Welcome to WebmasterWorld Guest from 188.8.131.52
Forum Moderators: open
Coming soon: Full-disk encryption for all computer drives [computerworld.com]
The world's six largest computer drive makers today published the final specifications for a single, full-disk encryption standard that can be used across all hard disk drives, solid state drives (SSD) and encryption key management applications. Once enabled, any disk that uses the specification will be locked without a password -- and the password will be needed even before a computer boots.
This may cause as many problems as it solves. However, I think it will make data more secure if universally implemented.
There is also a critical flaw in the whole concept. If Joe Public takes his laptop into a store to have his installation of Windows fixed - he will have to hand over the password to the whole system. And by the sound of it, changing the password afterwards is not going to be possible.
I would have thought that hardware encryption of partitions would have been possible without too much effort. It would have meant that single drives would have to appear as multiple drives to the operating system/bios but that should not have been difficult to achieve.
Nevertheless, IT departments in government and commerce will find this useful, but I'm guessing that certain government agencies will have a way to unlock these drives.
Once enabled, any disk that uses the specification will be locked without a password -- and the password will be needed even before a computer boots.
Am I just reading that wrong or is that statement confusing to others? If the disk is locked without a password, and a password is needed even before a computer boots ... what password would you enter? None?
I read the announcement as well as the linked pdf download specification but couldn't find an answer.
Thereafter, whenever the computer is switched on (or comes out of standby presumably) the bios will request the password and refuse access to the hard disk if it isn't entered.
Mounting encrypted portable drives would have to be possible at both bios level and operating system level.
The more I think about this the more I am concerned about the potential of newbies turning their drive into bricks. They'll be secure bricks ;), but I can already hear the griping on the net when a password is lost, compromised or somehow corrupted. I hope they're thoroughly thinking this entire system through.
New disk encryption standards could complicate data recovery [computerworld.com]
When the world's largest disk-makers joined last week to announce a single standard for encrypting disk drives, the move raised questions among users about how to deal with full-disk encryption once it's native on all laptop or desktop computers.
For example, what happens if a user loses a password -- essentially leaving the drive filled with data that can no longer be unencrypted? Or what if a drive becomes corrupted or damaged, the data has to be recovered by a third party -- and your password is on the drive?
"Then you have just killed yourself," said Dave Hill, an analyst at research firm Mesabi Group.
LOL! Great answer!
Looks like they've been mulling over a lot of the same issues:
Aha! So! It isn't just the 3 of us having concerns, eh? :)
consumers purchasing laptops or desktops with drives would face a more daunting scenario: They would need to either back up their data and their passwords, or lose their drives and data.
So, we need to backup the data from one encrypted HDD to another encrypted HDD. Or to an unencrypted tape or other media. I'm starting to see a circle here ...
I'm being a tad facetious here. I personally like the idea for myself. And not that I am above anybody else, mind you, I just know that certain levels of technology fit certain people, others not so much.
The process of data recovery would remain essentially unchanged. If the disk platter or electronics need to be transplanted there should be no problem unless a really stupid system is used.
Validation of the password should be achieved by parsing a block of data (one hidden sector presumably). For security, there should be a few of these scattered at predetermined positions on the disk so that if one fails another can be read. Thereafter, every sector will be encrypted predictably according to its number, i.e. component parts will be interchangeable and data recovery will work exactly as it does now except that it may be necessary to disclose the password.
Ideally, CRC data validaton per sector should be possible without the password so that drive health can be determined. If manufacturers don't do this, then they're not very bright.
That's going to make it difficult to work with Wake On LAN, rebooting and other remote maintenance tasks.
But I can definitely see a market for organizations that store all their data on one drive (or password protecting entire partitions), as long as it's separate from the boot disk/partition.