Attacking Full Disk Encryption 2

Posted by JD 09/04/2013 at 20:00

As usual, security and convenience ride a fulcrum. As things are easier to use, security usually suffers. That applies to full disk encryption too.

What?

I was reviewing a BSides talk by Tom Kopchak on defeating full-disk encryption. Tom was able to gain administrative access to a Windows laptop with full-disk encryption enabled. We aren’t always safe.

How?

  • Semantic FDE was set up with non-secure options
  • WinXP was the OS – other Windows OSes might be at risk too
  • No Pre-Boot authentication was enabled
  • Laptop had DMA enabled – the FireWire port was active.
  • Cracking the administrative password was possible because there was no pre-boot authentication.
  • No TPM module on the device.

Tom’s Recommendations

  • DO NOT leave portable devices unattended; physical access is required.
  • Disable Standby – RAM has a copy of OS, keys, etc.
  • Disable hibernation, if possible; otherwise write to an encrypted partition.
  • Disable all DMA devices in the BIOS. RAM holds a copy of the OS, keys, etc. Forcing a reboot to change the BIOS settings adds a layer of protection to the data, because a reboot clears RAM. Thunderbolt video is DMA too, so be very careful with security on those machines. Many laptops have PCMCIA or miniPCI slots too, so configure the machine so that getting at it requires a reboot, which clears RAM.
  • Do not enable the OS to boot prior to entering any authentication. This should be a setting in the encryption software.
  • Do not allow trivial passwords to be used.
  • Disable remote password reset.
  • Do not let the helpdesk have access to global keys.
  • Mandatory lost device reporting is critical, even if just misplaced.
  • Check for physical keyloggers around and in USB ports.
  • Test your full disk encryption – independently.
  • Enable TPM, if available.
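As an added example (not from the post or from Tom’s talk), the Python below audits a Linux host against three of the points above: DMA-capable bus drivers loaded without an IOMMU, active swap (the hibernation target) that is not a dm-crypt mapping, and a missing TPM. It assumes the Linux /proc and /sys layout; each check takes its input as an argument, so the same functions run on constructed sample text as well as on a live host.

```python
# Added audit helper, not code from the original post: each check takes its
# input as an argument, so it runs on a live Linux host or on constructed samples.
import os

DMA_MODULES = ("firewire_ohci", "firewire_core", "thunderbolt")  # bus drivers with DMA to RAM

def loaded_dma_modules(proc_modules_text):
    """DMA-capable bus drivers listed in /proc/modules text."""
    loaded = {l.split()[0] for l in proc_modules_text.splitlines() if l.strip()}
    return sorted(m for m in DMA_MODULES if m in loaded)

def iommu_active(iommu_group_names):
    """/sys/kernel/iommu_groups is only populated when an IOMMU driver is active."""
    return len(iommu_group_names) > 0

def unencrypted_swap(proc_swaps_text, dm_uuid):
    """Active swap devices that are not dm-crypt mappings. dm_uuid(dev) returns the
    device-mapper UUID of dev or None; dm-crypt UUIDs start with 'CRYPT-'.
    Caveat: a swap file sitting on an encrypted root is reported too; check it by hand."""
    bad = []
    for line in proc_swaps_text.splitlines()[1:]:  # first line is the column header
        if line.strip():
            dev = line.split()[0]
            uuid = dm_uuid(dev)
            if not (uuid and uuid.startswith("CRYPT-")):
                bad.append(dev)
    return bad

def audit(proc_modules_text, iommu_group_names, proc_swaps_text, dm_uuid, tpm_present):
    """Findings against the DMA, hibernation and TPM recommendations above."""
    findings = []
    mods = loaded_dma_modules(proc_modules_text)
    if mods and not iommu_active(iommu_group_names):
        findings.append("DMA-capable drivers loaded without IOMMU: " + ", ".join(mods))
    for dev in unencrypted_swap(proc_swaps_text, dm_uuid):
        findings.append("swap (hibernation target) not encrypted: " + dev)
    if not tpm_present:
        findings.append("no TPM device present")
    return findings

def live_dm_uuid(dev):
    """/dev/mapper/<name> and /dev/dm-N both resolve to one dm-N block device."""
    try:
        with open("/sys/block/%s/dm/uuid" % os.path.basename(os.path.realpath(dev))) as f:
            return f.read().strip()
    except OSError:
        return None

def audit_live_host():
    read = lambda p: open(p).read() if os.path.exists(p) else ""
    groups = os.listdir("/sys/kernel/iommu_groups") if os.path.isdir("/sys/kernel/iommu_groups") else []
    return audit(read("/proc/modules"), groups, read("/proc/swaps"), live_dm_uuid, os.path.exists("/dev/tpm0"))
```

Calling audit_live_host() on a Linux machine returns a list of findings; an empty list means none of the three checks fired, not that the machine is safe against everything in the list above.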

My Additional Recommendations

  • Do not use WinXP – too many hacker tools exist for that OS.
  • Use F/LOSS for security tools – KeePass, TrueCrypt.
  • Long passwords. Length is important: 20+ characters for storage. Typing an odd sentence is an easy way to create a good, long passphrase, or just take your normal password and append 15 characters of an easy-to-remember pattern.

BTW, the only more convenient AND more secure tool that I know is ssh.

Someone More Paranoid than Me!

This guy has thought through most attacks against whole drive encryption. Nice article.

  1. Daniel 09/11/2013 at 21:21

    What do you recommend to new Linux users trying to enable Self-Encrypting Disk capability on their Linux box?

    First, I am coming across the difficulty of finding a desktop motherboard that supports ATA passwords, which is supposedly the easiest way to enable the SED on SSDs and HDDs that have that capability.

    Secondly, I’ve seen some information that suggests that a lot of motherboards only allow one ATA-password-enabled device.

    Thirdly, I came across this link (https://wikis.utexas.edu/display/ISO/Breaking+ATA+password+security) that suggests that I need to use a more professional solution (such as SecureDoc) to more securely manage my SEDs. Are you aware of any open source programs that can manage multiple SED-capable disks?

    I would like to be able to utilize an SED SSD for my host and SED HDDs for my data.

  2. JD 10/01/2013 at 18:05

    Sorry for the delay Daniel.

    I cannot recommend anything related to SED – never used it myself. I’ve read about drives with BIOS-level password and the OS doesn’t get involved with those at all. Once the disk is unlocked prior to boot, it is unlocked. The OS doesn’t know anything about it.

    I didn’t know about the single-ATA drive limit. Possible and not surprising. I’d ask the SED vendor if they have any recommendations. Addonics is where I’ve purchased storage stuff previously.

    Hook ‘Em Horns! That’s all I know about that link. ;)

    I’d think that SED for the OS would be nearly mandatory, if you need that level of encryption. I don’t know how much I’d trust the total security, however, after recent NSA leaks. For data, I’m extremely confident in Truecrypt with multiple encryption layers, but I’ve only used it on a laptop running Windows. The partition holds virtual machines. I’ve blogged about that here previously.

    Sorry that I’m not much help.