Article: Full Disk Encryption (FDE) Engine vs Key Management
FDE Encryption Engine vs Key Management
Key Management is:
- Pre-Boot Authentication (PBA), where the keys or credentials required for decrypting or unlocking the drive are revealed only after authentication. The user can be authenticated locally with single- or multi-factor authentication. Alternatively, the device can use pre-boot networking (PBN) to communicate with a central key manager or Active Directory to authenticate, enforce policy and possibly obtain the keys required to unlock or decrypt the local drive. “Enforce policy” can range from sending the device the credentials or keys to unlock automatically without user intervention, to sending a kill pill to the device and triggering a crypto-erase. More typically, if policy allows the particular user access, the central key manager sends the credentials or keys required to decrypt or unlock the drive, protected by the user’s password or smart card; user authentication then occurs locally.
- Central storage and distribution of keys or credentials for managing access and recovery. An OS-present agent may communicate with the central key manager after boot to report status and receive policy updates and keys. For example, once booted, the OS-present agent could receive instructions and data to add or remove PBA users. In a less typical use case, the central key manager could send a kill pill to trigger a crypto-erase.
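The PBN exchange described in the two items above, modelled as an added example (not code from this page or from SecureDoc): the key-manager API, the policy names and the XOR+HMAC key wrap are assumptions for illustration only.

```python
import hashlib, hmac, os
# Constructed model of the pre-boot networking (PBN) flow described above: the
# PBA client identifies device and user to a central key manager, which applies
# policy and replies with the DEK (auto-unlock), the DEK wrapped under the user's
# password (authentication then completes locally), or a kill pill (crypto-erase).
# The XOR+HMAC wrap is a toy stand-in for a real key-wrap such as AES-KW.

def _kek(password, salt, n):
    return hashlib.pbkdf2_hmac("sha256", password, salt, 10_000, dklen=n)

def wrap_dek(dek, password):
    salt = os.urandom(16)
    kek = _kek(password, salt, 32 + len(dek))
    ct = bytes(a ^ b for a, b in zip(dek, kek[32:]))
    return {"salt": salt, "ct": ct, "tag": hmac.new(kek[:32], salt + ct, "sha256").digest()}

def unwrap_dek(blob, password):
    kek = _kek(password, blob["salt"], 32 + len(blob["ct"]))
    tag = hmac.new(kek[:32], blob["salt"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # wrong password or tampered blob: release nothing
    return bytes(a ^ b for a, b in zip(blob["ct"], kek[32:]))

class KeyManager:
    def __init__(self):
        self.policy, self.dek, self.wrapped = {}, {}, {}

    def enroll(self, device_id, user, password, dek):
        self.dek[device_id] = dek  # kept only to serve the auto-unlock policy
        self.wrapped[(device_id, user)] = wrap_dek(dek, password)
        self.policy[device_id] = "user_auth"

    def pba_request(self, device_id, user):
        # Reply: ('erase', None) | ('unlock', dek) | ('wrapped', blob) | ('deny', None)
        p = self.policy.get(device_id)
        if p == "crypto_erase":
            return ("erase", None)
        if p == "auto_unlock":
            return ("unlock", self.dek[device_id])
        blob = self.wrapped.get((device_id, user))
        return ("wrapped", blob) if p == "user_auth" and blob else ("deny", None)

def pba_client(km, device_id, user, password):
    # Device side: consult the key manager, then finish authentication locally.
    kind, payload = km.pba_request(device_id, user)
    if kind == "erase":
        return "crypto-erased"  # kill pill: DEK destroyed, drive contents unrecoverable
    if kind == "unlock":
        return payload
    return unwrap_dek(payload, password) if kind == "wrapped" else None
```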
The table below assumes that SecureDoc key management is being used and is intended to help the Pre-Sales Engineer and customer understand which encryption engine best fits their security requirements.
FDE Cryptographic Engines Managed by SecureDoc: Trusted Advisor
| Category | Feature / Function | Self-Encrypting Drive (SED) | OS Native (BitLocker) | OS Native (FV2) | SecureDoc Native Encryption |
|---|---|---|---|---|---|
| Security | Crypto Erase | Unrecoverable | Always recoverable with BitLocker Key Package | | Recoverable (with Emergency Disk) |
| Security | Lock on reboot | No | Yes | | Yes |
| Security | Prevent physical-disconnect SATA drive (but not power) attacks for unattended machines | No | Yes | | Yes |
| Security | FIPS 140 | Mostly not (some Seagate HDDs have it) | Yes: https://technet.microsoft.com/en-us/library/security/cc750357.aspx | | Yes |
| Security | Common Criteria | Not yet (maybe CC cPP in a year or so) | Yes, for Windows 8 and Win Svr 2012: https://www.niap-ccevs.org/st/vid10540/ and https://www.niap-ccevs.org/st/st_vid10540-ci.pdf | | Yes (but very old; maybe CC cPP in a year or so) |
| Security | Disable Sleep | Yes | Yes | | Yes |
| Security | Data Encryption Key (DEK) susceptible to RAM attacks | NO, DEK never leaves drive | YES | | YES |
| Security | Evil Maid attack protection | YES (Shadow MBR is read only) | | | NO (unless UEFI Secure Boot is on) |
| Transparency | Conflicts with other software | Little conflict | Very little due to extensive testing & MS requirements | | Possible due to filter driver |
| Transparency | Software RAID | Yes (with OSA) | Yes | | No |
| Transparency | Hardware RAID | No | Yes | | Yes |
| Transparency | Sleep | Supported with filter driver | Supported | | Supported with filter driver |
| Transparency | Support any OS | YES (with OSA) | Windows only | | NO |
| Performance | Hard Disk Drive (HDD) I/O | Little better than software (SW) encryption | | | Good |
| Performance | Solid-State Drive (SSD) I/O | Noticeably better than software encryption | | | Not bad if machine supports AES-NI for ‘normal’ use |
| Performance | SSD I/O (NVMe) | Much, much better than software encryption (TBD) | | | Unacceptably slow? |
| Performance | Conversion | Minutes | Hours | | Hours |
| Performance | Boot / resume times | Good | | | Little bit slower |
| Other | Cost | Usually no extra charge | Customer may already have it | | Included in SecureDoc |
| Other | Availability | SEDs limited to some SKUs (Gartner still says there are issues) | No issue | | No issue |
| Other | Forensic Support | YES (EnCase) | Yes (EnCase) | | YES (EnCase) |
| Other | Data Recovery | YES (for Seagate +?) | Yes | | YES |
| Other | Re-purposing encrypted drive | Revert disk with SID or PSID before re-imaging drive | Just re-image disk | | Just re-image disk |