Anyone who has ever owned a computer has some files or folders that are private. One would not want anyone else going through them, but at the same time one would want them to stay on the system, easily accessible whenever needed. That is an inconvenient combination. In such a case, one can turn to encryption.

For a scenario like this, there are two options one can exercise: software-based encryption and hardware-based encryption. Software-based encryption may be easier to deploy and manage, but it is slow, and one has to choose individual files or drives to encrypt. Software-based encryption mostly uses the computer's CPU, which makes the encryption and decryption process slow and far from seamless. If one wants to write and read data on the disk securely, in a manner that safeguards the data from malicious entities while keeping the whole procedure seamless and fast, hardware-based Full Disk Encryption (FDE) is the way to go. FDE transparently encrypts every bit of data travelling in and out of the disk, without the user ever noticing its presence.

Hardware-based Full Disk Encryption comes in three types.

1) Self Encrypting Drives (SED)

This is one of the older methods of achieving FDE. There are a number of variations of this method, but the core concept remains the same. The entire disk is encrypted and decrypted continuously, on the fly, as data is written and read. The CPU and memory of the system never get access to the encryption/decryption keys. At power on, the disk is in a non-accessible state (either still encrypted or in a locked, read-only shadow state). An authentication step is then initiated, which requires the user to enter a previously set password, insert a USB key, present a smartcard, and so on. Successful authentication initiates the decryption of the key, which is then used for disk encryption/decryption. The main operating system files are then loaded, and the boot process continues.

In most variations of this method, the main key is stored on the disk itself. The disk is usually divided into partitions. One very small partition holds the authentication program, the encryption/decryption keys and the special MBR; this partition is unencrypted and available to the system as soon as it is powered on. The other partition holds the real MBR and all the data, and is encrypted and locked until authentication succeeds.

In some variations, a dedicated chip is used to generate and store the keys. This chip is called a Trusted Platform Module (TPM) cryptoprocessor. In addition to providing a safe haven for the encryption/decryption keys, it also verifies the integrity of the boot environment. It does this by keeping a record of the hardware connected to the system (through hashed system variables).

It is important to note that once the system is up and running, all the data on the disk is available. Even if one puts the system to sleep, the data stays in an unlocked state. An attacker can simply disconnect the disk without cutting power to it and connect it to another system (hot swapping), and he or she will have access to all the data. Only when one switches off the system does the disk get locked; a power on then triggers the usual authentication procedure.

Also, if no TPM chip is used, it becomes easy to tamper with the boot environment: a malicious entity can install a custom bootkit to change the boot procedure.

2) Enclosed hard disk drive FDE

In this method, the disk is enclosed in a chassis that contains the controller and the encryption/decryption chip. As long as the drive is inside the chassis, encryption/decryption happens automatically. However, this also means that if the chassis gets damaged, it may not be possible to recover the data. The chassis usually comes in a tamper-evident casing, which shows whether it has been meddled with.

Just like the previous method, encryption/decryption happens at all times. One has to set a password to enable authentication. Even without a password set, if the drive is taken out of the chassis, the data is in encrypted form and hence inaccessible.

3) Chipset Full Disk Encryption

An encryptor bridge and chipset are placed between the system and the disk. Every sector of the disk is encrypted in this way.
