Full Disk Encryption Evolves
Greg Shipley and InformationWeek
September 28, 2009
In January 2009, the Trusted Computing Group released the final specification of the Opal Security Subsystem Class, a standard for applying hardware-based encryption. Moving hard-drive encryption into hardware has a number of advantages. For starters, it works with any OS. It also moves the computational overhead of the encryption process to dedicated processors, alleviating any computing load on the system's CPU. In addition, the encryption/decryption keys are stored in the hard-drive controller and never sit in the system's memory, making "cold boot" attacks ineffective.
Hardware-based FDE also simplifies the key escrow dilemma--that is, the need to manage encryption keys. Simply put, the keys used by the hard drive can be unlocked only by a passphrase entered during the pre-boot sequence. The passphrase is sent to the hard drive controller before the OS boots, so the keys never leave the hard drive's hardware. Also, multiple passphrases can be configured to unlock those keys.
Note that software-based FDE products do allow you to choose the encryption algorithm and variable key strengths, while most Opal drives are limited to AES-128. We see this as being an issue only for organizations that require specific algorithms or larger key sizes.
Consider yourself warned: Without an integrated management infrastructure, enterprise deployment and support of Opal-compliant hard drives will be a nightmare. There are a few key features that are essential. For starters, organizations must manage boot passwords and password resets. If an employee leaves, becomes unavailable, or just forgets the password, IT needs a way to access the data on the drive. Conversely, if an IT administrator leaves, the organization must be able to change admin accounts.