Cross platform FDE/PBA encryption

Posted on 21 June 2013

I’d like to have the safe feeling of Full Disk Encryption. This means that the whole disk is encrypted, so you can be sure that nobody can access your data, not even via the swap files of your OS.

Note that encryption is not the same as authorization and authentication, and that an encryption key is not the same as a password/passphrase. A password on your Windows account can’t prevent people from reading your personal stuff: all they have to do is hook your hard drive up to a cable and access it as if it were an external drive.

Slang

The best would be to have hardware encryption (Self-Encrypting Drives) or hardware acceleration. The problem with normal software encryption is the performance hit. Intel i3 and higher processors have AES-NI on board for hardware acceleration, so there is not much of a CPU hit, but overall hard disk performance still drops by 20-30%. Does it not with hardware encryption? I’d like to test that!

It’s important that the encryption works with RAID sets (both software and hardware RAID), with all filesystems (like NTFS, HFS, exFAT) and preferably also with TPM. For the encryption mode itself: XTS is important.

The last requirement is that the files can be accessed from both Windows and Mac, and it would be great if it supports Pre-Boot Authentication (PBA) on both Windows and Mac.

Options

The choice is between software or hardware encryption.

Software

BitLocker comes free with Windows but is Windows only. FileVault 2 (benchmarks) comes free with OS X 10.8+ but is OS X only. It’s safe (AES-128) as long as you enable the screensaver password, turn off your laptop when travelling, and turn off automatic login (source: tuaw). I’m sure this won’t encrypt the Boot Camp partition and that the OS X partition is not accessible from the Windows partition.

So what are the options for both Windows and Mac?

  • € 99 BestCrypt. Only the € 59 Container Encryption version supports all filesystems, RAID and XTS and is cross-platform, but it works with virtual (container) drives and has no PBA. The € 99 Volume Encryption version has PBA and TPM but only works with Windows.
  • OpenPGP/GPG, originally developed for e-mail (RFC 4880). PGPdisk 6.0.2 (PBA, TPM) is free (both Windows and Mac) but was discontinued when PGP Corporation bought the commercial part (which in turn has been bought by Symantec, see below). GPG is the open alternative that uses the OpenPGP standard for file encryption; there already are quite a few nice GUIs for it, but there is no FDE/PBA version (yet).
  • Free (and libre) TrueCrypt works with both Windows and OS X, but only offers PBA for Windows. It supports hardware acceleration, all filesystems and XTS. No support for TPM. There are rumours about it having been made freely available by secret services, so they can sniff through our secret stuff. I don’t know about that, but it’s free and its documentation is great! So I will test this. Here is a manual for exFAT formatting and here one for disabling the ‘this disk needs formatting’ message.

With PBA for both Mac and Windows:

  • $ 100 Symantec PGP WDE, aka Symantec Endpoint Protection. This works with both Windows and OS X and supports a boot password for both (including Boot Camp). It might not support exFAT?
  • $ ?? McAfee SafeBoot / Endpoint Encryption. The documentation is not very clear, just like their software. They offer TPM, hardware acceleration and all filesystems. Here I found that they have “Endpoint Encryption for Mac (EEMac) that relies on the NVRAM variable and the EEMac EFI driver to ensure that the Pre Boot Authentication application launches. The PBA is a UEFI application present in the boot order of the system, before the boot sequence for Mac OS X.”
  • $ ?? Check Point FDE. Looks very pro, like WinMagic.
  • $ 99 WinMagic SecureDoc, for Windows and Mac, offers PBA, TPM and hardware acceleration. From their SecureDoc for Mac brochure: “SecureDoc for Mac OS leverages pre-boot user authentication and works transparently ensuring there is no noticeable performance difference to the user once the device is encrypted.” I don’t know if it’s possible to buy a single license. WinMagic also supports SEDs.

These are all very professional (enterprise) programs, so it might be hard to get only one license. I guess TrueCrypt might be the best option at this moment; otherwise look at WinMagic SecureDoc.

One nice package I came across is KeyParc (free and paid plans). But it stores the keys online, so it always needs an internet connection.

Hardware

There are a few external SEDs (self-encrypting drives), aka BDE (bulk data encryption). One of those is the WD My Passport line. For internal drives it’s more complicated, as not all BIOSes and boot systems support SEDs.

Hardware/BIOS solutions have the advantage of not being OS dependent and of putting no extra load on the processor. It’s the fastest and safest: the BIOS or a second MBR collects the password (or smartcard etc.) that unlocks the key. The risk of keylogging the password is much reduced, because you have to type it in before the OS is booted, although there is still the risk of BIOS/firmware attacks and of hardware keyloggers or someone eyeballing your keystrokes.

This works with most Windows computers that support TPM or another BIOS/MBR mechanism to unlock the encryption key. But what are the options for my MBP? It’s complicated: it’s not possible, due to EFI + GUID partition table instead of BIOS + MBR. But WinMagic SecureDoc (see above) also supports SEDs on OS X.

I read something about Windows 8 and UEFI. As I understand it, EFI will replace BIOS on all computers in time?

Update August 2014: FIPS 140-2 (2001). Seagate has FIPS 140-2 level 2 SEDs. OS X Lion seems to support it. But after some more reading it turns out that FIPS is only a security standard, not a boot system or an alternative to TPM. I’ll stick with external SEDs.

Posted in: Computers