 
BIF
Minister of Gerbil Affairs
Topic Author
Posts: 2458
Joined: Tue May 25, 2004 7:41 pm

Help me understand drive encryption...

Sat Jul 25, 2015 6:40 pm

For the last several years, my company has used whole drive encryption on all employee take-home computers. Think Bitlocker, but that's not the one we actually use. Encryption is compulsory, and if an employee is found to have disabled or bypassed the pre-installed encryption, only bad things await him or her. The good thing is that as far as I can tell from personal experience and conversations with others, even our older generation i5 processors have not experienced any significant performance problems attributable to encryption.

In another development, new laptops have been distributed for the last couple years now with SSDs only. HDDs are not even available on a new build. The company black-boxes everything, so I'm essentially "just a user" because I can't really see how they work.

At home, I have a personal workstation and a personal laptop. Both use an i7 processor from their respective eras. The workstation was built in late 2012 and the laptop is from summer 2011.

When it comes to these personal machines, I'm gradually replacing HDDs with SSDs over time, and I'm also replacing smaller SSDs with bigger capacity SSDs.

So now for my questions:

1. Is it practical to adopt whole drive encryption for personal devices? Will this change the way I take backups, recover lost drives, or perform weekly maintenance?

2a. Is it secure to adopt whole drive encryption for personal devices? I must admit that the company laptop is all managed by the "mothership", so I am woefully ignorant about how this technology actually works. I also have no idea how these various states compare when it comes to security with whole-drive (or whole-partition) encryption: "locked but running", just "sleeping", "off but plugged in to AC", or "off with battery", or "off without battery". Is there a difference in the state of the data for any given computer power state?

2b. I've also read that people suspect some encryption software of having "back doors" for NSA or other US government entities. If I decide to go to the trouble to do this, I'd like to keep the back door closed, if that's even possible.

3a. Keys. I know that Bitlocker and others use keys/certificates. Where should I go to learn more about how this works and what I need to do so that I can be sure I can always recover the data?

3b. State of my backups. I use Macrium Reflect to back up the laptop and the workstation. How does this change when using encryption on the boot, application, and data drives?

3c. Do defraggers still work on HDDs that have been encrypted? Is there anything I need to know here?

3d. I read that SSD provisioning (or is it TRIM?) doesn't work, or doesn't work fully, on SSDs that have been encrypted. I would like to learn more about this too and whether or not encryption could result in poorer performance and/or a lower life expectancy of the drive. If life expectancy is decreased, I would like to know what that means, realistically speaking (does it degrade unnoticeably? By 50%? By 80%?).

4. I would like to know the alternatives to Bitlocker for Windows 8.1 and Windows 10, as well as virtual OSs (Windows and Linux). I mean VMs made to run as virtual systems under those versions of Windows. Truecrypt is gone of course, so I'd like to know what my Open Source and non-Open Source options are, and whether there is information available to help me learn more, and a way to look up whether or not back doors have been reported in them.

Okay, that's enough for now. Thanks in advance for anything you can contribute!
 
NovusBogus
Graphmaster Gerbil
Posts: 1408
Joined: Sun Jan 06, 2013 12:37 am

Re: Help me understand drive encryption...

Sun Jul 26, 2015 2:52 am

I don't have a whole lot of experience with Bitlocker, but here's my thoughts on drive encryption in general:

1. Know your risk. Cat videos and game saves aren't a strategic target, and if you're storing the holiest of holies on the C drive you're doing it wrong. FWIW I keep my juicy stuff on an IronKey-like USB stick so it's only vulnerable when I actually need to access it.

2. Drive encryption won't save you from an active attack while you're using the system, it's really only good for preventing someone from coming along, gaining physical access and grabbing stuff and/or surreptitiously installing malware.

3. Re: backdoors, well the nature of backdoors is you can't know for sure if they're there. Bitlocker is a binary blob, nobody outside Microsoft (and its hypothetical shadowy "friends") knows how it works. Open source isn't an aegis either...keep in mind that, as recent events have shown, the thousand-eye code review is largely a myth and there's no guarantee that someone paid fat stacks to create vulnerabilities didn't pull a fast one on overworked volunteers at your crypto project of choice.

4. Who said TrueCrypt is dead? The security audit didn't find anything alarming and all evidence points to the developers either getting tired of dealing with support or receiving an unfriendly visit from a powerful adversary. Again, if you're worried about the NSA hijacking your TC client you *really* don't want to be keeping that data on a live PC hard drive.

5. Defragging, trim, etc. should still work as per usual. AFAIK Bitlocker just obfuscates data at the sector level so it has the same problems, (in)efficiencies and mitigation practices as normal read/write behavior. If you try to dynamically change the size of your partition that isn't going to work out very well though...think TC volume, once created it's pretty self-contained but can't be resized.

6. Data recovery is always going to be tricky, by design, since blocking unauthorized data recovery is the whole point of disk encryption. Best get your keys set up in triplicate well before you might need them. Most organizations paranoid enough to use BL consider a problematic drive to be a liability and nuke from orbit, take from that what you will.


I personally find the value proposition of Bitlocker to be rather dubious, especially for a personal desktop that stays in one private residence. There's better, more tradecraft-y ways to keep things secure than throwing everything on a hard drive and praying to the gods of Redmond that their system works as advertised.
 
meerkt
Gerbil Jedi
Posts: 1754
Joined: Sun Aug 25, 2013 2:55 am

Re: Help me understand drive encryption...

Sun Jul 26, 2015 10:13 am

Although it doesn't help with temp files and OS-created stuff, I generally like better the idea of mountable-on-demand encrypted-volume-in-a-file:
http://www.jetico.com/products/personal ... encryption
 
BIF
Minister of Gerbil Affairs
Topic Author
Posts: 2458
Joined: Tue May 25, 2004 7:41 pm

Re: Help me understand drive encryption...

Sun Jul 26, 2015 9:09 pm

Thank you both...I will take a look at ironkey for sure.

I was just over at Gibson Research for something unrelated, but I did see his blog entry about how Truecrypt is not dead. So some research is in order there, too.

This laptop (I'm typing this post on it) is 4 years old, and I will probably replace it sometime in the next 18-24 months. So maybe this machine would be a good test and self-training platform.

Edit: I should have clarified that I think I'm interested in doing this, maybe even more since my first post. Not because I'm paranoid or anything. Just because I can. :)
 
TwistedKestrel
Gerbil Elite
Posts: 686
Joined: Mon Jan 06, 2003 4:29 pm

Re: Help me understand drive encryption...

Sun Jul 26, 2015 10:14 pm

Some more points:

-Whole drive encryption can be a blanket approach to secure small amounts of data against "leaking" elsewhere in the system. If you open a document that you keep on an encrypted storage device, the application may immediately save a backup copy of it somewhere; if you hibernate the system or if the system crashes while you have it open, then there may be an unencrypted memory dump somewhere that has the document in it, etc. It also makes interfering with your system when it is outside of your hands much more difficult. Think of things like border crossings and stuff.

-eDrive Bitlocker encryption (Windows 8/10) is essentially free, performance-wise. You might have to jump through a few hoops to get it to work, and not all SSDs will support it, but it is faster and much less stressful on the SSD...

-...because otherwise full-drive encryption on an SSD has a number of problems associated with it. A software encrypted SSD is essentially "full" at all times, which is terrible for performance (drive has to rely 100% on overprovisioned space to perform any writes). The write amplification for any change on a software encrypted SSD is through the roof as well, so it wears on an SSD at a much higher rate. Finally, since you cannot guarantee old versions of encrypted data do not exist elsewhere on the drive, it is not as secure as an encrypted HDD or hardware encrypted SSD. That said, many SSDs are so fast that they just power through most of the performance issues and they may not be noticeable to the end user.

-Trying to proactively secure against undisclosed backdoors in commercial encryption software is next to impossible. The best you can do is stick to trusted vendors (though who could you completely trust, really) or use a machine that is completely airgapped. If we knew about the backdoors, then we wouldn't be using that software :P

I think eDrive is really the way to go if you meet all the requirements.
 
NovusBogus
Graphmaster Gerbil
Posts: 1408
Joined: Sun Jan 06, 2013 12:37 am

Re: Help me understand drive encryption...

Mon Jul 27, 2015 12:05 am

IronKeys are pretty awesome, they're all built like tanks and the nice ones have a microcontroller onboard that bricks itself after X failed key entries. My Lexar/Gemalto counterpart came as a bare drive but I'm told the IK Personal series comes preloaded with some privacy-themed portable apps. Also one of the few flash drives to not only specify SLC or MLC flash, but offer both as options. Eventually I need to pick one up, both as an in-the-wings replacement for the current stick and just because I love big chunky metallic gadgets.

Do note that IK's hardware encryption algorithm is strongly suspected to have a government backdoor. They actually used to proudly trumpet a product endorsement by the NSA, but for some funny reason they don't do that so much anymore. Per my previous post, if this is a concern you need much more sophisticated countermeasures than just hiding behind a big scary math formula.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Help me understand drive encryption...

Mon Jul 27, 2015 5:56 am

TwistedKestrel wrote:
-...because otherwise full-drive encryption on an SSD has a number of problems associated with it. A software encrypted SSD is essentially "full" at all times, which is terrible for performance (drive has to rely 100% on overprovisioned space to perform any writes). The write amplification for any change on a software encrypted SSD is through the roof as well, so it wears on an SSD at a much higher rate.

Are you sure about that? My understanding is that Bitlocker encrypts at the sector level, and that TRIM is still supported on encrypted drives. This implies that there should be little or no effect on endurance or write amplification, other than the extra writes required for the initial encryption pass when Bitlocker is first enabled.
Nostalgia isn't what it used to be.
 
TwistedKestrel
Gerbil Elite
Posts: 686
Joined: Mon Jan 06, 2003 4:29 pm

Re: Help me understand drive encryption...

Mon Jul 27, 2015 11:32 am

just brew it! wrote:
TwistedKestrel wrote:
-...because otherwise full-drive encryption on an SSD has a number of problems associated with it. A software encrypted SSD is essentially "full" at all times, which is terrible for performance (drive has to rely 100% on overprovisioned space to perform any writes). The write amplification for any change on a software encrypted SSD is through the roof as well, so it wears on an SSD at a much higher rate.

Are you sure about that? My understanding is that Bitlocker encrypts at the sector level, and that TRIM is still supported on encrypted drives. This implies that there should be little or no effect on endurance or write amplification, other than the extra writes required for the initial encryption pass when Bitlocker is first enabled.


You're right about it being sector level, there was something faintly ringing in my mind when I wrote that. TRIM still won't be as effective on any SSD that is full or near full as it would be on an SSD with free space. (Write amplification would be an issue for Sandforce drives I guess, but they are somewhat less common these days). I'm not sure TRIM would do anything at all, if it is replacing one sector with another on a fully partitioned drive.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Help me understand drive encryption...

Mon Jul 27, 2015 11:47 am

If each sector is encrypted individually TRIM should work just as well as it does on an unencrypted drive. You're still allocating/freeing the same sectors, the data in them just happens to be scrambled.

You are correct that it will impact Sandforce drives negatively, since the encrypted data will likely be incompressible.
Nostalgia isn't what it used to be.
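
Added example, not part of any post in this thread: a small Python model of the two points discussed above, that sector-by-sector encryption keeps a one-to-one sector mapping (same size, one logical write touches one encrypted sector) and that encrypted sectors no longer compress, which is what a compressing controller relies on. The 4096-byte sector size, the sample data and the SHA-256 counter-mode keystream are assumptions for illustration; the keystream is a stand-in, not the cipher any real disk encryption product uses.

```python
import hashlib
import zlib

SECTOR = 4096  # assumed sector size for the illustration

def keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Stand-in per-sector keystream (SHA-256 in counter mode), not a real disk cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = key + sector_no.to_bytes(8, "little") + counter.to_bytes(8, "little")
        out += hashlib.sha256(block).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    """XOR one sector with its keystream; output length equals input length."""
    ks = keystream(key, sector_no, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def compressed_ratio(data: bytes) -> float:
    """Compressed size / original size, compressing each sector on its own."""
    sectors = [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]
    return sum(len(zlib.compress(s, 6)) for s in sectors) / len(data)

def demo() -> dict:
    key = hashlib.sha256(b"constructed demo key").digest()
    # Constructed sample: 8 sectors of repetitive, log-like text.
    line = b"2015-07-27 11:47:00 INFO backup job finished without errors\n"
    plain = (line * (8 * SECTOR // len(line) + 1))[:8 * SECTOR]
    sectors = [plain[i:i + SECTOR] for i in range(0, len(plain), SECTOR)]
    cipher = [encrypt_sector(key, n, s) for n, s in enumerate(sectors)]
    # Rewriting one logical sector changes exactly one encrypted sector.
    updated = list(sectors)
    updated[3] = b"X" * SECTOR
    cipher2 = [encrypt_sector(key, n, s) for n, s in enumerate(updated)]
    changed = [n for n in range(len(cipher)) if cipher[n] != cipher2[n]]
    return {
        "plain_ratio": compressed_ratio(plain),
        "cipher_ratio": compressed_ratio(b"".join(cipher)),
        "same_size": len(b"".join(cipher)) == len(plain),
        "changed_sectors": changed,
    }

if __name__ == "__main__":
    print(demo())
```
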
 
BIF
Minister of Gerbil Affairs
Topic Author
Posts: 2458
Joined: Tue May 25, 2004 7:41 pm

Re: Help me understand drive encryption...

Sat Aug 01, 2015 9:57 pm

So, I'm feeling like this is a green-light. I'm on Windows 10 now; no issues so far...so maybe in a few weeks.

New question - I use Macrium Reflect for my backups. How best to accommodate encrypted drives for backups?
 
bhtooefr
Lord High Gerbil
Posts: 8198
Joined: Mon Feb 16, 2004 11:20 am
Location: Newark, OH
Contact:

Re: Help me understand drive encryption...

Tue Sep 08, 2015 9:02 am

Here's Macrium's documentation on that: http://kb.macrium.com/KnowledgebaseArticle50140.aspx
 
Atradeimos
Gerbil Team Leader
Posts: 238
Joined: Thu Mar 27, 2008 11:04 pm

Re: Help me understand drive encryption...

Tue Sep 08, 2015 10:11 am

just brew it! wrote:
You are correct that it will impact Sandforce drives negatively, since the encrypted data will likely be incompressible.


Actually, weren't Sandforce controllers supposed to do the encryption for you? As a part of the compression algorithms?

I think their implementation was initially broken, but I'm not sure if they fixed it in later releases. It seemed like a clever idea at the time.

Edit: I guess it was only the 256 bit AES that was broken, and the controllers were using 128 bit instead. I imagine that's sufficient for most users, but I'm not a crypto expert.
