Data is among the most important resources of every corporate organization. Since every organization now prioritizes data security, special attention is needed to protect sensitive information. Employee devices such as laptops are exposed to security risks and must be protected. In this guide, we will discuss Full Disk Encryption with PBA or without PBA, UEFI, Secure Boot, BIOS, File and Directory Encryption and Container Encryption. See also how to enable FileVault disk encryption on a Mac device, how to enable or disable BitLocker on Windows 10 (or this link), and BitLocker Drive Encryption architecture and implementation scenarios.
Below are some of the dangers that data is exposed to:
- Devices can be stolen or misplaced, making data breaches very expensive,
- misuse of access rights and manipulation of information, and
- disclosure of sensitive information.
Encryption is a process that encodes a message or file so that it can only be read by authorized parties. An encryption algorithm transforms the data under a key, and the receiving party uses the corresponding key to decrypt the information. You may also want to see “How to convert a GPT disk into an MBR disk – Error: Windows cannot be installed on drive 0 Partition 1“, and how to extend the System Drive Partition.
Full Disk Encryption with PBA or without PBA, UEFI, Secure Boot, BIOS, File and Directory Encryption and Container Encryption
In this section, we will discuss the varieties of full disk encryption, with or without pre-boot authentication.
There are two main types of computer encryption: Full Disk Encryption (FDE) and File or Folder-Level Encryption (FLE). FDE and FLE are not mutually exclusive: they serve different purposes and can be used together to achieve higher security. I have tested FDE with PBA using DriveLock; kindly visit this guide for more information on the concept of DriveLock with a focus on encryption.
Note: The General Data Protection Regulation (GDPR), a regulation in EU law on data protection and privacy in the European Union, specifies the organisational and technical measures that need to be employed to ensure an adequate level of protection of personal data during processing.
Also, the national IT protection guidelines emphasize and recommend the encryption of notebooks and external storage media. Here is how to initialize and format a virtual disk: How to add and remove a new virtual disk from a VM on VMware Workstation.
Part A: Full Disk Encryption (FDE)
FDE, also known as “hard drive encryption”, is a security mechanism that encrypts the entire disk and requires a password or other authentication material to decrypt the disk data at boot. This is typically performed by third-party software, but it can also be integrated into the disk hardware.
FDE comes into play when an attacker has physical access to the device, say a laptop, and can read the data on the disk. As stated in the first paragraph, "Data is among the most important resources of every corporate organization".
Operating system (OS) security cannot do much to mitigate this attack; this is where FDE comes into play. FDE’s simplicity makes it more robust than OS-level security. Here is an example of an FDE solution with PBA that I have tested: “how to download DriveLock software and install DriveLock”. Kindly take a look at this guide as well: “Important DriveLock components to master”.
- FDE’s role is to take care of the computer’s security when the OS is not running (powered off), making it impossible to access the data on the device.
- Note: The OS firewall and numerous other helpers take care of the underlying security while the OS is running.
- As discussed previously, an OS can be attacked through the network, or by someone sitting on the other side of the cubicle. FDE cannot do much in this case, as it only helps if the attacker gets hold of the computer, whether a laptop or a virtual machine in the cloud. For the running-OS case, file and directory encryption should be employed as well.
Pre-boot authentication with BitLocker is a policy setting that requires user input, such as a password, PIN, or startup key (or a combination of these), to authenticate before the contents of the system drive become accessible.
FDE with PBA or Without PBA Attack Scenarios
Pre-boot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor such as a PIN or startup key. This helps mitigate DMA and memory remanence attacks. Because of this, I will be discussing FDE with Pre-Boot Authentication (PBA) and Without PBA.
- FDE with PBA: When the attacker gets hold of the device and powers it on, they are prompted with the PBA authentication screen. Without the right credential, the attacker can do nothing and the data is more or less useless to them. (BitLocker use case: if Windows cannot access the encryption keys, the device cannot read or edit the files on the system drive; the only option for bypassing pre-boot authentication is entering the recovery key.) Other solutions work differently; DriveLock has an emergency account for this kind of rescue as well.
- FDE without PBA: In this model, the drive is unlocked automatically and the OS is booted without any user authentication. Because attackers are becoming more sophisticated by the day, an attacker with access to the physical device can measure and attack the boot process, for example by applying a logic analyzer to monitor the flow of data between the disk, CPU, and memory during boot in order to capture the disk’s encryption key.
While some organizations might consider FDE without PBA secure, in reality, given the increased attack surface and its vulnerability, it is not a well-calculated choice for security-conscious organizations. With this in mind, I would recommend using FDE with PBA.
Therefore, the need for authentication is evident, and it can be done in either of the following ways; the choice is yours. It is worth pointing out that both can be implemented in a single solution if you are that security conscious!
1: Full Disk Encryption with PBA
Authenticate the user before the drive is unlocked and the OS is booted up. Here, PBA provides an environment external to the OS as a trusted authentication layer and prevents any data from being read from the drive, including the OS, until the user authenticates to the PBA by entering the right credentials. See these articles “concept of DriveLock with a focus on Encryption and how to install Standalone Installation DriveLock Encryption software“.
2: Full Disk Encryption without PBA
Authenticate the user after the drive is unlocked: unlock the drive automatically, then load the OS or an application and prompt the user to authenticate. This model is not PCI DSS compliant; you can read more about this on their site.
Part B – Unified Extensible Firmware Interface (UEFI)
The Unified Extensible Firmware Interface is often abbreviated as UEFI. The UEFI specification establishes a standard model for the interface between a personal computer’s OS and its platform firmware.
This provides a standard environment for booting an operating system and running pre-boot applications such as the PBA for FDE described in Part A. UEFI has replaced the legacy BIOS interface that was used with Windows 7 and older devices; on more modern devices, such as those running Windows 10, UEFI is widely adopted.
Part C – Secure Boot
This is one of the key security features of UEFI. UEFI Secure Boot is a verification mechanism for ensuring that code launched by the firmware is trusted.
When Secure Boot is enabled, the UEFI Boot Manager firmware built into the computer checks the signature of each UEFI driver and application that it loads. If the module is not properly signed (i.e. not trusted) or its signature has been revoked, the UEFI Boot Manager rejects the module and may display an error such as “Security Violation” at boot time.
Secure Boot helps mitigate attacks when the attacker gets access to the unattended or shutdown device. Secure Boot also helps secure the boot process against rootkits.
Part D – BIOS
BIOS stands for “Basic Input/Output System”, and is a type of firmware stored on a chip on your motherboard. When you start your computer, the computer boots the BIOS, which configures your hardware before handing it off to a boot device (usually your hard drive). The BIOS boot password is simply a logical check inside the BIOS chip, which can be bypassed by flashing the BIOS manually or replacing the chip. It’s a soft protection mechanism.
Note: Both UEFI and BIOS are low-level software that starts when you boot your device. Both offer interfaces you can access to change a variety of system settings.
For example, you can modify the boot order, tweak overclocking options, lock down the computer with a boot password, enable hardware virtualization support, and adjust other low-level features.
These passwords allow you to prevent people from booting the computer, booting from removable devices, or changing BIOS or UEFI settings without your permission.
Trusted Platform Module
A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. On some platforms, TPM can alternatively be implemented as a part of secure firmware. BitLocker binds encryption keys with the TPM to ensure that a computer has not been tampered with when offline. See this guide on how to determine if TPM is present on your device.
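To make concrete both the TPM key binding just described and the difference between FDE with and without PBA from Part A, here is an added Python model (not code from this post, DriveLock or BitLocker): a toy TPM extends a PCR over a measured boot chain, and the volume key is sealed to the expected PCR value, optionally also requiring a PIN. The SHA-256/HMAC wrapping, the storage root secret, the volume key and the boot chains are all constructed stand-ins for a real TPM's sealing.

```python
import hashlib
import hmac

# Constructed sample values (not real keys): the toy TPM's internal secret and a
# 32-byte volume master key (VMK) that the FDE software needs to unlock the disk.
SRK = hashlib.sha256(b"constructed TPM storage root secret").digest()
VMK = hashlib.sha256(b"constructed volume master key").digest()

# Constructed boot chains; the second one has a modified OS loader.
GOOD_BOOT = [b"firmware v1", b"bootmgr signed", b"winload signed"]
TAMPERED_BOOT = [b"firmware v1", b"bootmgr signed", b"winload tampered"]


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM PCR extend: new_pcr = SHA256(old_pcr || SHA256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(chain) -> bytes:
    """Measure an ordered boot chain into one PCR value (PCR starts at all zeros)."""
    pcr = bytes(32)
    for component in chain:
        pcr = extend(pcr, component)
    return pcr


def seal(vmk: bytes, expected_pcr: bytes, pin: bytes = b"") -> dict:
    """Seal the VMK so it can only be unsealed with the same PCR value and PIN.
    Model: wrapping key = SHA256(SRK || PCR || PIN); VMK is XOR-wrapped and MACed."""
    kek = hashlib.sha256(SRK + expected_pcr + pin).digest()
    blob = bytes(a ^ b for a, b in zip(vmk, kek))
    return {"blob": blob, "tag": hmac.new(kek, blob, hashlib.sha256).digest()}


def unseal(sealed: dict, current_pcr: bytes, pin: bytes = b""):
    """Return the VMK only if the current PCR value and PIN satisfy the sealing policy."""
    kek = hashlib.sha256(SRK + current_pcr + pin).digest()
    tag = hmac.new(kek, sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        return None  # policy not met: tampered boot chain, or wrong/missing PIN
    return bytes(a ^ b for a, b in zip(sealed["blob"], kek))


def boot(sealed: dict, chain, pin: bytes = b""):
    """Simulate a boot: measure the chain, then ask the TPM to release the VMK."""
    return unseal(sealed, measure_boot(chain), pin)


# TPM-only protector (FDE without PBA): the key is released automatically on a
# clean boot, but refused when a measured boot component was modified.
TPM_ONLY = seal(VMK, measure_boot(GOOD_BOOT))
# TPM+PIN protector (FDE with PBA): a clean boot alone is not enough.
TPM_PIN = seal(VMK, measure_boot(GOOD_BOOT), pin=b"constructed-pin-1234")
```

Running `boot(TPM_ONLY, GOOD_BOOT)` releases the key with no user interaction, which is exactly the automatic unlock that the "without PBA" attack scenarios above rely on; `boot(TPM_PIN, GOOD_BOOT)` returns nothing until the correct PIN is supplied.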
Part E: What are the attack scenarios for Full Disk Encryption?
In reality, Full Disk Encryption (FDE) prevents unauthorized access to the data in case the device is lost. It also protects against malicious tampering with the files on the disk while the device is turned off.
Note: FDE provides no protection against attackers with remote access while your PC is powered on, because the disk is already unlocked and its data is decrypted for the running OS. This is where “file-level encryption” comes into play. DriveLock has a solution for this called “DriveLock Smart File Protect”.
Part F – File and Folder Level Encryption (FLE)
FLE is an encryption method that takes place at the file system level. This enables the encryption of individual files and directories. Here are some further benefits of FLE.
- In case the device is infected, it protects sensitive files from being sent to the attacker.
- It also prevents unauthorized access to your files and folders while you are actively working on the device: encrypted files are decrypted only on an explicit user request, by providing a password.
- Even if your password falls into the wrong hands, your files are still protected.
Part G – Container Encryption
The exchange of data is still often done with the help of mobile data carriers such as USB sticks. The risk of data loss is high in this case, be it through accidental loss or theft. Data can be copied within seconds without the person concerned noticing. This option provides methods to encrypt removable media, USB, and external hard drives. This allows you to encrypt the entire partition (entire device) which is similar to FDE.
DriveLock has a module for this called Encryption 2-Go or Container Encryption. This ensures that your data is protected even when it leaves the organization via storage media such as USB sticks.
I hope you found this blog post helpful. In this guide, you have learnt about Full Disk Encryption with PBA or without PBA, UEFI, Secure Boot, BIOS, File and Directory Encryption and Container Encryption. If you have any questions, please let me know in the comment section.