Disk Encryption
Aaron Howard, IT Security Office

Types of Disk Encryption?
- Folder encryption
- Volume or full disk encryption
  - OS / boot volume
  - Data volume
- Managed or unmanaged
- Key backup and data assurance

How Does Disk Encryption Help?
- Useful when physical security fails (e.g. a stolen laptop)
- Protects data from public disclosure
- Not a replacement for permissions
- Does encryption protect from malware?

Recommendation for Laptops
- Mobile device physical security: secured when not in use
- Implement screen saver passwords
- Mobile devices should not contain Level 3 (Highly Sensitive) data, e.g. credit card numbers, SSNs, medical records (see the Data Classification Guide)

Level 3 Highly Sensitive Data stored on laptops must be encrypted.

Encryption Challenges
- Business continuity
- Encryption key management
- Passwords
- Backups and restores
- Additional complexity
- False sense of security

Strategy for Deployment
- Identify sensitive data (Cornell Spider)
- Is the sensitive data required? Can the data be moved to a server?
- Only encrypt when sensitive data is required

What's Being Done?
- Upgrading the existing AD-integrated PKI
  - Offline root CA
  - Adding support for EFS
- Planning an EFS pilot
- Developing support documentation
- FDE product evaluation

Which Technology to Use?
- Migrate laptops to Vista; use BitLocker as the long-term solution
- When the EFS infrastructure is ready, enable EFS on legacy hardware
- Use AD and PKI for key management
- PGP as an interim solution

Encrypting File System
- Included in Windows 2000 and later
- NTFS plus an encryption module
- Transparent encryption
- Uses public keys (PKI)
- Managed with AD and Group Policy

EFS Data Recovery
- Multiple ways to recover data
- Key Recovery Agents: key backup / escrow
- Data Recovery Agent: allowed to decrypt only

Key Recovery
- 2003 Enterprise CA creates a backup key automatically (key escrow)
- Key recovery uses separation of duties
  - CA admin extracts the encrypted key
  - Key Recovery Agent(s) decrypt the key

EFS Best Practices
- Use EFS with domain accounts
- Assign a Data Recovery Agent
- Back up EFS keys
- Encrypt folders instead of files
- Disable the swap file and hibernation

EFS Warnings
- XP: a local account password reset causes loss of the encryption keys
  - Change the password back, or
  - Use the Data Recovery Agent to recover
- XP does not have a default DRA

EFS Vulnerabilities
- Windows 2000: local Admin is the default DRA, so local Admin can access EFS data
- Original clear-text files are not wiped when a file is encrypted
  - Create files in the encrypted folder from the start
  - Use secure erase or cipher to wipe free space
- Won't encrypt the swap or hibernation file

What EFS Doesn't Do
- Doesn't encrypt across the network: FTP, CIFS, SMB (network shares)
  - WebDAV is encrypted
- EFS is enabled on specific folders
  - Accidents happen
  - Sensitive data could be made public

Manual Key Backup
- Back up keys before encrypting
  - Certificate Manager MMC: right-click the key, Export
  - cipher.exe
- Keep backup keys offline
- Store keys in a secure location

EFS Setup
- Disable EFS when not in use
  - Curious users may enable EFS
  - Data could be lost
- Configure EFS individually
  - Configure the Data Recovery Agent
  - Back up encryption keys
  - Encrypt data and temporary folders

Which Folders to Encrypt?
- My Documents and all subfolders
- All folders with sensitive data
- Temporary folders (found in environment variables; use the set command)
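The three slides above (back up the key, set up EFS, pick the folders) form one procedure. The script below is an added example of that procedure in PowerShell, written for this page and not taken from the presentation or from Microsoft. The cipher.exe switches (/x, /e, /a, /s:, /w:) are the documented ones; the function names Test-NtfsPath and Test-EfsEncrypted and the backup path are my own. It assumes a cipher.exe that supports /x (Vista; not every XP build), an NTFS system volume, and that it runs as the user whose profile is being protected. Note that cipher /e /s: without /a marks only the folders as encrypted; /a is what encrypts the files already inside them.

```powershell
# Added example, not from the presentation: back up the EFS key, then encrypt
# My Documents plus the temp folders named in the environment, and optionally
# wipe free space so pre-encryption plaintext does not linger on the disk.
param(
    # Where the exported certificate + private key goes (assumed path); move it offline afterwards.
    [string]$KeyBackup = (Join-Path $env:USERPROFILE 'efs-key-backup'),
    [switch]$WipeFreeSpace
)

function Test-NtfsPath {
    # EFS only works on NTFS; refuse anything else (FAT32 sticks, network shares).
    param([string]$Path)
    $root  = [System.IO.Path]::GetPathRoot((Resolve-Path $Path).ProviderPath)
    $drive = [System.IO.DriveInfo]::GetDrives() | Where-Object { $_.Name -eq $root }
    return ($drive -ne $null -and $drive.DriveFormat -eq 'NTFS')
}

function Test-EfsEncrypted {
    # True when the Encrypted attribute is set on the file or folder.
    param([string]$Path)
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return (($attrs -band [System.IO.FileAttributes]::Encrypted) -ne 0)
}

# 1. Key backup first: an encrypted folder with no key backup is data you may never get back.
#    cipher /x prompts for a password that protects the exported .pfx file.
cipher.exe /x "$KeyBackup"
if (-not (Test-Path -LiteralPath "$KeyBackup.pfx")) {
    throw "Key backup was not written; not encrypting anything."
}
Write-Host "Key exported to $KeyBackup.pfx - move it off this machine now."

# 2. Folders to protect: My Documents plus every temp location the environment exposes
#    (the same TEMP and TMP values the 'set' command prints).
$targets = @([Environment]::GetFolderPath('MyDocuments'))
foreach ($name in 'TEMP', 'TMP') {
    $value = [Environment]::GetEnvironmentVariable($name)
    if ($value -and (Test-Path -LiteralPath $value)) {
        $targets += (Resolve-Path $value).ProviderPath
    }
}
$targets = $targets | Sort-Object -Unique

foreach ($dir in $targets) {
    if (-not (Test-NtfsPath $dir)) { Write-Warning "Skipping $dir (not NTFS)"; continue }
    # /e sets the Encrypted attribute, /a includes existing files, /s: recurses.
    # New files created in the folder later are encrypted automatically.
    cipher.exe /e /a "/s:$dir" | Out-Null
    if (Test-EfsEncrypted $dir) { Write-Host "Encrypted: $dir" } else { Write-Warning "Not encrypted: $dir" }
}

# 3. Files that existed before encryption left plaintext in free space; overwrite it.
#    This pass is slow on large volumes, so it is opt-in.
if ($WipeFreeSpace) {
    $roots = $targets | ForEach-Object { [System.IO.Path]::GetPathRoot($_) } | Sort-Object -Unique
    foreach ($root in $roots) { cipher.exe "/w:$root" }
}
```

Run it once per user profile after the Data Recovery Agent has been configured; the .pfx it produces is the only copy of the private key outside the profile, which is why the script refuses to encrypt anything when that file is missing.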
EFS Data is Protected by a Password
- EFS is as weak as your password
- Use at least a 15-character complex password
- Require authentication after hibernation or screen saver
- Enable Syskey for Windows 2000 or when using local accounts

Encrypting for Multiple Users
- XP and 2003 only
- EFS files can be shared
  - Add additional users to specific files
  - Managed via file properties
- Cumbersome to manage: can't add groups or share folders
- Try sharing encrypted ZIP files instead

FDE: Full Disk Encryption

Full Disk Encryption
- All data is encrypted, including the swap and hibernation files
- Better protection for stolen laptops
- Separate pre-boot authentication: the disk is unlocked at boot
- Still requires a password after screensaver, sleep and hibernation

FDE Product Evaluation (ongoing)
- PGP Enterprise
- Pointsec
- WinMagic SecureDoc
- GuardianEdge
- CompuSec
- BitLocker
- and others

OS-Specific Encryption
- Most products are Windows only
- BitLocker: Vista only
- Linux: open source or Pointsec
- OS X: FileVault or PGP
- Data volumes or virtual disks

Hardware Disk Encryption
- Seagate and others have disks with encryption built in
- Is it enterprise ready? Management tools are still in development
- Can we make key backups?
- How will the encryption keys be protected?

MS BitLocker FDE
- Built into Vista Enterprise
- Managed via Group Policy
- Scriptable with WMI
- AD key backup
- Great pre-boot authentication
- Supported by MS

BitLocker Pre-Boot Authentication
- Trusted Platform Module
- TPM-based modes
  - TPM only
  - TPM + PIN
  - TPM + USB key
- USB key only mode

USB Key Only

BitLocker Disk Configuration
- Two NTFS partitions: one for BitLocker, one for the operating system volume
- The BitLocker partition must be at least 1.5 GB

BitLocker Hardware Requirements
- TPM chip, version 1.2, or a USB key attached to the user
- Trusted Computing Group (TCG) compliant BIOS
- Minimum requirements for Vista

How to Configure BitLocker
- BitLocker installation guide on TechNet
- Partition drives before installing Vista
- Initialize the TPM (TPM MMC)
- Enable BitLocker (Control Panel)
- Create the recovery password

BitLocker AD Integration
- Back up the recovery key in AD
- Disable encryption until the key is stored
- Initialize the TPM
- Back up the TPM password or key in AD
- Select encryption strength: AES 128, 512 bit keys
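The slides say BitLocker is scriptable with WMI and that encryption should not be enabled until the recovery key is stored. The script below is an added example, written for this page and not part of the presentation or of Microsoft's tooling, that audits those points from the defender's side: for every volume it reports protection status, encryption method, conversion progress and the key protectors present, and flags volumes that have no numerical (recovery) password protector to escrow and no TPM+PIN protector. The namespace, class, method names and code tables are Microsoft's documented Win32_EncryptableVolume interface; the function name Get-BitLockerAudit is my own. It assumes PowerShell 2.0 or later on Vista or newer, run from an elevated session, since the provider refuses non-administrators.

```powershell
# Added example, not from the presentation: BitLocker audit over the
# Win32_EncryptableVolume WMI class.
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Code tables from the Win32_EncryptableVolume documentation.
$protectionStatus = @{ 0 = 'Unprotected'; 1 = 'Protected'; 2 = 'Unknown' }
$encryptionMethod = @{ 0 = 'None'; 1 = 'AES128+Diffuser'; 2 = 'AES256+Diffuser'; 3 = 'AES128'; 4 = 'AES256' }
$protectorType = @{
    0 = 'Unknown'
    1 = 'TPM'
    2 = 'External key (USB startup key)'
    3 = 'Numerical password (recovery)'
    4 = 'TPM+PIN'
    5 = 'TPM+Startup key'
    6 = 'TPM+PIN+Startup key'
    7 = 'Public key'
    8 = 'Passphrase'
}

function Get-BitLockerAudit {
    $volumes = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -ErrorAction Stop
    foreach ($vol in $volumes) {
        # WMI out-parameters come back as UInt32; cast to [int] so the hashtable lookups match.
        $status = [int]$vol.GetProtectionStatus().ProtectionStatus
        $method = [int]$vol.GetEncryptionMethod().EncryptionMethod
        $conv   = $vol.GetConversionStatus()

        # Protector type 0 asks for protectors of every type; each ID is then classified.
        $ids   = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
        $types = @()
        foreach ($id in $ids) {
            $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
        }

        $hasRecovery = $types -contains 3                          # needed before AD escrow can happen
        $hasTpmPin   = ($types -contains 4) -or ($types -contains 6)  # strongest pre-boot modes listed

        New-Object PSObject -Property @{
            Drive               = $vol.DriveLetter
            Protection          = $protectionStatus[$status]
            Method              = $encryptionMethod[$method]
            PercentEncrypted    = $conv.EncryptionPercentage
            Protectors          = ($types | ForEach-Object { $protectorType[$_] }) -join ', '
            HasRecoveryPassword = $hasRecovery
            TpmPlusPin          = $hasTpmPin
        }
    }
}

Get-BitLockerAudit |
    Format-Table Drive, Protection, Method, PercentEncrypted, Protectors, HasRecoveryPassword, TpmPlusPin -AutoSize
```

A volume showing Protected with no numerical password protector is the case the AD integration slide warns about: the data is locked, but nothing recoverable has been escrowed. Run the audit after enabling BitLocker and again after the Group Policy key-backup setting is applied.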
Recovery Password
- 48-digit random number
- Saved to a USB key
- Saved to a network file share
- Sent to a printer
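Because the 48-digit recovery password is often printed or transcribed by hand, a syntax check before someone types it at the pre-boot recovery screen saves a lot of failed attempts. This is an added example, not from the presentation: it uses the documented structure of the password (eight six-digit groups, each a 16-bit value multiplied by 11, so each group is divisible by 11 and at most 65535 * 11 = 720885) to catch transcription errors. The function name is mine and the sample values are constructed, not real recovery passwords. It checks format only; it cannot tell whether a password belongs to a particular drive.

```powershell
# Added example, not from the presentation: format check for a BitLocker recovery password.
function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory = $true)][string]$Password)

    # Accept "123456-654321-..." with or without the dashes or surrounding whitespace.
    $digits = $Password -replace '[\s-]', ''
    if ($digits -notmatch '^\d{48}$') {
        return @{ Valid = $false; Reason = 'Expected exactly 48 digits in 8 groups of 6' }
    }
    for ($i = 0; $i -lt 8; $i++) {
        $text  = $digits.Substring($i * 6, 6)
        $group = [int]$text
        # Every group is (16-bit value * 11), so a group that is not a multiple of 11
        # means at least one digit in it was mistyped or misread.
        if ($group % 11 -ne 0) {
            return @{ Valid = $false; Reason = "Group $($i + 1) ($text) is not divisible by 11: likely a transcription error" }
        }
        if ($group -gt 720885) {
            return @{ Valid = $false; Reason = "Group $($i + 1) ($text) exceeds the 16-bit range" }
        }
    }
    return @{ Valid = $true; Reason = 'Well-formed recovery password' }
}

# Constructed sample values, not real recovery passwords.
Test-BitLockerRecoveryPassword '000011-000022-000033-000044-000055-000066-000077-000088'   # Valid = True
Test-BitLockerRecoveryPassword '000011-000022-000033-000044-000055-000066-000077-000089'   # group 8 fails
```

The check is deliberately local to each group, so the message points at the group to re-read from the printout rather than asking the user to retype all 48 digits.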
Disaster Recovery
- A TPM is not required for recovery
- An encrypted disk can be recovered on an alternate system
  - Boot normally
  - Type in the recovery password
- What happens if the drive fails? What about corrupt sectors?

BitLocker Security
- Is BitLocker secure?
- Not yet FIPS 140-2 compliant
- Use a BIOS password with the TPM
- Does not support single sign-on (e.g. TPM plus fingerprint reader)

Performance
- FDE can slow disk usage 2x
- Most FDE is reasonable to use
- Copying large files will show latency
- A faster CPU will help

Vista Security Guide
- Best practices for implementing BitLocker and EFS
- Great advice on preventing malware
- Templates and tools for Vista security
- http://www.microsoft.com/technet/windowsvista/security/guide.mspx