Evaluating encryption options
With so many options for endpoint encryption, choosing the best one for your business can be difficult. Understanding the difference between the major technologies, and the benefits and drawbacks of each, will help you find the right data encryption solution for your environment.
Software full disk encryption
Full disk encryption (FDE) usually encrypts all sectors of a hard drive except the critical files required for the boot process. The goal is to protect as much data as possible, but the master boot record (MBR) must be left unencrypted to start the computer. Typically, FDE implementations load a small Linux® OS as a pre-boot environment, which allows some customization of the boot process and presents a smaller attack surface than the full user OS. The MBR of the user OS is replaced by the encrypting system’s MBR; the pre-boot OS then loads the encrypted user OS.
FDE solutions frequently include user authentication features such as fingerprint readers, smart cards, multifactor authentication, facial recognition and other advanced technologies. However, FDE solutions may make the user OS harder to manage because the encryption software and the OS depend on each other. The management interface for FDE is usually proprietary and requires a separate vendor management console, along with vendor-specific procedures for recovery and migration.
File and folder encryption
File-based encryption differs from FDE in that only user files and folders are encrypted, while applications and the OS are not. Though simple in concept, the implementation can be daunting: temporary files created by applications, the files and folders themselves, clipboard copy-and-paste data, print-to-file output, screen captures and backup files all have to be covered, or plaintext copies of protected data will leak around the encryption.
File and folder encryption offers features not found in FDE solutions. Flexible key policies can be defined on a per-folder, per-file-type or per-user basis. Keys need to remain in memory only while a file is open and are discarded afterward. Performance on a file-and-folder-encrypted drive is typically better than on one using FDE. Management is simplified because the OS and applications are not involved, and authentication is frequently native to the OS.
Self-encrypting drives
Self-encrypting drives (SEDs) are a class of storage devices that include internal encryption accelerators. The standard interface for these devices is defined by the Trusted Computing Group’s Opal Security Subsystem Class Specification 1.0. Opal specifies either 128- or 256-bit AES encryption, and the encryption key is held within the drive electronics and is never released.
To enable an SED, commands are sent to the drive to configure it for encrypted operation. A small partition is created on the drive to store the boot code, and the Opal specification defines the interface between that boot code and the drive. The boot code authenticates the user to the drive and then hands off to the normal boot process.
There is typically no performance degradation when using SED drives. There is no key backup, because the encryption key never leaves the drive. Instead, the authentication credentials must be backed up, and the vendor-specific restore tools must be capable of restoring the SED authentication sequence.
The right encryption solution: What to consider
Selecting an encryption solution that’s right for your organization requires weighing many factors. Once you understand the technology types, be sure to consider these major points:
- Legacy system support: Take stock of the systems in your environment and the encryption that can be used for them. FDE and file and folder encryption work with new and legacy systems, while SED can be limiting.
- Ease of deployment: FDE solutions require frequent disk defragmentation scans to produce contiguous files, while agent-based solutions can enforce policy transparently to users.
- Removable media: Understand the risk external storage poses; FDE and SED may require a separate product to encrypt external data.
- Flexibility: FDE and SED are overarching solutions, while file-based encryption allows for flexible policy enforcement.
- Audit and enforcement: Ensure the solution you choose enforces your organization’s security policy, and includes audit and reporting capabilities to remain in compliance.
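As an added example for the "take stock of the systems in your environment" step above (this is not from the original article): a POSIX shell inventory helper that classifies a Linux endpoint's mounted filesystems from `lsblk -P` output as dm-crypt FDE, expected plaintext boot partition, or unencrypted, and lists Opal-capable disks from a `sedutil-cli --scan` listing. Both sample inputs are constructed, and the sedutil-cli column layout (device, Opal version or "No", model, firmware) is assumed.

```shell
#!/bin/sh
# Endpoint encryption inventory helpers (added example, not the article's code).
# On a real host run:  lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT | classify_lsblk
#                      sedutil-cli --scan | opal_capable_disks

# Constructed sample of `lsblk -P -o NAME,TYPE,FSTYPE,MOUNTPOINT`:
# sda is LUKS/dm-crypt FDE with a plaintext EFI partition, sdb1 is a bare ext4 data disk.
SAMPLE_LSBLK='NAME="sda" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sda1" TYPE="part" FSTYPE="vfat" MOUNTPOINT="/boot/efi"
NAME="sda2" TYPE="part" FSTYPE="crypto_LUKS" MOUNTPOINT=""
NAME="cryptroot" TYPE="crypt" FSTYPE="ext4" MOUNTPOINT="/"
NAME="sdb" TYPE="disk" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" TYPE="part" FSTYPE="ext4" MOUNTPOINT="/data"'

# Constructed sample in the assumed `sedutil-cli --scan` layout.
SAMPLE_SEDSCAN='Scanning for Opal compliant disks
/dev/sda    2  Samsung SSD 870 EVO 1TB  SVT02B6Q
/dev/sdb   No  ST1000DM010-2EP102       CC43
No more disks present ending scan'

# classify_lsblk: reads lsblk -P lines on stdin and prints one line per
# mounted filesystem:  <mountpoint> <device> <status>
# TYPE="crypt" means the filesystem sits on a dm-crypt mapping (software FDE).
# /boot and /boot/efi are expected to be plaintext, as the article explains;
# anything else not on a crypt device is flagged UNENCRYPTED.
classify_lsblk() {
  awk '
    {
      name = ""; type = ""; mp = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        val = kv[2]; gsub(/"/, "", val)
        if (kv[1] == "NAME") name = val
        else if (kv[1] == "TYPE") type = val
        else if (kv[1] == "MOUNTPOINT") mp = val
      }
      if (mp == "") next                       # not mounted: nothing to assess
      if (type == "crypt") status = "ENCRYPTED(dm-crypt)"
      else if (mp == "/boot" || mp == "/boot/efi") status = "PLAINTEXT-BOOT(expected)"
      else status = "UNENCRYPTED"
      print mp, name, status
    }'
}

# opal_capable_disks: prints devices whose Opal column is anything but "No",
# i.e. drives that can be provisioned as SEDs (hardware encryption).
opal_capable_disks() {
  awk '$1 ~ /^\/dev\// && $2 != "No" { print $1 }'
}
```

Unencrypted data partitions and Opal-capable drives that are not yet provisioned are the two findings this inventory is meant to surface before choosing between FDE, file-level encryption and SEDs.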