Jan 21, 2010

Disk encryption software

For work reasons, I looked into solutions for encrypting data on PCs. I wrote a short, very pragmatic summary, and I'm copy-pasting it here.

Hi all,
in my spare time over the last few months I've done a bit of research about encryption software. The reason behind it is that we store a lot of confidential data on our PCs and we want to protect it even if a PC is stolen or lost.

The two main solutions to the problem are: 1) to encrypt selected files or folders; 2) to encrypt the full hard disk.

Method 1 is accomplished by things like Windows' EFS (encrypted file system) and whatever similar feature the Mac provides, which let you encrypt your files by applying a certain attribute to them. Method 2 is accomplished by many software products (such as PGPDisk) and by Microsoft's BitLocker technology.

Note that both methods aim to protect your data when the PC is switched off: if somebody takes your PC away from you while you're working at a Starbucks and runs away, there's nothing you can do.

Full-disk encryption solutions transparently decrypt data on the fly after the user has entered a password or passphrase at boot time. This is very helpful because the data protection is totally transparent to the user and does not create any hassle during normal operations, except the need to create some kind of "recovery key" and store it in a safe place. Some of these solutions are vulnerable to a potential attack where somebody gains access to your PC, inserts code in the boot record to capture your passphrase, waits for you to type it the next time you boot, and then steals the PC at the first opportunity. Protection against this evil attack is provided by pre-boot authentication and/or integration with a TPM (Trusted Platform Module) CPU, as Windows 7 provides.
PROs: it's transparent to OS authentication/authorization, so sharing data is easier.
CONs: you might feel a bit uncomfortable having *all* your data protected by a single passphrase; data is not encrypted when it leaves the hard disk (email, USB key, etc.), although solutions exist for this case as well; if it's not BitLocker, it means you'll have to install one more piece of third-party software; it works better with TPM.
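To check the two operational points above (a recovery key exists, and the OS volume is tied to the TPM and/or pre-boot authentication), here is an added example, not part of the original post. It assumes a Windows release that ships the BitLocker PowerShell module, which is newer than the Windows 7 mentioned here; `Test-BitLockerPosture` and `New-SampleVolume` are hypothetical helper names, and the sample volumes are constructed.

```powershell
function Test-BitLockerPosture {
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)
    process {
        # Protector type names as reported by Get-BitLockerVolume.
        $types = @(foreach ($kp in $Volume.KeyProtector) { "$($kp.KeyProtectorType)" })
        $gaps  = @()
        if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
            $gaps += "status is $($Volume.VolumeStatus)"
        }
        if ("$($Volume.ProtectionStatus)" -ne 'On') {
            $gaps += 'protection is off or suspended'
        }
        if ($types -notcontains 'RecoveryPassword') {
            $gaps += 'no recovery password to keep in a safe place'
        }
        # Boot-time protection only applies to the OS volume.
        $boot = 'n/a'
        if ("$($Volume.VolumeType)" -eq 'OperatingSystem') {
            if ($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' }) {
                $boot = 'TPM + pre-boot authentication'
            } elseif ($types -contains 'Tpm') {
                $boot = 'TPM only'
            } else {
                $boot = 'no TPM protector'
                $gaps += 'OS volume is not bound to the TPM'
            }
        }
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Boot       = $boot
            Gaps       = if ($gaps) { $gaps -join '; ' } else { 'none' }
        }
    }
}

# Constructed sample objects shaped like Get-BitLockerVolume output (not real data).
function New-SampleVolume($Mount, $Type, $Status, $Protection, [string[]]$Protectors) {
    [pscustomobject]@{
        MountPoint = $Mount; VolumeType = $Type; VolumeStatus = $Status; ProtectionStatus = $Protection
        KeyProtector = @($Protectors | ForEach-Object { [pscustomobject]@{ KeyProtectorType = $_ } })
    }
}
$sample = @(
    New-SampleVolume 'C:' 'OperatingSystem' 'FullyEncrypted' 'On'  @('TpmPin', 'RecoveryPassword')
    New-SampleVolume 'D:' 'Data'            'FullyEncrypted' 'Off' @('Password')
    New-SampleVolume 'E:' 'OperatingSystem' 'FullyDecrypted' 'Off' @()
)
$sample | Test-BitLockerPosture | Format-Table -AutoSize -Wrap

# On a real machine, from an elevated prompt: Get-BitLockerVolume | Test-BitLockerPosture
```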

EFS-like selective encryption is implemented by the OS, so basically the level of security you get is the same as that of your OS password. Files or folders can be selectively encrypted. Of course, the encryption key/certificate has to be backed up here as well. Windows' EFS introduces a major hassle: to share your encrypted files with other users, they have to use EFS too and you need to "add" them to the EFS permissions of your file, just like an additional authorization layer. Encryption is lost when copying a file to a non-NTFS drive. I think Windows<-->Mac interactions would be complicated.
PROs: it's available on any recent version of Windows, with no particular requirements. Afaik, Mac has a similar thing.
CONs: makes sharing data somewhat more complicated; it's a bit less secure, since it's easier to install keyloggers on a running OS.

All in all, I'd say that for data that does not need to be shared, EFS-like encryption is quite OK.

In the longer term, I'd move company-wide to a BitLocker+TPM solution or a third-party solution such as PGPDisk (it supports Mac and pre-boot auth, and you're welcome to install it anyway immediately if you like - a McAfee solution exists as well).

When it comes to disaster recovery (that is, you've lost your encryption key), I'd say that both approaches have their pros and cons and introduce a bit of additional hassle for you to keep your data both backed up and secure (what if somebody steals your unencrypted backup? etc.).

I couldn't find any info about the performance impact of these solutions (not that I searched too much...), but the fact that nobody is loudly complaining is probably good news in itself.

Couple of links:
