Information Security, Privacy and Regulatory Compliance - Encryption

Whole Disk Encryption (WDE) – And Comparison of PGP vs TrueCrypt for WDE

nospam@example.com (Keith Pachulski) — Thu, 03 Jun 2010 20:40:37 -0400

Whole Disk Encryption (WDE^[?]) – And Comparison of PGP vs TrueCrypt for WDE

In this day and age there is absolutely no reason for any business with laptops being used for business or personal reasons that contain sensitive information to not be encrypted.

Whole Disk Encryption, also known as Full Disk Encryption, is what it says; it encrypts all information contained on the specified disk or partition. WDE should not however not to be confused with file system encryption. With WDE one key is used to encrypt the entire disk. Should the key become compromised, the entire disk is thereby compromised. For those individuals needing or who are required to transmit sensitive information on their laptops, I would strongly recommend using WDE in conjunction with file system encryption.

File system encryption is often known as folder or file encryption because it was designed, from a high level, to encrypt specific targets within the system whereas WDE deals with the entire disk.

File System encryption examples can be found in a previous blog post on TrueCrypt Containers for examples.

TrueCrypt vs PGP	TrueCrypt	PGP
Cost	Free	$149.00
Encrypt internal, external and removable media	yes	yes
Encrypt all user data, applications, boot sector and swap files	yes	yes
Shred/Wipe Function	no	yes
Encrypt Email	no	option $$
Encrypt IM	no	option $$

TrueCrypt Whole Disk Encryption on Windows - Step by Step

Select Create Volume

Encrypt the system partition or entire system drive

Type of System Encryption - Normal

Area to Encrypt – Encrypt the whole drive

Encryption of the Host Protected Area – If you know there are utilities in the Host Protected Area (HPA) you do not want encrypted, select No – Otherwise encrypted the HPA as well

Number of Operating Systems – Select the appropriate response, typically this will be 1

Encryption Options – Select the Preferred Encryption and hashing Algorithms – for NIST^[?] compliance select AES^[?]

Notes:
Unlike PGP below where you generate your public/private keypair that can be used for other PGP plug-in applications, the keys for TrueCrypt are generated based on the movement of your mouse and are only used for drive encrypt/decrypt functions
If you are overly paranoid, you can select a cascading algorithm here such as AES+TwoFish to increase the strength

Password – enter the password, this will be used to access the system once the entire disk has been encrypted

Rescue Disk – The iso image created must be copied off the system and it is recommended it be burnt to a CD. This will be required if the password is forgotten or any portion of the loader becomes corrupted. Once the image has been burnt, eject and reinsert the CD and click next to allow Truecrypt to verify the image. Once it has completed, it will ask you to reboot, select yes for the encryption Pretest.

At the boot prompt, enter the password you had entered earlier.

Once Windows boots, you'll be presented with the Pretest screen and the option to begin the encryption process, select Encrypt, go for a coke...

The encryption status window will appear, once the disk encryption has completed a notification window will appear.

That’s about all that you need to do.

If for whatever reason you want to permanently decrypt the drive, open the TrueCrypt application, select System then “Permanently decrypt system partition/drive”.

PGP (Pretty Good Privacy) WDE on Windows - Quasi Step by Step

The setup is pretty straightforward and almost identical to the TrueCrypt setup; install the application from the exe. Once it finished open the PGP Desktop application from the system tray and click on PGP Disk then Encrypt Whole Disk.

During the installation you`ll be prompted to create a key pair. These keys will be used for encrypting and decrypting the drive(s). These are also the keys you`ll use if you buy the extra PGP addons such as email. Make sure you use your legitimate email address during creation.

It is recommended you create a recovery disk, same as a above.

Select the disk to encrypt then select the keys you created during installation by selecting Add User Key.

Click Encrypt, go for a coke..

By default PGP uses AES-256 for encryption and SHA-1 for hashing. As far as I am aware there is no possible customization to either the encryption or hashing algorithms.

Soap Box

While I am a huge fan of TrueCrypt for only WDE or file system encryption, it does not scale well in large deployments like PGP offers with the Universal Server. With the PGP Universal Server, enrollments and encryption policies can be controlled and deployed from a central server. The PGP server can generate "reports" from the server on demand. I put the quotes around the word report because the export is simply a csv export of the entire database structure, which is severely lacking in the ability to perform decent reporting and database maintenance.

Seriously though, with whatever solution you choose..choose one. The 30 minutes of your time it takes to install and configure the software will pale in comparison to being immortalized on the Internet as yet another failure to protect sensitive information...

Disk Encryption - The OpenSource Solution - TrueCrypt

nospam@example.com (Keith Pachulski) — Sat, 17 Apr 2010 12:22:41 -0400

My "secure" USB drive and a toilet bowel had a duel and the toilet bowl won. With that, I was torn between buying a new "secure" USB drive for $70-100 or buying a base plain USB drive and finding some disk encryption software. Of course in the back of my mind was a task of encrypting the entire disk on my laptop. With that I set out to find a free and moderately easy to use disk encryption software package. My requirements for the software package were the following:

- Must work on all the different operating systems I commonly use (Windows & Linux)
- Must be portable, if needed to be accessed on a different system it must work with at most installing the application
- Must be able to encrypt the entire file system
- Must be able to create virtual encrypted volumes (volume must not be overtly visible)
- Must be able to create an encrypted file system on removable media (SD or USB & volume must not be overtly visible)
- Must allow for auto-mounting of the encrypted file system, either virtual or removable media
- Must automatically unmount the drive when system is shut down or idle for a predefined time period
- Must lock/wipe the device on a predefined numbers of authentication failures
- Must use NIST^[?] approved encryption and hashing algorithms

After tinkering with 12-13 different software packages I decided on TrueCrypt, it met all my requirements except the lock/wipe the device on authentication failures. I could live without that one.

In creating the volumes, you are offered standard encryption algorithms or cascading algorithms. Cascading meaning you can implement multiple types of encryption algorithms built atop each other. Supported direct and cascaded algorithms include the following:

- AES^[?] in XTS Mode (NIST Approved)
- TwoFish
- Serpent

Cascading algorithms include the following:

- AES-TwoFish
- Serpent-AES
- Serpent-TwoFish-AES
- AES-TwoFish-Serpent

Speed wise, the direct algorithm is the preferred choice. AES will be the fastest of the available algorithm selections. If you are more concerned with security of the data at rest, the AES-TwoFish-Serpent cascade algorithm is recommended. bearing in mind, using the cascade algorithms will significantly slow the overall encrypt/decrypt throughput.

Hashing algorithms supported include the following:

- RIPEMD160
- SHA512 (NIST Approved)
- Whirlpool

Quick Volume Setup Guide for Removable Media for the Windows Operating System

Insert the USB or SD card into the reader or USB slot, open TrueCrypt and click on Create Volume.

- Select Encrypt a non-system partition/drive
- Volume Type - Standard TrueCrypt volume
- Select the USB drive (IMPORTANT NOTE: Make sure you select the USB drive and not your primary hard disk)
-- you'll get an error asking you to confirm that you want to encrypt the device, select yes

- Volume Creation Mode
-- Create encrypted volume and format it

- Encryption Options (select what you want here)
-- Encryption Select AES
-- Hashing Select SHA512

Volume Size - Select next as you're encrypting the entire file space

Volume Password - Enter the password you want to use to access the encrypted volume here

Volume Format - select NTFS for the filesystem type - do not select Quick Format, select Format

Once the device has been wiped and encrypted, remove the USB device and reinsert it into the system.

Quick Setup Guide for Creating Encrypted File Containers

Create a dummy file someone on your primary harddisk, for simplicity I used c:\temp\TrueCryptVolume

From the TrueCrypt application, click on Create Volume

- Select Create an encrypted file container
- Standard TrueCrypt Volume
- Click on Select file and navigate to where your container file is located - when prompted if you want to replace it select Yes
- Choose the encryption and hashing algorithm of your preference
- Designate the desired size of the encrypted volume
- Set the volume password
- Select NTFS for the filesystem and click on format - click yes to the warning to confirm creating the container
- Mount the container by clicking on Select File, navigate to the container file, select an unused drive letter, then click on mount

Enabling Automount for TrueCrypt Volumes

From the TrueCrypt application select Settings -> Prefereces - Checks the boxes next to the following options:

- TrueCrypt Background Task Enable
- Start TrueCrypt Background Task
- Mount all device-hosted TrueCrypt Volumes
- Mount Favorite Volumes

If you want the drives, after being idle for a predefined time period, to automatically dismount, select the "auto dismount volume after no data has been read/written to it for" and enter your time limit.

Click OK - Click Auto-Mount Devices, you will be prompted for the volume password.

Important Notes

Be aware that all disk encryption programs only protect the information "physically" written to the encrypted media be it virtual or physical. Any information you access is temporarily stored in system memory. If a computer system is not:

- shut down properly
- suffers from a power failure
- the removable media is removed without being unmounted
- as well as slew of other issues that may cause an unclean memory purge

May result in sensitive information being inadvertently left in temporary file space on the hardrdrive of the computer. If the entire system harddisk, as well as removable media, is encrypted, this is not an issue.

if you are encrypting the entire system harddrive, there have been some freak occurrences of on improper shutdown, the boot record becoming corrupted; Thereby turning your computer into a doorstop. However, full disk encryption is the recommended path if the information on your laptop for example is sensitive and may cause some severe impact to you if it were say stolen..not that laptop theft ever occurs right =)