It seems the world is going crazy; everyone wants everyone else’s information, and some companies are going to great lengths to protect their data. Laptops have gone missing or been stolen with tons of important data on them, and copy machines keep latent images on their hard drives that can contain vital or private information. So what can be done about all this? Some companies, including my own, have started encrypting hard drives. This is nothing new, as encryption of one kind or another has been around for thousands of years (ever watch an Indiana Jones movie?), but it seems that as soon as something makes the news, the purchasing department or the C-level staff finally listens to IT.
Full disk encryption does more than protect specific files on a hard drive; it encrypts every sector on the drive, including those occupied by swap space, temp files, and the hibernation file. Because every sector is encrypted, the user never has to interact with encryption software to protect individual files, and nothing is missed because an application wrote a copy somewhere unexpected. If the drive is removed from the host computer, device, or copier, it is unreadable without the key, protecting the valuable data. The flip side is that FDE only protects data at rest: once the machine has booted and the volume is unlocked, the operating system reads and writes plaintext, so it does nothing against malware or against someone who walks up to a logged-in session.
So how does it all work? Full Disk Encryption, or FDE, products differ mainly in how the decryption key is supplied at boot. Some work with the Trusted Platform Module, or TPM, and some require a boot password, a key file on a USB stick, a dongle, or some other means of providing the key before the operating system can even be read.
The encryption itself takes the data and runs it through a cipher, an algorithm that transforms the data under a secret key so that it is unreadable to anyone who does not possess that key. When a password is involved it normally does not encrypt the disk directly; it unlocks a randomly generated volume key, and that key is what actually encrypts the sectors. This is what lets one product offer several ways of unlocking the same disk, such as a TPM, a password, and a recovery key.
The Trusted Platform Module is a secure cryptoprocessor that allows the decryption process to happen without user interaction. Every TPM carries its own unique secrets, burned in at manufacture and never exported, and many manufacturers of motherboards, laptops, and workstations now include the module as standard. Rather than handing anyone a key, the TPM is used to "seal" the disk's volume key: the key is wrapped so that only that particular TPM can unwrap it, and only if the measurements of the boot chain (firmware, boot manager, and so on, recorded in the TPM's PCR registers) match what they were when the key was sealed. If the chip is different or the boot chain has been altered, the TPM refuses and the data remains encrypted. One obvious concern about relying on the TPM is: what if my motherboard dies and I need to replace it? The new board's TPM cannot unseal the key, so your data is unreadable in exactly the same way it would be to a thief who pulls the drive and puts it in another system. This is why every TPM-based product also generates a recovery key or password when you enable it; print it or escrow it somewhere safe (Active Directory, in BitLocker's case) before you need it. BitLocker can use the TPM this way and is included with many flavors of the Windows operating systems.
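To make the sealing idea concrete, here is a small simulation (an added example, not code from this post or from any FDE vendor). It models the TPM as a per-chip secret plus PCR registers, seals a volume master key to the measured boot state, and then runs the four cases that matter: a normal reboot, a tampered boot loader, the drive moved to a replacement motherboard, and the recovery password. The wrap/unwrap primitive is an HMAC-SHA256 stand-in so the script needs only Python's standard library; real products wrap the key with AES. The PCR numbers (0 and 4, loosely following the TCG convention for firmware and boot manager), the boot-stage strings and the recovery password are all constructed for the example.

```python
"""Simulation of TPM-sealed disk keys. Added example, not from the post or any
FDE vendor. _wrap/_unwrap are an HMAC-SHA256 stand-in for AES key wrapping;
PCR indices 0 and 4 (firmware, boot manager) are illustrative."""
import hashlib
import hmac
import os


def _wrap(key, secret):
    """Authenticated wrap of a secret of at most 32 bytes under `key`."""
    if len(secret) > 32:
        raise ValueError("stand-in wrap handles at most 32 bytes")
    nonce = os.urandom(16)
    stream = hmac.new(key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def _unwrap(key, blob):
    """The secret, or None when the key is wrong: the tag is checked first,
    so a wrong key never yields plausible-looking garbage."""
    tag = hmac.new(key, b"mac" + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    stream = hmac.new(key, b"enc" + blob["nonce"], hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


class SimTpm:
    """A per-chip secret that never leaves the chip, plus PCRs that reset at
    power-on and are extended with a hash of each boot stage as it runs."""

    def __init__(self):
        self.seed = os.urandom(32)      # unique per chip, fixed at manufacture
        self.power_on()

    def power_on(self):
        self.pcrs = [bytes(32)] * 8

    def extend(self, index, measured):
        # PCR[i] = SHA256(PCR[i] || SHA256(measured)): order-sensitive, append-only
        digest = hashlib.sha256(measured).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()

    def _policy_key(self, pcr_indices):
        # Only this chip (seed) in this boot state (selected PCR values) derives it
        policy = bytes(pcr_indices) + b"".join(self.pcrs[i] for i in pcr_indices)
        return hmac.new(self.seed, b"seal" + policy, hashlib.sha256).digest()

    def seal(self, secret, pcr_indices):
        blob = _wrap(self._policy_key(pcr_indices), secret)
        blob["pcrs"] = tuple(pcr_indices)
        return blob

    def unseal(self, blob):
        return _unwrap(self._policy_key(blob["pcrs"]), blob)


def measured_boot(tpm, firmware, bootloader):
    tpm.power_on()
    tpm.extend(0, firmware)
    tpm.extend(4, bootloader)


def protect_volume(tpm, vmk, recovery_password):
    """Two protectors for one volume master key, as BitLocker keeps them:
    the TPM seal for hands-off boot, and a password-derived key for recovery."""
    salt = os.urandom(16)
    rk = hashlib.pbkdf2_hmac("sha256", recovery_password, salt, 100_000)
    return {"tpm": tpm.seal(vmk, (0, 4)),
            "recovery": {"salt": salt, "blob": _wrap(rk, vmk)}}


def unlock_with_recovery(protectors, recovery_password):
    rec = protectors["recovery"]
    rk = hashlib.pbkdf2_hmac("sha256", recovery_password, rec["salt"], 100_000)
    return _unwrap(rk, rec["blob"])


def scenario():
    """Runs the cases discussed above; reports whether each behaved as expected."""
    firmware, bootloader = b"OEM firmware 1.0", b"bootmgfw.efi (genuine)"  # constructed
    recovery_password = b"111111-222222-333333-444444"                     # constructed
    vmk = os.urandom(32)                 # the key that actually encrypts the sectors
    laptop = SimTpm()
    measured_boot(laptop, firmware, bootloader)
    protectors = protect_volume(laptop, vmk, recovery_password)

    measured_boot(laptop, firmware, bootloader)                  # ordinary reboot
    normal = laptop.unseal(protectors["tpm"]) == vmk
    measured_boot(laptop, firmware, b"bootmgfw.efi (tampered)")  # boot loader swapped
    tampered = laptop.unseal(protectors["tpm"]) is None
    new_board = SimTpm()                                         # motherboard replaced
    measured_boot(new_board, firmware, bootloader)
    moved = new_board.unseal(protectors["tpm"]) is None
    recovered = unlock_with_recovery(protectors, recovery_password) == vmk
    return {"normal_boot": normal, "tampered_boot_refused": tampered,
            "new_motherboard_refused": moved, "recovery_password_works": recovered}


if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case}: {'ok' if ok else 'FAILED'}")
```

The point the simulation makes is that nothing about the sealed blob on the disk is secret by itself; it is useless without the one chip and the one boot state that can re-derive the unwrapping key, which is exactly why a replaced board or a modified boot loader lands you at the recovery-password prompt.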
Many of the available encryption packages use the Advanced Encryption Standard, or AES. AES comprises three variants, AES-128, AES-192, and AES-256, each with a block size of 128 bits and a key size given by the number in the name. AES encrypts each block with a number of rounds, 10, 12, or 14 respectively, made up of the following steps (structure as described on Wikipedia and in FIPS-197):
- Initial round: AddRoundKey (XOR the block with the first round key)
- Rounds: SubBytes (byte substitution through the S-box), ShiftRows, MixColumns, AddRoundKey
- Final round: SubBytes, ShiftRows, AddRoundKey (no MixColumns)
Advanced Encryption Standard is a thoroughly analyzed cipher and is secure enough for the US government to use: NIST standardized it as FIPS 197, and the NSA approved AES with 192- or 256-bit keys for protecting classified information up to TOP SECRET. In practice the weak point of an FDE product is rarely the cipher; it is how the key is stored and unlocked, which is where the TPM, passwords, and recovery keys come in.
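Here is the round structure above in working code, as an added example (not from the post). It is a plain-Python AES encryptor with no dependencies: the S-box is derived rather than typed in, the key schedule handles all three key sizes, and `encrypt_block` is literally the list above: an initial AddRoundKey, Nr-1 rounds of SubBytes/ShiftRows/MixColumns/AddRoundKey, and a final round without MixColumns. It reproduces the FIPS-197 Appendix C test vectors. It is for understanding, not for use: a real disk encryptor needs a mode of operation (XTS is the usual one for disks), constant-time table lookups, and a vetted library.

```python
"""Pure-Python AES (encryption only), laid out to show the round structure.
Added example, not code from the post; standard library only. Expected
results are the FIPS-197 Appendix B and C test vectors."""


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox():
    """Derive the S-box (GF(2^8) inverse followed by the affine map) instead
    of hard-coding 256 bytes, so there is no table to mistype."""
    sbox = [0] * 256
    p = q = 1                          # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q ^= q << 1                                             # q /= 3 ...
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09                                           # ... (q *= 0xf6)
        affine = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = affine ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                     # zero has no inverse: affine map alone
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def _xtime(x):
    """Multiply by x (i.e. by 2) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    x <<= 1
    return (x ^ 0x1B) & 0xFF if x & 0x100 else x


def expand_key(key):
    """FIPS-197 key schedule: returns Nr + 1 round keys of 16 bytes each."""
    nk = len(key) // 4
    if nk not in (4, 6, 8) or len(key) % 4:
        raise ValueError("AES keys are 16, 24 or 32 bytes")
    nr = nk + 6
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nr + 1)):
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= RCON[i // nk - 1]
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]               # extra SubWord, AES-256 only
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [[b for word in w[4 * r:4 * r + 4] for b in word] for r in range(nr + 1)]


def _add_round_key(s, rk):
    return [a ^ b for a, b in zip(s, rk)]


def _sub_bytes(s):
    return [SBOX[b] for b in s]


def _shift_rows(s):
    # State is column-major (index = 4*col + row); row r rotates left by r.
    return [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]


def _mix_columns(s):
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [_xtime(a0) ^ _xtime(a1) ^ a1 ^ a2 ^ a3,     # 2a0 + 3a1 + a2 + a3
                a0 ^ _xtime(a1) ^ _xtime(a2) ^ a2 ^ a3,     # a0 + 2a1 + 3a2 + a3
                a0 ^ a1 ^ _xtime(a2) ^ _xtime(a3) ^ a3,     # a0 + a1 + 2a2 + 3a3
                _xtime(a0) ^ a0 ^ a1 ^ a2 ^ _xtime(a3)]     # 3a0 + a1 + a2 + 2a3
    return out


def num_rounds(key):
    """10, 12 or 14 for AES-128, -192, -256."""
    return len(expand_key(key)) - 1


def encrypt_block(key, block):
    """Encrypt a single 16-byte block with the round structure listed above."""
    if len(block) != 16:
        raise ValueError("AES block size is 16 bytes")
    rks = expand_key(key)
    s = _add_round_key(list(block), rks[0])                   # initial round
    for rk in rks[1:-1]:                                      # Nr - 1 full rounds
        s = _add_round_key(_mix_columns(_shift_rows(_sub_bytes(s))), rk)
    s = _add_round_key(_shift_rows(_sub_bytes(s)), rks[-1])   # final round: no MixColumns
    return bytes(s)


if __name__ == "__main__":
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")
    for key in (bytes(range(16)), bytes(range(24)), bytes(range(32))):
        print(f"AES-{8 * len(key)}: {num_rounds(key)} rounds ->", encrypt_block(key, pt).hex())
```

Two things worth noticing when you read it: the only place the key size changes anything is the key schedule (more words, hence more round keys, hence more rounds), and the round function itself is byte-oriented and simple, which is why hardware implementations and CPU instructions can run it with so little overhead.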
Hard drive encryption can affect the performance of your machine. Hardware encryption, however, doesn’t suffer as much as software encryption. Performance hits of 5% to 15% have been reported, with exceptions much higher. Many software encryption vendors claim that users will not typically notice the performance degradation, but this is a LIE! Since encrypting, my laptop is NOTICEABLY slower, evident from higher CPU usage and considerably more disk swapping as data goes through the encryption process. Granted, variables such as the quality of the hardware can minimize the impact, but there is still an impact.
With the paranoia mounting, hard drive encryption is a nice way to add some peace of mind, and the performance degradation is worth the security of your data. The portfolio of encryption packages is growing daily, which makes the decision a bit hard, but if you own one of the more advanced editions of Windows you may already have all the tools you need (BitLocker) to secure the data on your hard drive.