Components and Features
Full Disk Encryption components and features
Matrix42 Full Disk Encryption has the following features:
- FDE support (FDE uses sector-based encryption). For further information, refer to the section below.
- Support for the encryption of multiple internal hard disks.
- Strong PBA via a hardened Linux operating system (protected against manipulation via the use of MD5 checksums). For details, review section PBA.
- Smart card/token or Windows credentials used for authentication. For details, review section PBA.
- Single Sign-On (SSO) from the PBA component to Windows. For details, review section PBA.
- Emergency recovery via:
  - HelpDesk application
  - Emergency Recovery CD (plug-ins for WinPE).
  For details about emergency recovery, refer to Emergency Recovery Information (ERI).
- Optional policy-based deployment and configuration. For details, see Administration and Usage Guide.
- Secure data erasure so that the hard disk on which Matrix42 Full Disk Encryption is installed may be reused without having to worry about data being recovered by third parties. For details, see Administration and Usage Guide.
Full Disk Encryption (FDE)
Full Disk Encryption (FDE) provides access protection and encryption for sensitive business information. It stops unauthorized users from gaining access to any part of the (encrypted) hard disk, provided the computer is either turned off or in stand-by/hibernation mode. ‘Full Disk Encryption’ is the term used to describe the encryption of the whole disk or partition – literally everything – including temporary files, swap files, and the operating system itself. Because of this, the data cannot be accessed when booting the computer from media such as a CD-ROM, floppy disk, or USB stick. Hacker tools that crack or reset the system password have no chance to compromise the system. If the hard disk is built into another computer as a second disk, access to the encrypted partitions is likewise impossible. For authorized users, disk access is no different from that on unencrypted systems.

FDE applies to hard disks that do NOT use a hardware encryption chip – in other words, ‘standard’ hard disks. The advantage of Matrix42 Full Disk Encryption is that it can be installed on ANY hard disk regardless of size or manufacturer. Once the hard disk has undergone an initial encryption, further encryption/decryption of new data is performed on the fly with little or no impact on system performance. Unlike other encryption products that encrypt specific files on your hard disk, Matrix42 FDE uses a sector-by-sector encryption method. That means that FDE encrypts all the data written to your hard disk and decrypts all the data read from the disk at a very low level – directly at the point of physical hard disk access.
Pre-Boot Authentication (PBA)
The Matrix42 Full Disk Encryption PBA component extends FDE to the highest level of security via Windows credentials/smart card/token authentication to a hardened Linux system at pre-boot time. The Matrix42 Full Disk Encryption installer places a fully functional and secure Linux system on a small partition of the hard disk prepared by the installer. Once the PBA has loaded, the user enters either Windows credentials or the smart card PIN; this information is compared with the encrypted information held in the PBA. If the credentials/PIN match the information in the PBA, the PBA terminates and Windows is booted.
Advantages of using Linux for the PBA
Using a hardened Linux system for PBA has a huge advantage when compared to normal Windows logon. For example, it is common knowledge amongst hackers how to extract a Windows password. Not only does the Matrix42 FDE component encrypt the hard disk, making password extraction impossible, but Matrix42 PBA goes one step further by providing a secure authentication system that cannot be manipulated. The same component protection applies to the PBA as already stated above (MD5 checksums and strong encryption for the keys). Matrix42 Full Disk Encryption gives users the security they need: the password is securely encrypted in the PBA, and without it no one can access their computer.
Authentication
Two forms of authentication can be used in Matrix42 PBA:
Smart card authentication based on international standards such as X.509, PKCS#11, and PC/SC
The smart card, or token, authentication method is the alternative to Windows credentials. This method has the advantage of separability: the ‘key’ (the smart card) can be taken with you. As the keys are stored solely on the smart card or token, if the computer is stolen it is impossible to access the data without the card and PIN. The only theoretical way to obtain the data in such a case would be a brute-force attack, which is considered useless if a key length of 128 bits or more has been used to encrypt the data.
After the smart card PIN is entered in the PBA, the smart card uses the PIN to decrypt the so-called ‘Data Encryption Key (DEK)’, the key used to encrypt data on the hard disk. Only if this succeeds will Windows be booted.
The PBA component is able to perform the decryption/encryption of the Data Encryption Key on the basis of symmetric encryption or asymmetric encryption mechanisms, so-called ‘public key’ mechanisms. In the case of asymmetric encryption, X.509 certificates (and the corresponding private key) are used for encryption and decryption. This guarantees the highest degree of interoperability with most PKIs on the market.
Windows credentials authentication based on the user’s current user ID, password, and optionally, domain
The Windows credentials authentication method is the ideal way to improve security and usability at the same time. The user has no need to remember another password or learn a new PIN; the user simply enters the user ID and password used for Windows.
Boot and authentication scenarios
This section details the PBA boot and authentication procedure.
The following figure (Figure 1) illustrates the difference between:
- Booting normally to Windows (no encryption, no PBA = high security risk)
- Booting to an encrypted hard disk with a Windows-smart card interface without PBA (medium security risk)
- Booting to an encrypted hard disk using the PBA
Dark blue indicates protected components and data, while light blue indicates components and data that are unprotected:
- The first row illustrates the standard Windows boot procedure. This method offers no data protection whatsoever. Windows logon can easily be overcome using readily available hacker tools, leaving your data open. Even if the attacker does not have these tools, a third party can remove the hard disk from the computer and attach it as a secondary drive to another computer to copy the data (these are just a few examples of how a computer that is not protected can be compromised).
- The second row illustrates Matrix42 Full Disk Encryption without PBA. Up to the point of successful authentication, the sensitive system files and user data are inaccessible. Due to this encryption the data cannot be retrieved by connecting the hard disk to another computer as a secondary drive: the contents of the drive are unreadable without the disk key! The only weakness that remains with this method is the Windows logon dialog.
- The third row illustrates the full Matrix42 Full Disk Encryption approach to data protection with PBA. User login is processed within the Linux PBA component. This stops any attack via the Windows login dialog. The PBA partition is not encrypted. To protect the PBA, only those components needed to complete the secure authentication via Windows credentials or smart card/token exist in the system. No networking components are available, making attacks on the PBA via a network impossible. USB and CD drivers are implemented strictly for the purpose of emergency recovery and are protected as such. All PBA system components are protected against manipulation.
HelpDesk and data recovery methods
A Matrix42 Full Disk Encryption user is supported in an emergency situation through several recovery methods. Remote assistance via a HelpDesk is the method most likely to be used in an enterprise, but self-help recovery methods are also available.
These recovery methods may become necessary when a user stumbles into one of the following situations:
- Defective smart card readers, lost/forgotten/broken smart cards;
- Forgotten Windows credentials;
- Forgotten/blocked smart card PIN;
- Failed Matrix42 Full Disk Encryption installation/encryption/decryption.
Matrix42 Full Disk Encryption offers several methods of data recovery in an emergency:
Help Desk Application
- The PBA HelpDesk application can be used to assist a user in starting his/her computer in an emergency. For example, should the user have forgotten the password or lost the smart card, the user receives HelpDesk contact information (telephone-based, contained within the PBA) displayed on his/her screen. A challenge–response process between the user and the HelpDesk personnel is used to verify the installation as well as the identity of the user and consequently start the computer.
- HelpDesk in the Matrix42 Data Protection Console (Product Settings | FDE | Helpdesk). Use Helpdesk to permit the user a certain number of boot actions without authenticating in the “Matrix42 boot system”:
  - During PBA, the user launches the helpdesk to select the request code (request ID) and sends it to the administrator.
  - The administrator enters the challenge ID received from the user.
  - The administrator sends back the response (response ID), which contains the number of boot actions available to the user without PBA logon.
  It is also possible to activate self-init (automatic initialization), which means that the next user who logs in successfully via the Windows logon function is automatically added to the PBA user list and can authenticate in the PBA during the next boot process.
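The following is an added, constructed model of how a helpdesk challenge–response can grant a bounded number of PBA-free boots; it is not Matrix42's protocol, and the HMAC construction, the response format (one digit plus 12 hex characters), `RECOVERY_SECRET`, `MAX_BOOTS` and all function and class names are assumptions made for illustration. It shows why a response is only useful for the machine and challenge it was issued for, and why the granted boot actions run out.

```python
import hmac
import hashlib
import secrets

# Constructed per-installation recovery secret shared by the PBA on the
# device and the helpdesk; Matrix42's real key material is not modelled.
RECOVERY_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
MAX_BOOTS = 9  # assumed upper bound: one digit keeps the response short

def helpdesk_response(secret: bytes, challenge: str, boot_count: int) -> str:
    """Helpdesk side: HMAC-SHA256 over challenge and count, truncated for reading aloud."""
    if not 1 <= boot_count <= MAX_BOOTS:
        raise ValueError("boot count out of range")
    msg = f"{challenge}:{boot_count}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()[:12]
    return f"{boot_count}{tag}"

class PbaRecoveryState:
    """Device side: issues the challenge, verifies the response, counts boots."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._challenge = None
        self.free_boots = 0

    def new_challenge(self) -> str:
        # Fresh random challenge per request, so an old response cannot be replayed.
        self._challenge = secrets.token_hex(8)
        return self._challenge

    def apply_response(self, response: str) -> bool:
        # Format: one decimal digit (boot count) followed by 12 hex MAC characters.
        if self._challenge is None or len(response) != 13 or not response.isascii():
            return False
        if not response[0].isdigit() or response[0] == "0":
            return False
        expected = helpdesk_response(self._secret, self._challenge, int(response[0]))
        if not hmac.compare_digest(expected, response):
            return False
        self._challenge = None  # a challenge is answered at most once
        self.free_boots = int(response[0])
        return True

    def boot_without_pba(self) -> bool:
        # Each emergency boot consumes one granted action.
        if self.free_boots == 0:
            return False
        self.free_boots -= 1
        return True
```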
Emergency Recovery Disk (ERD)
This is a hands-on method of data recovery. The ERD should only be used in situations in which the HelpDesk is no longer of help, for example, when the PBA can no longer be started, or if the initial encryption on a standard hard disk has been interrupted prematurely (due to power failure). Matrix42 has developed an add-on for WinPE for this purpose. To recover a computer in such an emergency scenario, it is necessary to use an Emergency Recovery Information (ERI) file created either by the Matrix42 Full Disk Encryption installer during the installation or afterwards via the Matrix42 Full Disk Encryption control center. The ERI file contains the specific recovery information necessary to clear any major problems with the computer.