Protect portable computers with full-volume encryption

Tags: PRODUCTIVITY, Notebooks, SECURITY, Deb Shinder, computer, operating system, encryption, portable computer, thieve, SMB Strategies Newsletter

Takeaway: It's important for hardware and software vendors to develop ways to help prevent thieves from accessing the data on a portable computer even if they manage to gain physical possession of the machine. One such solution is full-volume encryption.

The security risks inherent in the increasingly ubiquitous nature of mobile computing have been in the public eye for the past few years. For example, a Computerworld article last month reported that, although the situation has improved somewhat, employees of some government agencies still have trouble holding onto their portable computers: a Department of Justice audit found that the FBI lost an average of four laptops per month over the past four years, some of them containing sensitive data.

Of course, the scope of this problem extends far beyond the public sector. In the business world, workers often take their work home or on the road, and sometimes that involves storing copies of sensitive company files on their portable computers. Or they connect back to the corporate LAN when they're away from the office, and thus have sensitive information such as stored VPN connectoids and LAN logon credentials on the portable machines. It seems as if every few months--or even more often--we read in the news about some financial services company losing laptops that may have clients’ personal information on them.

The convenience factor figures heavily in the popularity of mobile computing, but having all these portable systems out there "in the wild" makes it convenient for thieves, too. Laptops may be stolen purely for the value of the hardware, but in a world where corporate espionage runs rampant, they may also be stolen for the secrets they contain. That’s why it’s important for hardware and software vendors to develop ways to help prevent thieves from accessing that data even if they manage to gain physical possession of the computer. One such solution is full-volume encryption.

How full-volume encryption protects portables

A number of third-party products can encrypt the entire partition on which the operating system and data are stored. This defeats the standard trick of a thief who cannot log on to the OS: booting a different operating system on the computer (from CD or a USB drive, for instance) and reading the original files from there. With the volume encrypted, the foreign OS sees nothing but ciphertext.

In brief, here’s how they work. Called drive encryption, or sometimes (inaccurately) full disk encryption, these products use a strong encryption algorithm such as AES to encrypt the whole partition on which the operating system is installed, so every file on it, the paging file and hibernation file included, sits on disk as ciphertext. Drive encryption is referred to as a "data at rest" protection technology: it protects the contents of a powered-off or stolen disk, not data on a running system that has already been unlocked.

Obviously, if all the data on the OS volume is encrypted, there must be some way for an authorized person to decrypt it so that the computer can boot. That means the key has to be supplied before the operating system starts. This can be done with a boot-time component that prompts the user for a password or PIN, by storing the key on a USB drive or other removable device, or with a Trusted Platform Module (TPM) built into the computer hardware. The TPM is a chip on the motherboard that can seal the volume key to that specific machine and its measured boot path: the chip releases the key only when the firmware and boot loader it measures match what was recorded when encryption was turned on. So if a thief removes the hard disk and puts it in another machine, or boots the original machine through a modified boot loader, the key is never released, and without the recovery key the data stays ciphertext. Note the limit of TPM-only mode, though: a machine that unlocks automatically boots all the way to the Windows logon prompt, so a thief who steals the whole laptop is held off only by the OS logon. Requiring a PIN or a USB startup key in addition to the TPM closes that gap.
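The key hierarchy described above, as an added example written for this page; it is not BitLocker's code or on-disk format, and the "protector" layout, the HMAC stand-in for TPM sealing, the PBKDF2 work factor and every name in it are assumptions of the example. One random volume master key (VMK) encrypts the data; the password, the recovery key and the TPM each hold their own wrapped copy of the VMK, so any one protector is enough to boot and losing all of them makes the data unrecoverable. The TPM stand-in derives its wrapping key from a secret that never leaves the chip plus a digest of the measured boot chain, which is why the same disk in another machine, or booted through a modified loader, does not unlock:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Assumed key hierarchy, not BitLocker's real format: one random Volume Master
// Key (VMK) encrypts the volume, and each protector (password, recovery key,
// TPM) stores its own copy of the VMK wrapped under a key only it can reproduce.
const iterations = 100000 // PBKDF2 work factor for the password protector (assumed)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func random(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// aead builds AES-256-GCM; every key reaching it is 32 bytes, so failure is a bug.
func aead(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }

// wrap returns nonce||AES-256-GCM(key, plaintext); with a wrong key, unwrap fails
// the GCM tag check and yields nothing about the plaintext.
func wrap(key, plaintext []byte) []byte {
	g := aead(key)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

func unwrap(key, blob []byte) ([]byte, error) {
	if len(key) != 32 || len(blob) < 12 {
		return nil, errors.New("bad key length or truncated blob")
	}
	g := aead(key)
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, written out
// so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

// tpmSealKey models a TPM sealing a key to the measured boot state: the chip's
// secret never leaves it, so another machine (other secret) or a modified boot
// loader (other PCR digest) produces a different key and cannot unseal.
func tpmSealKey(tpmSecret, pcrDigest []byte) []byte {
	mac := hmac.New(sha256.New, tpmSecret)
	mac.Write(pcrDigest)
	return mac.Sum(nil)
}

// Volume is what ends up on disk: ciphertext plus one wrapped VMK per protector.
type Volume struct {
	Salt, ByPassword, ByRecovery, ByTPM, Data []byte
}

// NewVolume encrypts data under a fresh VMK and installs all three protectors.
func NewVolume(data []byte, password string, recoveryKey, tpmSecret, pcrDigest []byte) (*Volume, error) {
	if len(recoveryKey) != 32 {
		return nil, errors.New("recovery key must be 32 bytes")
	}
	vmk, v := random(32), &Volume{Salt: random(16)}
	v.Data = wrap(vmk, data)
	v.ByPassword = wrap(pbkdf2SHA256([]byte(password), v.Salt, iterations), vmk)
	v.ByRecovery = wrap(recoveryKey, vmk)
	v.ByTPM = wrap(tpmSealKey(tpmSecret, pcrDigest), vmk)
	return v, nil
}

// open recovers the VMK through one protector, then decrypts the volume.
func (v *Volume) open(wrappedVMK, key []byte) ([]byte, error) {
	vmk, err := unwrap(key, wrappedVMK)
	if err != nil {
		return nil, errors.New("protector rejected: VMK not recovered")
	}
	return unwrap(vmk, v.Data)
}

func (v *Volume) OpenWithPassword(pw string) ([]byte, error) {
	return v.open(v.ByPassword, pbkdf2SHA256([]byte(pw), v.Salt, iterations))
}
func (v *Volume) OpenWithRecoveryKey(key []byte) ([]byte, error) { return v.open(v.ByRecovery, key) }
func (v *Volume) OpenWithTPM(tpm, pcr []byte) ([]byte, error)    { return v.open(v.ByTPM, tpmSealKey(tpm, pcr)) }
```

Calling OpenWithTPM with a different TPM secret or a different PCR digest fails at the GCM tag check on the wrapped VMK, exactly the "disk moved to another machine" case, while OpenWithRecoveryKey with the escrowed key still opens the volume. That asymmetry is the whole argument for creating recovery keys and storing them securely but accessibly: the recovery protector is the only way back in once the hardware, the boot chain or the user's memory changes.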

Note that full-volume encryption is especially attractive for portable computers because they're at greater risk of falling into the wrong hands, but it can also be useful for desktop computers that are exposed to physical access by unauthorized persons.

Microsoft gets into the drive encryption business

Now Microsoft has added its own drive encryption implementation, called BitLocker, to the new Windows Vista operating system. It can be used with a TPM-enabled computer or, once the Group Policy setting that allows BitLocker without a compatible TPM has been enabled, with a non-TPM system that has a USB port and firmware able to read the USB drive before Windows starts; in that case the startup key lives on the USB flash drive, which must be present at every boot. BitLocker encrypts the boot partition on which Vista is installed. It also requires a second, unencrypted partition of at least 1.5 GB called the system volume, which holds the boot files and should not be used to store data. Both partitions must be formatted with NTFS.

BitLocker eliminates the need to purchase third-party software to protect portables with full drive encryption, but here’s the rub: BitLocker is only available in the Enterprise and Ultimate editions of Vista. This doesn’t sit well with some in the small and midsize business world, who feel that Microsoft has effectively locked them out. The reasons for not including BitLocker in the Home editions of Vista are obvious, but many are wondering why it’s not in the Business edition. That’s the edition many SMB customers are most likely to deploy, since Enterprise edition is not available through retail channels and Ultimate edition is costly and contains entertainment features, such as Media Center, that companies don’t need and don’t want their users to have available.

This question came up for me last week during a discussion with fellow IT pros following a Microsoft presentation on BitLocker. The reasoning apparently is that although BitLocker offers valuable protection, it’s best deployed in a very controlled (i.e., enterprise) environment, where knowledgeable admins are more likely to ensure that recovery keys will be created and stored securely but accessibly. In a less controlled environment (i.e., small business), there’s a greater likelihood of users getting themselves into trouble by encrypting the volume and being unable to recover it. Or so the thinking goes. But why, then, put it in Ultimate?

I suppose the answer to that is that Ultimate, by its nature (and price), is designed to be a superset of all the other editions. If you shell out the big bucks, you get it all. One could also argue that Ultimate is likely to be purchased primarily by "power users," or those with more technical savvy, who--like the enterprise IT pros--are less likely to implement BitLocker improperly and suffer data loss as a result.

BitLocker for SMBs?

Even though Microsoft made the business decision to leave BitLocker out of Business edition, SMBs should not take this to mean that full-volume encryption is an enterprise-only solution. Enterprise edition offers other advantages besides BitLocker, such as better support. The cost difference between Business and Enterprise is about $100, which is less than the cost of many third-party drive encryption products and comes out to less than $34 per year over a three-year period of using the OS.

Of course, if you go with third-party products, you don’t have to upgrade to Vista to get full volume encryption protection. There are a number of both commercial and open source drive encryption products available for older versions of Windows, as well as solutions for those running Linux.

Bottom line: full-volume encryption is appropriate for any portable computer that holds sensitive data (the definition of which includes much more than just confidential client data), regardless of the size of your company. And whether it’s BitLocker or a third-party product, there’s a solution that will let you benefit from this valuable addition to your multi-layered security strategy.
