Sunday, May 15, 2016

Whole Disk Encryption

Many people, even card carrying computer geeks, do not understand why a computer hard disk must be encrypted and why a computer must be shut down for the disk encryption to be effective.

This applies, whether you are using Bitlocker, Filevault, PGP, GPG or LUKS.

Why Encrypt Your Disks?

If the disk is not encrypted, then a miscreant can boot the computer with a USB stick or CD and read everything on the disk, or plant incriminating data on your disk, and then call the police, or wait for you to go through a border post where your machine may get searched - then watch you end up in the slammer.

Also, if the disk drive controller would fail and you replace the disk and chuck it in the trash, then the data is still accessible, if someone would replace the drive controller from an identical disk bought on Ebay.

If your laptop PC gets stolen, then it can end up on Ebay, with all your data and the buyer can empty your bank account, order a bunch of credit cards in your name, or sell your house for you and run away with the money.

Even if you are a broke student with no money, someone can still order a credit card in your name and use it.

Therefore, if you don't want to incur thousands of dollars in losses, a ruined credit rating and huge amounts in legal fees to sort out the resulting mess, then you have to encrypt your data.

Protecting Data at Rest

When the machine is powered on and running, the encryption keys are kept in RAM and the data is accessible to you, and an attacker.  So obviously, you should never leave a running computer alone.

When the machine is shut down, the RAM gradually loses power, the keys get lost and your data is safe and 'at rest' - or that is the idea anyway.

On a server, the memory has error correcting capabilities and always powers up in a zero state.  On a cheap laptop computer, the memory doesn't have error correction and the RAM can retain data for several minutes after the machine was powered down.

Therefore, it is possible for a miscreant to quickly boot a recently abandoned laptop PC and read the memory using a special tool (http://mcgrewsecurity.com/oldsite/projects/msramdmp.1.html), recover the passwords and keys, then dump the disk and go away and analyse it at his leisure.

Suspend (save in RAM) / Hibernate (save on disk)

When you slam the lid of your laptop, it typically suspends by writing CPU data to RAM and then partially powers down, leaving the memory powered up to preserve the data.  When the battery gets low, it will wake up, write the data to the hard disk and then power down completely.  When you power up again, it will restore itself and get going again.

If the machine suspended, then it can be (quickly) rebooted from a USB stick or CD and the contents of RAM can be read.  The data in RAM is in plain text and a search through the raw data will reveal your passwords and encryption keys, the last files you worked on, even the last PGP encrypted email you sent may have a plain text copy in RAM.  Therefore, suspend is risky and should be avoided.

If the machine hibernated, then the hibernate file can be read from disk, by booting from a USB stick or CD and a search through the raw data could reveal your passwords and encryption keys.  However, if the disk is encrypted, then the hibernate file will be unreadable. Therefore hibernate is potentially secure, if the encryption is done right.

BIOS Boot Options and Password

It doesn't help locking the front door of your house and putting the key under the carpet, or leaving the back door open.  Disk encryption must be done properly and all loopholes must be closed, else it is ineffective.  As shown above, suspending a machine to RAM and leaving it on your desk, is like leaving a slowly vanishing key under the carpet.

It is therefore important to buy yourself time - 10 minutes or more - and make it hard for an attacker to bypass the encryption, by making it difficult to boot from a TFTP server, CD or USB stick.

Therefore, in the BIOS, change the boot order so that the machine will not boot from a network server or removable media and set a BIOS password, so that an attacker cannot easily change the boot order.

Another interesting factoid, is that enabling a BIOS RAM check option - if available - would also help to destroy the RAM data while rebooting.

A determined attacker can open the PC, and reset the BIOS memory chip using a link, or by removing the battery, but that is hard to do on a laptop and it means that the perp needs to do multiple attacks - first to change the BIOS settings and later, to recover your keys and dump the disk.  Therefore setting a BIOS password makes it much more likely that he'll get caught.

Also, if dragoons are bashing your door down, or if you have to cross a border post, it may be a good idea to pull the battery from your laptop PC.

Note also that Windows has special features in the UEFI BIOS that makes it less secure, by allowing the installation of code that always gets loaded and executed before the system starts up. This was supposed to be used as an anti-theft system, but as always, MS botched it, thereby creating a very bad, low level, built-in, universal exploit vector.

Is This For Real?

I just tried it on my Windows 7 laptop PC with PGP encrypted disk using the McGrew CD to boot and a memory stick for the data and it worked - nuff sed.


Écrasez l'infâme,

Herman

No comments:

Post a Comment

On topic comments are welcome. Junk will be deleted.