Posts tagged ‘FDE’

« Previous Entries

Full Disk Encryption versus Sleep

July 9, 2011, 4:55 pm

As part of my Symantec Endpoint Encryption (SEE) upgrade, I verified that the new version worked with our main computer models.   During that testing, I looked at how boot/shutdown times changed, and verified that the system could still reboot and enter/exist sleep and hibernate correctly.  The only problem that came out of that testing was when standby was used, the user no longer had to do a preboot authentication before logging into Windows.  Previously GuardianEdge Hard Disk  (GEHD) Encryption provided full disk encryption on a cold boot and on returning from standby or hibernate.    Further testing found GEHD 9.5.3 also had this problem, I just didn’t know it.  

Since the cold boot was announced, it has been best practice to not allow computers using Full Disk Encryption (FDE) to enter sleep.  The encryption key typically remains in memory while the computer is in sleep mode and is thus susceptible to the attack.  

As a side note, hibernate is also dangerous if your FDE product doesn’t encrypt the hibernate file.   SEE should not have this issue.

Personally I refrain from using hibernate or sleep.   In my experience, it is unreliable.  So I’m not the most sympathetic person here.    There is always a tradeoff between security and usability.   If sleep is insecure and you fail to disable sleep then you only have the appearance of security.   You’ve checked the encryption box without actually protecting the data.

Management’s first response to this documented need to disable sleep is to ask for a report comparing sleep versus quarantine shutdown times.    In my experience, getting off XP is the first step toward having decent shutdown times.   The second step is reloading the system once it has the crud.    The effect of creeping crud will be more noticeable now that we are on three-year leases. 

For more information on protection against cold boot attacks with Symantec Endpoint Protection see their knowledgebase.

Tags: , ,
Category: FDE  |  2 Comments

Symantec EndPoint Encryption Installer

April 15, 2011, 5:51 pm

Symantec Endpoint Encryption (SEE) 8.0.1 is my first upgrade since Symantec purchased GuardianEdge.  It is a newer version inspite of being a lower number than GuardianEdge 9.5.x.    I guess it is really too soon to expect big changes.   I was hoping they would address some of the installer annoyances.

With SEE, you install a management server, then create the client install packages.   These are MSI packages.

Separate 32 bit and 64 bit Installer Files
I don’t do MSI package generation myself, but the software I’ve seen allows you to put both 32 bit and 64 into one installation file.   I would think this would make things a lot easier.   The main drawback would be the size of the install file.    I end up putting both 32 and 64 bit files into one installation package and call the appropriate one based on the CPU architecture.   So it doesn’t save me space and instead requires extra scripting work.   Is there some technical limitation I’m not aware of?

Upgrades
Upgrading versions of Symantec Endpoint Encryption (or GuardianEdge Hard Disk Encryption) requires using special switches.   When performing an upgrade, I need to use the command line MSIEXEC /i “\.msi REINSTALL=”ALL” REINSTALLMODE=”vomus”.   This upgrades the client by reinstalling all features of the product.

On the other hand, a regular install of Symantec Endpoint Encrytption, where it was not installed previously, uses more familiar switches (/qb).   In previous upgrades I’ve found that if I try to use the reinstall/reinstallmode switches on a fresh install it will not work.   I then have to script the install to use different command line options based on installation status in addition to 32 bit versions 64 bit.

To make matters worse,  some computers in my environment have Removable Storage Encryption and others don’t.   My install script is getting too complicated.

Full Control
When creating the installation package, you must save the client installation package to a local or network volume with Full control permissions set.  The SEE instructions say “This ensures the success of the upgrade package, as it will retain the Windows permissions of the location to which it is saved.”    Again, I don’t create MSI packages often.   Adobe Reader and Symantec Endpoint Encryption both create packages where a setup.exe calls the MSI.   However in neither case am I advised to change permissions on a folder.

I think I actually have seen issues that support has blamed on not creating the package in a directory with Full Control.    But I’m not sure what the actual problem is.

The old Files
In the past, when I’ve upgraded using the switches provided, I found I needed to have all the old install file available.   While people are generally on one version, I found it better to leave every version I’ve ever used in the install directory.   That can take up a lot of room.

I’m really lost as to the cause of this issue.   Shouldn’t MSI files be cached locally so even if it did need the original installation files it should have them, not require me to have them.   I am going to try one more time and removing the old install files from my SEE8.0.1 package and see if I still have issues.   Perhaps that was a problem only with older versions of the product.

