As usual, security and convenience balance on a fulcrum: as things get easier to use, security usually suffers. That applies to full-disk encryption too.
I was reviewing a BSides talk by Tom Kopchak on defeating full-disk encryption. Tom was able to gain administrative access to a Windows laptop with full-disk encryption enabled. We aren’t always safe.
What made the attack possible
- Symantec FDE was set up with insecure options.
- WinXP was the OS – other Windows versions might be at risk too.
- No pre-boot authentication was enabled.
- The laptop had DMA enabled – FireWire was turned on.
- The administrative password could be cracked because there was no pre-boot authentication.
- No TPM on the device.
Recommendations from the talk
- DO NOT leave portable devices unattended; the attack requires physical access.
- Disable standby – RAM keeps a copy of the OS, the keys, etc.
- Disable hibernation if possible; otherwise make sure the hibernation file is written to an encrypted partition.
- Disable all DMA devices in the BIOS – a DMA device can read RAM, which holds a copy of the OS, the keys, etc. Making a BIOS change require a reboot adds a layer of protection, because the reboot clears RAM. Thunderbolt video is DMA too, so be very careful with security on those machines. Many laptops also have PCMCIA or miniPCI slots, so force a reboot before those can be used, so that RAM is cleared.
- Do not let the OS boot before authentication has been entered. This should be a setting in the encryption software.
- Do not allow trivial passwords.
- Disable remote password reset.
- Do not give the helpdesk access to global keys.
- Mandatory lost-device reporting is critical, even if the device was just misplaced.
- Check for physical keyloggers around and in USB ports.
- Test your full-disk encryption – independently.
- Enable the TPM, if one is available.
My Additional Recommendations
- Do not use WinXP – too many hacker tools exist for that OS.
- Use F/LOSS for security tools – KeePass, TrueCrypt.
- Use long passwords; length is what matters. Use 20+ characters for storage. Typing an odd sentence is an easy way to create a good, long passphrase, or just take your normal password and append 15 characters of an easy-to-remember pattern.
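The talk's recommendations and the additional ones above can be turned into a quick audit. The script below is an added example, not from the original post or the talk; it assumes Windows 8.1 or later with PowerShell 5 run from an elevated prompt, an English locale (it parses powercfg output), and BitLocker as the FDE product, so the pre-boot check would need vendor tooling for a Symantec setup like the one in the talk.

```powershell
# Added audit script (not from the original post): checks a Windows laptop
# against the FDE recommendations above. Assumes Windows 8.1+, PowerShell 5,
# an elevated prompt, English locale, and BitLocker as the FDE product.
$findings = @()

# OS: the talk's target was WinXP; other end-of-life versions get the same verdict.
$os = Get-CimInstance Win32_OperatingSystem
if ($os.Caption -match 'XP|Vista|Windows 7') { $findings += "End-of-life OS: $($os.Caption)" }

# Hibernation writes RAM, keys included, to hiberfil.sys on the system drive.
$pwr = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
if ($pwr.HibernateEnabled -ne 0) { $findings += 'Hibernation enabled (keys persist in hiberfil.sys)' }

# Standby keeps RAM powered. 'powercfg /a' lists the available sleep states
# first and the unavailable ones second, so only the first part is inspected.
$avail = (((powercfg /a) -join "`n") -split 'not available on this system')[0]
if ($avail -match 'Standby \(S[1-3]\)') { $findings += 'Standby (S1-S3) is available' }

# DMA: FireWire (1394) and PCMCIA controllers, and Thunderbolt, can read RAM.
$dma = Get-PnpDevice -Status OK -ErrorAction SilentlyContinue |
  Where-Object { ($_.Class -in '1394','PCMCIA') -or ($_.FriendlyName -match 'Thunderbolt') }
foreach ($d in $dma) { $findings += "DMA-capable device present: $($d.FriendlyName) [$($d.Class)]" }

# TPM: present and provisioned, so the disk keys can be sealed to it.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
if (-not $tpm -or -not $tpm.TpmPresent) { $findings += 'No TPM present' }
elseif (-not $tpm.TpmReady)             { $findings += 'TPM present but not ready' }

# Pre-boot authentication: a TPM-only protector unlocks the drive unattended and
# boots straight to the logon screen with the keys already in RAM, which is the
# condition the talk relied on. PIN, startup-key or password protectors stop that.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
if (-not $vol -or $vol.VolumeStatus -ne 'FullyEncrypted') {
  $findings += 'System drive is not fully encrypted'
} elseif (-not ($vol.KeyProtector.KeyProtectorType -match '^(TpmPin|TpmStartupKey|TpmPinStartupKey|Password)$')) {
  $findings += 'No pre-boot authentication on the system drive (TPM-only or recovery-only protectors)'
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

The remaining items on the lists (BIOS settings, helpdesk key access, remote reset, physical keyloggers) are policy or physical checks and are not covered by the script.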
BTW, the only more convenient AND more secure tool that I know is ssh.