Back in July we wrote about the Basics of Encryption. We wrote at great length about asymmetric encryption, or “public key” encryption, and just briefly about symmetric encryption. That does not mean that symmetric encryption is less important. It serves an important purpose. When we speak about encryption in general, and how to apply it, we must use symmetric and asymmetric encryption in combination to achieve the strongest security possible.
Just recently, a hospital in Norfolk, Virginia had two hard drives stolen from its facility. Due to this theft, it is estimated that patient names, medical record numbers, dates of birth, procedure dates, diagnoses, procedures, surgeon and staff names, allergies, visitation notes, and medications associated with the procedures from September 4, 2014 to August 14, 2015 were leaked. But this breach of patient information could have been prevented. It should have been prevented.
This breach leads the security-conscious to consider physical security, but that is a topic best left for another article on another day. Today we want to focus on whole-disk encryption. Even with the drives stolen, whole-disk encryption would have prevented this breach.
Whole-disk encryption relies on the strength and speed of symmetric encryption. Symmetric encryption relies on one key, often a strong password, to encrypt data across the entire drive. We will not go into the details, because they can become complicated quickly. We do want to discuss implementation, though, because data breaches can be prevented.
One way to implement whole-disk encryption is to use Microsoft’s BitLocker technology. For internal drives in workstations and laptops we recommend using BitLocker, primarily because it has been built into the Ultimate (Windows Vista and 7), Professional (Windows 8 and 10), and Enterprise (all versions) editions of Microsoft Windows since Windows Vista. Before you begin encrypting every disk in every computer, there are some things you need to know:
- Data Recovery – Once your disk is encrypted via BitLocker you will have to remember a passphrase, or keep a recovery key if a Trusted Platform Module (TPM) chip is used for key storage. If this passphrase or recovery key is lost, your data will be lost forever. Due to the nature of encryption, recovery without this information is intentionally impossible.
- Time to Encrypt/Decrypt – Depending on the size of the drive it can take hours or days to fully encrypt or decrypt a drive, during which time the system will not be available for use. Encryption and decryption should not be done during production hours.
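One way to check both points on a Windows machine before or during a rollout, as an added example that is not part of the original article. It uses the built-in `Get-BitLockerVolume` cmdlet; the function name `Get-BitLockerReadiness` and the finding strings are made up for this illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker state on the local machine.
# Get-BitLockerVolume ships with the Windows BitLocker PowerShell module.

function Get-BitLockerReadiness {   # hypothetical helper name
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # Key protector types present on this volume (Tpm, Password, RecoveryPassword, ...)
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # A RecoveryPassword protector is the 48-digit recovery key.
        # Its presence here does not prove it has been saved somewhere safe.
        $hasRecovery = $types -contains 'RecoveryPassword'

        $finding = if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            'Not encrypted'
        } elseif ($vol.VolumeStatus -ne 'FullyEncrypted') {
            # Encryption or decryption is still running or paused
            "Conversion not finished ($($vol.EncryptionPercentage)%)"
        } elseif ($vol.ProtectionStatus -ne 'On') {
            'Encrypted, but protection is off or suspended'
        } elseif (-not $hasRecovery) {
            'Encrypted, no RecoveryPassword protector'
        } else {
            'OK'
        }

        [pscustomobject]@{
            MountPoint  = $vol.MountPoint
            VolumeType  = $vol.VolumeType
            Status      = $vol.VolumeStatus
            Percent     = $vol.EncryptionPercentage
            Protection  = $vol.ProtectionStatus
            Protectors  = ($types -join ', ')
            HasRecovery = $hasRecovery
            Finding     = $finding
        }
    }
}

Get-BitLockerReadiness | Format-Table -AutoSize
```

Any row whose `Finding` is not `OK` deserves a look before the machine leaves the building; the script only reads state and changes nothing.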
If you want to implement whole-disk encryption across multiple computers or need a more enterprise-grade solution, we can help you find the right one. There are management consoles that allow an acting administrator to create recovery keys, manage users, and even perform a remote wipe of all data.
We can also help you determine if a computer needs to have whole-disk encryption in the first place. There are times when the convenience of not encrypting your data can be afforded, but this is often determined on a per-machine basis.
If you are looking to implement encryption for external drives, we can help there as well.
Customer and client data must be treated with respect. It is something that we seek to protect at all times. Encryption is just one brick in a wall of security. If you have other concerns about security, please reach out to us.