solves the "I lost my password" as well as employees that leave without telling their boss/replacement the passwords.
For super-secure stuff, make them call home first to check a CRL and validate they still have permission.
For those that don't like the USB stick solution, then partition hard drives and just don't encrypt C:\.
Charles
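The key escrow idea above (one volume key that both the user's passphrase and an IT-held escrow secret can unlock, so a forgotten password does not lose the data) as an added, stdlib-only Python example; this is not code from the thread. It uses PBKDF2 plus an HMAC-based keystream and tag as a constructed teaching stand-in for the AES keyslots of LUKS or BitLocker, not as a production cipher.

```python
"""Multi-keyslot wrapping of a volume key with an escrow slot (constructed demo)."""
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor for deriving a key-encryption key (KEK)


def _keystream(kek: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy keystream standing in for AES."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(kek, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def wrap_key(dek: bytes, secret: str) -> dict:
    """Wrap the volume key (DEK) under one secret; returns a keyslot record."""
    salt, nonce = os.urandom(16), os.urandom(16)
    kek = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS, 64)
    enc_key, mac_key = kek[:32], kek[32:]
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(enc_key, nonce, len(dek))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def unwrap_key(slot: dict, secret: str):
    """Return the DEK if the secret opens this slot, else None (wrong secret or tampering)."""
    kek = hashlib.pbkdf2_hmac("sha256", secret.encode(), slot["salt"], ITERATIONS, 64)
    enc_key, mac_key = kek[:32], kek[32:]
    expected = hmac.new(mac_key, slot["nonce"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        return None
    ks = _keystream(enc_key, slot["nonce"], len(slot["ct"]))
    return bytes(a ^ b for a, b in zip(slot["ct"], ks))


def open_volume(slots: list, secret: str):
    """Try every keyslot; any one valid secret recovers the same DEK."""
    for slot in slots:
        dek = unwrap_key(slot, secret)
        if dek is not None:
            return dek
    return None


def demo() -> tuple:
    dek = os.urandom(32)  # the real volume key; only ever stored wrapped
    slots = [wrap_key(dek, "user-passphrase"), wrap_key(dek, "escrow-secret-held-by-IT")]
    return (open_volume(slots, "user-passphrase") == dek,
            open_volume(slots, "escrow-secret-held-by-IT") == dek,
            open_volume(slots, "wrong-guess") is None)
```

Revoking a departed employee's passphrase means deleting their slot and re-wrapping nothing else, since the DEK itself never changes.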
Re:Stupid idea. (Score:2, Insightful)
Because you can not trust your system to never write this data on another location on the disk.
Why keep sensitive data on the laptop at all? (Score:2, Insightful)
File Vault has free space issues (Score:3, Insightful)
Re:Stupid idea. (Score:2, Insightful)
99% of users won't notice, and I don't care if my user does experience a slight performance hit if it enhances the security of my customers' data (in our tests it was 5 to 10% on IO-intensive operations).
re: Anyway why encrypt everything
Your laptop may contain confidential and public data. Your laptop should be secured to the highest classified data on your laptop. In addition, most users are lazy. If I have the choice (and I do) of encrypting the entire laptop or just one or two directories and "trusting" that the user will do the right thing, I will encrypt the entire laptop. It eliminates my need to trust that user. And for users who write their password and paste it on the laptop, our solution is simple: we fire 'em.
re: hassle
I don't get this point at all. It's easier just to enforce whole disk encryption than to rely on the user to make sure the data is encrypted.
You are doing your boss a disfavor if this is how you approve of solving a security problem.
Re:Oh yea, I can hear it now. (Score:5, Insightful)
#1 The unions would never go for it. I've worked at governmental agencies that couldn't make basic computer literacy a condition of employment, because of the union.
#2 It attempts to solve a problem by demanding that people be responsible for their own idiocy. What happens when the Big Boss writes down his password? Trust me, the only guy getting fired for that is the IT guy who tries to enforce the policy.
Re:Oh yea, I can hear it now. (Score:5, Insightful)
You are not a manager, clearly. Termination of someone's employment will cost your company a lot of money, time and lost opportunity (unless you wanted to get rid of that employee anyway; then you have your excuse.) People are trained to do their jobs, and they are not as replaceable as an elevator operator might be. Some people train for years to do certain things, and they become really good in their area of expertise. They may be highly paid (and valued) engineers, leading designs and themselves managing projects. If such a person forgets the password what do you do, fire him and cancel the already announced release of a new product, which the customers already paid for and the delivery is due in weeks, and penalties for failure to deliver would be immense? If you fire the guy, you will be kicked out of your job so hard you will overtake him on your trajectory to the door.
What a real manager does is this. He tries to understand how this happened, and then does his best to prevent this from happening again. This may require a private chat with the person, or an official department-wide training. The data... the data is lost already, and it's foolish to make it worse by firing the guy who is best to recreate it. Your job, as a manager, is to get the job done. Firing people in a fit of rage is not the way to do it.
Full-Disk vs. File System encryption (Score:4, Insightful)
The reason to encrypt the whole drive as opposed to the writable sections is simply convenience - if you've got hardware assistance, it's probably designed to encrypt the whole disk using some crypto chip in the disk controller, and administratively simpler to use, and if you don't have that, it's probably easier to encrypt individual partitions or filesystems, or sometimes directories, rather than hack up some CPU-based driver that encrypts the whole disk.
From a performance standpoint, it's probably faster *not* to encrypt your program filesystems, and as far as encrypting swap goes, you took the big hit when you started to swap anyway, and rotational+seek latency is usually more of a limitation than overall throughput, so if this bothers you, buy some more RAM. Encryption chips on the disk controller are probably faster than CPU software drivers, but not necessarily - your mileage is extremely variable.
Why is the data on a laptop in the first place? (Score:3, Insightful)
When I do consulting work (especially with regards to security), I often compare putting sensitive data on a laptop to putting the company's main database directly accessible on the Internet and hoping that whoever attacks it can't exploit it or guess a username/password combination. That will usually scare a few people into thinking about what they are doing, and the others who think that it is alright probably deserve nothing less than getting hacked.
As for disk encryption, it works well IF it is transparent to the user and IF the overall security is indeed strengthened by such encryption, because a weak link like a poor password adds no actual security value where it is expected.
Re:Because it's a pain on Linux (Score:1, Insightful)
WTF? You want security but you don't want to enter a password? You want to go swimming without getting wet?
Re:Because it's a pain on Linux (Score:3, Insightful)
If you use only encrypted filesystems, then the decryption keys for the public areas have to be available unencrypted, because you need to be able to boot enough of the OS to be able to read the filesystem and decode everything.
I'm not sure which part you are confusing. Are you suggesting using FS level encryption for a volume's boot record, or do you not understand that volume level encryption is below the FS level encryption?
Let me try to shed light in both directions...
You wouldn't or shouldn't use a filesystem level encryption in this instance. File System level protection is not a viable choice for volume protection, it is only viable for select files or folders on the volume.
This is why for example NTFS's encryption (Filesystem level) is not meant to encrypt the entire volume, and why Vista's Bitlocker IS DESIGNED to encrypt the Volume. (I know these are MS analogies, but go look up NTFS encryption and then lookup BitLocker.) They give a good pro and con of each concept.
Trying to protect a volume with FS level encryption won't work without a two-key strategy, pre-user authorization and user authorization. In contrast, BitLocker, being below the FS, has a single integrated key concept, but yet lies underneath the FS for the volume. This allows the volume to boot, yet leaves it encrypted even while showing the Windows Login Screen.
What you suggest is not possible as it is circular in reasoning. If you want to encrypt the boot record, then you want to encrypt the volume and not just the file system on the volume.
There is no way to encrypt a boot record at the FS level without needing a key or password to access it. So you are right that the volume key would have to be issued prior to boot, and why FS level encryption is not a good option for an entire volume.
I don't think I disagree with you, but I disagree that a FS encryption concept is securely viable for boot record/volume level encryption.
Does this make sense?