Cloud // Cloud Storage
News
12/8/2009
11:51 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Getting Started With Full Disk Encryption

Today, full-system encryption in software is feasible and practical. Here's how to get up and running using solutions from PGP, McAfee, Sophos, and open-source options TrueCrypt and DiskCryptor.




PGP Desktop, encrypting a system disk.
(click for image gallery)

There was a time, not all that long ago, when a fully-encrypted system disk was something only for people with money to burn. You bought a special disk controller which performed hardware-based encryption, and then trusted the hardware vendor to make sure everything was implemented properly -- e.g., that they were using a good algorithm, that the key size for the encryption wasn't laughably short, and so on.

Today, full-system encryption in software is both feasible and practical -- although how practical will depend on the workload involved. But it's not a security silver bullet, much as it might seem to be from the outside. It can, and does, add a layer of protection that greatly reduces the risk of data compromise in the event hardware is lost or stolen. But that protection depends entirely on how it's implemented, and whether or not the user's been educated in the way an encrypted system works.

How Disk Encryption Works

System-disk encryption, or full-disk encryption, involves encrypting the operating system partition on a computer and then booting and running with the system drive encrypted at all times. If the computer is stolen or lost, all the data on the drive -- including the OS itself -- is unreadable without that volume's key. The data on the system can be considered a write-off without the need to remotely wipe the device.

When you boot an encrypted system, you need to provide a decryption key at boot time. The key could be any number of different things -- a password; a USB flash drive with the decryption key; an RSA token-generating device; a fingerprint in conjunction with a Trusted Platform Module; or a combination of the above, in some variety of two-factor authentication. For the most part, the only thing that changes for the end user is the boot process, and then only minimally.

If the key itself is lost or stolen, most full-disk encryption systems provide some form of key escrow. This means a backup copy of the encryption key is held by the system administrator and can be used to recover the data on the system, and a new key can be generated without too much trouble. Professional-grade products typically allow the key to be held in a central repository such as an LDAP or Active Directory schema. (The lost key itself is useless without the data encrypted with it, so it can generally be written off if it goes missing.)

Previous
1 of 5
Next
Comment  | 
Print  | 
More Insights
Google in the Enterprise Survey
Google in the Enterprise Survey
There's no doubt Google has made headway into businesses: Just 28 percent discourage or ban use of its productivity ­products, and 69 percent cite Google Apps' good or excellent ­mobility. But progress could still stall: 59 percent of nonusers ­distrust the security of Google's cloud. Its data privacy is an open question, and 37 percent worry about integration.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.