Specifying and supporting disk encryption
Encryption is at the top of the business agenda following a spate of embarrassing data breaches. How can you design and implement encryption systems to suit your customers’ needs without making life harder all round?
Encryption. Let’s face it – the technology sells itself these days. Any smart-witted customer will already be talking to you about this, and those that aren’t should be made aware of the dangers of storing data in the clear. It’s true there are fewer data security regulations pertaining to encryption in the UK than in the litigious US but the UK’s Data Protection Act still serves as a catch-all for data privacy and the Office of the Information Commissioner is getting new powers to enforce it. The Companies Act (which comes into full effect this autumn) will unify many governance responsibilities that have previously been scattered across the legislative landscape, creating a new impetus for directors who may previously have adopted a laissez-faire attitude to internal controls. Use this to drive home the message.
The real place to start is by understanding what data must be locked up, because the likelihood is that the user won’t. Analysing the types of data that the company is producing and consuming will help you to recommend which areas they should focus on. Customer credit card details? Definitely. Press releases, or generic B-roll shots in an edit suite? Not so much.
Does your client require data to be encrypted just at the edge of the network on desktop and laptop machines, or are the ‘crown jewels’ on the server? If you’re encrypting server-based data, are you simply encrypting a network drive, or is there information stored within a database that must be securely stored? And just because you think you know where the data to be encrypted is, doesn’t mean that it isn’t anywhere else. Sensitive account information might be encrypted on the office administrator’s PC, but what if he put it on a USB key to copy it to his PC when the network was down? What if that USB key accidentally went home in his bag over the weekend – and stayed there?
Symantec’s Information Foundation helps with information discovery and ongoing classification, but this is best used for discovery of information after it has been classified. For small businesses, a more manual information audit will be necessary, taking into account all the machines on the network, and all other mobile devices. Interviews or questionnaires may help understand how staff have taken data offsite in the past.
Files, folders and disks
Depending on what needs encrypting and where, you’ll choose either a full disk encryption or a file and folder-based encryption system. PGP, Symantec, McAfee, Utimaco and CheckPoint offer full disk encryption or it’s free in Windows Server 2008 and versions of Vista that include BitLocker – which for small businesses means Ultimate. Applied Security’s fideAS, and Steganos Safe Professional, encrypt specific files and folders, or you can use EFS, the encrypting file system built into Windows.
Microsoft designed BitLocker for encrypting laptops, because they leave the office, and desktops, to simplify disposing of disks securely, but BitLocker is also suitable for protecting servers in branch offices and small businesses. In the release version of Vista, BitLocker can encrypt the system volume through the GUI or any volume through the command line; in SP1 (and Server 2008) you can encrypt all volumes with the GUI. There will be a small unencrypted volume on the machine as well, for storing the MBR, WinPE and Windows loader. Make this at least 1.5GB, in case other Windows components need to use it or you want to put recovery or system tools there, and set the NTFS permissions so users can’t accidentally write data to it. The BitLocker Drive Preparation Tool (support.microsoft.com/kb/930063) will do a lot of the work, or you can script BitLocker installation and configuration, locally or remotely, using WMI tools and the BitLocker command-line tool, manage-bde.wsf. Encryption takes about a minute for every 500MB and you don’t have to wait until the encryption is finished; the user can get back to work while Vista is still encrypting the files.
BitLocker locks the encrypted volume to the physical PC it’s part of, and to Vista, stopping a thief from accessing the files on another PC or from a different operating system. The Storage Root Key is a 2048-bit key pair stored in the Trusted Platform Module (TPM) in the PC chipset that authenticates the machine and guarantees that it hasn’t been tampered with. The SRK is used to authorise all TPM actions; you can’t copy this but it is possible to migrate it to another TPM. The disk sectors are encrypted using the full-volume encryption key (FVEK) which is stored on the hard drive. The FVEK is in turn encrypted with a key called the volume master key (VMK), which is sealed to the TPM using a range of hardware details: the TPM’s Core Root of Trust Measurement (CRTM), the BIOS and any platform extensions, option ROM code, MBR code, the NTFS boot sector and the boot manager. Change any of that and BitLocker will lock the drive.
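The key chain described above, as an added Python model that is not code from the original article or from Microsoft: it shows why a change to any measured boot component stops the TPM releasing the VMK, while a recovery key still reaches the FVEK. The XOR/HMAC wrapping, the symmetric stand-in for the SRK, the single measurement register, the recovery-key wrapping and all component contents are simplifying assumptions.

```python
import hashlib, hmac, os
# Components the article lists as inputs to the seal; the byte contents are constructed.
BOOT_CHAIN = [("CRTM", b"crtm-v1"), ("BIOS", b"bios-v1"), ("option ROM", b"rom-v1"),
              ("MBR", b"mbr-v1"), ("NTFS boot sector", b"ntfs-v1"), ("boot manager", b"bootmgr-v1")]

def measure(chain):
    """Hash-chain every component in boot order: new = SHA1(old || SHA1(code))."""
    pcr = b"\x00" * 20
    for _name, code in chain:
        pcr = hashlib.sha1(pcr + hashlib.sha1(code).digest()).digest()
    return pcr

def _xor(key, label, data):
    """Toy key wrap: XOR with an HMAC-derived pad (stand-in for the real ciphers)."""
    pad = hmac.new(key, label, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

class ToyTPM:  # assumption: a symmetric secret models the SRK that never leaves the chip
    def __init__(self):
        self._srk = os.urandom(32)
    def seal(self, secret, pcr):
        blob = _xor(self._srk, pcr, secret)
        tag = hmac.new(self._srk, pcr + blob, hashlib.sha256).digest()
        return pcr, blob, tag                 # expected measurement travels with the blob
    def unseal(self, sealed, current_pcr):
        pcr, blob, tag = sealed
        good = hmac.compare_digest(tag, hmac.new(self._srk, pcr + blob, hashlib.sha256).digest())
        if not good or not hmac.compare_digest(pcr, current_pcr):
            return None                       # wrong chip or changed platform: VMK stays sealed
        return _xor(self._srk, pcr, blob)

def boot(tpm, sealed_vmk, wrapped_fvek, chain):
    """Normal start-up: measure, unseal the VMK, then unwrap the FVEK stored on disk."""
    vmk = tpm.unseal(sealed_vmk, measure(chain))
    return None if vmk is None else _xor(vmk, b"fvek", wrapped_fvek)

def recover(recovery_key, vmk_by_recovery, wrapped_fvek):
    """Recovery path: a second protector of the same VMK that does not involve the TPM."""
    return _xor(_xor(recovery_key, b"vmk", vmk_by_recovery), b"fvek", wrapped_fvek)

def demo():
    tpm, fvek, vmk, rec = ToyTPM(), os.urandom(32), os.urandom(32), os.urandom(32)
    wrapped_fvek = _xor(vmk, b"fvek", fvek)               # FVEK encrypted with the VMK
    sealed_vmk = tpm.seal(vmk, measure(BOOT_CHAIN))       # VMK sealed to the known-good boot
    vmk_by_recovery = _xor(rec, b"vmk", vmk)
    tampered = BOOT_CHAIN[:3] + [("MBR", b"mbr-modified")] + BOOT_CHAIN[4:]
    return (boot(tpm, sealed_vmk, wrapped_fvek, BOOT_CHAIN) == fvek,
            boot(tpm, sealed_vmk, wrapped_fvek, tampered) is None,
            recover(rec, vmk_by_recovery, wrapped_fvek) == fvek)
```

demo() returns three booleans: the unmodified boot unlocks the volume, the boot with a changed MBR is refused, and the recovery key still works after that refusal.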
This is minimal protection if the PC is stolen and the user password is easy to guess, so if the data you’re protecting is commercially sensitive, add a PIN or a USB token with a startup key (or both in SP1; you can enforce this remotely by running a script, even on already encrypted drives, and it doesn’t require re-encrypting the hard drive). The PIN can be 4 to 28 digits, but if it’s too long there’s a danger users will write it on a sticky note and keep it with the notebook. Similarly, the temptation is to keep a USB drive used for the BitLocker startup key with the PC, so you’ll need to warn users that what’s convenient for them is also convenient for thieves. You can use BitLocker to protect PCs without TPM, by using Group Policy to store the keys only on an external USB drive, but again, this gives less protection.
BitLocker can be managed through WMI and PowerShell. The encryption keys are automatically archived in Active Directory in case of hardware failures and forgotten PINs; they are in clear text but they are secured by ACLs as confidential attributes that only domain administrators can see. The recovery keys are not automatically archived in AD but you can change this. If you have a customer who doesn’t have a server, or where not all PCs are joined to the domain, set up a system for storing copies, recovery keys and recovery passwords securely. The 48-digit numerical recovery password can be saved on a USB drive (make sure it’s not the same drive used for the startup key), into a network folder or printed out.
If the system changes or the user loses the USB drive with their BitLocker key or forgets their PIN, BitLocker will prompt them to insert the drive with the recovery key; the system will reboot to read it. If the recovery drive is missing, or one hasn’t been created, the screen will ask them to type in the 48-digit password using the function keys rather than the usual number keys (check they’ve used these if they complain the recovery password doesn’t work). If you need to open a BitLocker-protected drive on another PC (which has to be running Vista or Windows Server 2008), use the BitLocker control panel; the only option is to unlock the drive with the recovery key or password.
BitLocker can be disabled without decrypting the data; in this case, the VMK is protected only by a new key that is stored unencrypted. This clear key allows the system to access the drive as if it were unprotected but the user doesn’t have to wait for the contents of the hard drive to be unencrypted and it can be protected again instantly; this can be useful for system maintenance. You can also protect a drive that you’re sending elsewhere or storing on your own premises by leaving it encrypted, keeping a copy of the key and deleting the local copy of the key from the hard drive. When you decommission a hard disk, you can delete all the keys, or create new keys but not store them; formatting the drive will also delete the keys and overwrite those sectors securely.
BitLocker is free, but it has drawbacks. To get it, you have to take your customers to Vista, and they have to pay for Ultimate licences. If you want to protect older versions of Windows, or Macs, you’ll need to use other software like PGP Whole Disk Encryption for those machines. You’ll also need additional tools to force data written to removable media such as USB keys or CD-ROM drives to be encrypted, instead of leaving it to the users.
Whatever encryption you choose, once you have transparently encrypted drives, you need to make sure users don’t save files elsewhere and have company data compromised; use ACLs and Group Policy to restrict access to folders or hide drive letters (http://support.microsoft.com/kb/231289/en-us).
Some other encryption tools can store PINs and recovery keys on a server too; again the master key is stored on a smart card or on the hard disk that has been encrypted. FideAS doesn’t store keys in Active Directory, just policy information. Its administration console connects to a security server, which in turn connects to a file server. The security server handles the keys and also applies encryption policies to the file server, but it relies on existing group and individual definitions in Active Directory for applying policies, which controls which directory paths use transparent encryption.
PGP’s Universal Server is a centralised management console which lets you manage keys and encryption policies for multiple customers remotely, from a single server. It uses the asymmetric OpenPGP key structure for its keys. The private key is used for simple disk encryption, with a public key for tasks such as exchanging encrypted email with large numbers of people. You can add different key components transparently from the central management console, using PGP Desktop on the client PCs. This can install all client-side PGP applications, such as PGP Email and disk encryption, and handles key management tasks with Universal Server in ‘managed mode’.
Travellers who lose their decryption keys can call your helpdesk number to request a passphrase recovery token after a manual challenge/response test. You read them a token over the phone, which is a one-time key crafted specifically for that device, which will let them in until they log back into their company network. At this point, they have access to their private key again, so Universal Server invalidates the passphrase security token and creates another for use in a future emergency.
Universal Server doesn’t yet support automatic online challenge/response systems for passphrase recovery tokens, so you’ll want to agree what hours the helpdesk will be available in your SLA. It also doesn’t support hardware security modules or biometric access to encrypted data. However, it is possible to integrate the system with Active Directory to manage keys and encryption policies.
Hardware-based key management appliances like nCipher’s netHSM may be worthwhile if you have a lot of keys to deal with; this gives you an audit trail to show when keys were created and destroyed, and who had a copy. That’s going to be important when a laptop is lost and the auditor asks whether the key to those files was stored on any other devices. Keys are stored in an encrypted central database in nCipher, because the long random numbers that make them up can be easy to spot if an attacker gains access to the server.
You need to set up your encryption to protect against carelessness as well as malicious attacks. Once the user walks away from a switched-on PC, it’s easy for data to be compromised. Use Group Policy to force the machine to ask for a password when the system wakes up. You can set a PC to sleep or hibernate after only a short period of inactivity, protecting users who just walk away; but expect complaints that the machine locked up while they were using it from users who lost track of time, or tried to access their PC halfway through a long phone call.
Setting a separate encryption password as part of preboot authorisation is technically more secure, but users will often use the same password, making it ineffective. There are attacks that use a FireWire connection to control a PC or try to recover the encryption keys from memory when the PC is asleep rather than hibernated – including physically freezing the memory to preserve the state. Many of the attacks only work if the thief can take the laptop away right after it’s been used and work on it quickly, and you can protect against them by using Group Policy to put machines into hibernation rather than sleep and by using a PIN with BitLocker. If laptops contain particularly confidential information, consider locking down the BIOS so they can’t boot from network or external hard drives, and turning off FireWire ports.
Whole disk encryption protects against offline attacks, where the machine is turned off. Even with strong, two-factor authentication, using biometrics or smart cards to complement a user’s own password, users are the weakest link. Users who leave their PC on and walk away or who write down their PIN (or memorise an easily guessable one, like their birthday or phone number) are vulnerable to data theft. The same goes for inadequately protected hardware tokens. The ‘soft’ aspect of encryption, training users to follow common sense guidelines, is just as important as the ‘hard’, technological one.