When highly sensitive information, such as customer or otherwise work-related information, is handled on a laptop or desktop computer, data security should be at the top of every business owner’s mind. Laptops in particular are exposed to security risks because of their mobile nature. When a laptop is lost or stolen, the resulting data breach can become costly.
“Compared to hacking a secure network, it is much easier to download information from an unencrypted or unprotected laptop. This is a reality a lot of business owners and IT professionals fail to realize.”
There are multiple reasons for protecting laptops and the data on them, and luckily there are various ways to mitigate the security risks. One powerful tool is full disk encryption. Full disk encryption is a data protection method which transforms the information on a storage medium into a secret format that can only be understood by people or systems who are allowed to access the information.
In this article, we discuss different data encryption methods and why drive encryption makes sense. We also reveal a smart way to enable drive encryption on your Microsoft Windows or Apple macOS devices.
What is hard drive encryption or full disk encryption?
Essentially, encryption refers to the process of encoding data. In disk encryption, this means that information on your computer’s hard drive is transformed from plaintext to ciphertext, which makes the original information unreadable.
Hard drive encryption uses a specific algorithm, or cipher, to convert a physical disk or logical volume into an unreadable format that cannot be unlocked by anyone without the secret key or password that was used to encrypt the drive. This prevents unauthorized people or hackers from accessing the information.
There are two main computer encryption types: full disk encryption and file-level encryption.
- Full Disk Encryption (FDE) or whole disk encryption protects the entire volume and all files on the drive against unauthorized access.
- In contrast to FDE, File-Level Encryption (FLE) is an encryption method, which takes place on the file system level, enabling the encryption of data in individual files and directories.
Full Disk Encryption and File-Level Encryption are not mutually exclusive. In fact, they can be used simultaneously to achieve higher security as they serve different purposes, but that’s a topic on its own.
Modern versions of Windows and macOS have built-in encryption programs: BitLocker for Windows and FileVault for macOS. There are also a few open-source products for encryption, such as VeraCrypt, AxCrypt, and Gpg4win.
What is BitLocker?
BitLocker is Microsoft’s full disk encryption feature that is commonly included in Windows versions that are oriented towards professional, business, or organizational use. With the BitLocker drive encryption, you can encrypt the entire operating system drive and/or other drives mounted to your Windows PCs.
BitLocker is designed to work best with a Trusted Platform Module (TPM) that stores the disk encryption key. TPM is a secure cryptoprocessor that checks whether the encrypted data is being accessed with the right device. Disk encryption on newer Windows OS versions is strongly based on TPM but a USB startup key can also be used to access the encrypted data. However, it is not as popular.
The first BitLocker encryption usually takes some hours to complete, depending on the drive, but after that the user experience is more or less transparent. All data on the protected drives is stored in encrypted form while the computer is locked or turned off, but when the user unlocks the system with their Windows login credentials, everything works just as in an unencrypted system. Any new files are encrypted automatically on the fly.
BitLocker is included in Windows 7 (Enterprise and Ultimate) and the Pro, Enterprise, and Education editions of Windows 8.1 and Windows 10. If your operating system version supports BitLocker, you can enable it easily on your computer. But if you need to enforce drive encryption on multiple Windows devices, it’s wise to use UEM software, like Miradore.
What is FileVault?
FileVault is a full disk encryption feature from Apple built into the Macintosh operating system (macOS). FileVault is supported in Mac OS X 10.3 and later, and it provides strong encryption for files and data on Mac computers, protecting the entire drive and all of the files on it — just like BitLocker for Windows. When enabled, FileVault works silently in the background, encrypting all device data on the fly without disruptions.
Just like with BitLocker, you don’t need an additional password to use your files. Just type in your user ID and password when logging in to your computer and you’re good to go. However, to recover the encrypted data, you need a FileVault recovery key that is created when you enable FileVault for the first time.
If you are responsible for managing multiple Mac computers, you can easily enforce drive encryption as a mass deployment with Miradore.
Should I use FileVault or BitLocker disk encryption?
If you need to access sensitive information, such as medical records, customer data, or credit card information, on your computer, using FileVault and BitLocker is smart. It’s fairly easy to enforce and simple for end-users as they don’t have to worry about saving their files in a certain folder.
One of the main advantages of the full disk encryption technologies is the full automation they provide. After the activation of BitLocker or FileVault, these encryption methods will work on their own encrypting everything on the fly. Device users do not even have to think about the encryption ever again.
If a laptop is ever lost, stolen, or decommissioned inappropriately, the odds are that the data will remain safe even then, because encrypted drives are extremely difficult to access without knowing the decryption key. This is not the case with unprotected drives, to which the attacker may gain access, simply by attaching them to another computer.
In addition, today’s companies need to adhere to data protection regulations and policies, such as GDPR, HIPAA, and CJIS, and full disk encryption is a great way to protect sensitive customer data.
Drawbacks of disk encryption
Although it may seem a no-brainer to use encryption, many organizations still hesitate to implement disk encryption, for different reasons. There may be, for example, uncertainty about how to implement the encryption wisely, or concerns about what challenges the encryption could cause for data recovery if a computer breaks down or the user forgets their login password.
“Who has the time and competence to enable encryption?”
“How can we see which drives are or aren’t encrypted?”
“Who should store the recovery keys and where?”
The questions above are examples of valid concerns that may slow down the adoption of disk encryption. Luckily, all of them can be easily addressed with the right tools, like Miradore.
Also, some might be concerned about how drive encryption affects the computer’s performance, but with modern Windows computers and Macs there is no noticeable change.
How to enable BitLocker encryption?
Enabling BitLocker manually is actually quite straightforward and easy if your Windows computer is running the right operating system version. The device user can enable BitLocker disk encryption in Windows File Explorer by right-clicking on a drive and then choosing “Turn on BitLocker”. After that, the user is asked to choose how they want to preserve the BitLocker recovery key. Keeping the recovery key in a safe place is essential as you need it to unlock your disk.
Sounds simple but gets complex quickly if dozens or hundreds of users need to be instructed through the implementation step-by-step and if there is no centralized way for storing the recovery keys.
This is where Miradore steps in.
Miradore makes it easy to enable BitLocker on all of your Windows devices. You can create a Configuration Profile, which defines the desired settings for BitLocker encryption. You only need to choose whether you want to encrypt the system drive or all fixed drives of a computer – and that’s it. If you want, you can also choose the preferred encryption mode.
Creating a Configuration Profile for drive encryption in Miradore
You can then deploy the configuration profile remotely to as many Windows computers as you like, and Miradore works its magic to enable BitLocker.
Deploying the created Configuration Profile to multiple Windows computers
Miradore applies exactly the same encryption settings tirelessly to all computers without the risk of human error, and best of all, it stores the recovery keys from all devices automatically in one place – your Miradore site. You can rest assured that device users do not need to bother you with questions and that the recovery keys are stored appropriately. Users other than administrators cannot see the stored recovery keys on your Miradore site.
Miradore stores BitLocker recovery keys in one place
What’s more, Miradore shows you which drives on your Miradore-managed computers are protected with BitLocker, which makes it easy to follow up on the disk encryption status of your Windows devices.
View the BitLocker encryption status of your Windows devices
You can also add the BitLocker encryption configuration profile as part of a Business Policy which enables the automation of device setups.
How to enable FileVault disk encryption?
Enabling FileVault disk encryption works quite similarly to enabling BitLocker. In System Preferences, click Security & Privacy, go to the FileVault tab, and click the Lock button. After entering your admin name and password, you can turn on FileVault.
Miradore supports FileVault disk encryption on devices running macOS 10.9 and newer. The procedure follows the same lines as for BitLocker, with a few exceptions. You can enable FileVault on your Mac devices by creating a Configuration Profile that defines the right settings for encryption and deploying that configuration profile remotely to multiple Macs. With Miradore’s dashboard widget, you can view the FileVault drive encryption status of your device fleet.
View the FileVault encryption status of your Mac computers
With FileVault, you can choose whether you want to use personal, institutional, or both types of recovery keys for unlocking the encryption. The personal recovery key is always device-specific, and it will be generated automatically at the target device when enabling the encryption. The device’s user is responsible for writing down and storing the personal recovery key. The institutional key, on the other hand, is intended for organizations to unlock encrypted drives. As said, it is also possible to use both key types which means an encrypted drive could be unlocked using the correct personal or institutional key.
Best practices for drive encryption
A few things should be remembered when planning full disk encryption:
- Back up your files: Make sure to back up your files before encryption and regularly after the encryption has been enabled. This ensures that you can recover your files quickly if something happens to your hard drive.
- Use a strong passcode: As the Windows and Mac login credentials are used to access the encrypted files and documents, make sure to use a strong passcode that includes both letters and numbers.
- Keep your recovery key in a safe place: If you forget your password, a recovery key is the only way to access the encrypted data. Thus, it’s important to store your recovery key in a secure place. You can for example use a password manager or Miradore.
Summary
Altogether, drive encryption is a very powerful data protection method, which is relatively easy to implement with proper tools.
The use of BitLocker and FileVault can step up the data security of any organization where Windows and Mac devices are used to process and store any kind of valuable or sensitive information, such as customer information, credit card details, or employee information. With Miradore’s Enterprise plan, you can easily enable BitLocker and FileVault on all your organization’s devices remotely.
If you’re responsible for ensuring data security in your organization, you can test Miradore’s Enterprise plan for free for 14 days. If you want to know more about disk encryption or Miradore’s capabilities, don’t hesitate to reach out to us!
Hardware-based full-disk encryption (FDE) is now available from many hard disk (HDD) vendors, becoming increasingly common especially for solid state drives. The term 'self-encrypting drive' (SED) is now common when referring to HDDs or SSDs with built-in full-disk encryption. OPAL is a set of specifications for self-encrypting drives developed by the Trusted Computing Group.
Overview
Many of the self-encrypting SSDs/HDDs available today implement the OPAL 2.0 and Enterprise standards developed by the Trusted Computing Group (TCG). Enterprise SAS versions of the TCG standard are called 'TCG Enterprise' drives. The hardware manufactured according to the standards is labeled accordingly.
Unlocking of the drive can be done during operating system runtime using software utilities, in a pre-boot authentication environment, or with a BIOS-based ATA password on power up.
Tip: 'Encryption' in the context of this page refers to hardware-based encryption.
Key management technical implementation
The drive encrypts data with an internal data encryption key from the start. Once the user enables locking, they can configure the passphrase (authentication key), which will then be used to encrypt the existing data encryption key (thus prompting for the passphrase before decrypting the data encryption key in future). However, as the existing data encryption key is not changed (regenerated), this in effect locks the drive while preserving the existing encrypted data on the disk.
Advantages
- Easier to setup (compared to software-based encryption)
- Notably transparent to the user, except for initial bootup authentication
- Data-at-Rest protection
- Increased performance (CPU is freed up from encryption/decryption calculations)
- The main CPU and RAM are eliminated as possible attack targets
- Optimally fast and secure disk erasure (sanitation), regardless of disk size
- Protection from alternative boot methods due to the possibility to encrypt the MBR, rendering the drive inaccessible before pre-boot authentication
Disadvantages
- Constant-power exploits
- Typical self-encrypting drives, once unlocked, will remain unlocked as long as power is provided. This vulnerability can be exploited by means of altering the environment external to the drive, without cutting power, in effect keeping the drive in an unlocked state. For example, it has been shown (by researchers at University of Erlangen-Nuremberg) that it is possible to reboot the computer into an attacker-controlled operating system without cutting power to the drive. The researchers have also demonstrated moving the drive to another computer without cutting power.[1]
- Key-in-memory exploits
- When the system is put into S3 ('sleep') mode, the drive is powered down, but it keeps the encryption key in its internal memory (NVRAM) to allow a resume ('wake'). This is necessary because, for a system booted with an arbitrary operating system, there is no standard mechanism to prompt the user to re-enter the pre-boot decryption passphrase. An attacker with physical access to the drive can leverage this to access the drive. Taking the known exploits together, the researchers summarize: 'we were able to break hardware-based full-disk encryption on eleven [of twelve] of those systems provided they were running or in standby mode'.[2] Note, however, that S3 ('sleep') is not currently supported by sedutil (the currently available toolset for managing TCG OPAL 2.0 self-encrypting drives on Linux).
- Compromised firmware
- The firmware of the drive may be compromised (backdoored), so that data sent to it is potentially compromised as well (decryptable by the malicious third party in question, provided they can obtain physical access to the drive). A study demonstrated methods for compromising device firmware, as well as applying invalid passwords to access data on OPAL devices.[3] If data is encrypted by the operating system (e.g. with dm-crypt), the encryption key is unknown to the compromised drive, which circumvents this attack vector entirely.
Linux support
The kernel's own support for OPAL self-encrypting drives is provided by the BLK_SED_OPAL kernel configuration option.[4]
msed and OpalTool, the two known open source code bases for self-encrypting drive support on Linux, have both been retired, and their development efforts were officially merged to form sedutil, under the umbrella of the Drive Trust Alliance (DTA). sedutil is 'an Open Source (GPLv3) effort to make Self Encrypting Drive technology freely available to everyone.'
Install the sedutil (AUR) package, which contains the sedutil-cli tool and helper scripts to create a custom pre-boot authorization (PBA) image based on the current OS in use (e.g. for setting a custom console keymap). Alternatively, you can install sedutil solely to acquire the sedutil-cli toolset, and download and use the precompiled PBA image (for BIOS or UEFI) provided by the Drive Trust Alliance.
libata.allow_tpm must be set to 1 (true) in order to use sedutil. Either add libata.allow_tpm=1 to the kernel parameters, or set /sys/module/libata/parameters/allow_tpm to 1 on a running system.
Encrypting the root (boot) drive
This article or section is out of date.
These instructions assume you have the sedutil-cli tool installed (via the AUR, or by other means)
Check if your disk supports OPAL
If you get something like
then your disk doesn't support OPAL. On the contrary, the following output means OPAL is supported:
Windows version of sedutil's output:
Download (or create) the pre-boot authorization (PBA) image
Download the pre-boot authorization (PBA) image for a BIOS or UEFI machine provided by the Drive Trust Alliance.
The factual accuracy of this article or section is disputed.
Alternatively, you can create your own PBA image using the supplied helpers:
to create an EFI image (/boot/linuxpba-efi.diskimg) and
to create a BIOS image (/boot/linuxpba.diskimg).
Test the PBA on your machine (optional)
Refer to the official docs.
Don't expect to get a list of your OPAL disks. If you try the PBA from a USB stick and your SSD is not yet activated for OPAL locking (as is recommended before the PBA has been successfully tested), you will get an error message including 'INVALID PARAMETER' (see this issue). But this shows that the PBA is actually working and finding your disk. The Wiki is outdated in this regard.
Prepare and test the rescue image (optional)
Refer to the official docs.
Set up the drive
Decompress the PBA (if required). Use the output of lsblk --fs to help identify the correct drive.
Enable locking
Power off the computer to lock the drive.
When the computer is next powered on, the PBA should ask for your password; then unlock the drive and chain-load the decrypted OS.
Accessing the drive from a live distro
The easiest way is to boot the encrypted SSD first, in order to run the shadow MBR. Then press the key that brings up the boot menu and boot whatever device you prefer. This way, the SED is completely transparent.
Another way is to directly boot into the live distro and use sedutil to unlock the SSD:
libata.allow_tpm must be set to 1 (true) in order to use sedutil. Either add libata.allow_tpm=1 to the kernel parameters, or set /sys/module/libata/parameters/allow_tpm to 1 on a running system.
Disable locking
If you want to turn off Locking and the PBA:
Re-enable locking and the PBA
You can later re-enable locking and the PBA using this command sequence.
Encrypting a non-root drive
A non-root drive does not require loading a PBA. So, activating the encryption is as simple as running:
Changing the passphrase
Changing the passphrase does not lose existing data on the drive, and does not require re-encryption of data.
Read the Key management technical implementation section above to learn how this is implemented securely within the drive, and why it is possible to change the passphrase without losing the existing encrypted data on the drive.
Waking up from suspend
Suspending the system results in a crash by default, because power is cut from the drive, which causes it to lock itself. In order to wake up from suspend, the kernel must know a hashed password for the disk. The kernel has supported this since 4.11, but the tooling is only available via a fork of sedutil, sedutil-sleep-git (AUR).
Generate a hashed password for the block device specified as /dev/device:
Then create a systemd service, inserting hashes for each device:
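The hash inserted into that service is device-specific. The following added example (written for this page; it is not sedutil's code) models how such a hash is derived. It assumes, from my recollection of sedutil's DtaHashPwd.cpp and to be verified against the source, that sedutil applies PBKDF2-HMAC-SHA1 with 75000 iterations and a 32-byte output, salted with the drive's 20-character ATA serial number; the serial numbers and function names are constructed for the example.

```python
import hashlib

SEDUTIL_ITERATIONS = 75_000  # assumed sedutil default; verify against the source
SEDUTIL_HASH_BYTES = 32      # assumed output length
SERIAL_FIELD_LEN = 20        # ATA IDENTIFY DEVICE serial field, space padded


def serial_salt(serial: str) -> bytes:
    """Salt as the drive reports it: the serial left-justified in its 20-byte field."""
    return serial.encode("ascii").ljust(SERIAL_FIELD_LEN, b" ")[:SERIAL_FIELD_LEN]


def sedutil_password_hash(passphrase: str, serial: str) -> bytes:
    """PBKDF2-HMAC-SHA1 over the passphrase, salted with the serial number
    (assumed sedutil construction, see the lead-in)."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("utf-8"), serial_salt(serial),
        SEDUTIL_ITERATIONS, SEDUTIL_HASH_BYTES,
    )


def fleet_hashes(passphrase: str, serials: list) -> dict:
    """One hash per device: the same passphrase yields a different value on every drive,
    which is why the systemd service needs a separate hash for each /dev/device."""
    return {s: sedutil_password_hash(passphrase, s).hex() for s in serials}


def hashes_are_distinct(passphrase: str, serials: list) -> bool:
    """True when no two drives in the fleet share a hash for this passphrase."""
    return len(set(fleet_hashes(passphrase, serials).values())) == len(serials)


if __name__ == "__main__":
    # Constructed serial numbers for two hypothetical drives.
    serials = ["CONSTRUCTED-SN-0001", "CONSTRUCTED-SN-0002"]
    for serial, digest in fleet_hashes("correct horse battery staple", serials).items():
        print(serial, digest)
```

Two things follow from the construction. Because the serial number is the salt, a hash taken from one drive is useless against another, so a stolen unit file compromises only the device it was written for. Conversely, the hash is password-equivalent for that device: the systemd unit holding it should be owned by root with mode 0600, and changing the drive passphrase invalidates the stored hash.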
Secure disk erasure
Whole disk erasure is very fast, and remarkably simple for a self-encrypting drive. Simply passing a cryptographic disk erasure (or crypto erase) command (after providing the correct authentication credentials) will have the drive self-generate a new random data encryption key internally. This will permanently discard the old key, thus rendering the encrypted data irrevocably un-decryptable. The drive will now be in a 'new drive' state.
Read the Key management technical implementation section above to learn more about how this is implemented securely within the drive.
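The mechanism behind both "Changing the passphrase" and "Secure disk erasure" (a passphrase that wraps an unchanging data encryption key, so that a passphrase change re-wraps only the key and a crypto-erase regenerates it) is modelled in the following added example. It is an illustrative Python model written for this page, not sedutil's code nor any drive's firmware; the PBKDF2 derivation, SHAKE-256 keystream and HMAC tag are stand-ins for the drive's AES engine, and the class and function names are assumptions.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 50_000  # constructed value for this model, not a drive parameter


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHAKE-256 as an XOF keystream; a stand-in for the drive's AES engine.
    return hashlib.shake_256(key + nonce).digest(length)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    # Authentication key -> key-encryption key; only the KEK ever touches the DEK.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, 32)


def wrap_dek(kek: bytes, dek: bytes) -> bytes:
    # Encrypt-then-MAC the DEK: nonce || ciphertext || HMAC tag.
    nonce = os.urandom(16)
    ct = _xor(dek, _keystream(kek, nonce, len(dek)))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_dek(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase: DEK unwrap failed authentication")
    return _xor(ct, _keystream(kek, nonce, len(ct)))


class SelfEncryptingDriveModel:
    def __init__(self) -> None:
        self.dek = os.urandom(32)   # created inside the drive and never exported
        self.salt = os.urandom(16)
        self.wrapped_dek = None     # exists only while locking is enabled
        self.locked = False
        self.sectors = {}           # LBA -> ciphertext; the media holds ciphertext only

    def write(self, lba: int, plaintext: bytes) -> None:
        if self.locked:
            raise PermissionError("drive is locked")
        # Per-sector tweak like the XTS sector number (a real drive uses AES-XTS, not XOR).
        tweak = lba.to_bytes(8, "big")
        self.sectors[lba] = _xor(plaintext, _keystream(self.dek, tweak, len(plaintext)))

    def read(self, lba: int) -> bytes:
        if self.locked:
            raise PermissionError("drive is locked")
        ct = self.sectors[lba]
        return _xor(ct, _keystream(self.dek, lba.to_bytes(8, "big"), len(ct)))

    def enable_locking(self, passphrase: str) -> None:
        self.wrapped_dek = wrap_dek(derive_kek(passphrase, self.salt), self.dek)

    def power_off(self) -> None:
        # Losing power drops the plaintext DEK; the drive comes back locked.
        if self.wrapped_dek is not None:
            self.dek, self.locked = None, True

    def unlock(self, passphrase: str) -> None:
        self.dek = unwrap_dek(derive_kek(passphrase, self.salt), self.wrapped_dek)
        self.locked = False

    def change_passphrase(self, old: str, new: str) -> None:
        # Re-wraps the same DEK; not a single sector is rewritten.
        dek = unwrap_dek(derive_kek(old, self.salt), self.wrapped_dek)
        self.wrapped_dek = wrap_dek(derive_kek(new, self.salt), dek)

    def crypto_erase(self, passphrase: str) -> None:
        # Authenticate, then discard the DEK: old ciphertext stays but is unrecoverable.
        unwrap_dek(derive_kek(passphrase, self.salt), self.wrapped_dek)
        self.dek, self.wrapped_dek, self.locked = os.urandom(32), None, False


def demo() -> dict:
    """Walk through enable -> change passphrase -> lock -> unlock -> crypto-erase."""
    drive, secret = SelfEncryptingDriveModel(), b"customer records"
    drive.write(7, secret)
    drive.enable_locking("correct horse")
    media_before = dict(drive.sectors)
    drive.change_passphrase("correct horse", "battery staple")
    results = {"rewrap_left_media_untouched": drive.sectors == media_before}
    drive.power_off()
    try:
        drive.read(7)
        results["readable_while_locked"] = True
    except PermissionError:
        results["readable_while_locked"] = False
    try:
        drive.unlock("correct horse")  # the old passphrase no longer unwraps the DEK
        results["old_passphrase_works"] = True
    except ValueError:
        results["old_passphrase_works"] = False
    drive.unlock("battery staple")
    results["plaintext_after_unlock"] = drive.read(7)
    drive.crypto_erase("battery staple")
    results["media_unchanged_after_erase"] = drive.sectors == media_before
    results["readable_after_erase"] = drive.read(7) == secret
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The model makes the two security properties observable: the sector ciphertext is byte-for-byte identical before and after the passphrase change, and it is still identical after the crypto-erase, yet the erased drive decrypts it to garbage because the only copy of the old DEK is gone. This is also why an erase that only clears the passphrase (without regenerating the DEK) is not a sanitisation.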
BIOS based ATA-password
Prior to the industry's TCG OPAL 2.0 standard initiative, the relevant ATA standard defined an 'ATA security feature set' for full-disk encryption using self-encrypting drives. This relies on the PC's BIOS (not the SSD/HDD) to provide the unlocking mechanism and to set up the user's encryption password/passphrase. This legacy BIOS-based (ATA) method was considered less reliable to set up and prone to interoperability errors between PC vendors.[5] A typical error is, for example, the inability to unlock a drive once it is plugged into a system from a different hardware vendor. Hence, BIOS support for the legacy password mechanism is becoming less common, particularly in consumer hardware.
See Solid state drive#Security for more information.