As regulatory requirements increase and organizations slowly mature, many enterprises are moving to full disk encryption (FDE) for data protection. FDE started to gain traction after the Veterans Administration had to report a major breach when a laptop was stolen from an employee. If the data had been encrypted – and the encryption keys secured – there would have been no requirement to disclose a breach, as most breach disclosure regulations recognize that the loss of encrypted data does not represent a breach (although the original breach disclosure law, California 1386, failed to enumerate what encryption strength or algorithm should be used).
Yes, FDE is an excellent way to prevent the type of accidental data loss associated with laptop and computer theft, but is it a complete solution for end-of-life disposal of such equipment? Several problems with FDE have arisen over the years.
The recent discovery that some MacOS computers store images of files in the clear is one such example. It highlights the concern that arises when an organization opts to rely on FDE as an alternative to data sanitization when it disposes of old hard drives, servers, laptops and desktops.
What is data sanitization?
Data sanitization is a three-part process. First, some action is taken to permanently destroy data. This could be through physical destruction, or digitally overwriting media. The second step is to verify that the data has been effectively destroyed. The final step is to certify and record the data destruction. Records should be kept of this full process for audit purposes.
Here are three key issues with full disk encryption:
A major issue with FDE is that often the data is not encrypted at all. This has occurred with several so-called self-encrypting drives. A manufacturer defect can mean that the onboard encryption modules are not even turned on by default. Another issue with self-encrypting drives is that the encryption keys may be discoverable through various side-channel attacks, which would make the encryption essentially useless.
A second issue with FDE is key management. The encryption keys may be stored in memory, where an attacker can discover them and use them to decrypt the drive. Or, in the case of Microsoft BitLocker, recovery keys may be inadequately protected. While encryption keys are normally protected by the TPM (trusted platform module), in most Windows environments recovery keys are stored in Active Directory in clear text. A determined hacker could get access to Active Directory and thus to all the recovery keys for all the systems, even those that have been scheduled for recycling, or lost or stolen.
There’s one final issue with encryption as a replacement for data sanitization: Attacks against encryption algorithms are ongoing. At the very least, encryption that is considered infeasible to crack today will be trivial to crack in the future. The MITRE report, Security Requirements For Cryptographic Modules, Information Technology Laboratory, National Institute of Standards and Technology, 2001, states:
“Even high profile algorithms by accomplished cryptographic experts” have been defeated in the past and that, “as cryptography advances so rapidly, it is common for an algorithm to be considered ‘unsafe’ even if it was once thought to be strong.”
So relying completely on encryption has to be considered a time-limited defense. Only complete data sanitization, applied even to encrypted data and including testing to confirm that destruction has actually taken place, ensures that data from lost, stolen or recycled equipment will never come back to haunt you.
For your encrypted hard drives, look to these three steps to ensure data sanitization:
- Find and securely overwrite all keys.
- Test media to ensure that all sectors are indeed encrypted.
- Create a tamper-proof audit report.
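As an added example (not code from the original article), the following Python script covers the second and third steps above: it scans a disk image sector by sector, flags any sector whose byte entropy is too low to be ciphertext, and wraps the findings in an HMAC-protected audit record. It assumes a 4 KiB sector size, a 7.0 bits/byte threshold, and placeholder values for the device serial and audit key; the six-sector image it checks is constructed inline.

```python
import hashlib
import hmac
import json
import math
from collections import Counter

SECTOR = 4096            # bytes per sector checked (assumed; use the device's logical sector size)
MIN_BITS_PER_BYTE = 7.0  # ~7.9 expected for 4 KiB of ciphertext; text scores ~4-5, zero fill 0

def sector_entropy(data: bytes) -> float:
    """Shannon entropy of one sector in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def find_cleartext_sectors(image: bytes, threshold: float = MIN_BITS_PER_BYTE) -> list:
    """(sector index, entropy) for every sector that cannot be ciphertext.
    Low entropy proves a sector is NOT encrypted; high entropy does not prove it
    IS (compressed data also scores high), so treat this as a fail-fast check."""
    flagged = []
    for i in range(0, len(image), SECTOR):
        h = sector_entropy(image[i:i + SECTOR])
        if h < threshold:
            flagged.append((i // SECTOR, round(h, 2)))
    return flagged

def audit_record(device_id: str, image: bytes, audit_key: bytes) -> dict:
    """Sanitization verification record with an HMAC so later edits are detectable."""
    flagged = find_cleartext_sectors(image)
    body = {"device": device_id, "sectors_checked": len(image) // SECTOR,
            "cleartext_sectors": flagged, "passed": not flagged,
            "image_sha256": hashlib.sha256(image).hexdigest()}
    payload = json.dumps(body, sort_keys=True).encode()
    body["hmac_sha256"] = hmac.new(audit_key, payload, "sha256").hexdigest()
    return body

def verify_audit_record(record: dict, audit_key: bytes) -> bool:
    """Recompute the HMAC over everything except the tag; a tampered record fails."""
    body = {k: v for k, v in record.items() if k != "hmac_sha256"}
    payload = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(audit_key, payload, "sha256").hexdigest()
    return hmac.compare_digest(expected, record["hmac_sha256"])

def constructed_image() -> bytes:
    """Constructed 6-sector image: a SHA-256 keystream stands in for ciphertext in
    sectors 0, 1, 3, 5; sector 2 is cleartext text; sector 4 is never-encrypted zero fill."""
    def pseudo_cipher(n: int) -> bytes:
        return b"".join(hashlib.sha256(bytes([n, j])).digest() for j in range(SECTOR // 32))
    text = (b"PATIENT RECORD 0042 - DIAGNOSIS: see attached notes. " * 100)[:SECTOR]
    return pseudo_cipher(0) + pseudo_cipher(1) + text + pseudo_cipher(2) + bytes(SECTOR) + pseudo_cipher(3)
```

On a real device, replace `constructed_image()` with the bytes read from the block device after the keys have been overwritten, and keep the audit key off the machine being sanitized.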