Page 1: Data At Rest Encryption

Encryption @ REST

By: Steven Aiello

Page 2: Data At Rest Encryption

Microsoft Disk Encryption: EFS

What is it?

Encrypting File System (EFS) is a feature of Windows that you can use to store information on your hard disk in an encrypted format.

Page 3: Data At Rest Encryption

Microsoft Disk Encryption: EFS

How does it work?

• Uses AES to encrypt data at rest

• Encryption keys are never stored in the page file (not true with TrueCrypt)

“Kernel memory isn’t paged (generally), and it can be forced never to page. This mitigated the possibility of a stolen laptop having the EFS encryption keys stored in the page file”.

http://msdn.microsoft.com/en-us/library/windows/hardware/ff541920(v=vs.85).aspx

Page 4: Data At Rest Encryption

Microsoft Disk Encryption: EFS

How does it work?

• EFS encrypts each file with a random file encryption key (FEK); the FEK is then encrypted with an RSA key that belongs to the user. The user's RSA key is protected by the Data Protection API (DPAPI).

Page 5: Data At Rest Encryption

Microsoft Disk Encryption: EFS

Recovery options?

• The system CAN be set up with a recovery key; this CAN be the local admin; however, this can (and most likely should) be changed.

• Backups are a life saver: http://windows.microsoft.com/en-us/windows-vista/back-up-encrypting-file-system-efs-certificate

Page 6: Data At Rest Encryption

Microsoft Disk Encryption: EFS

Recovery options?

• If the workstation is a member of a domain, the domain controller will maintain a decryption key that allows the decryption of the DPAPI master key, therefore allowing access to the user's RSA key.
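The key hierarchy on this and the previous two slides (a random FEK per file, the FEK wrapped with the user's RSA key, and a recovery agent that holds a second wrapped copy) is easier to see in code. The model below is an added Go example, not code from the presentation and not Windows' EFS implementation; it assumes AES-GCM for the file data and RSA-OAEP for wrapping the FEK, leaves out the DPAPI layer that protects the user's private key, and uses constructed keys, principal names ("alice", "recovery-agent") and sample text.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile models an EFS-protected file: data encrypted under a random
// per-file key (the FEK), plus one RSA-wrapped copy of the FEK per principal
// allowed to open it (the owning user and, if configured, a recovery agent).
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedFEK map[string][]byte // principal name -> RSA-OAEP(FEK)
}

// newGCM builds the AES-GCM primitive used for the bulk file data.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptFile draws a fresh 256-bit FEK and nonce, encrypts plaintext with
// them and wraps the FEK once per recipient public key.
func EncryptFile(plaintext []byte, recipients map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+12)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	aead, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil), WrappedFEK: map[string][]byte{}}
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, []byte("FEK"))
		if err != nil {
			return nil, err
		}
		ef.WrappedFEK[name] = wrapped
	}
	return ef, nil
}

// DecryptFile unwraps the FEK copy stored for principal using priv and decrypts
// the data; the wrong private key fails OAEP, and no stored copy means no access.
func DecryptFile(ef *EncryptedFile, principal string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := ef.WrappedFEK[principal]
	if !ok {
		return nil, fmt.Errorf("no FEK wrapped for %q", principal)
	}
	fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte("FEK"))
	if err != nil {
		return nil, err
	}
	aead, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// opens reports whether priv, presented as principal, recovers want.
func opens(ef *EncryptedFile, principal string, priv *rsa.PrivateKey, want []byte) bool {
	got, err := DecryptFile(ef, principal, priv)
	return err == nil && string(got) == string(want)
}

// Demo plays out the slides' scenario with constructed keys: "alice" encrypts
// a file, the configured recovery agent can open it too, and a third key
// holder who tries alice's wrapped FEK with their own key cannot.
func Demo() (userOK, agentOK, strangerOK bool, err error) {
	// Throw-away demo keys; GenerateKey fails only if the system RNG does.
	alice, _ := rsa.GenerateKey(rand.Reader, 2048)
	agent, _ := rsa.GenerateKey(rand.Reader, 2048)
	stranger, _ := rsa.GenerateKey(rand.Reader, 2048)
	plaintext := []byte("constructed sample: quarterly numbers")
	ef, err := EncryptFile(plaintext, map[string]*rsa.PublicKey{
		"alice": &alice.PublicKey, "recovery-agent": &agent.PublicKey})
	if err != nil {
		return
	}
	return opens(ef, "alice", alice, plaintext), opens(ef, "recovery-agent", agent, plaintext),
		opens(ef, "alice", stranger, plaintext), nil
}

func main() {
	fmt.Println(Demo())
}
```

The recovery agent never sees the user's private key; it only holds its own wrapped copy of the FEK, which is what lets a domain add an agent without touching the user's key material. DecryptFile takes the principal name separately from the key so that the stranger case exercises an OAEP failure on alice's copy rather than a simple map miss.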

Page 7: Data At Rest Encryption

Microsoft Disk Encryption: EFS

How do you enable it?

• Windows 7 / Windows 8 Professional, Ultimate, Enterprise

Page 8: Data At Rest Encryption

Microsoft Disk Encryption: BitLocker

What is it?

Full disk encryption (anyone who knows the password gets all the files)

• TPM only – Integrity

• TPM + PIN – Integrity and Authentication

• TPM + PIN + USB Key – Integrity and Two Factor Authentication

• TPM + USB Key – Integrity and Authentication

• USB Key – No integrity but Authentication

Page 9: Data At Rest Encryption

Microsoft Disk Encryption: BitLocker

How does it work?

• Uses AES 128 or 256 Encryption

• Encryption keys are never stored in the page file (not true with TrueCrypt). The key is stored externally, or decryption can be done with a password on boot.

• Trusted Platform Module (TPM) allows system integrity verification

Page 10: Data At Rest Encryption

Microsoft Disk Encryption: BitLocker

How do you enable it?

• Windows 7 / Windows 8 Ultimate, Enterprise (No Professional)

• In order to use BitLocker you must have at least 2 NTFS drive partitions, one for the system volume and one for the operating system volume. The system volume partition must be at least 1.5 gigabytes (GB) and set as the active partition.

http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/

Page 11: Data At Rest Encryption

Microsoft Disk Encryption: BitLocker

Key management

After the drive has been encrypted and protected with BitLocker, local and domain administrators can use the Manage BitLocker page in the BitLocker Drive Encryption item in Control Panel to change the password to unlock the drive, remove the password from the drive, add a smart card to unlock the drive, save or print the recovery key again, automatically unlock the drive, duplicate keys, and reset the PIN.

Secure wipe with BitLocker

Page 12: Data At Rest Encryption

Hard Disk Encryption: SEDs

What is it?

• SEDs are hard drives that have encryption hardware built in

• Completely transparent to the user

• Comes with software to generate a new key

• Admins can perform a “secure erase” by simply generating a new key

Page 13: Data At Rest Encryption

Hard Disk Encryption: SEDs

Auto Locking: What is it?

• When the system (disk) is powered down it's locked; when the system is booted up a password is required to unlock the disk. You can start off by only using secure erase and then move to locking mode later. An additional key that wraps the encryption key is generated, and the passcode entered at system startup is needed to unlock this wrapper key. If you wish to turn auto locking off again you must cryptographically “erase” the disk, and thereby the data on it.
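The two SED behaviours on this and the previous slide (secure erase by generating a new key, and auto-locking by wrapping that key under a passcode) come from one key hierarchy. The model below is an added Go example, not the presentation's code and not any drive vendor's firmware; it assumes AES-GCM for both the sector data and the key wrap, a single salted SHA-256 as a stand-in for the slow password KDF a real drive would use, and constructed passcodes and sample data. With auto-lock off the drive keeps its DEK in the clear, so a power cycle changes nothing; once auto-lock is on, only the wrapped copy survives a power cycle, and SecureErase discards both the DEK and the wrapped copy, which is the slide's point that leaving auto-lock mode costs the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SED models a self-encrypting drive: sectors are encrypted under a data
// encryption key (DEK) that never leaves the drive. With auto-lock on only a
// passcode-wrapped copy of the DEK survives a power cycle.
type SED struct {
	dek        []byte         // working DEK; nil while locked
	plainDEK   []byte         // clear-text DEK; nil once auto-lock is on
	wrappedDEK []byte         // nonce||AES-GCM(DEK) under the passcode-derived key
	salt       []byte         // salt for the passcode-derived key
	sectors    map[int][]byte // sector number -> nonce||ciphertext
}

// randomBytes draws n bytes from the OS CSPRNG (crypto/rand.Read does not fail on supported platforms).
func randomBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// seal prepends a fresh nonce to the AES-GCM ciphertext; open reverses it.
// Keys here are always 32 bytes, so cipher construction cannot fail.
func seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	nonce := randomBytes(12)
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...)
}

func open(key, blob []byte) ([]byte, error) {
	if key == nil || len(blob) < 12 {
		return nil, errors.New("drive locked or nothing stored")
	}
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead.Open(nil, blob[:12], blob[12:], nil)
}

// wrapKey derives the DEK-wrapping key from the passcode; a single salted
// SHA-256 stands in for the slow password KDF a real drive would use.
func wrapKey(passcode string, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), passcode...))
	return h[:]
}

// NewSED ships with a random DEK held in the clear and auto-lock off.
func NewSED() *SED {
	dek := randomBytes(32)
	return &SED{dek: dek, plainDEK: dek, sectors: map[int][]byte{}}
}

// Write encrypts data under the DEK and stores it at sector n.
func (d *SED) Write(n int, data []byte) error {
	if d.dek == nil {
		return errors.New("drive is locked")
	}
	d.sectors[n] = seal(d.dek, data)
	return nil
}

// Read decrypts sector n; data written under an earlier DEK fails authentication.
func (d *SED) Read(n int) ([]byte, error) { return open(d.dek, d.sectors[n]) }

// SecureErase is the slides' crypto-erase: a fresh DEK makes every sector already
// on the platters unrecoverable; the wrapped copy goes too, so auto-lock is off again.
func (d *SED) SecureErase() {
	d.dek = randomBytes(32)
	d.plainDEK, d.wrappedDEK, d.salt = d.dek, nil, nil
}

// EnableAutoLock replaces the clear-text DEK with a passcode-wrapped copy.
func (d *SED) EnableAutoLock(passcode string) error {
	if d.dek == nil {
		return errors.New("drive is locked")
	}
	d.salt = randomBytes(16)
	d.wrappedDEK, d.plainDEK = seal(wrapKey(passcode, d.salt), d.dek), nil
	return nil
}

// PowerCycle models power loss: only a DEK held in the clear is still usable.
func (d *SED) PowerCycle() { d.dek = d.plainDEK }

// Unlock recovers the DEK from its wrapped copy; a wrong passcode fails the GCM check.
func (d *SED) Unlock(passcode string) error {
	dek, err := open(wrapKey(passcode, d.salt), d.wrappedDEK)
	if err == nil {
		d.dek = dek
	}
	return err
}

func main() {
	d := NewSED()
	d.EnableAutoLock("correct horse battery staple")
	d.PowerCycle()
	fmt.Println(d.Unlock("wrong passcode"), d.Unlock("correct horse battery staple"))
}
```

Note that SecureErase does not touch the sectors map: the old ciphertext is still on the platters, exactly as on a real drive, and it is the loss of the only key that makes it unrecoverable. The defender-side check is that a Read after SecureErase must fail authentication rather than return garbage silently.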

Page 14: Data At Rest Encryption

Hard Disk Encryption: SEDs

Pros: What are they?

• You can use self-encrypting drives in lower cost arrays like EqualLogic:

– PS4100

– PS6100

– PS6500

Page 15: Data At Rest Encryption

Hard Disk Encryption: SEDs

Cons: What are they?

• Limited drive types

• Need a key management server (IBM Tivoli Key Lifecycle Manager)

Page 16: Data At Rest Encryption

Hard Disk Encryption: SEDs

Pros: What are they?

• Zero performance impact

• No drive choice limitations

• Zero key management issues

Page 17: Data At Rest Encryption

Hard Disk Encryption: SEDs

Cons: What are they?

• Expensive

• Not a “complete” solution

Page 18: Data At Rest Encryption

Array Based Encryption: Appliances

What is it?

• EMC’s Symmetrix VMAX has an RSA Data Protection Manager physical appliance built into the storage array.

Page 19: Data At Rest Encryption

Hybrid Methods

• Porticor – Virtual Appliance

• Vormetric – Physical appliance

Page 20: Data At Rest Encryption

Questions? & Contact

[email protected]

[email protected]

I don’t use twitter (sorry)

