To achieve the ultimate in full disk encryption protection requires hardware-enabled encryption on board the hard drive. Drive-based encryption closes all of TPM's loopholes, since the encryption key is no longer stored in OS-accessible memory. Hardware-based full disk encryption also eliminates the performance penalty incurred by software-based full disk encryption, although with today's fast, processors, that software encryption overhead is not noticeable to most users.
The cost for TPM protection starts at zero for Microsoft's BitLocker, which is built into Vista Enterprise and Ultimate, Windows Server 2008, and the forthcoming Windows 7. Major laptop manufacturers also sell software bundles that enable TPM in any Windows version, including XP, such as Wave's Embassy Trust Suite and McAfee's SafeBoot. The advantage of bundled software is sole-source support and pre-tested configurations.
You can also roll your own software protection using stand-alone packages such as PGP Whole Disk Encryption.
All these products support a wide range of enterprise-class management tools that let you enforce uniform policies and centrally store encryption keys, including special data-recovery keys that solve the problem of lost passwords and prevent employees from locking employers out of their hard drives.
If you can't do TPM, here's your plan B for encryption
Although the deployment of TPM-based full description is ideal, you may count the cost of full disk encryption and come up short-funded, especially if you just refreshed your enterprise laptops with non-TPM models. Forklifting your entire laptop population is an undeniably expensive proposition, as is replacing the non-TPM laptops if your company has a mix of TPM and non-TPM laptops. If you can't go all TPM, there's a plan B that can give you much of the encryption benefits you need.
You might think that plan B involves partial disk encryption, typically deployed by designating specific folders on a laptop as encrypted; as files are moved into that folder, they are automatically encrypted. Apple and Microsoft have long offered this form of encryption, via FileVault on the Mac and the Encrypted File System tools in Windows XP and Vista. But this approach has a major flaw: It depends on users to properly store sensitive data only in encrypted form.
A variation of folder-level encryption is virtual disk encryption (VDE), in which a single disk file contains a virtual disk image that the user can mount when needed; this virtual disk collects all sensitive files in one location. Microsoft's BitLocker offers this feature in all Vista editions, as well as in Windows Server 2008 and Windows XP. Third-party products such as PGPDisk and even free open source software programs such as TrueCrypt have VDE capabilities. Many of these third-party utilities are easier to use than BitLocker, so they can save you some implementation expense.
Another form of partial disk encryption is to apply encryption to specific files, typically those residing on corporate servers that users want to open locally. In this approach, users must enter a password every time they open a protected file. IT not only is on the hook to ensure that all sensitive files get encrypted but also has no way to stop users from simply saving the opened file as an unencrypted copy. Still, this protection is better than nothing and is widely available via free disk utilities. But key management can be a problem, and these file-level encryption tools generally don't support multifactor authentication.
But the best plan B to TPM-enabled full disk encryption isn't any of these partial disk methods. The best plan is software-only full disk encryption, in which either the operating system or a third-party program performs the same encryption as with TPM but uses another method to store the encryption keys, such as a thumb drive or a smart card.
The good news is that virtually all-TPM full disk encryption suppliers' offerings, including BitLocker, can operate in this software-only mode, which relies on a removable hardware token so that you can use this approach for your non-TPM devices while having a consistent encryption method to manage across all your laptops.
It's true that software-based full disk encryption is less secure than if you have a TPM-equipped laptop: The entire drive can still be encrypted, but a determined hacker will have more opportunities to gain access through compromised keys. For example, if the key-storage token is left with the notebook computer (how likely is that?), the hacker may be able to simply plug the token in and gain access to the drive contents. Even multifactor authentication in this scenario is subject to attack by inspection, since the key token is not tightly bound to the system motherboard.
Still, when TPM-enabled encryption is not an option, pure software full disk encryption can still give you considerable peace of mind, as well as provide the "safe harbor" benefits afforded encrypted systems in data-privacy regulations. Software full disk encryption solutions have also been around long enough that they're available for most mobile computing platforms, including Linux and Mac OS X.
TPM technology changes to come
Although TPM full disk encryption with hardware-based encryption in the hard drive is the best you can do for data protection today, security researchers are constantly testing TPM's mettle and devising improvements to it.
One potential vulnerability of today's separate TPM chip implementation is that keys must be transported across conductors in the motherboard to the CPU for software-based full disk encryption, or to the hard drive for hardware-based full disk encryption. That could provide an entry point for a hacker. That's why a major vendor trend is to move all TPM-oriented data manipulation on to the CPU chip set in the form of customized silicon. Intel has advertised its vPro solution, which is part of the upcoming Danbury processor and Eaglelake chip set. This feature will perform all encryption and decryption for SATA and eSATA drives without involving the CPU, OS device drivers, or even the hard drive itself.
Such an approach could make TPM even more secure. But there's no reason to wait until such chips are standard in laptops. With today's TPM-equipped laptops, and with the software-based fallback option for non-TPM laptops, you have a platform for a consistent, manageable, secure deployment strategy. Consider yourself lucky if you've successfully dodged the stolen laptop bullet thus far. But don't tempt fate -- or hackers. Implement some form of laptop encryption today.
This story, "Your Laptop Data Is Not Safe. So Fix It." was originally published by InfoWorld.