Data Encryption for Storage Devices
From Computing and Software Wiki
Current revision as of 00:55, 11 April 2009
Data Encryption for Storage Devices is a special case of data at rest[1] protection. Data can be encrypted through the use of software, or hardware itself can encrypt data as it is saved to the device.
Data Encryption
- Main article: Encryption
Encryption is used in cryptography to transform plaintext to ciphertext[2]. In the case of storage devices, encrypted data that is stored can only be accessed with the proper authentication. Physical theft of the medium negates password protection since the data can simply be read from it. On the other hand, if the data is encrypted before being written, the data is still protected unless the key is known. With the theft of personal data becoming an issue[3], the encryption of storage devices becomes an attractive way to avoid such issues.
Implementations
Data can be encrypted through encryption technology built into the storage medium, or through the use of software that encrypts data before writing it.
Hardware Implementation
Hardware implementations include hard disk drives, portable storage drives, and USB flash drives. Encrypted hard disks have been available since April 2008[4] but an actual standard was agreed upon and established in January 2009[5]. The standards were established by the Trusted Computing Group (TCG) and are outlined as follows[5]:
- The Opal specification, which outlines minimum requirements for storage devices used in PCs and laptops.
- The Enterprise Security Subsystem Class Specification, which is aimed at drives in data centers and high-volume applications, where typically there is a minimum security configuration at installation.
- The Storage Interface Interactions Specification, which specifies how the TCG's existing Storage Core Specification and the other specifications interact with other standards for storage interfaces and connections. For example, the specification supports a number of transports, including ATA parallel and serial, SCSI SAS, Fibre Channel and ATAPI.
The location of the technology that encrypts the data depends on the type of storage medium. For an internal storage drive or USB drive, the technology is built into the device. In the case of portable storage drives, the technology may be built into the drive or into the housing for the drive. The key can be entered physically on the housing in the case of a portable storage device (if such input is allowed), or simply entered when the volume is mounted.
Software Implementation
Software implementations are applications that allow a user to encrypt a portion or all of a storage device; even single files can be individually encrypted. Some implementations provide techniques to prevent the encrypted data from being found. Software encryption is offered natively in the Mac OS and Windows Vista operating systems[6]. Free implementations are also available; TrueCrypt and FreeOTFE (Free On The Fly Encryption) are two examples.
Security Techniques
Some or all of the following techniques may be employed by encryption software to keep data secure.
Plausible Deniability
The purpose of encrypting data is to keep it secure. The software may encrypt the data in such a way that the existence of the encrypted data is unprovable. Plausible deniability may even be extended to further levels for added security.
Hidden Volumes
This is a feature that adds to the security of plausible deniability. A hidden volume is a steganographic feature that allows "hidden" volumes to be created within a "container" volume. The user places important-looking files within the container volume, while the sensitive data that the user is really trying to protect is stored within the hidden volume. This method hides the sensitive data inside what an attacker already takes to be the hidden data. An attacker who obtains the key to the first volume would find the data that looks important, but would never see the data hidden within the second layer.
Identifying Features
Another feature that helps to ensure plausible deniability is the software technique of not leaving any signature or header that could reveal the existence of encrypted data. Data is encrypted in such a way that it cannot be told apart from random data. This is done so that, without knowing the key, encrypted data cannot be detected, and neither can hidden volumes.
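The two techniques above (a hidden volume nested inside a container volume, and a container with no plaintext header or signature) can be seen working together in the following added example. It is not code from this wiki page, nor from TrueCrypt or FreeOTFE; it is a simplified model written for this article. The container is filled with random bytes, each volume has an encrypted header at a fixed offset whose magic value only appears after decryption with the right passphrase, and a Shannon entropy check plays the role of an examiner looking for signs of encrypted data. The cipher is a toy HMAC-SHA256 counter-mode keystream standing in for a real sector cipher such as AES-XTS, and the offsets, header layout, `MAGIC`, `SALT`, iteration count and sample payloads are all this example's own assumptions.

```python
# Added example, not code from the wiki page nor from TrueCrypt or FreeOTFE.
# Simplified deniable container: an outer (decoy) volume plus a hidden volume,
# no plaintext headers, everything else random. Constants, names and sample
# data are assumptions of this example; the cipher is a toy stand-in for AES-XTS.
import hashlib
import hmac
import math
import os
import struct

CONTAINER_SIZE = 64 * 1024                        # assumed container size: 64 KiB
HEADER_SIZE = 64                                  # assumed size of each encrypted header
OUTER_HEADER_OFF = 0                              # outer header at the start
HIDDEN_HEADER_OFF = CONTAINER_SIZE - HEADER_SIZE  # hidden header at the very end
MAGIC = b"TOYVOL"                                 # exists only *inside* an encrypted header
SALT = b"fixed-demo-salt"                         # constructed; real formats store a random per-volume salt
KDF_ITERATIONS = 50_000                           # assumed PBKDF2 work factor for the demo

# Constructed sample payloads, not real data.
DECOY = b"Quarterly budget draft (decoy, constructed sample)\n" * 20
SECRET = b"Actually sensitive record (constructed sample)\n" * 20


def derive_key(passphrase: str) -> bytes:
    """Derive a 32-byte volume key from a passphrase with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), SALT, KDF_ITERATIONS)


def keystream_xor(key: bytes, offset: int, data: bytes) -> bytes:
    """Toy position-dependent stream cipher (stand-in for a sector cipher).
    Keystream block n = HMAC-SHA256(key, n); container position p uses block
    p // 32, byte p % 32. XOR makes encryption and decryption the same call."""
    out = bytearray()
    block_ks = b""
    for i, b in enumerate(data):
        block, inner = divmod(offset + i, 32)
        if i == 0 or inner == 0:
            block_ks = hmac.new(key, struct.pack(">Q", block), hashlib.sha256).digest()
        out.append(b ^ block_ks[inner])
    return bytes(out)


def new_container() -> bytearray:
    """Fresh container = random bytes, so free space, encrypted headers and
    encrypted data are indistinguishable to anyone without a key."""
    return bytearray(os.urandom(CONTAINER_SIZE))


def make_header(data_off: int, data_len: int) -> bytes:
    """Header plaintext: MAGIC, data offset, data length, 8-byte SHA-256 check."""
    body = MAGIC + struct.pack(">II", data_off, data_len)
    body += hashlib.sha256(body).digest()[:8]
    return body.ljust(HEADER_SIZE, b"\0")


def parse_header(plain: bytes):
    """Return (data_off, data_len) if the decrypted header is valid, else None."""
    fixed = len(MAGIC) + 8
    body, check = plain[:fixed], plain[fixed:fixed + 8]
    if not body.startswith(MAGIC) or check != hashlib.sha256(body).digest()[:8]:
        return None
    return struct.unpack(">II", body[len(MAGIC):])


def write_volume(container: bytearray, passphrase: str, header_off: int,
                 data_off: int, payload: bytes) -> None:
    """Encrypt a header at header_off and the payload at data_off under the passphrase."""
    key = derive_key(passphrase)
    hdr = keystream_xor(key, header_off, make_header(data_off, len(payload)))
    container[header_off:header_off + HEADER_SIZE] = hdr
    container[data_off:data_off + len(payload)] = keystream_xor(key, data_off, payload)


def mount(container: bytearray, passphrase: str):
    """Try each candidate header offset under the passphrase. A wrong passphrase
    decrypts to garbage without MAGIC, so the attempt reveals nothing about which
    volumes (if any) exist. Returns the plaintext payload or None."""
    key = derive_key(passphrase)
    for hoff in (OUTER_HEADER_OFF, HIDDEN_HEADER_OFF):
        parsed = parse_header(keystream_xor(key, hoff, bytes(container[hoff:hoff + HEADER_SIZE])))
        if parsed is not None:
            data_off, data_len = parsed
            return keystream_xor(key, data_off, bytes(container[data_off:data_off + data_len]))
    return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random or well-encrypted data approaches 8.0."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def demo() -> dict:
    """Build a container with both volumes and report what each party can see."""
    c = new_container()
    write_volume(c, "outer-passphrase", OUTER_HEADER_OFF, HEADER_SIZE, DECOY)
    write_volume(c, "hidden-passphrase", HIDDEN_HEADER_OFF, CONTAINER_SIZE // 2, SECRET)
    return {
        "outer": mount(c, "outer-passphrase"),    # decoy, all that the outer key reveals
        "hidden": mount(c, "hidden-passphrase"),  # the real data
        "wrong": mount(c, "not-a-passphrase"),    # None: no header, no magic, no hint
        "magic_visible": MAGIC in bytes(c),       # False: no plaintext signature on disk
        "entropy": shannon_entropy(bytes(c)),     # close to 8.0 across the whole container
    }
```

Running `demo()` shows the point of both techniques at once: the outer passphrase yields only the decoy, a wrong passphrase yields nothing that distinguishes "wrong key" from "no volume here", the byte string `TOYVOL` never appears on disk, and the whole container measures close to 8 bits of entropy per byte, exactly like unused random space. The model also exposes the classic hidden-volume hazard: the outer volume has no knowledge of the hidden region, so writes to the outer volume that spill past the decoy would silently destroy the hidden data, which is why real implementations offer a protected mode when mounting the outer volume. A real format would additionally store a random per-volume salt and use a proper sector cipher rather than this toy keystream.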
Comparison of Implementations
Advantages
- Having the encryption technology on the actual device removes the requirement of having the CPU perform the calculations for the encryption process.
- The software implementation allows for flexibility in the way volumes, entire disks, or single files may be encrypted.
- By having the encryption technology as part of the housing for a portable storage device, the actual physical hard drive within is a regular hard drive and can be switched for other compatible hard drives.
- Some implementations completely wipe all encrypted data after a certain number of failed attempts to unlock the information. This is useful when dealing with highly sensitive data.
- A combination of both implementations can be used to preserve plausible deniability on a device that encrypts the data itself. Since the hardware encrypts all data written to it, there is no way to deny that there is encrypted data on the drive. The software can be used to implement the security techniques discussed above to preserve plausible deniability.
Disadvantages
- The cost of storage devices that encrypt data themselves is higher than storage devices that do not. This may be an issue for home/casual use.
- Proper benchmarking has not been performed yet on hard drives that take care of the encryption process[7].
- If the user loses their key to the data, the data is lost.
- Hardware implementations encrypt the entire disk; no other option is given. This weakens the case for plausible deniability of encrypted data.
See Also
- Conventional Encryption Algorithms
- Corporate Security and IT Policies
- Cryptography in Information Security
- Information Security Awareness
- Personal Data Protection and Privacy
- Security and Storage Mediums
- Steganography and Digital Watermarking
References
[4] Fujitsu Ups Ante on Integral Hard Disk Encryption
[5] Coming soon: Full-disk encryption for all computer drives, http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=storage&articleId=9126869&taxonomyId=19&intsrc=kc_top
[6] Protect Your Data With Whole-Disk Encryption, http://www.pcworld.com/article/161519/whole_disk_encryption.html
[7] Encrypted Drives Keep Your Files Safe, http://www.pcworld.com/article/158775/encrypted_drives.html
External Links
- IEEE Security in Storage Working Group
- Disk Encryption HowTo (Linux)
- Official FreeOTFE Website
- Official TrueCrypt Website
- Wikipedia:Encryption
- Trusted Computing Group
- Protect Your Data With Encryption : TrueCrypt 6.1--Tried And Tested
Shellya 20:55, 10 April 2009 (EDT)