Data Encryption for Storage Devices

From Computing and Software Wiki

Jump to: navigation, search

Data Encryption for Storage Devices is a special case of data at rest[1] protection. Data can be encrypted through the use of software, or hardware itself can encrypt data as it is saved to the device.

A USB flash drive that encrypts and stores data.

Contents

Data Encryption

Main article: Encryption

Encryption is used in cryptography to transform plaintext to ciphertext[2]. In the case of storage devices, encrypted data that is stored can only be accessed with the proper authentication. Physical theft of the medium negates password protection since the data can simply be read from it. On the other hand, if the data is encrypted before being written, the data is still protected unless the key is known. With the theft of personal data becoming an issue[3], the encryption of storage devices becomes an attractive way to avoid such issues.

Implementations

Data can be encrypted through encryption technology built into the storage medium, or through the use of software that encrypts data before writing it.

Hardware Implementation

A hard disk drive that requires the user to unlock the encryption key before use.

Hardware implementations include hard disk drives, portable storage drives, and USB flash drives. Encrypted hard disks have been available since April 2008[4] but an actual standard was agreed upon and established in January 2009[5]. The standards were established by the Trusted Computing Group (TCG) and are outlined as follows[5]:

  • The Opal specification, which outlines minimum requirements for storage devices used in PCs and laptops.
  • The Enterprise Security Subsystem Class Specification, which is aimed at drives in data centers and high-volume applications, where typically there is a minimum security configuration at installation.
  • The Storage Interface Interactions Specification, which specifies how the TCG's existing Storage Core Specification and the other specifications interact with other standards for storage interfaces and connections. For example, the specification supports a number of transports, including ATA parallel and serial, SCSI SAS, Fibre Channel and ATAPI.

The location of the technology that encrypts the data depends on the type of storage medium. For an internal storage drive or USB drive, the technology is built into the device. In the case of portable storage drives, the technology may be built into the drive or into the housing for the drive. The key can be physically inputted to the housing in the case of a portable storage device (if such input is allowed), or simply entered when the volume is mounted.

Software Implementation

Software implementations are applications which allow a user to encrypt a portion or all of a storage device. Even single files can be individually encrypted. Some implementations provide techniques to prevent the data from being found. Software encryption is offered natively in the MAC OS and Windows Vista operating systems[6]. Additionally, free implementations are available, TrueCrypt and FreeOTFE (Free On The Fly Encryption) are two examples of this.

Security Techniques

Some or all of the following techniques may be employed by encryption software to keep data secure.

Plausible Deniability

The purpose of encrypting data is to keep it secure. The software may encrypt the data in such a way that the existence of the encrypted data is unprovable. Plausible deniability may even be extended to further levels for added security.

Hidden Volumes

This is a feature that adds to the security of plausible deniability. A hidden volume is a steganographic feature that allows "hidden" volumes to be created within a "container" volume. The user will place important looking files within the container volume, but the sensitive data that the user is really trying to protect should be stored within the hidden volume. This method hides the data within what is thought to be hidden data. An attacker that obtains the key to the first volume would find the data that looks important, but would never see the data hidden within the second layer.

Identifying Features

Another feature that helps to ensure plausible deniability is the software technique of not leaving any signature or header that could lead to the existence of encrypted data being discovered. Data is encrypted in such a way to make it impossible to to tell from random data. This is done so that without knowing the key, encrypted data cannot be detected, and neither can hidden volumes.

Comparison of Implementations

Advantages

  • Having the encryption technology on the actual device removes the requirement of having the CPU perform the calculations for the encryption process.
  • The software implementation allows for flexibility in the way volumes, entire disks, or single files may be encrypted.
  • By having the encryption technology as part of the housing for a portable storage device, the actual physical hard drive within is a regular hard drive and can be switched for other compatible hard drives.
  • Some implementations completely wipe all encrypted data after a certain number of failed attempts to unlock the information. This is useful when dealing with highly sensitive data.
  • A combination of both implementations can be used to preserve plausible deniability on a device that encrypts the data itself. Since the hardware encrypts all data written to it, there is no way to deny that there is encrypted data on the drive. The software can be used to implement the security techniques discussed above to preserve plausible deniability.

Disadvantages

  • The cost of storage devices that encrypt data themselves is higher than storage devices that do not. This may be an issue for home/casual use.
  • Proper benchmarking has not been performed yet on hard drives that take care of the encryption process[7].
  • If the user loses their key to the data, the data is lost.
  • Hardware implementations encrypt the entire disk, no option is given. This weakens the case for plausible deniability of encrypted data.

See Also

References

[1] Data at rest definition

[2] Wikipedia:Encryption

[3] TSA Hard Drive Missing

[4] Fujitsu Ups Ante on Integral Hard Disk Encryption

[5] Coming soon: Full-disk encryption for all computer drives

[6] Protect Your Data With Whole-Disk Encryption

[7] Encrypted Drives Keep Your Files Safe

External Links


Shellya 20:55, 10 April 2009 (EDT)

Personal tools