So why don't we encrypt our data as a matter of course? Well, it's probably because of the impact on performance, plus the required increase in system administration and user support. Full-disk encryption (FDE) is a process that encrypts everything on a disk without user action. This includes the operating system, the swap file and any temporary files; these last two can often leak important confidential data to a hacker. FDE also provides support for pre-boot authentication. It's an effective technique, but encryption can double data access times, particularly when virtual memory is being heavily accessed.
Another, more significant, problem is encryption key and password management. Any encryption system is only as safe as its encryption keys. With FDE, only one key is used to encrypt the entire disk. Usually keys are stored on the local system, and their sole protection is typically the user's password or passphrase. And we all know how weak those can be! Disk encryption therefore requires policies that enforce strong passwords and can handle forgotten passwords, encryption key backup processes and employee termination.
Despite these disadvantages, I think FDE is fast becoming an essential security requirement for any organization that holds sensitive data. Data loss can be crippling both financially and legally, and protecting data with a well-implemented FDE policy will prevent many of these problems. File encryption such as Microsoft's Windows EFS (Encrypting File System) is a start, but EFS doesn't encrypt all of the data saved on the hard disk. Also, file encryption is nowhere near as efficient as drive encryption.
There are plenty of new products that will make FDE a more practical solution. Windows Vista Enterprise and Ultimate editions, for example, include BitLocker full volume encryption (FVE). It encrypts the partition on which Vista is installed, and it does so on a sector basis rather than by files. This arrangement protects all data, including that in the paging file, hibernation file and all system files. Other partitions can only be protected using EFS, but at least the EFS encryption keys are located on the OS partition. On the hardware side, Seagate is about to ship a hard drive that includes a special encryption chip that will make its data impossible for anyone to read -- or even boot up its PC -- without some form of authentication. (I'm a fan of using hardware tokens to reduce password management overhead, but it's an additional cost to consider.) Thankfully, Seagate is also working to develop an enterprise password management system that works with the drives.
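To make the two ideas above concrete, the single-key, sector-based encryption that BitLocker-style FDE uses and the key-management problem of passwords, backups and forgotten credentials, here is a small added example in Python. It is not code from this article or from any of the products mentioned. It models an in-memory volume whose sectors are encrypted under one volume master key (VMK), with the sector number used as a tweak so identical plaintext in two sectors never produces identical ciphertext; the VMK itself is never stored in the clear but is wrapped twice, once under a key derived from the user's password and once under an escrowed recovery key, so a forgotten password does not mean lost data. The names `Volume`, `wrap_vmk`, `sector_keystream` and the HMAC-SHA256 keystream construction are assumptions made for this illustration; real products use AES in a tweakable block mode, not this toy stream construction.

```python
import hashlib
import hmac
import os

SECTOR_SIZE = 512      # bytes per sector, as on a classic hard disk
KEY_LEN = 32           # 256-bit keys throughout
PBKDF2_ROUNDS = 100_000


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def sector_keystream(vmk: bytes, sector_index: int) -> bytes:
    """Keystream for one sector, derived from the volume master key and the
    sector number. The sector index acts as a tweak, so two sectors holding the
    same plaintext encrypt differently. Toy HMAC-SHA256 construction (assumed
    for this example), not AES-XTS as a real product would use."""
    out = b""
    counter = 0
    while len(out) < SECTOR_SIZE:
        msg = b"sector" + sector_index.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(vmk, msg, hashlib.sha256).digest()
        counter += 1
    return out[:SECTOR_SIZE]


def crypt_sector(vmk: bytes, sector_index: int, data: bytes) -> bytes:
    """Encrypts or decrypts exactly one sector (XOR with the sector keystream)."""
    if len(data) != SECTOR_SIZE:
        raise ValueError("sector must be exactly SECTOR_SIZE bytes")
    return xor_bytes(data, sector_keystream(vmk, sector_index))


def derive_kek(secret: bytes, salt: bytes) -> bytes:
    """Key-encryption key from a password or recovery key via PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS, dklen=KEY_LEN)


def wrap_vmk(kek: bytes, vmk: bytes) -> bytes:
    """Protector blob: nonce || (vmk XOR keystream) || HMAC tag over nonce and blob."""
    nonce = os.urandom(16)
    ks = hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()
    blob = xor_bytes(vmk, ks)
    tag = hmac.new(kek, b"tag" + nonce + blob, hashlib.sha256).digest()
    return nonce + blob + tag


def unwrap_vmk(kek: bytes, protector: bytes):
    """Returns the VMK, or None when the tag does not verify (wrong secret)."""
    nonce, blob, tag = protector[:16], protector[16:48], protector[48:]
    expected = hmac.new(kek, b"tag" + nonce + blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = hmac.new(kek, b"wrap" + nonce, hashlib.sha256).digest()
    return xor_bytes(blob, ks)


class Volume:
    """In-memory encrypted volume (hypothetical) with a password protector and a
    recovery-key protector. self.vmk stands for the key held in RAM while unlocked."""

    def __init__(self, password: bytes):
        self.vmk = os.urandom(KEY_LEN)            # one key for the whole disk
        self.salt = os.urandom(16)
        self.recovery_key = os.urandom(KEY_LEN)   # to be escrowed by the organisation
        self.protectors = {
            "password": wrap_vmk(derive_kek(password, self.salt), self.vmk),
            "recovery": wrap_vmk(derive_kek(self.recovery_key, self.salt), self.vmk),
        }
        self.sectors = {}                         # sector index -> ciphertext

    def write(self, index: int, plaintext: bytes) -> None:
        padded = plaintext.ljust(SECTOR_SIZE, b"\0")
        self.sectors[index] = crypt_sector(self.vmk, index, padded)

    def unlock(self, password: bytes = None, recovery_key: bytes = None):
        """Pre-boot step: recover the VMK from whichever secret the user presents."""
        if password is not None:
            return unwrap_vmk(derive_kek(password, self.salt), self.protectors["password"])
        if recovery_key is not None:
            return unwrap_vmk(derive_kek(recovery_key, self.salt), self.protectors["recovery"])
        return None

    def read(self, index: int, vmk: bytes) -> bytes:
        return crypt_sector(vmk, index, self.sectors[index]).rstrip(b"\0")


if __name__ == "__main__":
    vol = Volume(b"correct horse battery")          # constructed sample password
    vol.write(0, b"confidential payroll")
    vol.write(1, b"confidential payroll")
    print("sectors differ:", vol.sectors[0] != vol.sectors[1])
    print("wrong password:", vol.unlock(password=b"wrong"))
    print("recovered:", vol.read(0, vol.unlock(recovery_key=vol.recovery_key)))
```

Two design points are worth noting. First, because the VMK is wrapped rather than used directly, a lost password is handled by the recovery protector and a departing employee's access is revoked by re-wrapping the VMK under a new password, in both cases without re-encrypting the disk. Second, the XOR-stream construction here reuses the same keystream whenever a sector is rewritten in place, which is exactly why real disk encryption uses a tweakable block mode such as AES-XTS; the toy construction is enough to show the sector tweak but must not be copied into a product.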
This was first published in February 2007