Today is still Data Privacy Day here in the Pacific timezone of Canada and I thought it would be an excellent occasion to raise awareness of a common problem related to the deployment of full disk encryption (FDE) solutions.
Many companies are switching from traditional desktop computers to laptops as the price of portability has plummeted. Meanwhile, adoption of full disk encryption has accelerated. Unfortunately, many users are overconfident in the magical and misunderstood security blanket of “being encrypted.”
Users who feel they are protected by strong encryption begin to engage in riskier behaviour. When you tell an end-user that their hard disk is scrambled and can only be unlocked with their secure password, they don’t understand that this protection only holds while the computer is powered off; once it is on and unlocked, it no longer applies.
Admin to user: “Why did you click on that link in your email/IM/Facebook?”
User: “My computer is encrypted so my data is safe.”
Because of the awesome power management features available in modern laptops, users have also gotten into the habit of never shutting down their operating system when they are done at work. They simply close the lid, pick up their notebook, and head for home.
The problem is that when a computer goes into suspend/sleep mode, the data on the disk is still encrypted, but the encryption keys that let the operating system read and write that disk remain in the laptop’s RAM, which stays powered. Upon resuming (opening the lid), all background processes pick up where they left off and every program has full access to the encrypted volume.
This allows a FireWire (DMA) attack to read the keys straight out of memory, and it also lets any data-stealing malware already on the machine keep running and thieve the “protected” data as soon as the laptop wakes up.
Sleep/suspend mode isn’t safe, but most encryption products, including Sophos SafeGuard for Windows, can safely protect a machine that is in hibernate mode, because hibernation writes the contents of RAM to disk and powers the machine off, so the keys are no longer held in memory.
As long as the hibernation file (hiberfil.sys on Windows) is stored on the encrypted volume and the computer is configured to force power-on authentication (POA) before the decryption keys are released to resume from hibernation, the hibernated machine can be considered secure.
What does this all mean? Those of us in IT who understand how encryption works need to educate our users on the proper use of encryption technologies. Our users are a key component in the protection of our data, and need to understand what encryption can and can’t do.
When you hand over a shiny, newly encrypted laptop, spend a few moments explaining to the user that locking the screen or putting the machine to sleep leaves the keys in memory and defeats the purpose of encrypting their data. Whenever our computers aren’t in use, we must either hibernate them or perform a full shutdown. This is especially important in settings like airports, where laptop theft is frequently reported.
If possible, use Group Policy in Active Directory to prevent users from choosing unsafe options like sleep (for example by making the lid and power buttons hibernate instead of sleeping and disabling the standby states altogether), and deliver regular reminders on the importance of correctly using portable computers.
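As an added, worked example of the lockdown just described (this is not a script from the original article, from Sophos, or from SafeGuard), the following PowerShell uses the built-in powercfg tool and the registry location behind the “Allow standby states (S1-S3) when sleeping” policy to make a Windows laptop hibernate instead of sleeping. It assumes Windows 7 or later, an elevated prompt, that hiberfil.sys lives on the encrypted system volume, and that your FDE product already forces power-on authentication on resume. The powercfg aliases and the policy GUID are the documented ones, but check them against `powercfg /aliases` and your ADMX templates before rolling this out, and in a domain set the same settings through a GPO rather than editing the registry on each machine.

```powershell
# Added example: force hibernate-only behaviour on an FDE laptop.
# Not part of the original article. Run from an elevated PowerShell prompt.
# Assumed: Windows 7+, hiberfil.sys on the encrypted volume, FDE power-on auth enabled.

#Requires -RunAsAdministrator

# 1. Hibernation must be enabled at all (this creates hiberfil.sys on the system volume).
powercfg /hibernate on

# 2. Lid close, power button and sleep button must all hibernate, never sleep.
#    Index values for SUB_BUTTONS actions: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down.
foreach ($action in 'LIDACTION', 'PBUTTONACTION', 'SBUTTONACTION') {
    powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $action 2
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $action 2
}

# 3. Never drop into standby on an idle timeout (0 = never); hibernate after 30 idle minutes instead.
powercfg /change standby-timeout-ac 0
powercfg /change standby-timeout-dc 0
powercfg /change hibernate-timeout-ac 30
powercfg /change hibernate-timeout-dc 30

# 4. Require a password on wake so an unlocked desktop never appears on resume.
powercfg /setacvalueindex SCHEME_CURRENT SUB_NONE CONSOLELOCK 1
powercfg /setdcvalueindex SCHEME_CURRENT SUB_NONE CONSOLELOCK 1
powercfg /setactive SCHEME_CURRENT

# 5. Remove "Sleep" from the user's reach entirely by disabling the S1-S3 standby states.
#    This is the registry backing of the policy
#    Computer Configuration > Administrative Templates > System > Power Management >
#    Sleep Settings > "Allow standby states (S1-S3) when sleeping" (plugged in / on battery).
#    ACSettingIndex/DCSettingIndex = 0 means the states are not allowed.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab'
New-Item -Path $policyKey -Force | Out-Null
Set-ItemProperty -Path $policyKey -Name 'ACSettingIndex' -Type DWord -Value 0
Set-ItemProperty -Path $policyKey -Name 'DCSettingIndex' -Type DWord -Value 0

# 6. Audit what we ended up with. The lid action should read index 0x00000002 (hibernate)
#    and 'powercfg /a' should list Hibernate as available and the S1-S3 states as unavailable.
powercfg /query SCHEME_CURRENT SUB_BUTTONS LIDACTION
powercfg /a
```

The audit step at the end is the part worth keeping in a login or compliance script: a lid action of anything other than 2, or an S3 state still reported as available, means a user (or a driver update) has undone the policy and the laptop will once again go home with its keys in RAM.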
If you have Mac OS X users, be aware that at the time of writing neither sleep nor hibernate provides full protection for encrypted Macs. Train Mac users to always shut down their computer when it is not in use, especially outside the office.
Thank you to Michael A. Schmidt of Sophos GMBH for background information that helped me compose this article.