crypted disk

[g.bon]

Hi,
I've been asked to install a crypted hard disk drive on a Windows
computer.
I thought about an internal Sata HDD or an external HDD (USB or esata).

So, do you think it will make the computer slower ?
Any advice on what hardware to choose ?

Thanks,
GB

 

[Paul]

Hi,
I've been asked to install a crypted hard disk drive on a Windows computer.
I thought about an internal Sata HDD or an external HDD (USB or esata).

So, do you think it will make the computer slower ?
Any advice on what hardware to choose ?

Thanks,
GB

http://en.wikipedia.org/wiki/Full_disk_encryption

http://en.wikipedia.org/wiki/Hardware-based_Full_Disk_Encryption

With the hardware based solution, decryption is handled by the
disk drive itself, leading to little impact on performance. The
chip on the disk drive, decrypts data as fast as the drive can
read it.

The problem is the implementation details. How do you set one up ?
Can you actually buy the FDE drive at a retail store ?
Does the computer need special properties (such as support
for prompting for a password before boot) ? I haven't
really seen a practical "howto" about this. All I see
are confusing articles like the two in Wikipedia.

These schemes have been delivered in business computers, as
a pre-configured solution. Now, the challenge is, how
do we get them into *any* computer on demand ?

*******

If you use a software based solution, then the decryption
stage is presumably done by the CPU. An example might be
BitLocker.

http://en.wikipedia.org/wiki/Bitlocker

Another example is Truecrypt.

http://en.wikipedia.org/wiki/Truecrypt

No scheme is prefect, but the FDE has some advantages in
terms of encrypting everything. The software based schemes
have a few more exposures than the hardware based ones.

Paul

 

[VanguardLH]

Hi,
I've been asked to install a crypted hard disk drive on a Windows
computer.
I thought about an internal Sata HDD or an external HDD (USB or esata).

So, do you think it will make the computer slower ?
Any advice on what hardware to choose ?

Thanks,
GB

Encryption, whether hardware or software based, will always impact the
performance of accessing and writing back the data. After all, to *use*
the data means it has to first get decrypted, you use it, then it has to
get encrypted when put back. Obviously hardware is faster than software
(well, usually it is) but you never described what you meant by "crypted
hard disk". That could be a hard drive that has inbuilt encryption in
its firmware, or a chip on the mobo that does the encryption, or you are
using software to create encrypted containers or partitions on the hard
disk.

Does whomever who asked for encryption have a problem with security of
their data? Is the data on their hard disk more sensitive than, say,
what's in their wallet or file cabinet at work/home? Is this for a
laptop or desktop? Is the concern only over protecting the data or also
blocking anyone that, say, steals a laptop from also running the OS on
it? What will this user do when (and not if) they forget the password
to access the encrypted data (when using a software solution)? If using
hardware encryption, how are they going to retrieve their data should
the hard disk go dead or they need to move it to a new computer? Who is
doing all the support (software or hardware) for the encryption method?
Who is going to do the recovery? What backup scheme is employed?

 

[g.bon]

Paul a écrit :

http://en.wikipedia.org/wiki/Bitlocker

Another example is Truecrypt.

http://en.wikipedia.org/wiki/Truecrypt

No scheme is prefect, but the FDE has some advantages in
terms of encrypting everything. The software based schemes
have a few more exposures than the hardware based ones.

Paul

Thanks you very much,

FDE seems to be interresting.
However, do you know examples of hardware that can manage FDE ?
I can't find motherboard or hard disks that is supposed to support
Bitlocker or FDE.

Thanks,
GB

 

[Paul]

Paul a écrit :


Thanks you very much,

FDE seems to be interresting.
However, do you know examples of hardware that can manage FDE ?
I can't find motherboard or hard disks that is supposed to support
Bitlocker or FDE.

Thanks,
GB

I'm still finding this stuff confusing. The last time I
read a few docs, I couldn't understand the full scheme. And
I still can't see the scheme in complete detail.

They refer to some initial password and "warm booting" here.
They also mention a 130MB "preboot" area on the drive, which
is not encrypted. I'd never heard of that before, and that
is a departure from the concept of Full Disk Encryption.

http://seagate.custkb.com/seagate/crm/selfservice/search.jsp?DocId=206011

Having a 130MB "preboot" area, makes it sound a bit more
similar to BitLocker. Except compared to BitLocker, the
decrypting of C: is done at hardware speed, inside the drive
controller. That reduces performance penalties on the OS.
There is a claim, that Windows 7 installs on two partitions,
so that the small "SYSTEM RESERVED" partition which boots
the computer, can remain unencrypted, while the main C:
partition is encrypted with BitLocker. This preboot area
sounds like a similar concept.

http://seagate.custkb.com/seagate/crm/selfservice/search.jsp?DocId=205983&Hilite=#15

It's a fun subject.

http://www.computerworld.com/s/arti..._Full_disk_encryption_for_all_computer_drives

"Coming soon: Full-disk encryption for all computer drives
Drive makers settle on a single encryption standard"

*******

With regard to BitLocker, it has several means to enter information
to cause the information to be decrypted. One means, uses a TPM
module on the motherboard. But because not every motherboard
has TPM, there are other methods that can be used as well. Perhaps
a USB pen drive has the password, you plug it in, and BitLocker is
unlocked.

http://en.wikipedia.org/wiki/Bitlocker

In any case, what I'm reading above about FDE, doesn't seem
self consistent. The existence of a 130MB "preboot" area,
implies a design which doesn't need a BIOS password step.
Simply execute code in the "preboot" area, and prompt the
user for the password in there. Doing the password at
the BIOS level though, relies on the security by obscurity
of BIOS code, as it's harder to snoop a password which is
being entered at the BIOS level. Otherwise, they could
have the password entry stage in the preboot code. But
if a person inserted a keylogger into the preboot code,
then you could snoop the password. If the password has
to be entered in the BIOS followed by the warm boot,
that's secure as long as the BIOS flash chip is not compromised.

Maybe devices like this, get rid of the preboot area.

"PMC Delivers SAS/SATA Controller-Based Encryption Solutions"
http://money.msn.com/business-news/article.aspx?feed=BW&Date=20111024&ID=14425700

http://www.plxtech.com/download/file/1157

"OXUFS946DSE Dual SATA RAID Controller with Encryption"
http://www.plxtech.com/download/file/1157

So devices like that, if available, would allow the usage
of ordinary hard drives, with the encryption engine on
the SATA controller card.

It's amazing how much this stuff has changed, since the
last time I read about it.

Paul