Using full disk encryption in the battle against laptop data theft

With more employees taking their work outside of the office, data loss from lost or stolen laptops is becoming more common. In this Q&A, Michael Cobb explains whether that means it's time for full disk encryption.

Given that so much important information is found on company laptops, should a computer's entire hard drive be encrypted? What are the pros and cons? Stories of lost or stolen laptops containing sensitive information from appear almost weekly in the news. I would consider controlling what data can be downloaded to a company laptop in the first place, but statistics certainly support more widespread use of data or hard drive encrypt...


More on encryption
Laptop encryption options

Case Study: Allstate Insurance Company's Local Data Protection Project
So why don't we encrypt our data as a matter of course? Well it's probably because of the impact on performance, plus the required increase in system administration and user support. Full disk encryption (FDE) is a process that encrypts everything on a disk without user action. This includes the operating system, swap file and any temporary files. These last two can often leak important confidential data to a hacker. FDE also provides support for pre-boot authentication. It's an effective technique, but encryption can double data access times, particularly when virtual memory is being heavily accessed.

Another, more significant problem, though, is encryption key and password management. Any encryption system is only as safe as the encryption keys. With FDE, only one key is used to encrypt the entire disk. Usually keys are stored on the local system, and their sole protection is typically the user's password or passphrase. And we all know how weak they can be! Disk encryption therefore requires policies that enforce strong passwords and can handle forgotten passwords, encryption key backup processes and employee termination.

Despite these disadvantages, I think FDE is fast becoming an essential security requirement for any organization that holds sensitive data. Data loss can be crippling both financially and legally, and protecting data with a well-implemented FDE policy will prevent many of these problems. File encryption such as Microsoft's Windows EFS (Encrypting File System) is a start, but EFS doesn't encrypt all of the data saved on the hard disk. Also, file encryption is nowhere near as efficient as drive encryption.

There are plenty of products that will make FDE a more practical solution. Windows Vista Enterprise and Ultimate editions, for example, include BitLocker full volume encryption (FVE). It encrypts the partition on which Vista is installed, and it does so on a sector basis rather than by files. This arrangement protects all data, including that in the paging file, hibernation file and all system files. Other partitions can only be protected using EFS, but at least the EFS encryption keys are located on the OS partition. On the hardware side, Seagate has a hard drive that includes a special encryption chip that will make its data impossible for anyone to read -- or even boot up its PC -- without some form of authentication. (I'm a fan of using hardware tokens to reduce password management overhead, but it's an additional cost to consider.)



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: