Is Microsoft really claiming pre-boot authentication (PBA) for Full Disk Encryption (FDE) is not necessary? One could certainly get that impression from recent articles (HERE and HERE) posted by the organization. The first article on “Types of attacks for volume encryption keys” lists a few known historical attacks that “could be used to compromise a volume encryption key, whether for BitLocker or a non-Microsoft encryption solution”, and the second makes statements like “For many years, Microsoft has recommended using pre-boot authentication to protect against DMA and memory remanence attacks. Today, Microsoft only recommends using pre-boot authentication on PCs where the mitigations described in this document cannot be implemented.”
It has been a while since I have written about UEFI, Secure Boot and their impact on Full Disk Encryption (FDE) pre-boot authentication (PBA), so it’s time for an update on what is new in this area, but first here is a recap because this is a bit of an arcane technical subject. UEFI stands for “Unified Extensible Firmware Interface”. The UEFI specification defines a standard model for the interface between personal-computer operating systems and platform firmware. It provides a standard environment for booting an operating system and running pre-boot applications such as the PBA for FDE. It replaces the traditional legacy BIOS interface that was used with Windows 7 and older systems. Now that Windows 10 is being widely adopted, I expect to see UEFI used on almost all new machines.
If you have been following our blogs you know that the ideal FDE architecture has two main components. The actual encryption component is a separate layer from the key management. The encryption can be done by the OS (e.g. BitLocker for Windows or FileVault2 for Mac), by Self-Encrypting Drives (SEDs) or by ISVs such as WinMagic’s FIPS140-2 validated software cryptographic engine.
As I was reviewing Gartner’s 2014 Magic Quadrant (MQ) for Mobile Data Protection, not surprisingly I found that nearly every competitor on that grid offers more than just data encryption. With anti-virus and firewall solutions being the primary focus, data encryption literally seems to be a check mark on their existing arsenal.
Our previous blog posting established that storage encryption technologies, such as full disk encryption (FDE), and their associated key management functions should be separated from each other.
Staffordshire University in the UK reported that a laptop containing applicant information was stolen from a car belonging to a staff member. Due to the size of the data file, the information was held locally on the hard drive of the laptop.
The never-ending torrent of high-profile data breaches encourages companies to evaluate security fundamentals. Among them is full-disk encryption (FDE), a security best practice that protects information on servers, laptops and other devices while they are at rest.
NVMe technology had a big presence at the Intel Developer Forum (IDF), held in San Francisco in September this year. There were products and demonstrations from about a dozen leading vendors including Intel and Micron. I also attended quite a few sessions, but the one on NVMe was the only one that was overflowing with people.
TPMs have been shipping for nearly 8 years now. WinMagic was an early adopter and supported TPM version 1.1 for full disk encryption before most. We expanded our support to the more mainstream version 1.2 TPMs when they started shipping. Now more than 100 million TPMs are out there in laptops and other devices, and soon many, many version 2.0 TPMs will join them. TPM 2.0 and disk encryption will be a good topic for a future blog, but today I am going to set the groundwork on where we are today.
Last week we announced the results of the Ponemon Institute study we commissioned and had co-sponsored by leading industry SED partners. We wanted to take this opportunity to remind readers that next week we’ll be reviewing the data via a webinar we’re hosting on Tuesday, April 30th at 1pm ET.
There are plenty of ways to secure data and all have pretty acronyms: Full Disk Encryption (FDE), File and Folder Encryption (FFE), Removable Media Encryption (RME) and so on. These three are the ‘meat’ of any good encryption solution. The question an organization has to ask itself is – which is best for me?
This post is going to be a lot of shameless self-promotion for WinMagic but it’s something we think is important as it’s tied directly to the recent launch of SecureDoc 6.1.