Monday, January 22, 2007

Introduction to Full Disk Encryption

So what is this Full Disk Encryption (FDE) you ask?

In short, it is a security solution that encrypts your entire Hard Disk Drive (HDD), including the Operating System. It is one of the "most transparent" encryption products you can get for your computer. Once installed, you authenticate once, before the operating system boots; if that succeeds the HDD is unlocked and behaves like any other HDD. You don't have to worry about which files to encrypt and which not to encrypt. With FDE everything is encrypted. For the same reason, the US Government is currently conducting a competition of various FDE solutions to select and implement the best one.

You can find more info about the Government competition at

http://www.fbo.gov/spg/USAF/AFMC/ESC/FA8771-07-R-0001/Attachments.html
and
http://www.fbo.gov/spg/USAF/AFMC/ESC/FA8771%2D07%2DR%2D0001/listing.html

So what are the benefits of Full Disk Encryption?

Full disk encryption has several benefits compared to regular file or folder encryption, or encrypted vaults. The following are some benefits of full disk encryption:

  1. Everything, including the swap space and temporary files, is encrypted. Encrypting these is important, as they can reveal confidential data.
  2. With full disk encryption, the decision of which files to encrypt is not left up to the user.
  3. Support for pre-boot authentication.

I heard using encryption slows down a computer. Is that true for FDE as well?

Yes and no. There are many hardware based FDE solutions (e.g. Seagate Momentus FDE.2) that have NO impact on the computer's performance. On the other hand, software based FDE creates a processing overhead and slows down the computer, especially if you are working with large (more than 2 GB) files. But who works with 2+ GB files on a daily basis anyway?

You ask: So where do I get this FDE thingy, and how much does it cost?

Good questions. FDE solutions come in many flavors. Most importantly, they can cost anywhere from $0.00 (Free (e.g. Compusec)) to $200 (e.g. Pointsec) depending on the features and encryption algorithm being used. See below for a comparison chart of the popular FDE solutions currently on the market, their feature set, and their cost.

Product                               Vendor            Hardware or Software Based  Cost
------------------------------------  ----------------  --------------------------  -----------------------
CompuSec Software                     CE-Infosys        Software                    Free ($0.00)
CompuSec HSM, Mobile & CryptCard      CE-Infosys        Hardware                    ???
DataArmor                             Mobile Armor      Software
DriveCrypt Plus                       SecurStar         Software                    $60.00+
Embassy Trust Suite                   WaveSys           Software                    ???
Encryption Anywhere Hard Disk         GuardianEdge      Software                    ???
Enovatech X-Wall and DriveCrypt       Enova Technology  Software                    ???
Entelligence Disk Security            Entrust           Software                    ???
FlagStone                             Stonewood         Hardware                    ???
Hibun AE                              Hitachi Software  Software / Hardware         ???
Momentus 5400 FDE.2                   Seagate           Hardware                    ???
PGP Whole Disk Encryption             PGP Corporation   Software                    $149.00 - 249.00
Pointsec for PC                       Pointsec          Software                    ???
SafeBoot Mobile Data Security         SafeBoot          Software                    $123.00
SafeEnterprise ProtectDrive           SafeNet           Software                    ???
SafeGuard Easy Hard Disk Encryption   Utimaco           Software                    $240.00+
Secude Secure Notebook                Secude            Software                    ???
SecureDisk                            Voltage Security  Software                    $150.00+
SecureDoc Hard Drive Encryption       WinMagic          Software                    ???
Secure PCI Adapter & RAID Controller  dLock             Hardware                    $34-$95 for PCI Adaptor

How would I recover my data if I lose my pre-boot authentication password?

Another fine question. A lot of people ask this. Many of the FDE solutions in the chart above provide for easy but "secure" password recovery. Some support a Challenge/Response sequence to recover the password, while others can create password protected encryption key files that can be copied to CD and stored in a safe. Many of them provide both. Which method will work best for you depends on your situation. If you are installing the FDE solution on your personal laptop for home use, creating a password protected encryption key file is the best option. However, if you are deploying the FDE solution in a large enterprise with an IT Help Desk, a Challenge/Response sequence may be the best option. If a remote user calls the Help Desk about a forgotten password, the Help Desk first authenticates the user and then performs the Challenge/Response sequence to recover the password. With the Challenge/Response password recovery mechanism, IT doesn't have to maintain a huge database of encryption key files, which can be a nightmare to manage.
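To show why a forgotten pre-boot password does not mean lost data, here is an added example (not code from the original post or from any of the products above) of the key hierarchy that makes key-file recovery possible: the disk is encrypted under a random master key, and the header stores that master key wrapped separately under the passphrase and under a recovery key file, so a lost passphrase is replaced by re-wrapping rather than re-encrypting the disk. It assumes a stdlib-only, HMAC-based authenticated wrap as a stand-in for a real AES key-wrap, and all function names are hypothetical.

```python
# Added example: FDE key slots with a passphrase slot and a recovery key file slot.
# An HMAC-based authenticated wrap stands in for AES key wrap (stdlib only).
import hashlib
import hmac
import secrets

def derive_kek(secret: bytes, salt: bytes) -> bytes:
    """Slow KDF: 64 bytes, first half encrypts, second half authenticates."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000, dklen=64)

def wrap(kek: bytes, mk: bytes) -> bytes:
    pad = hmac.new(kek[:32], b"wrap", "sha256").digest()
    ct = bytes(a ^ b for a, b in zip(mk, pad))
    return ct + hmac.new(kek[32:], ct, "sha256").digest()

def unwrap(kek: bytes, blob: bytes):
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(kek[32:], ct, "sha256").digest(), tag):
        return None                      # wrong secret or tampered header
    pad = hmac.new(kek[:32], b"wrap", "sha256").digest()
    return bytes(a ^ b for a, b in zip(ct, pad))

def make_slot(secret: bytes, mk: bytes) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "blob": wrap(derive_kek(secret, salt), mk)}

def open_slot(secret: bytes, slot: dict):
    return unwrap(derive_kek(secret, slot["salt"]), slot["blob"])

def enroll(passphrase: bytes):
    """Set up a new disk: random master key, a user slot and a recovery key file."""
    mk = secrets.token_bytes(32)             # the key the sectors are encrypted under
    recovery_key = secrets.token_bytes(32)   # contents of the key file kept on CD
    header = {"user": make_slot(passphrase, mk),
              "recovery": make_slot(recovery_key, mk)}
    return header, recovery_key

def unlock(header: dict, secret: bytes, slot: str = "user"):
    """Pre-boot authentication: returns the master key, or None on failure."""
    return open_slot(secret, header[slot])

def reset_passphrase(header: dict, recovery_key: bytes, new_pw: bytes) -> bool:
    """Forgotten passphrase: open the recovery slot, re-wrap MK under the new one."""
    mk = unlock(header, recovery_key, "recovery")
    if mk is None:
        return False
    header["user"] = make_slot(new_pw, mk)   # disk data itself is untouched
    return True
```

The master key never changes during a reset, which is exactly what lets a help desk or a key file on CD restore access without a full re-encryption.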

So where can I find more info about this FDE thingy?

There are several Mailing Lists and Discussion Forums where you can get your questions answered:

  1. http://www.full-disk-encryption.net - A Mailing List and Discussion Forum dedicated to FDE solutions, where all the major players contribute to answer users' questions.

  2. http://tech.groups.yahoo.com/group/CompuSec/ - A Mailing List dedicated to discussion of the CompuSec FDE solution, which is an excellent "FREE" FDE product.

  3. http://forums.pgpsupport.com/viewforum.php?f=54 - A Discussion Forum for PGP's FDE solutions.