data at rest encryption

Post on 24-Jan-2018


Encryption @ REST

By: Steven Aiello

Microsoft Disk Encryption: EFS

What is it?

Encrypting File System (EFS) is a feature of Windows that you can use to store information on your hard disk in an encrypted format.

How does it work?

• Uses AES to encrypt file contents at rest

• EFS encrypts each file with a random file encryption key (FEK); the FEK is then encrypted with the user's RSA public key and stored with the file (one copy for the user, one for each recovery agent). The user's RSA private key is protected by the Data Protection API (DPAPI), whose master key is in turn protected with a key derived from the user's logon password.

• Encryption keys are never written to the page file (TrueCrypt's own documentation, by contrast, warns that sensitive material from a mounted volume can be swapped to an unencrypted page file unless paging is disabled)

“Kernel memory isn’t paged (generally), and it can be forced never to page. This mitigated the possibility of a stolen laptop having the EFS encryption keys stored in the page file”.

http://msdn.microsoft.com/en-us/library/windows/hardware/ff541920(v=vs.85).aspx

Recovery options?

• A Data Recovery Agent (DRA) can be configured: the agent's certificate receives its own copy of every FEK, so it can decrypt any file. Windows 2000 standalone systems made the local Administrator the default DRA, and a domain's default DRA is the domain Administrator; either can (and most likely should) be replaced with a dedicated recovery certificate whose private key is kept offline.

• Backups are a life saver: http://windows.microsoft.com/en-us/windows-vista/back-up-encrypting-file-system-efs-certificate

• If the workstation is a domain member, the domain controller maintains a DPAPI backup key pair. Each user's DPAPI master key is additionally encrypted to that backup public key, so the domain can recover the master key and, through it, the user's EFS RSA private key.

How do you enable it?

• Windows 7 Professional, Ultimate, Enterprise; Windows 8 Pro, Enterprise (not the Home/Basic editions)

• Per file or folder: Properties > Advanced > "Encrypt contents to secure data", or the cipher.exe command-line tool
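The EFS procedure above (enable, verify, check who can decrypt, back up the certificate, set up a dedicated recovery agent) as a PowerShell session. This is an added example, not code from the slides: the folder and file names are assumptions, the file content is constructed, and cipher.exe prompts interactively for the PFX passwords.

```powershell
# Added example, not from the slides. Paths below are assumptions for the demo.
$demoDir    = Join-Path $env:USERPROFILE 'EfsDemo'
$demoFile   = Join-Path $demoDir 'secret.txt'
$certBackup = Join-Path $env:USERPROFILE 'efs-backup'   # cipher /X appends .pfx
$draBase    = Join-Path $env:USERPROFILE 'efs-dra'      # cipher /R writes .cer and .pfx

New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
# Mark the folder encrypted first: files created inside inherit the attribute
cipher.exe /E $demoDir | Out-Null
Set-Content -Path $demoFile -Value 'constructed sample data'   # constructed content

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    # EFS sets the Encrypted attribute bit on protected files and folders
    $attrs = (Get-Item -LiteralPath $Path -Force).Attributes
    return [bool]($attrs -band [System.IO.FileAttributes]::Encrypted)
}

function Get-EfsCertificate {
    # The user's EFS certificate carries the Encrypting File System EKU (OID 1.3.6.1.4.1.311.10.3.4)
    Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.10.3.4' }
}

"Folder encrypted: $(Test-EfsEncrypted -Path $demoDir)"
"File encrypted:   $(Test-EfsEncrypted -Path $demoFile)"

# Who holds a copy of this file's FEK: the user's certificate plus any recovery agents
cipher.exe /C $demoFile

# Back up the certificate and private key (prompts for a PFX password); store it off the machine
Get-EfsCertificate | Format-List Subject, Thumbprint, NotAfter
cipher.exe /X $certBackup

# Generate a dedicated Data Recovery Agent key pair instead of relying on an admin account.
# Import efs-dra.cer through Local Security Policy / Group Policy (Public Key Policies >
# Encrypting File System > Add Data Recovery Agent), keep efs-dra.pfx offline, then run
# cipher.exe /U so existing encrypted files get a recovery field for the new agent.
cipher.exe "/R:$draBase"
```

The two `cipher.exe /C` outputs worth watching are "Users who can decrypt" and "Recovery Certificates": a file that lists only the user's certificate has no recovery path if that key is lost, which is why the certificate backup and the DRA are both in the session.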

Microsoft Disk Encryption: BitLocker

What is it?

Full disk encryption: the whole volume is encrypted, so anyone who can unlock it (password, PIN, key) gets every file. Boot-time key protector options for the operating system drive:

• TPM only – Integrity (boot measurements must match; no user secret)

• TPM + PIN – Integrity and Authentication

• TPM + PIN + USB Key – Integrity and Two-Factor Authentication

• TPM + USB Key – Integrity and Authentication

• USB Key – No integrity but Authentication

How does it work?

• Uses AES 128 or 256 encryption (AES-CBC on Windows 7/8; Windows 10 later added XTS-AES)

• Encryption keys never reach the disk in clear: the page file and hibernation file sit on the encrypted volume. The volume master key is sealed by the TPM (optionally requiring a PIN), stored on a USB startup key, or released by a recovery password or passphrase at boot

• The Trusted Platform Module (TPM) provides system integrity verification: it releases the key only if the measured boot components match those recorded when the drive was protected

How do you enable it?

• Windows 7 Ultimate, Enterprise (not Professional); Windows 8 Pro, Enterprise

• In order to use BitLocker you need at least 2 NTFS partitions: an unencrypted system partition holding the boot files, and the operating system volume. The system partition must be the active partition; the 1.5 GB figure comes from the Vista guidance, and the System Reserved partition that Windows 7 setup creates is sufficient.

• Without a TPM, BitLocker on the OS drive requires the Group Policy setting "Require additional authentication at startup" with "Allow BitLocker without a compatible TPM" enabled, plus a USB startup key:

http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/

Microsoft Disk Encryption: BitLocker

Key management

After the drive has been encrypted and protected with BitLocker, local and domain administrators can use the Manage BitLocker page in the BitLocker Drive Encryption item in Control Panel to change the password that unlocks the drive, remove the password from the drive, add a smart card to unlock the drive, save or print the recovery key again, set the drive to unlock automatically, duplicate keys, and reset the PIN. The same operations are scriptable with manage-bde.exe.

Secure wipe with BitLocker

• Because every byte on the volume is ciphertext, discarding the keys that protect it leaves nothing readable; this is the same cryptographic-erase idea that self-encrypting drives build in.
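An added example, not from the slides: a PowerShell script that audits each BitLocker volume against the protector combinations listed above (integrity vs. authentication, and whether a recovery password exists) and, with -Apply, enables TPM+PIN on the OS drive with a recovery password escrowed to AD. It uses the BitLocker module that shipped with Windows 8 / Server 2012; the manage-bde.exe equivalents for Windows 7 are in the comments. The drive letter and the -Apply switch are assumptions for the demo.

```powershell
# Added example, not from the slides. Requires the BitLocker module (Windows 8 / Server 2012+);
# manage-bde.exe equivalents for Windows 7 are in the comments. Run elevated.
param([switch]$Apply, [string]$OsDrive = 'C:')   # both assumptions for the demo

function Get-ProtectorMode {
    # Map the key-protector types present on a volume to the slide's integrity/authentication matrix
    param([string[]]$Types)
    $tpm = ($Types -contains 'Tpm') -or ($Types -contains 'TpmPin') -or
           ($Types -contains 'TpmStartupKey') -or ($Types -contains 'TpmPinStartupKey')
    $pin = ($Types -contains 'TpmPin') -or ($Types -contains 'TpmPinStartupKey')
    $usb = ($Types -contains 'ExternalKey') -or ($Types -contains 'TpmStartupKey') -or
           ($Types -contains 'TpmPinStartupKey')
    if ($tpm -and $pin -and $usb)    { return 'TPM+PIN+USB: integrity, two-factor authentication' }
    if ($tpm -and $pin)              { return 'TPM+PIN: integrity, authentication' }
    if ($tpm -and $usb)              { return 'TPM+USB: integrity, authentication' }
    if ($tpm)                        { return 'TPM only: integrity, no user authentication' }
    if ($usb)                        { return 'USB key only: authentication, no integrity' }
    if ($Types -contains 'Password') { return 'password only: authentication, no integrity' }
    return 'no boot-time protector'
}

# Audit: on Windows 7, manage-bde -status shows the same information
Get-BitLockerVolume | ForEach-Object {
    $vol   = $_
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    if ($types -contains 'RecoveryPassword') { $recovery = 'recovery password present' }
    else { $recovery = 'NO recovery password: a TPM measurement change will lock you out' }
    [pscustomobject]@{
        Volume   = $vol.MountPoint
        Status   = $vol.VolumeStatus
        Method   = $vol.EncryptionMethod
        Mode     = Get-ProtectorMode -Types $types
        Recovery = $recovery
    }
} | Format-Table -AutoSize

if ($Apply) {
    $pin = Read-Host -Prompt 'Pre-boot PIN' -AsSecureString
    # Windows 7: manage-bde -on C: -TPMAndPIN
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod Aes256 -TpmAndPinProtector -Pin $pin -SkipHardwareTest
    # The recovery password is the way back in when TPM measurements change (firmware update, board swap)
    # Windows 7: manage-bde -protectors -add C: -RecoveryPassword
    $vol = Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } | Select-Object -Last 1
    # Escrow the recovery password in AD DS so the help desk, not the user, holds it
    # Windows 7: manage-bde -protectors -adbackup C: -id <KeyProtectorId>
    Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $rp.KeyProtectorId
}
```

Run it without -Apply to get the audit table only. -Apply needs a TPM that is enabled and owned, and AD escrow needs the BitLocker schema extensions plus the "Store BitLocker recovery information in Active Directory Domain Services" policy; without them Backup-BitLockerKeyProtector fails and the recovery password exists only on the machine it protects.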

Hard Disk Encryption: SEDs

What is it?

• SEDs are hard drives with encryption hardware built in: data is encrypted on its way to the platters with a key that never leaves the drive

• Completely transparent to the user

• Comes with software to generate a new key

• Admins can perform a “secure erase” by simply generating a new key: the old ciphertext stays on the platters but can no longer be decrypted, which takes seconds instead of the hours a full overwrite takes

Auto Locking: What is it?

• When the disk is powered down it locks; on boot a passcode is required to unlock it. The drive generates an additional key that wraps the data encryption key, and the passcode supplied at startup is what unlocks that wrapper key. You can start off with secure erase only (no passcode, key always usable) and move to locking mode later; to turn auto locking off again you must cryptographically “erase” the disk, and with it the data on it.
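The key hierarchy behind secure erase and auto-lock, as a PowerShell model. This is an added example, not the slides' or any drive vendor's code: a data encryption key (DEK) minted inside the drive, a passcode-derived wrapper key once auto-lock is enabled, and crypto-erase by regenerating the DEK. The 512-byte sectors, LBA-derived CBC IVs, AES-CBC key wrap, PBKDF2 parameters and SHA-256 passcode check are simplifications chosen for the demo (real drives do this in firmware under ATA Security or TCG Opal), and the sector content is constructed.

```powershell
# Added example, not from the slides or any drive vendor: a software model of an SED's key hierarchy.
# Simplifications (all assumptions): 512-byte sectors, LBA-derived CBC IVs, AES-CBC key wrap,
# PBKDF2 with 100000 iterations, and a SHA-256 check value to detect a wrong passcode.
$SectorSize = 512
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

function New-RandomBytes([int]$Count) { $b = New-Object byte[] $Count; $rng.GetBytes($b); return ,$b }

function Get-Sha256([byte[]]$Data) {
    $h = [System.Security.Cryptography.SHA256]::Create()
    try { return ,$h.ComputeHash($Data) } finally { $h.Dispose() }
}

function Test-BytesEqual([byte[]]$A, [byte[]]$B) {
    if ($A.Length -ne $B.Length) { return $false }
    for ($i = 0; $i -lt $A.Length; $i++) { if ($A[$i] -ne $B[$i]) { return $false } }
    return $true
}

function Invoke-AesCbc([byte[]]$Key, [byte[]]$IV, [byte[]]$Data, [bool]$Encrypt) {
    # Whole sectors and 32-byte keys are block multiples, so no padding, as in real disk encryption
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::None
    $aes.Key = $Key; $aes.IV = $IV
    $xf = if ($Encrypt) { $aes.CreateEncryptor() } else { $aes.CreateDecryptor() }
    try { return ,$xf.TransformFinalBlock($Data, 0, $Data.Length) } finally { $xf.Dispose(); $aes.Dispose() }
}

function Get-SectorIV([int64]$Lba) {
    $iv = New-Object byte[] 16                      # IV derived from the sector address
    [BitConverter]::GetBytes($Lba).CopyTo($iv, 0)
    return ,$iv
}

# The "drive": DEK minted at manufacture and held only in firmware RAM; the media holds ciphertext
$drive = @{ Dek = (New-RandomBytes 32); Sectors = @{}; WrappedDek = $null; Salt = $null; WrapIV = $null }
$drive.DekCheck = Get-Sha256 $drive.Dek

function Write-Sector($Drive, [int]$Lba, [byte[]]$Plain) {
    if ($null -eq $Drive.Dek) { throw 'drive is locked' }
    if ($Plain.Length -ne $SectorSize) { throw "sector must be $SectorSize bytes" }
    $Drive.Sectors[$Lba] = Invoke-AesCbc $Drive.Dek (Get-SectorIV $Lba) $Plain $true
}
function Read-Sector($Drive, [int]$Lba) {
    if ($null -eq $Drive.Dek) { throw 'drive is locked' }
    return ,(Invoke-AesCbc $Drive.Dek (Get-SectorIV $Lba) $Drive.Sectors[$Lba] $false)
}

function Enable-AutoLock($Drive, [string]$Passcode) {
    # Derive a wrapper key from the passcode; only the wrapped DEK is stored on the media
    $Drive.Salt = New-RandomBytes 16; $Drive.WrapIV = New-RandomBytes 16
    $kek = (New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Passcode, $Drive.Salt, 100000)).GetBytes(32)
    $Drive.WrappedDek = Invoke-AesCbc $kek $Drive.WrapIV $Drive.Dek $true
}
function Lock-Drive($Drive) { $Drive.Dek = $null }        # power-off: the plaintext DEK is gone
function Unlock-Drive($Drive, [string]$Passcode) {
    $kek = (New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Passcode, $Drive.Salt, 100000)).GetBytes(32)
    $dek = Invoke-AesCbc $kek $Drive.WrapIV $Drive.WrappedDek $false
    if (-not (Test-BytesEqual (Get-Sha256 $dek) $Drive.DekCheck)) { throw 'wrong passcode' }
    $Drive.Dek = $dek
}
function Invoke-CryptoErase($Drive) {
    # "Secure erase": replace the DEK; every existing sector is now unreadable ciphertext
    $Drive.Dek = New-RandomBytes 32; $Drive.DekCheck = Get-Sha256 $Drive.Dek
    $Drive.WrappedDek = $null; $Drive.Salt = $null; $Drive.WrapIV = $null   # back to non-locking mode
}

# --- demo with constructed data ---
$plain = New-Object byte[] $SectorSize
[System.Text.Encoding]::ASCII.GetBytes('constructed secret record').CopyTo($plain, 0)
Write-Sector $drive 7 $plain
"read back matches:          $(Test-BytesEqual (Read-Sector $drive 7) $plain)"
Enable-AutoLock $drive 'correct horse battery staple'
Lock-Drive $drive
try { Read-Sector $drive 7 | Out-Null } catch { "while locked:               $_" }
try { Unlock-Drive $drive 'guess' } catch { "wrong passcode:             $_" }
Unlock-Drive $drive 'correct horse battery staple'
"after unlock matches:       $(Test-BytesEqual (Read-Sector $drive 7) $plain)"
Invoke-CryptoErase $drive
"after crypto-erase matches: $(Test-BytesEqual (Read-Sector $drive 7) $plain)"
```

The last line is the point of the slide: after Invoke-CryptoErase the sector bytes are untouched on the "media", yet reading them back with the new DEK yields garbage, so the erase is instantaneous and independent of drive capacity. The model also shows the trade-off behind auto-lock: while the drive is unlocked the plaintext DEK sits in firmware RAM, so a powered-on, unlocked SED protects nothing against an attacker who can already talk to it.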

Hard Disk Encryption: SEDs

Pros: What are they?

• You can use self-encrypting drives in lower cost arrays like Equallogic:

– PS4100

– PS6100

– PS6500

Hard Disk Encryption: SEDs

Cons: What are they?

• Limited drive types

• Need a key management server (IBM Tivoli Key Lifecycle Manager)

Hard Disk Encryption: SEDs

Pros: What are they?

• Zero performance impact

• No drive choice limitations

• Zero key management issues

Hard Disk Encryption: SEDs

Cons: What are they?

• Expensive

• Not a “complete” solution

Array Based Encryption: Appliances

What is it?

• EMC’s Symmetrix VMAX has a built-in RSA Data Protection Manager physical appliance integrated into the storage array.

Hybrid Methods

• Porticor – Virtual Appliance

• Vormetric – Physical appliance

Questions? & Contact

saiello@onlinetech.com

steven@overworkedadmin.com

I don’t use twitter (sorry)
