What you will learn: This tip explains the pros and cons of hardware-based laptop disk encryption and offers an overview of products on the market today.
Unless you've been playing Second Life nonstop for months, you're probably all too aware of the problem of data loss from laptop computers. It seems like every month there is another announcement where megabytes of sensitive data is lost because someone's laptop was stolen.
Protecting information on laptops comes down to three things:
First, control the information on the laptops with policies that limit the kind of data that can installed on them.
Second, make the laptops harder to steal with appropriate security measures.
Third, make it as hard as possible for anyone to use the information on the laptops by encrypting it. Fortunately, manufacturers are making it easier to protect laptops with encryption.
Data can be encrypted at the file level with software, the entire disk can be encrypted with software, or you can use a special hard disk with built in encryption of the entire disk. File-level encryption is best suited for data in motion over a network, disk-level encryption in software is more secure, and hardware encrypted disks are more secure yet.
Of course. none of this is absolute. For one thing, it depends on the nature and implementation of the encryption scheme used. Also, the security levels are relative. Once a hard disk is physically in the hands of the bad guys, it is at risk. The question is how much effort is needed to get at the information. In the case of a well-designed hardware encrypted disk, the effort should be very large indeed.
Full disk encryption (FDE) usually prevents the computer from being booted up without the password or key. That protects not only the files themselves, but also things like .tmp files, buffers and other points of attack.
The problem with software-based FDE is overhead. Effective encryption takes processing power, and software FDE increases save time by 40% to 300%, depending on the product. By contrast, hardware FDE unloads the encryption function onto a specialized processor, typically built into the disk or controller and has little or no effect on disk performance.
While there have been hardware-based FDE products before, such as Enova, very few computer manufacturers supply laptop systems with them. Now Seagate, Hitachi and others are offering laptop drives with built-in full-disk encryption and other drive manufacturers are expected to follow soon.
This is still very new. Seagate and Hitachi only announced their FDE drives in Dec. 2006 and began shipping their drives in the spring of 2007. The first vendor to announce a laptop using them, ASI Computer Technologies, has just begun shipping Seagate-equipped laptops to VARs for resale to vertical market. According to ASI, the base price of the systems is around $2,150. The Hitachi drives are available in Alienware and Dell XPS laptops. The company says the Travelstar 7K200 will be available from retailers this summer for about $250 for aftermarket installation.
Unlike Seagate, which uses a separate chip to handle encryption, Hitachi builds the encryption function into the disk firmware. This allows FDE to be easily enabled by the manufacturer before shipping the disk. (Encryption cannot be enabled or disabled by the purchaser.)
FDE introduces some requirements of its own. Key management is a major issue, just as it is with any encryption scheme. For that reason, you want to make sure you have an effective key management and recovery system in place before introducing FDE laptops into the organization. It may also make sense to standardize on a single brand of drive with good key management facilities.
About the author: Rick Cook specializes in writing about issues related to storage and storage management.