Doesn’t Symantec own a MSI packaging company?   Hopefully some in-house expertise can cross divisions of the company to create a better product.

Tags: , ,
Category: FDE  |  7 Comments

Migrating FDE Vendors

January 12, 2011, 7:49 am

I was asked recently via email how to pragmatically uninstall GuardianEdge.   I’d been thinking about something similar, that is how do you migrate endpoint security vendors including Full Disk Encryption.

To a certain extent this problem doesn’t affect very many people.   Is Full Disk Encryption installed at many companies outside the Federal Government and Government Contractors?  I imagine its starting to make more inroads via the encryption safe harbor and regulatory requirements.  

I’ve had Full Disk Encryption deployed for over 3 years.   With many security products that is an eternity.   Features change.  Companies get bought and sold.   What if I decide to switch from yellow (Symantec) to red (McAfee).   Does Sophos have a color?  

As far as uninstalling GuardianEdge specifically, I’m pretty sure the manual says you need to decrypt before you uninstall.   Therefore, I would need to deploy a decrypt policy via Group Policy, then after sufficient time has occurred for decryption, uninstall GuardianEdge and replace it with my new favorite Full Disk Encryption.   The problem with this scenario is 1) The computer is left unencrypted for a period of time 2) this period of time is unspecified 3) The end-user will experience the joyful performance hit of decrypting and encrypting the hard drive.    Not Good!

Another possibility is to introduce the new encryption products as computers are replaced.   This has the benefit of not interrupting the user.   The downside is the helpdesk would have to keep track of two different one-time password programs to allow users to access computers with a forgotten password.   Management is twice as hard.   I’d have to maintain two different systems.   With a three-year lease cycle on computers it would be quite a while before all computers are on the new system.

We’re about to do a rip and replace migration to Windows 7.   This would be an ideal time when you’re already doing a system refresh.   You don’t have to worry about the decrypt/uninstall.   You just back up data, drop the Win7 Ghost load, restore data, encrypt.   It is a rare opportunity.

I don’t like these options.   Readers, have any of you migrated Full Disk Encryption products?   Do you see any alternatives I”m missing?   Comments welcomed below.   First time commenters will be held in the moderation queue.   All comments must clear the spam filter.

Tags: , ,
Category: FDE  |  6 Comments

Hibernate and FDE

December 16, 2010, 11:50 am

Earlier this week, I read this article reporting on Passware’s presentation at Password^20.   It reported that if you are using BitLocker or TrueCrypt and you’ve ever used hibernate, then Passware Kit Forensic is able to recover the encryption key from the Hibernate file.   The recommendation was “NEVER EVER EVER EVER allow hibernation for any computer.”

I found this hard to believe.    So I watched the presentation.  The Q and A made it clear that if the disk is truly fully encrypted, that is including the hibernate files, and the system is off.

I’m not as familiar with BitLocker or TrueCrypt as I am with the product I use with at work.   Apparently people using TrueCrypt or BitLocker often only encrypt data volumes.   Certainly that leaves you more vulnerable.   The product I use actually encrypts the full drive,and provides pre-boot authentication at all times.   So I think the advice to never use hibernate isn’t correct if you truly have full disk encryption.

Tags: , , ,
Category: FDE, Microsoft  |  3 Comments

GuardianEdge Windows 7 Looking Back

July 30, 2010, 6:13 am

Like a lot of companies we are trying to go to Windows 7 sooner rather than later. We skipped Vista and XP is starting to seem a bit old. One of the things holding us back is GuardianEdge’s Full Disk Encryption product. Here’s our timeline.

In October 2009 I asked GuardianEdge about Windows 7 support and Windows 7 64 bit support. They said both would available in version 9.5 due out in December 2009.

When GuardianEdge Hard Disk Encryption 9.5 was released (January or February), I found that there was no support for preboot authentication. Without preboot authentication, I think the encryption is pretty worthless. Support tells me 9.5.1 will include preboot authentication and be available in April 2010.

9.5.1 is released and I find it doesn’t work on my Toshiba Portege with windows 7 32 bit installed. I decide this may be a one-off. I’m the only one using the Toshiba so I try it out on a few Dell E6500 computers with Windows XP and Windows 7. This failed miserably. It turns out this was a known issue with Dell E6500 and GuardianEdge was working on a patch.

