Tuesday, March 13, 2007

Encrypting hard drives from Seagate

This week, Seagate technology made headlines with their announcement of a new encrypting hard drive. The idea is that the hard drive will automatically encrypt and decrypt data so that it will always be stored encrypted. That way if a laptop with this hard disk is lost or stolen, the data will not be accessible to an attacker. I performed a search on this story on google news today and came up with over 250 articles covering this announcement.

I think that the drive is an appropriate choice for where to encrypt data, but the limitations of this approach should be addressed, and none of the news stories that I read mentioned the shortcomings of drive-level encryption. On the positive side, data in this scheme is encrypted on the fly so that users and applications do not need to participate in the encryption - it is entirely transparent. A raw hard drive physically extracted from a laptop provides no data to an attacker, assuming a proper encryption key is used. This provides protection for the data at rest, when nobody is using the computer, and no user is logged in.

However, an encrypted drive does not guarantee that attackers can never access the data on the disk. To function properly, the system must allow access to legitimate users. This access must be simple and transparent. My expectation is that the user login password will be used to derive the encryption keys that protect the data on the drive. But, regardless of the scheme used to obtain the key, when a user is active on the machine, the keys must be available to the hard drive so that data can be encrypted and decrypted in the course of normal use. At that time, the data is just as available to malicious code in the form of spyware, Trojan horses and viruses as it is to the legitimate user. If the system is designed well, then the keys will be erased whenever a user logs out. Another problem with login keys to encrypt the drives is that user-level keys are frequently susceptible to dictionary attacks.

I'm not certain, though, that user-level keying makes sense for a drive-level encryption scheme. Drives contain all kinds of data, including system data, and data from many different users. At the disk drive level, there is no notion of a user, just data blocks. So, it would be awkward to use login keys to encrypt the drive. How would system files be decrypted? In fact, all kinds of file system information, such as file permissions, are not supposed to be known at the disk drive level. So, my feeling is that there is not an intuitive key management scheme for the Seagate hard drives. I'd be curious to know what they are doing in that regard. Encryption is great, but without proper key management, its benefits are questionable.

I applaud Seagate for pushing the envelope and encrypting at the drive level. Such a move by the leading manufacturer of disks can only be good news for those concerned about security. But, I caution users not to blindly trust that their data is no longer susceptible to theft. As long as users can access their data, so can attackers, and the security of the data on a lost laptop is to a large extent dependent on what Seagate did for key management - a difficult problem that is often left unsolved.