GEHD 9.5.1 patch 1 came out. While it fixed the assorted problems with the E6500, I now see in the release notes:

There are known issues with GuardianEdge Hard Disk on various configurations of the following Dell computer models
■ Dell E4310
■ Dell E6410
■ Dell E6510
■ Dell E5410, and
■ Dell E5510

Unfortunately the E6410 and the E6510 are two of the three systems listed on our standard configuration page. The third E4300, I suspect would really be the E4310.

GuardianEdge says this will be fixed in September 2010.

I wouldn’t this be surprised if this led to looking at other solutions and revisiting Bitlocker. I wrote about Bitlocker in March. These pretzels are making me thirsty.

Tags: , , , ,
Category: FDE  |  3 Comments

GuardianEdge 9.5.1 Patch 1

June 16, 2010, 1:47 am

GuardianEdge 9.5.1 patch 1 was released to address the Dell issues that I previously wrote about.

Support provided client installer packages so I could quickly see if this also fixed the issue I had with the Toshiba (sadly it did not).   Not sure if I’m going to get a chance to verify this patch resolves the Dell issue this week.   It is good news that this patch is out so quickly.   We need GEHD  9.5.1 working for our Windows 7 testing to progress.

<update>
I’ve tested with one Dell and Windows 7 32 bit.   patch 1 solved the original problem in that the computer now successfully boots when it has been shut down.   However when it is restarted it comes up with 5 dots on the screen after GuardianEdge authentication and goes no further.

Tags: , ,
Category: FDE  |  4 Comments

GuardianEdge 9.51 issues with some Dell

June 7, 2010, 3:29 pm

I’ve been doing more testing with GuardianEdge 9.5.1 since my last post on the subject.   A Dell E6500 with Windows 7 64 bit wouldn’t get to the GuardianEdge pre-boot authentication screen.  I attributed that to issues specific to Windows 7 64 bit and possibly a OEM drive partition.   So I went ahead and tried to upgrade a Windows XP computer from GEHD 8.7 to 9.5.1.   It had the same issues.  I called support and apparently I didn’t get a memo they tried to send out to everyone who downloaded 9.5.1.

Since its release, we have confirmed reports of error conditions when the Hard Disk client v9.5.1 is installed or upgraded on a specific set of machines. 

The following machines are affected:

•     Dell E series ( excluding E6400 )
•     Dell M Series ( excluding M6500 )
•     Dell D830
•     Dell XT
•     Dell XT2

GuardianEdge is committed to releasing a software update that will address these machine-specific issues in the next few weeks and will inform you as soon as the update is available. We strongly recommend that you do not deploy the Hard Disk client v9.5.1 to these machines until this update is released.

Once again, things that could have been brought to my attention yesterday. 

 

 

Tags: ,
Category: FDE  |  6 Comments

GuardianEdge 9.5.1, Windows 7 and Me

May 18, 2010, 7:51 pm

Long time readers, and anyone who has ever Googled “Guardian Edge” recall my intense dissatisfaction with GuardianEdge 8.7 and Vista on my Toshiba Laptop. Everything old is new again.
GuardianEdge released 9.5.1 last month so we finally have support for Hard Disk Encryption with preboot authentication on Windows 7. The short version of the story is I’ll be finding out how good my Windows Backup is. I installed GuardianEdge Hard Disk 9.5.1 on my Toshiba Portege M780 and started encrypting. I shut the computer down, went home and the computer wont boot. When I hit the power button, I can get to the preboot authentication screen. The system fan is going full blast. It doesn’t do that normally. And 5 seconds later the computer turns itself off.
I called support and their advice is to use the GuardianEdge Access utility to recover my data and reinstall. Hope that backup worked. Not what I was planning to do tonight.
What am I supposed to do now. This gives me zero confidence to deploy this to others. While there are plenty of other dominos that need to fall in our Windows 7 project, getting a GE package for Windows 7 is an important one.
The recover /a option was grayed out. No problems were detected with the GEHD volume files. So I decrypted the drive and uninstalled GEHD. I was then able to use the computer. I have a lot of doubt right now about the ability of GEHD to encrypt Vista and Windows 7

Tags: ,
Category: FDE  |  5 Comments

BitLocker vs Third Party FDE

March 30, 2010, 9:59 am

Like many organizations, we skipped Vista. So with Windows 7 we are facing the question “is Windows 7 good enough” or do we still need to pay for a third-party full disk encryption (FDE) product.

This question was asked back in 2006 at the SANS Desktop Encryption Summit. The FDE vender’s felt their product was better because:
1. Better Management tools
2. Mature product
3. Multiple OS support
4. No requirement for TPM.

BitLocker is no longer a first gen product. Let’s look at today’s reasons for purchasing or continuing to use a third-party FDE product.
BitLocker Minimum Requirements
“BitLocker stores its own encryption and decryption key in a hardware device that is separate from your hard disk, so you must have either a computer with a Trusted Platform Module (TPM) or a removable USB memory device.”
USB memory devices would tend to be stored in the laptop bag, so that isn’t a secure solution.
TPMs are an additional thing to manage. Perhaps it’s not as difficult as I envision. When I did a WAVE eval, I had to go into the BIOS to enable the TPM and set a master TPM password. That doesn’t scale.
“The computer must have been configured with an additional separate active partition to be used as a system partition.”
This extra step now happens automatically, so I don’t think that is a big deal.
“The BIOS must be compatible with TPM and/or support usb devices during computer startup”
It may be necessary to upgrade the BIOS. While probably not an issue on the newer computers we would be using, this could be an issue on upgrades in place.
None of these prerequisite requirements is particularly burdensome. However it leaves out one key minimum requirement: Vista or Windows 7 Enterprise. Our XP systems would still be on the current FDE product requiring two management methods.

OTHER BitLocker Considerations
1. Provable Encryption
With the current FDE product, if a computer is lost I would be able to tell that it was actually encrypted when it was last seen on $date $time. Can BitLocker say the same? I don’t know.
Many states have an encryption safe harbor. Meaning if the lost system was provably encrypted, breach notification provisions do not apply.
2. Usability
The current FDE product syncs the domain password to the pre-boot environment. The user does not need to know a second password. The normal password requirements apply.
With BitLocker the PIN is just that. An enhanced PIN can be required but it is possible that some system BIOS will not support alphanumeric entry in the pre-boot environment. Does this PIN ever expire? It doesn’t seem like it.
3. Recoverability
The standard recovery method is to use a recovery password. This is a 48 digit number backed up to Active Directory. Enjoy typing that in when the user forgets their password.
This method is not FIPS compliant and must be disabled. Instead there are other two options
A recovery key is a 256 bit key that is saved to a flash drive. This method must be done by the end-user and they need to store the key securely. Obviously that isn’t enterprise ready.
The third option is a data recovery agent. A public key is distributed to all BitLocker protected devices. Someone with the matching private key (e.g. me) would need to be physically present at the computer. Apparently even then the OS drive must be installed on another computer running Windows 7 as a data drive.
So basically no recovery options work for us.
4. Standby
BitLocker protection is in effect only when the computer is turned off or in hibernation.
Our current FDE product protects in standby, hibernation or when the computer is off.
Update:This is is no longer true.   a preboot authentication in standby is a false sense of security.
5. Enterprise Manageability
While BitLocker has caught up with third-party encryption products in its ability to encrypt USB drives there are still other areas where FDE vender’s shine. Many FDE vender’s can also encrypt phones and managed hardware based encryption products. It’s a lot more convenient to manage these devices through one vendor.
From my limited reading it seems that there are still a number of items that argue for the continued use of a non-Microsoft FDE product.

Tags: , , , ,
Category: FDE, Microsoft  |  4 Comments

GuardianEdge Announces Hardware Based Encryption Support

December 12, 2009, 2:21 pm

GuardianEdge put out a press release this week announcing Encrypted Drive Manager. This software will allow you to managed hardware encrypted hard drives as well as drives encrypted with GuardianEdge Hard Disk all from one platform. This will be released in Q2 2010. When I was evaluating GuardianEdge in 2007 they talked about these features so its nice to see it finally (soon to be) making it to market.
Hardware based encryption may finally be ready to ignite. The Trusted Computing Group has been working on standards so its not such a mishmash. Performing the encryption on hardware keeps the encryption keys out of memory so it isn’t vulnerable to cold boot attacks. There isn’t a CPU performance penalty as there can be with software encryption. Wiping a drive is as simple as removing the encryption key.
The main problem has been manageability. You need to be able to corporately manage accounts on the hardware encrypted drive just as you do with the software encryption. It has to be enterprise ready. Its necessary to be able to manage both software and hardware based Full Disk Encryption and GuardianEdge is going to allow for that.
I anticipate a time when the drives we order in our standard systems will all be hardware FDE capable and managed by GuardianEdge.

Tags: ,
Category: FDE  |  Comment
« Previous Entries